--- Log opened Fri Aug 01 12:49:14 2008
12:49 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined #openvpn
12:49 -!- ServerMode/#openvpn [+ns] by zelazny.freenode.net
12:49 -!- Irssi: #openvpn: Total of 1 nicks [1 ops, 0 halfops, 0 voices, 0 normal]
12:49 -!- Irssi: Join to #openvpn was synced in 0 secs
12:49 -!- mode/#openvpn [-s+tc] by ChanServ
12:52 -!- ecrist changed the topic of #openvpn to: OpenVPN | http://openvpn.net
13:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:19 < krzee> heh right on
13:19 < krzee> link to howto in topic please
13:19 <@ecrist> working on getting some control
13:19 < krzee> ya, good job
13:19 <@ecrist> hang on - I'll give you access
13:20 -!- ecrist changed the topic of ##openvpn to: OpenVPN | http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html
13:21 < krzee> nice
13:21 < krzee> that howto is a big win =]
13:22 <@ecrist> for sure.
13:26 -!- mode/##openvpn [-o ecrist] by ecrist
13:27 -!- Irssi: ##openvpn: Total of 2 nicks [0 ops, 0 halfops, 0 voices, 2 normal]
13:28 < ecrist> LoRez has moderated and +i to #openvpn
13:29 < ecrist> and forwarded it to here.
13:33 < krzee> cool
13:33 < krzee> maybe someone should say so in that channel
13:33 < krzee> lol
13:34 -!- intangir [i=Intangir@c-98-197-217-152.hsd1.tx.comcast.net] has joined ##openvpn
13:34 -!- intangir [i=Intangir@c-98-197-217-152.hsd1.tx.comcast.net] has left ##openvpn []
13:38 -!- mode/##openvpn [+r] by ChanServ
13:47 < ecrist> I wonder how long then, until people realize it's too quiet in there.
13:49 -!- SilenceGold [n=chris@adsl-70-232-50-35.dsl.ltrkar.sbcglobal.net] has joined ##openvpn
13:49 < SilenceGold> nice
13:50 < ecrist> I'm not one for take-overs, but there was nobody to moderate that channel before.
13:50 < SilenceGold> yea I understand
13:50 < SilenceGold> so...
13:50 < SilenceGold> how do we get everyone to leave #openvpn
13:50 < SilenceGold> lol
13:50 < ecrist> SilenceGold: they will, in time.
13:51 < SilenceGold> maybe I can flood #openvpn to tell everyone to /hop
13:51 < SilenceGold> lol
13:51 < SilenceGold> like this
13:51 < SilenceGold> /hop
13:51 < ecrist> they'll figure out there's no talking
13:51 < ecrist> you can't, it's +m
13:51 < SilenceGold> oo
13:51 < SilenceGold> didn't notice it
13:51 < ecrist> :)
13:51 < ecrist> I wonder if it's possible to lock the access list.
13:52 < SilenceGold> /msg chanserv help
13:56 -!- Irssi: ##openvpn: Total of 3 nicks [0 ops, 0 halfops, 0 voices, 3 normal]
14:11 -!- JW [n=jw@cvs.claborn.net] has joined ##openvpn
14:16 < JW> Does anyone know if the address assigned to the bridge is supposed to be the same IP address that is normally assigned to the LAN?
14:17 < JW> in other words if I'm bridging eth0 and tap0 - I have one private address I normally use on eth- in /etc/network/interfaces -
14:17 < JW> Is that the address I assign to the bridge?
14:17 < JW> Or is it another unique address?
14:17 < krzee> im unsure, been a long time since i used bridging
14:18 < JW> I'm about ready to go crazy - I think VPN is the hardest thing I've ever tried to setup in 10 years of using Linux.
14:18 < JW> it's worse than hacking xorg.conf by hand.
14:18 < JW> I'm working on the server end - it's Debian Etch.
14:19 < JW> And no matter what method I use to try to do the bridging,
14:19 < krzee> you're sure you want a bridge?
14:19 < JW> there is never a /dev/tap0 or /dev/net/tap0 created
14:19 < JW> I do have a /dev/net/tun that is persistent
14:19 < JW> krzee: well, I think so I started off trying the routing method, and I got that to work.
14:20 < JW> I'm setting this up for my boss and one other employee to use when they are out of the office
14:20 < krzee> the goal?
14:20 < JW> They want to be able to seamlessly get to any server or workstation on our office LAN using its normal IP
14:20 < JW> we run a 192.168.0.X LAN
14:20 < krzee> windows sharing?
14:20 < JW> NO
14:21 < JW> We do use samba but it's not relevant right now because none of ht eLinux uses mount samba shares on Linux workstations
14:21 < JW> and the VPN is for the Linux users
14:21 < krzee> what in link layer do you need tunneled?
14:21 < JW> sorry for the typos - that was supposed to read "none of the Linux users mount samba shares on Linux workstations"
14:22 < krzee> all good i understood
14:22 < JW> krzee: I'm not sure what you're calling the Link layer -
14:22 < krzee> the layer with mac addresses
14:22 < JW> I must be confused. I thought all traffic on that layer were just packets that contain application data
14:23 < JW> and the application data "type" didn't matter
14:23 < JW> He'll be using primarily ssh
14:23 < JW> also possibly mysql connections
14:23 < krzee> if you need arp, and whatnot tunneled you want bridge
14:23 < krzee> if you want IP tunneled, you want routed
14:23 < JW> possibly want to print to our printers
14:23 < krzee> most people want routed
14:23 < JW> And one of them might want to use DNS and our gateway.
14:24 < krzee> its few exceptions that lead to bridged
14:24 < JW> krzee: At first I, too thought we wanted routed.
14:24 < JW> Something I read said it was simpler
14:24 < krzee> it is
14:24 < krzee> and i think thats what you want
14:24 < JW> And I got a 1-external client to 1-border server VPN set and working
14:24 < JW> The problem is I used a different IP range 10.8
14:24 < krzee> no problem
14:25 < krzee> thats good
14:25 < JW> And that client cannot access the other 192.168.0's behind the server when it's setup that way without setting up a bunch of nasty routing rules
14:25 < krzee> ya you need to let it know the routes
14:25 < JW> i started down that path and it looked like a mess - and something in the documentation at that point said it might be better to try bridging
14:25 < krzee> 192.168.0 is not the network on both sides right?
14:26 < krzee> bridging adds more overhead and to me is less easy
14:26 < JW> I also saw something that said if you want to have all client be on the same net range (192.168.0.*) that it was easier to use bridging
14:26 < krzee> client and server are not both on 192.168.0 right?
14:26 < JW> As far as the network on both sides:
14:26 < JW> it will probably be changing
14:27 < JW> Most of the time the remote client will be using an AT&T data card,
14:27 < JW> and not be attached to a LAN on the remote side
14:27 < JW> Well no, that's how one of the clients will be
14:27 < JW> And that same client will sometimes be on a 10.0.0 network
14:27 < JW> and I suppose every once in a while he'll be on other things at random depending on what hotspot/hotel he's in
14:28 < JW> the other one has a remote office - and I guess a LAN though I have not asked (I'm more worried about the first client who is about to leave the office for a week)
14:28 < JW> I would say let's ignore the client that has the remote LAN for now.
14:28 < JW> krzee: did I lose you?
14:29 < krzee> nah but you're about to
14:29 < krzee> i need to shower and head out =/
14:29 < JW> Ah, well. Too bad.
14:29 < krzee> but imo you want routed and pushed routes
14:29 < krzee> then the router on servers network needs to know the route to 10.8
14:30 < krzee> so when it gets packets from clients it knows where to send them
14:30 < JW> But with that set the clients will see the server as 10.8.* and not 192.168.0.x right?
14:30 < krzee> yes but they will be able to reach 192.168.0 through it if you setup routes
14:30 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
14:31 < JW> BTW we can totally ignore the LAN gateway router (I think) because the server doesn't use the LAN gateway: eth-0 (actually eth2) is connected to the internet directly
14:31 < krzee> the other clients in that lan route through the vpn server by default?
14:31 < JW> No all the LAN-only servers have a route that's their gateway
14:32 < JW> router I mean
14:32 < JW> hardware router
14:32 < JW> A cheap DSL router to be exact.
14:32 < krzee> it needs to know how to reach the vpn
14:32 < JW> the router does?
14:32 < krzee> or every lan machine which will be talked to over the lan does
14:33 < krzee> when they get packets from vpn they send to 10.8 in response
14:33 < krzee> but they have no route for it, so it goes to default
14:33 < krzee> default is the router, which needs to know where to send the 10.8
14:33 < krzee> follow the routes
14:33 < krzee> gotta go shower
14:33 < JW> but won't they see the VPN traffic coming in from 192.168.0.2 (let's say) and respond to that address without having anything to do with going back out through the gateway?
14:33 < JW> See you, thank you.
14:33 < krzee> no
14:33 < krzee> they will see 10.8.sending.machine
14:34 < JW> krzee: will you be back at any time later?
14:34 < krzee> unless you NAT it
14:34 < krzee> yah every day
14:34 < krzee> but likely late
14:34 < krzee> its 3:30 here now, likely around 2am ill be back
14:34 < JW> Doesn't using a bridge setup make all that easier ? :-D
14:34 < krzee> not really
14:34 < krzee> and it adds needless overhead
14:35 < krzee> bbl
14:35 < JW> thanks
14:36 < krzee> btw
14:36 < krzee> even in a bridge the machines need a route back to the machine
14:36 < krzee> they need to know the block of ips goes through the vpn server
14:36 < krzee> so you get the same problem either way, involving routing a subnet in a bridge
14:38 -!- Irssi: ##openvpn: Total of 5 nicks [0 ops, 0 halfops, 0 voices, 5 normal]
14:48 < krzee> on my way out, i take that back
14:48 < ecrist> krzee: not really, a bridge will pass arp broadcasts.
14:48 < krzee> i guess arp handles it
14:48 < ecrist> :)
14:48 < krzee> haha jinx
14:48 < krzee> ;]
14:48 < krzee> shower cleared that up for me
14:48 < krzee> aiight, bbl =]
14:49 -!- mode/##openvpn [+o ecrist] by ChanServ
14:50 -!- ecrist changed the topic of ##openvpn to: OpenVPN | http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html | Current Release: OpenVPN 2.0.9
14:51 -!- mode/##openvpn [-o ecrist] by ecrist
14:56 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:00 -!- eyeris [i=98df84e8@moose.intercarve.net] has joined ##openvpn
15:00 -!- eyeris [i=98df84e8@moose.intercarve.net] has left ##openvpn []
15:11 < BoomSie> I'm having an issue with OpenVPN over here & tracked it down with google, a colleague of mine created a ca+crt+key+ovpn+key files for me, but the crt is 0Bytes (empty) ... now I'm wondering if I could reverse the process and generate it myself and send the 'correct' files to put on the server to him
15:11 -!- JW is now known as JW----------
15:11 -!- JW---------- is now known as JW
15:11 < ecrist> BoomSie: do you have perl installed?
15:11 < BoomSie> create from scratch (taking the certificate basics from the mailserver)
15:11 < BoomSie> jep
15:12 < BoomSie> at least, basic perl the system needs, but I could just pump it up through apt
15:12 < ecrist> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
15:12 < ecrist> on that page is a link for ssl-admin.tar, which is a perl script I wrote to manage ssl certificates.
15:12 < ecrist> it greatly simplifies the ssl certificate management.
15:13 < ecrist> download it, put it in the same directory as your openvpn server config file
15:13 < BoomSie> ... thanks, I'll take a look at it ( for my private server =) ) but could I generate files and hand it to him so he can add it to the openvpn server for example? Cause I'm a complete noob at openvpn to be honest :(
15:14 < BoomSie> all I know is that every user has his/her own cert/key file
15:14 < ecrist> yeah - read that wiki page, it explains quite a bit.
15:14 * BoomSie reads away, thanks in advance
15:14 < ecrist> BoomSie: that script handles all that for you.
15:14 < ecrist> bbl - away for the drive home (with a stop at the bank)
15:14 < BoomSie> =) ... drive safe ;)
15:15 < BoomSie> and watch your back while at the bank
15:17 < BoomSie> magnificent piece of art you made =)
15:39 < BoomSie> specific question, to anyone reading: my colleague created an OpenVPN certificate for me, which was faulty (ubuntu openssl bug -> empty crt file) ... could I just create a new one myself and send it to him to install it on the OpenVPN server so I can login?
16:03 < ompaul> yeah but .... you need to think about the table: http://openvpn.net/index.php/documentation/howto.html where you search for Key Files
16:03 < ompaul> Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
16:03 < ompaul> BoomSie, cos as you need to have particular files on each end
16:04 < ompaul> BoomSie, you make it "not practical" to do it the way you suggest - better for him to update box and start again
16:06 < BoomSie> ay, well, basically, I started this evening, wanting to JUST generate the whole bunch myself, but then someone told me "if you have the ca.crt, why don't you generate it yourself". Making me believe, I can obtain my own my.crt again, so I can just login without bothering the other guy again
16:07 < ompaul> ca.key key signing machine only Root CA key YES
16:07 < ompaul> that line should explain lots
16:09 < ecrist> BoomSie: if you have ca.crt and ca.key (or ca.pem), you can create/sign yourself.
16:09 < ecrist> if you don't, and if it's not your server, you shouldn't, you'll need to have him reissue it.
16:10 < BoomSie> ca.crt & dh1024.pem I have
16:11 < ompaul> no key no go
16:11 < BoomSie> ca.crt though, ONLY contains a key it seems, no common name and stuff
16:11 < BoomSie> I do have a key, my personal one, that's why I'm so confused
16:11 < ompaul> BoomSie, there is a ca.key which is what you really need and if there are other links then you fail
16:11 < ompaul> BoomSie, look at it as a two sided lock
16:12 < ompaul> you got one key and the door is only open to you if the other side of the lock is op
16:12 < ompaul> open
16:12 < ompaul> you don't have the "inner" key
16:12 < BoomSie> oK, so basically, I can generate it for my own personal key, cause the 'my.key' file does contain the common name and stuff
16:12 < ecrist> BoomSie: ca.crt is an encoded certificate, not the key
16:13 < ecrist> dh1024.pem isn't the key
16:13 < ecrist> no
16:13 < ecrist> let me describe it like so:
16:13 < ecrist> SSL is a chain of keys
16:13 < ecrist> at the top, you have a Certificate Authority
16:14 < BoomSie> (the reason I want so desperately try to get the vpn working is cause there's a deadline monday afternoon and I want to commit code asap. I threw in the error the vpn gave me and 9 out of 10 came back with the latest ubuntu bug: Cannot load certificate file prtg.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM @ google.com/linux ... guess what, the guy who gave me th
16:14 < BoomSie> e key/files USES ubuntu, so this is the story behind, I'm not hacking or anything ... well .. a bit, but white hat then ;))
16:14 < ecrist> in many organizations, they create their own CA, called a self-signed certificate.
16:14 < BoomSie> I have 4 files: ca.crt client.ovpn dh1024.pem genmyself prtg.crt prtg.key
16:14 < BoomSie> (genmyself is the testing folder I have to get a normal crt)
16:14 < ecrist> that CA certificate has a key.
16:14 < BoomSie> the prtg.crt is EMPTY cause of the bug
16:15 < BoomSie> jep, only a key
16:15 < ecrist> only the CA admins should have access to that key.
16:15 < ecrist> now, that CA certificate and key pair are used to sign CSR, or Certificate Signing Requests.
16:15 < ompaul> BoomSie, please watch ecrist, the general message is, you can't get there from here
16:16 < ecrist> as an end user (many CA admins just do this part for you), you create a CSR yourself, with a key only you keep (you don't send the key with the CSR to be signed).
16:16 < ecrist> the idea is, each side is the only one with access to their key.
16:16 < ecrist> the CA certificate 'signs' your CSR, and returns a .CRT, certificate, to you.
16:17 < ecrist> so, the key you have, is only for your client key, not the CA key.
16:17 * BoomSie really needs to study again the SSL, feels like a wimp in this moment
16:17 < BoomSie> that I gathered, hoped it would be JUST enough to also create the client pem
16:17 < BoomSie> crt, sorry
16:17 < BoomSie> AAAAA
16:17 < BoomSie> confusion all around =)
16:17 < ompaul> BoomSie, if you read that page it will help you a lot understand the operation
16:17 < ecrist> BoomSie: no, you can't.
16:19 < BoomSie> shitty ... I leave it alone for now, will send him an email + sms ... hope he doesn't get a burnout/heart attack ... pressure is really HIGH on that guy lately =)
16:20 < BoomSie> thought I could avoid needing his assistance, thanks very much guys, I really appreciate the time to get me to understand it, will dig a little deeper in it tomorrow myself. Also the idea of generating a few keys myself for him is completely out of the picture I guess
16:21 < ompaul> BoomSie, yes, what you do is point them to the http://openvpn.net/index.php/documentation/howto.html that just "works"
16:22 < BoomSie> together with this script: https://www.secure-computing.net/wiki/index.php/OpenVPN_Server ? (I mean, the guy REALLY knows his things about openvpn, but he was experimenting/testing last few days on ubuntu with the things we are developing, so this afternoon he 'just' generated it for me. He couldn't know that (k)ubuntu had this bug)
16:25 * BoomSie likes to broaden his knowledge now and then ... until he hits his head SO hard against the wall for completely not knowing the basics behind technology he's working with. Gives him a shock back to reality and urge to read his way into stuff =)
16:31 -!- Irssi: ##openvpn: Total of 6 nicks [0 ops, 0 halfops, 0 voices, 6 normal]
16:45 -!- JW [n=jw@cvs.claborn.net] has quit ["Thanks"]
17:02 -!- JW [n=jw@32.176.55.80] has joined ##openvpn
17:03 < JW> So I have a bridge setup that's almost working,
17:03 < JW> the client can talk to the server: ping and make ssh connections
17:03 < JW> and the server can talk to the client on its "LAN" address: ping and make ssh connections
17:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:03 < JW> but when the client tries to talk to other hosts on the LAN, there is no response.
17:04 < JW> So I've done something wrong - anyone know what?
17:04 < ecrist> JW, are your VPN clients on the same subnet as the LAN clients?
17:04 < JW> Or have a guess, at least? :-)
17:04 < JW> I'm not 100% sure what you're asking but they are all on 192.168.0.0/24 255.255.255.0
17:05 < JW> including the clients
17:05 < ecrist> ok.
17:05 < JW> the server is using the server-bridge config directive and is handing out IPs to the clients
17:05 < JW> only one client at this time
17:05 < ecrist> can you pastebin your client config?
17:05 < JW> certainly what would you like me to use for a pastebin?
17:06 < ecrist> anything
17:07 < JW> Yeah I almost never use one so I don't have any URLs bookmarked, hold on I'll find one
17:07 -!- mode/##openvpn [+o ecrist] by ChanServ
17:07 -!- ecrist changed the topic of ##openvpn to: OpenVPN | http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html | Current Release: OpenVPN 2.0.9 | Please use http://pastebin.com or like for >5 lines.
17:07 -!- mode/##openvpn [-o ecrist] by ecrist
17:10 < JW> I'm working on it.
17:10 < JW> mind if I just give you the grep -v output?
17:12 < ecrist> sure, curious what you're omitting, though.
17:12 < JW> http://pastebin.com/d2a90e055
17:12 < JW> would have omitted the comments (lots of them) but never mind they're all there
17:12 < JW> I have changed very little from the default config
17:13 < JW> tcp > udp
17:13 < JW> host name.
17:13 < JW> path to cert.
17:13 < JW> I think that's it.
17:13 < ecrist> can I see the server config?
17:16 < JW> http://pastebin.com/d6f3bbecc
17:18 < ecrist> ok, both look good. you said server and client can ping each other?
17:18 < JW> yes, and I can ssh between them using the 192.* IP
17:18 < JW> both ways
17:18 < JW> I have the firewall open completely for br0 right now
17:19 < JW> and actually I do for tun0 and tap0 just to avoid any potential problems until I get all the bugs worked out.
17:19 < JW> BTW I'm using this for my guide: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
17:19 < ecrist> ifconfig shows IPs for br0, and tap0?
17:19 < JW> IPs for br0
17:20 < JW> there is no IP on tap0, it's bridged with eth3
17:20 < JW> eth3 is still working on the real, local LAN though.
17:20 < ecrist> ok, gimme one minutes
17:20 < ecrist> minute*
17:20 < JW> don't be misled by the eth3 name, it's only 1 of two NIC (external & internal)
17:21 < ecrist> did you run the bridge-start script?
17:21 < JW> yes
17:21 < JW> on the server
17:21 < JW> before starting openvpn
17:21 < JW> I manually added iptables -A FORWARD -i br0 -j ACCEPT like the documentation says but it didn't help any.
17:21 < JW> (I don't normally use IPtables directly, I use firehol)
17:22 < ecrist> I'm not a linux/iptables person, so I hope it's not a firewall issue
17:22 < ecrist> can you show me ifconfig output?
17:22 < ecrist> if you want, pm me the pastebin for a bit of privacy
17:23 < JW> Yeah same here. Earlier I had the br0 blocked (or more simply, not expressly opened) on accident and it took me ages to figure it out.
17:23 < JW> good idea
17:23 < JW> You want the server's ifconfig right?
17:24 < ecrist> yes,
17:24 < ecrist> I'm not worried about the client.
17:26 < ecrist> JW: the IPs look weird.
17:26 < ecrist> there is no 999 in IPv4
17:26 < ecrist> :]
17:26 < JW> ecrist: of course. It's a real address.
17:26 < JW> 9's are just place holders.
17:27 < ecrist> by 'real' do you mean internet-routable?
17:27 < JW> trust me there is nothing wrong with the plain old network config part.
17:27 < JW> yes
17:28 < ecrist> actually, I think that's your problem.
17:28 < JW> I don't think so - I've probably confused you - but please explain
17:29 < JW> eth2 is the external NIC. There is no eth0 or eth1 thanks to Debian going weird on me during an upgrade.
17:29 < ecrist> ok, so where's your LAN interface?
17:29 < JW> eth3
17:29 < JW> which is bridged with tap0 into br0
17:30 < ecrist> hrm, OK, so LAN clients can ping 192.168.0 OK?.127
17:30 < JW> yes, exactly
17:30 < ecrist> hrm, OK, so LAN clients can ping 192.168.0.127 OK?
17:30 < JW> even after openvpn is started on the server and client
17:31 < ecrist> and VPN clients can ping 192.168.0.127 just fine?
17:31 < ecrist> but they can't ping each other?
17:31 < JW> There is only one VPN client, and yes, it can ping 192.168.0.127
17:31 < JW> and the client can ssh to 192.168.0.127
17:31 < JW> also the server can ssh back to 192.168.0.112 which is the VPN client's VPN-given IP address
17:32 < JW> everything between the client and server is working dandy
17:32 < JW> however the remote VPN client is not able to ping/ssh other hosts on the LAN
17:32 < JW> the client is connected directly to the internet through ppp0.
17:33 < ecrist> it's looking like a firewall problem.
17:33 < JW> The client is NOT on a remote LAN, it's all alone on ppp0
17:33 < JW> hmm.
17:33 < JW> like, something isn't being forwarded right?
17:33 < ecrist> yes
17:33 < ecrist> is there a reason you need bridging?
17:33 < ecrist> routed vpns are much easier.
17:34 < JW> Hey, you're right - I turned the firewall off for a sec and the vpn client can ssh directly to another machine on the LAN.
17:34 < JW> so it's not even a forwarding or routing problem.
17:35 < JW> Somehow the client is plain old blocked on the server firewall.
17:35 < ecrist> that's a common problem.
17:35 < JW> I wonder what part would control that since I have all of br0 totally open.
17:35 < ecrist> I was looking in to other things because you said you'd turned off the firewall for those interfaces...
17:35 < ecrist> :)
17:35 < ecrist> JW, eth3 and tap0 rules would affect it, as well.
17:35 < JW> for all of br0, tun0, and tap0, yes, it's completely open.
17:36 < JW> something in the eth3 rules must be muddling with it.
17:36 < JW> 2nd time today the firewall has bitten me.
17:36 < ecrist> you prolly have to allow arp through, amongst other things.
17:38 < JW> Ok excuse me for being dumb - arp is NOT the same as ICMP, right?
17:39 < ecrist> it's its own protocol
17:39 < ecrist> non-stateful
17:43 < ecrist> I'd just allow all traffic between br0, tap0, and eth3
17:43 -!- SilenceGold [n=chris@adsl-70-232-50-35.dsl.ltrkar.sbcglobal.net] has quit [Nick collision from services.]
17:43 -!- SilenceGold [n=chris@70.232.50.35] has joined ##openvpn
17:43 < JW> all 3 of those already have client all allow.
17:44 < JW> and now all 3 of them have server all allow but it's still not working.
17:44 < JW> There must be some special command to allow arp but I'm not finding it in the docs yet
17:44 < SilenceGold> is it tap or tun? JW
17:45 < ecrist> tap0, SilenceGold
17:45 < SilenceGold> heh
17:45 < ecrist> JW, at least you know it's a firewall issue, now.
17:45 < JW> yes
17:45 < SilenceGold> yea arp packets should go thru tap0 then
17:46 < JW> SilenceGold: do you happen to know how to do that with firehol?
17:46 < SilenceGold> firehol?
17:46 < JW> I guess that answers the Q :-)
17:47 < JW> Well it's working beautifully when the firewall is not in the way.
17:47 < JW> I can't see why everyone says the routed setup is easier than the bridged one.
17:48 < JW> (when you're trying to access LAN clients behind the server)
17:50 < JW> The internal LAN clients can even ssh back out to the remote VPN client without ever knowing the difference. Fabulous!
17:54 < SilenceGold> JW, the problem with tap is that you can only do one tap to other tap tunnel
17:54 < SilenceGold> tun, you can handle multiple clients
17:54 < SilenceGold> from all over the internet cloud
17:55 < JW> SilenceGold: are you saying you can only have one client at a time?
17:55 < JW> one remote client?
17:55 < SilenceGold> not 100% certain
17:55 < JW> If so, that's ugly.
17:57 < JW> Well thanks for all the help, I gotta run now.
17:57 -!- JW [n=jw@32.176.55.80] has quit ["Thanks!"]
19:31 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn
19:33 < kraut> what happened to #openvpn?!
20:08 < SilenceGold> we had problems with authority
20:08 < SilenceGold> so now #openvpn is closed and will be ##openvpn
20:09 < SilenceGold> those who are still online are still in #openvpn but it's +m
21:11 -!- SilenceGold [n=chris@70.232.50.35] has quit [Remote closed the connection]
21:42 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit [Read error: 110 (Connection timed out)]
21:52 -!- SilenceGold [n=chris@adsl-70-232-50-35.dsl.ltrkar.sbcglobal.net] has joined ##openvpn
22:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Sat Aug 02 2008
00:31 -!- freezer [n=freezer@static.12.72.46.78.clients.your-server.de] has joined ##openvpn
00:31 < freezer> hi
00:32 < freezer> krzee: it seems to run fine with tun now
00:33 < krzee> nice =]
01:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
01:24 -!- freezer [n=freezer@static.12.72.46.78.clients.your-server.de] has quit [Remote closed the connection]
01:29 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
01:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:45 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
07:35 -!- Irssi: ##openvpn: Total of 4 nicks [0 ops, 0 halfops, 0 voices, 4 normal]
10:58 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
11:01 -!- daemon [n=paul@laptop2.daemoncore.org] has joined ##openvpn
11:04 < daemon> hey guys im having a weird problem with openvpn
11:04 < daemon> on one my clients
11:04 < daemon> I get this as an error:
11:04 < daemon> Sat Aug 2 17:04:27 2008 Cannot load CA certificate file /usr/local/etc/openvpn/keys/ca.crt (SSL_CTX_load_verify_locations) (OpenSSL)
11:15 < daemon> ah corrupt file nm
13:46 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
14:36 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
15:52 -!- daemon [n=paul@laptop2.daemoncore.org] has quit [Read error: 104 (Connection reset by peer)]
16:17 -!- bandini [n=bandini@host208-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
17:49 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
18:40 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:49 -!- _aia_ [n=_aia_@unaffiliated/aia] has joined ##openvpn
--- Log opened Sun Aug 03 00:40:11 2008
00:40 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined ##openvpn
00:40 -!- Irssi: ##openvpn: Total of 7 nicks [0 ops, 0 halfops, 0 voices, 7 normal]
00:40 -!- Irssi: Join to ##openvpn was synced in 5 secs
01:30 -!- Buzer [n=buzer@cs151132.pp.htv.fi] has joined ##openvpn
01:31 < Buzer> Hello. Does anyone happen to know if it's possible to assign clients to different bridge based on their certificate (as I would like to assign clients to different vlans)?
01:56 < Buzer> hmm... Seems client-connect script should solve my problem
01:56 -!- Buzer [n=buzer@cs151132.pp.htv.fi] has quit []
02:16 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
04:49 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
05:30 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
05:30 -!- bandini [n=bandini@host208-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
--- Log opened Sun Aug 03 09:01:38 2008
09:01 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined ##openvpn
09:01 -!- Irssi: ##openvpn: Total of 8 nicks [0 ops, 0 halfops, 0 voices, 8 normal]
09:01 -!- Irssi: Join to ##openvpn was synced in 12 secs
09:25 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
09:46 < daemon> hey guys
09:46 < daemon> hola ecrist :)
09:46 < daemon> im about to take my laptop into an environment where ill probably be expected to use NAT ?*psh*
09:46 < daemon> have i got to start forwarding ports for my openvpn client to get out to my server
09:46 < daemon> or should I be ok
09:46 < daemon> im using udp as the protocol
09:51 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:35 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"]
14:00 < SilenceGold> daemon you shouldn't have to forward any ports provided if the NATD is smart at keep-state connections
14:01 < SilenceGold> if you are hosting an openvpn server behind the NATD, you can just port forward a single port that your openvpn server is using
14:20 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
14:20 -!- _aia_ [n=_aia_@unaffiliated/aia] has joined ##openvpn
14:30 -!- drax` [n=drax@bob.sweon.net] has joined ##openvpn
14:30 < drax`> hi g
14:30 < drax`> hi guys
14:32 < drax`> banging my head against this --> http://dpaste.com/69173/
14:32 < drax`> I've set it up the same way I've setup dozens of openvpn ... I don't get where this is coming from
14:33 < drax`> openssl verify on the client and servers certs say OK
14:34 < drax`> the ca cert is the same on both sides
14:34 < drax`> any directions appreciated
15:41 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
15:42 < krzie> anyone here use osx besides me?
15:42 < krzie> ive got an idea
15:42 < krzie> wanna get feedback
15:46 * drax` raises hand
15:47 < krzie> came up with an idea last night
15:48 < krzie> while almost sleeping
15:48 < krzie> the apple remote can be paired to your computer
15:48 < krzie> at that point it could easily be used as the poor man's crypto card
15:49 < krzie> not to replace a pw / certs, as its predictable (not alternating the signal or anything)
15:49 < krzie> but as an addition, it seems easy and nice
15:52 < drax`> Could be fun I suppose
15:53 < drax`> not that useful in practise though ;)
15:55 < krzie> heh i guess not =/
15:55 < krzie> i dunno, seems better than no token
15:55 < krzie> but its definitely no usb token
15:58 < drax`> hey krzie you couldn't help me out with this? http://dpaste.com/69173/
15:59 < drax`> i'm going nuts. It's not like its my first openvpn either...
15:59 < krzie> both configs pls
16:01 < krzie> ouch, why tcp?
16:01 < krzie> (you know the ramifications of tcp over tcp...?)
16:02 < drax`> http://dpaste.com/69197/
16:02 < krzie> also, you should re-make your certs after reading http://openvpn.net/howto.html#mitm
16:03 < drax`> tcp cuz later on it'll be used with socks5. udp doesn't go over socks :(
16:03 < krzie> ahh
16:03 < krzie> ya i go the other way, i do socks5 over my vpn
16:03 < krzie> if you can get around that, try to at all cost
16:03 < krzie> tcp-over-tcp is very bad
16:04 < drax`> I'm using the easy-rsa from debian, and I've got tons of other vpns generated the same way, that work. I don't get it
16:04 < krzie> http://sites.inka.de/~W1011/devel/tcp-tcp.html
16:04 < krzie> (good read)
16:05 < krzie> build-key-server
16:05 < drax`> my server cert is a server cert
16:05 < drax`> yeah, that's what I used
16:05 < drax`> and build-key for the clients
16:05 < krzie> ahh, then all you gotta do is check for it with ns-cert-type server
16:06 < krzie> but thats not your problem
16:06 < drax`> ok thx, i'll add that
16:06 < krzie> just a god thing to do once your problem is fixed (and on existing vpns)
16:06 < krzie> s/god/good/
16:06 < drax`> noted :)
16:07 < krzie> your 10. ips are separate networks right?
16:07 < krzie> (your test setup)
16:07 < krzie> in same network has issues
16:07 < krzie> could be the problem even if everything is setup right
16:08 < drax`> well actually, the original conf was with public ips (and a firewall in between)
16:08 < krzie> oh ok
16:08 < drax`> I changed those to 10... for testing, after it not working
16:08 < drax`> but it didn't help, heh :)
16:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:09 < krzie> ya and you seem to know enough that i dont care if i see real ips or not (its annoying when unskilled people do that cause its sometimes part of their problem)
16:09 < drax`> I understand yeah
16:09 < krzie> ahh dude
16:09 < krzie> server has tls-server
16:10 < krzie> client doesnt know about it
16:10 < krzie> plus, no TLS static file
16:10 < drax`> what annoys me even more is i've done this like 10 times, i even have .sh scripts
16:10 < drax`> mm ok.
16:10 < krzie> thats the problem
16:10 < drax`> what should I do. just 'server' on the server ?
16:10 < krzie> for test you could comment tls-server
16:11 < krzie> but then you'll wanna fix the problem
16:11 < krzie> (by setting up TLS verification correctly)
16:11 < krzie> 1sec lemme look at my config
16:12 < krzie> client:
16:12 < krzie> ns-cert-type server
16:12 < krzie> tls-auth /home/krzee/vpn/keys/ta.key 1
16:12 < krzie> server:
16:12 < krzie> tls-auth /home/krzee/vpn/keys/server-ca/ta.key 0
16:13 < krzie> you dont need tls-server and tls-client anymore
16:13 < krzie> at least not in dev branch (which i recommend)
16:13 < drax`> hum, I think it defaults to tls-server. If I comment it out on the server, errors stay the same
16:14 < drax`> wait lemme setup another client, this tunnelblick on osx is pissing me off :)
16:14 < krzie> oh dude i hate that app
16:15 < krzie> i just use a .command file
16:15 < krzie> (sh scripts named .command can be double clicked)
16:15 < drax`> damn, that's some protip
16:16 < krzie> ya its nice and lazy when you have 20 .command scripts in stacks
16:16 < drax`> I'll probably get round to doing that. it's always crashing i hate it
16:16 < krzie> haha
16:16 < krzie> i tried tunnelblick once, wont be doing it again
16:16 < krzie> also
16:17 < krzie> dont forget to tell openvpn to drop privs
16:17 < krzie> user nobody
16:17 < krzie> group nogroup
16:17 < drax`> true dat
16:17 < krzie> for server and client
16:17 < krzie> (whatever sandbox account you use)
16:18 < drax`> yeah, this one in particular is for an NIDS
16:18 < drax`> would be silly to get owned this way :)
16:18 < krzie> NIDS \ ?
16:19 < drax`> network IDS
16:19 < krzie> ahh, lol
16:19 < krzie> ya would be funny way to go down
16:20 < krzie> oh also
16:20 < krzie> keyx doesnt happen overly often
16:21 < krzie> so increasing to say 4096 isnt very expensive
16:21 < krzie> (only expensive during key creation)
16:21 < drax`> where is that set ?
16:21 < krzie> your DH key, your TLS static key, your cert generating
16:22 < krzie> (the RSA sig)
16:22 < drax`> oh sorry, I misread
16:22 < drax`> yeh ok, size matters ;)
16:22 < krzie> hahah
16:23 < krzie> its one of those things where it doesnt hurt you any to increase it, so may as well
16:23 < krzie> its only during keyx that it increases overhead
16:23 < drax`> wait, those lines you pasted. its for a server-server config ?
16:23 < drax`> ie not a roadwarriors config ?
16:23 < krzie> the client can be whatever
16:24 < krzie> another server, or a remote laptop in unknown lands
16:25 < drax`> but you use a pkcs12 file right ?
16:25 < krzie> nah
16:25 < drax`> hurm
16:26 < krzie> in fact, ive gotta google that to see what it would be
16:26 < krzie> heh
16:26 < krzie> like where it would go in the auth
16:27 < krzie> ahh diff style of key file
16:27 < drax`> grah, I'm going nuts, my config works everywhere except now
16:27 < krzie> nah i use 4096 RSA
16:28 < krzie> try rebuilding your certs
16:28 < krzie> and include a TLS static key
16:28 < krzie> depending on if its dev branch or stable i think syntax for TLS static key differs
16:28 < krzie> the one i pasted is for dev
16:29 < krzie> IIRC stable branch would want tls-client and tls-server
16:29 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
16:29 < drax`> if just got whatever's in the debian package (stable). It's not like I'm _asking_ for trouble or anything :)
16:29 < krzie> in mine its the 0 and 1 after tls-auth /home/krzee/vpn/keys/ta.key 1
16:29 < krzie> 1 being client
16:30 < drax`> ok
16:30 < krzie> also, your debian has updated ssl right?
16:30 < krzie> (the debian specific SSL issue)
16:30 < drax`> yeh, fresh install, updated
16:30 < drax`> and the bells and stuff
16:31 < krzie> the dev branch is worth using btw
16:31 < krzie> imo
16:31 < krzie> not that you have to, but i would / do
16:31 < drax`> ll
16:31 < drax`> woops
16:31 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
16:32 < krzie> [Openvpn-devel] OpenVPN 2.1_rc9 released -- note security fix James Yonan 0 2008-08-01 06:41
16:32 < krzie> http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel
16:34 < drax`> security fix ey
16:34 < krzie> hrm, i think imma paste my configs to my webserver
16:34 < krzie> will come in handy often for showing in here
16:34 < drax`> ok I'm gonna re-gen all my configs and certs
16:35 < drax`> I'm pretty sure I'm gonna hit the same wall and it's gonna piss me off :)
16:35 < drax`> fg
16:35 < drax`> rah, sorry :)
16:36 < krzie> lemme show you my configs too
16:36 < krzie> once i post them
16:40 < drax`> ok static keys work
16:40 < drax`> but that doesn't help me, cuz that's not the setup I want
16:40 < drax`> gonna try again, with easy-rsa package
16:49 < krzie> http://www.ircpimps.org/openvpn.configs
16:50 < krzie> no no
16:50 < krzie> the TLS static keys are additional security
16:50 < krzie> not replacement
16:50 < krzie> it complements your setup
16:52 < krzie> doesnt replace your certs or anything
16:55 -!- _aia_ [n=_aia_@unaffiliated/aia] has quit ["Bye"]
16:55 < krzie> that will give you HMAC sigs
16:56 < krzie> # For extra security beyond that provided
16:56 < krzie> # by SSL/TLS, create an "HMAC firewall"
16:56 < krzie> # to help block DoS attacks and UDP port flooding.
16:56 < krzie> #
16:56 < krzie> # Generate with:
16:56 < krzie> #   openvpn --genkey --secret ta.key
16:56 < krzie> #
16:56 < krzie> # The server and each client must have
16:56 < krzie> # a copy of this key.
16:57 < krzie> # The second parameter should be '0'
16:57 < krzie> # on the server and '1' on the clients.
16:57 < krzie> ;tls-auth ta.key 0 # This file is secret
16:57 < krzie> basically, unless each packet is signed with that, openvpn wont even process it
16:58 < krzie> i have a feeling that would help against attacks against potential daemon security issues too (unless the security issue was in HMAC processing)
17:03 < drax`> yeh I saw
17:03 < drax`> ok I think I've got progress
17:04 < krzie> personally i use 4096 keys everywhere, but im a freak like that
17:04 < drax`> error=self signed certificate in certificate chain
17:04 < drax`> I don't think I had that before
17:04 < krzie> but ild use 1024 just for testing cause they're so much faster to generate
17:05 < krzie> odd
17:06 < krzie> paste whole thing?
17:06 < krzie> also for testing you should raise your verbosity
17:06 < krzie> to 6 or so
17:06 < krzie> you can go back down when everything works
17:06 < krzie> i leave mine at 4 for everyday usage, but lower is fine when everything is good
17:07 < krzie> (i see your client had 1)
17:07 < drax`> http://dpaste.com/69211/ <-- client
17:08 < drax`> http://dpaste.com/69212/ and server
17:08 < krzie> k, server and both logs pls
17:10 < krzie> and up the verb to 6
17:10 < krzie> before posting logs
17:10 < krzie> verb = high for debugging
17:12 < drax`> http://dpaste.com/69213/ <-- server logs with verb 6
17:13 < krzie> can you switch to udp just for the testing of configs?
17:13 < drax`> http://dpaste.com/69214/ <-- client with verb 6
17:13 < drax`> yeah
17:14 < krzie> actually nm
17:14 < krzie> doesnt matter
17:14 < krzie> now that i see client log
17:16 < drax`> yeh, I switched but the errors stay the same
17:18 < krzie> both boxes have the correct time/date?
17:18 < krzie> can be checked or fixed by using ntpdate time.nist.gov
17:19 < drax`> hurm yeah the timezone is wrong on one
17:21 < krzie> that could do it
17:21 < drax`> wtf, after ntpdate it's ever more wrong :)
17:21 < krzie> whats more wrong?
17:22 < krzie> and how much was the time off as reported by ntpdate
17:22 < drax`> the time, it's like half a day off :)
17:22 < drax`> was only two hours off before
17:22 < drax`> gonna fix it 2s
17:23 < krzie> no the time is correct as related to GMT
17:23 < krzie> aka UTC
17:23 < krzie> your timezone is off
17:23 < krzie> http://www.debian-administration.org/articles/213
17:24 < krzie> ntpdate will make your clock correct, if date then shows it as diff than you expect, you need to fix your TZ
17:25 < drax`> yeah that's what I meant, the damn thing requires a reboot though :(
17:26 < krzie> nah you should be fine with just tzselect
17:26 < krzie> i dont use debian but i cant remember ever rebooting gentoo or fbsd after changing the TZ
17:26 < krzie> its just an offset from UTC
17:28 < krzie> http://wiki.debian.org/TimeZoneChanges
17:30 < krzie> either way, openvpn doesnt care if the timezones are set, agree or anything
17:31 < krzie> once both agree on UTC time you're fine
17:35 < drax`> k, well time is set according to time.nist.gov
17:35 < krzie> same error?
17:35 < drax`> yep
17:38 < drax`> hurm wait no, I'm not getting the same time depending on the shell.
17:38 < drax`> ffs..
17:39 < krzie> just run that command on both
17:39 < krzie> well
17:40 < drax`> well, that I did. but the timezone is off
17:40 < krzie> doesnt matter
17:41 < krzie> (for this)
17:42 < drax`> yeah it was the TLS Error: Unroutable control packet received
17:42 < drax`> but I don't seem to be getting those anymore
17:43 < krzie> interesting
17:43 < drax`> in fact I'm seeing stuff about 'P_CONTROL_V1' so I suppose those "control" packets are going through
17:48 < drax`> hurm wait I think my CA is broken because of the whole timezone thing
17:48 < drax`> I've gone back in time now, it's "not yet valid"
17:48 < krzie> oh
17:48 < krzie> it was generated on the machine that was off?
17:48 < krzie> that got updated by ntpdate?
17:48 < drax`> yeh
17:48 < krzie> yup
17:48 < krzie> time to make them again ;]
17:49 < krzie> at least you'll be a cert generating pro ;]
17:49 < drax`> 4th time's a charm..
17:52 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has joined ##openvpn
17:56 < drax`> raaaah it works \o/
17:57 < drax`> so in the end it was probably all because of my time being off... grrr
17:57 < drax`> thx for the input krzie
17:58 < drax`> it's only 1 in the morning... :)
17:58 < krzie> np man =]
17:58 < krzie> 7pm here
17:59 < krzie> although 1am is closer to the time i shine
17:59 < krzie> haha
17:59 < krzie> im only alive at this time cause of coffee (<-- nocturnal)
18:05 < krzie> drax, its still a good thing you had the problem
18:05 < krzie> cause now you know a few more things to do to make your setup better
18:05 < krzie> which ild say is worth any time you spent troubleshooting
18:05 < krzie> especially since you have multiple setups
18:10 < drax`> yeah no, I must agree I learnt quite a bit
18:10 < drax`> but I'm taking the plane in two days with this box, I would rather have not lost those precious hours :D
18:10 < drax`> but nevermind :)
18:11 < drax`> yeah thanks for those extra tips, I'll add a tls-auth
18:11 < drax`> and I made 4096bit keys, "because I can" :p
18:12 < krzie> =]
18:13 < krzie> yup
18:13 < krzie> doesnt hurt you any
18:13 < krzie> and as you mentioned, its the size that matters ;]
18:15 < drax`> well unless you've got some twat commenting out lines in mt_rand.c, but that's not the subject :P
18:18 < krzie> haha
18:34 < krzie> <-- loves some twat
18:34 < krzie> o_O
18:49 < drax`> That's a troll that'll last for ages :)
18:50 < drax`> http://blog.rominet.net/images/debiancat3.jpg
18:50 < krzie> hah
18:51 < krzie> www.ircpimps.org/pimpin.jpg
18:51 < drax`> mad photoshop skillz I see
18:51 < krzie> lol no actually i suck at art
18:51 < krzie> i had a guy i gave free hosting to to do all my art stuff
18:51 < krzie> haha
18:54 < krzie> it would be a stick figure if left up to me
18:54 < krzie> lol
19:10 -!- krzie [i=krzee@unaffiliated/krzee] has quit ["BitchX: causing all sorts of havok!"]
19:43 -!- drax` [n=drax@bob.sweon.net] has left ##openvpn []
22:19 -!- Irssi: ##openvpn: Total of 8 nicks [0 ops, 0 halfops, 0 voices, 8 normal]
22:19 < ecrist> yawn.
22:20 < ecrist> have a good night.
--- Day changed Mon Aug 04 2008
00:28 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
02:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:11 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
02:21 < kraut> moin
02:46 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
04:17 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
04:17 < kexman> hi
04:17 < kexman> im using openvpn as a client under linx
04:17 < kexman> *linux*
04:17 < kexman> and im having problems with /etc/resolv.conf
04:18 < kexman> since my router is overwriting it from time to time
04:18 < kexman> i set search and openvpn dns server so i can find stuff inside my network
04:19 < kexman> but the dhcp client on my laptop overwrites stuff
05:01 < krzee> i dont know linux all that well but in the conf.d file for dhcp you can turn that off
05:02 < krzee> you can tell it not to override your NS stuff
05:09 < kexman> krzee: hmm
05:09 < kexman> but some times i need it to override :)
05:09 < kexman> like when i dont know the ip of the openvpn server :)
05:10 < kexman> well not that that changes but i dont like to enter ips in my openvpn config
05:10 < kexman> i like to enter dns hosts
05:10 < kexman> krzee: i need dns resolution
05:11 < kexman> before i can get onto the openvpn network and use my localnetwork dns server
05:28 < krzee> http://www.phocean.net/?p=12
05:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:01 < kexman> krzee: thanx
06:02 < kexman> ill bookmark that page for later use
06:02 < kexman> it seems good
06:10 < krzee> np
06:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
07:14 -!- snejk [n=snejk@f213-89-26-57.bredband.comhem.se] has joined ##openvpn
07:26 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn
07:27 < vlt> Hello. I got some strange error messages on one client today: "TLS Error: unknown opcode received from xxx.xxx.81.182:1197 op=22" and "Authenticate/Decrypt packet error: packet HMAC authentication failed". Any idea what could cause this?
07:37 -!- snejk [n=snejk@f213-89-26-57.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
07:41 < ecrist> vlt: what does the google say?
07:41 < ecrist> that message comes up with about 538,000 hits in google
07:47 < kexman> vlt: uuu wait i had something like that before
07:48 < kexman> but i cant remember what was the problem
07:48 < kexman> but i fixed it using google :)
07:50 -!- Edward123 [n=edward@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn
07:50 < Edward123> hey
07:50 < Edward123> i've setup openvpn elsewhere, i can connect up fine (using ethernet bridging) and see other machines by IP but for some reason the netbios stuff isn't working?
07:50 < Edward123> i notice the TAP adapter doesn't have a gateway set, should it? would that make a difference?
07:51 < ecrist> Edward123: if you're using correct IP addressing (all on the same subnet), NetBIOS should be fine.
07:51 < ecrist> gateway is only needed for off-network communication.
07:51 < Edward123> actually i think netbios might be OK
07:51 < Edward123> yes, it's just we're on separate 'workgroups'
07:52 < Edward123> sorry about that heh
07:52 < Edward123> openvpn is great
07:56 < kexman> really great :)
07:56 < kexman> Edward123: that is cause hmm wait with bridging you should be able to see broadcast
07:57 < kexman> :) lol Edward123 put the same workgroups :)
07:58 < Edward123> heh kexman
07:58 < Edward123> now i realise it's not an issue
07:58 < Edward123> openvpn is a really good piece of light software that does a great job for free
07:59 < Edward123> i tried to implement windows native VPN and it was a bitch
07:59 < Edward123> not to mention the fact that windows XP doesn't even support SSL VPN natively
07:59 < Edward123> openvpn took half the time and was twice as good
07:59 < Edward123> and works with other devices too
07:59 < ecrist> Edward123: windows natively supports PPTP, which used to be the standard
08:34 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn
08:34 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit [Remote closed the connection]
08:36 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn
09:04 < Edward123> ecrist, sure, i've read that
09:05 < Edward123> but who wants PPTP when you can have SSL?
09:05 < ecrist> Edward123: what I'm saying is that it's not windows-specific. Macs and others support PPTP by default. I agree, using SSL keys is better.
09:14 < cpm> macs and windows also do l2tp/ipsec, which is arguably much better than pptp, by an order of magnitude. A lot trickier to implement than openvpn however.
09:16 < ecrist> cpm, pm?
09:17 < Edward123> ##vpn-politik
09:18 < Edward123> i haven't really got to grips with the openvpn gui yet
09:19 < Edward123> all it seems to do is proxying
09:20 < Edward123> maybe that's all it's supposed to do
10:47 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:48 < ecrist> cpm, you around?
11:04 -!- Edward123 [n=edward@host81-149-214-135.in-addr.btopenworld.com] has quit ["zzz"]
12:11 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
12:27 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit [Remote closed the connection]
12:35 -!- xattack [i=root@132.248.108.239] has joined ##openvpn
12:51 < xattack> i'm having some problems to use openvpn with ipv6 protocol , is this wrong ? computer 1 : openvpn --remote 2001:1218:1:6:211:11ff:fe2b:40f2 1194 --tun-ipv6 --dev tun --ifconfig 10.4.0.1 10.4.0.2 --verb 9 and for computer2 openvpn --remote 2001:1218:6:2c0:4fff:fead:dcd2 1194 --tun-ipv6 --dev tun0 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
12:52 -!- Irssi: ##openvpn: Total of 12 nicks [0 ops, 0 halfops, 0 voices, 12 normal]
12:52 * ecrist has no ipv6 openvpn experience, yet.
12:52 < xattack> any feedback is welcome
12:52 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
12:53 < ecrist> xattack: can you put that into normal configuration and pastebin it?
12:53 < ecrist> it's easier to read that way
12:53 < xattack> ok
12:53 < xattack> computer 1 debian
12:55 < xattack> openvpn --remote 2001:1218:1:6:211:11ff :fe2b:40f2 1194 --tun-ipv6 --dev tun ---ifconfig 10.4.0.1 10.4.0.2 --verb 9
12:55 < xattack> computer 2 openBSD
12:56 < xattack> openvpn --remote 2001:1218:1:6:2c0:4fff :fead:dcd2 1194 --tun-ipv6 --dev tun ---ifconfig 10.4.0.2 10.4.0.1 --verb 9
12:56 < ecrist> xattack: pastebin.com, please
12:56 < xattack> ok let me check it
12:57 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
13:49 < xattack> ecrist: sorry , takes a lot, but at least , there is in pastebin.com ,thx !
13:49 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
13:49 < xattack> http://pastebin.com/m4eecad33
13:52 < xattack> any idea , feedback , recommendation are welcome
13:53 < ecrist> xattack: line 408 in your paste leads me to believe it can't find the other host...
13:57 < xattack> yeah ,and thats the problem , in ipv4 works fine , without problem , but in ipv6 i dont know why it is not finding the other host , any idea ?
13:58 < ecrist> xattack: can you ping back and forth via IPv6?
13:58 < xattack> yes
13:58 < ecrist> sometimes, you have to enclose IPv6 addresses in square brackets, depending on what's going on.
13:59 < xattack> ok , let me try it , you're right !
14:00 < ecrist> so, you got it workings?
14:00 < ecrist> working*
14:01 < xattack> not yet , one moment , please , thx!
14:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:04 < xattack> ecrist: not working , men , still saying [HOST_NOT_FOUND] , cannot resolve host address , sorry
14:04 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
14:04 < ecrist> xattack: check the FAQ on the openvpn page - limited ipv6 support.
14:04 < ecrist> The VPN carrier connection must currently use IPv4 endpoints, however there's a patch
14:05 < xattack> i have done my homework , i think , but im gonna doublecheck the sources
14:07 < ecrist> well, it appears that you're trying to use IPv6 endpoints - which isn't supported.
14:07 < ecrist> :\
14:07 < ecrist> and it states that in the FAQ
14:12 < xattack> ecrist: yeah , when i use them in ipv4 , it works well , no problem there , where did you find the patch ?
14:12 < xattack> =0
14:12 < ecrist> xattack: I didn't, that was a copy out of the FAQ, which I'm sure you read, did you did your homework...
14:13 < ecrist> s/did/since/
14:13 < krzee> heh
14:14 < krzee> mind reader :-p
14:14 < ecrist> xattack: please go and read the FAQ from the openvpn main site.
14:14 < krzee> http://www.google.com/search?hl=en&q=ipv6+patch+openvpn&btnG=Google+Search
14:14 < xattack> jajaja ok men , im gonna check it again , thx a lot for all ! =)
14:15 < xattack> byte !
14:15 -!- xattack [i=root@132.248.108.239] has quit ["Leaving"]
14:19 -!- snk00sj [n=gnelisse@47.184-243-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn
14:20 < snk00sj> hi, i am trying to setup a "roadwarrior" connection using openvpn 2.1 rc7 (on both sides) but keep getting handshake errors : TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
14:20 < ecrist> um, it's an ssl problem.
14:20 < ecrist> can you post your server and client configs to pastebin, please?
14:21 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:21 < snk00sj> clientside : http://www.pastebin.be/13178
14:24 < ecrist> ok, you're missing some very important pieces of information.
14:24 < ecrist> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
14:24 < ecrist> you need to have ssl configured and certificates distributed.
14:24 < ecrist> nowhere within your config do I see mention of your ssl certificates.
14:25 < snk00sj> the p12 file contains all the encryption
14:26 < ecrist> well, your log entry above seems to indicate something is missing.
14:37 < snk00sj> hmm i got it working, looking at a thread : http://community.smoothwall.org/forum/viewtopic.php?f=55&t=29141
14:37 < snk00sj> clientconfig stays the same
14:46 -!- snk00sj [n=gnelisse@47.184-243-81.adsl-dyn.isp.belgacom.be] has quit [Read error: 60 (Operation timed out)]
14:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:56 -!- kreg_work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
14:57 < kreg_work> every time i run revoke-full i get a new crl.pem. It appears to be a single private key when i look at it. Do i need to append this key to a larger crl.pem every revoke?
15:01 -!- mighty-d [i=500@63.58.83.190.static.coldecon.com] has joined ##openvpn
15:01 < mighty-d> Hi
15:01 < mighty-d> i want to deploy a vpn between my girlfriend's house and mine. I was reading and it seems using PPTP is an intruder's magnet, do you suggest IPSec or i can go with SSL, my concern is if the extra complexity of IPSec is worth it
15:03 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has joined ##openvpn
15:03 < tcccp> o.O
15:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
15:38 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
16:34 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
16:38 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
16:40 < ecrist> kreg_work: no, that's the entire revocation list
16:40 < ecrist> there's not a lot of data there, mostly serial numbers of certificates that have been revoked.
16:40 < kreg_work> ok
16:40 < kreg_work> figured something like that. all i've done in the past is just overwrite the old
16:41 < ecrist> mighty-d: OpenVPN will be sufficient with ssl certificates.
16:41 < kreg_work> ssl should secure all the dirty talk
16:41 < ecrist> that's all you need to do, kreg_work. Also, be sure to point your openvpn server config to the file.
16:42 < ecrist> mighty-d: I'm guessing it's for web-cam type stuff. If that's the case, you should send me an ssl certificates, so, um, I can, uh, help you test it.
16:42 < kreg_work> ecrist: do all the keymaking and revoking on a separate machine. i manually move the crl.pem to the new server and restart openvpn.
16:42 < ecrist> yeah, help you test it
16:42 < kreg_work> >: P
16:44 < ecrist> kreg_work: you don't need to restart openvpn for each revoke - it's read dynamically at each ovpn connection.
16:45 < kreg_work> funny, i just read that too
16:45 < kreg_work> heh
16:45 < ecrist> also, storing the key building on another machine is a good idea - you should, theoretically, make the CRL public, fwiw.
16:45 < kreg_work> out of the can i think it was a 644
16:45 < kreg_work> so it was readable and i just left it alone
16:46 < ecrist> kreg_work: I mean, if you use your CA for website/mail server/etc, you should be placing that file on the net.
16:46 < ecrist> there's a field in your root certificate for CRL URI - that should be kept up to date.
16:47 < kreg_work> oh i never knew that
16:47 < kreg_work> we use ssl certs for our domains. mail/web
16:47 < kreg_work> but i've never signed one to include a url
16:48 < ecrist> it only applies to your root CA certificate
16:48 < kreg_work> i c. makes sense
16:49 < ecrist> well, intermediary signing authorities, as well.
16:58 < mighty-d> ecrist, lol, thanks
16:59 < mighty-d> ecrist, as a matter of fact it is for a boring purpose, i just want to learn how to do this and thats all
16:59 < ecrist> that's no fun
17:00 < ecrist> it's pretty straight forward - you just have to know a bit about networking and get the right holes punched into the firewalls.
17:02 < mighty-d> ecrist, ok, so i should go with ssl?
17:02 < mighty-d> ipsec its kinda scary
17:03 < ecrist> IPsec is pretty damn tricky to set up. ssl is far easier.
17:03 < mighty-d> :)
17:03 < mighty-d> ok, ssl will do it
17:04 < ecrist> mighty-d: look here: https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
17:04 < mighty-d> the thing i dont like with ssl is the PKI and the not trusted CA
17:04 < ecrist> gives a bit of a how-to.
17:04 < ecrist> mighty-d: there's a HUGE misconception with SSL and CA certificates.
17:04 < mighty-d> why do you say so?
17:04 < ecrist> well, let me describe it this way.
17:05 < ecrist> what do you mean by '...and the not trusted CA?'
17:06 < mighty-d> well you know, i have to deploy a CA because i wont expend money on verisign or the others, and now if i use client-to-lan they will be warned about a non trusted CA
17:06 < mighty-d> the other way to go is to use autosigned certificates, but thats even worse ;)
17:06 < ecrist> where is this certificate trusted?
17:07 < mighty-d> i think i understand your point
17:07 < ecrist> what I'm getting at is what you are calling trusted is simply what's been 'included' with your web browser
17:07 < mighty-d> yeah
17:07 < ecrist> you don't *really* know where those certificates come from. Only that you've been told to trust them.
17:08 < mighty-d> but, im not worried about you and me
17:08 < mighty-d> im worried about the people that doesnt get this
17:08 < ecrist> what are you worried about?
17:08 < mighty-d> well, not that it really matters on this deployment
17:08 < ecrist> you're concerned right now with openvpn and using ssl, right?
17:08 < mighty-d> yes.
17:08 < ecrist> you're actually *more* secure by building a self-signed CA (root) certificate and signing client keys with that.
17:09 < ecrist> because 100% of the process is done by you, within your own organization (or living room).
17:09 < mighty-d> lol
17:09 < ecrist> there is no part of the signing process outside your own control.
17:09 < mighty-d> ecrist, i totally agree with you
17:09 < ecrist> when you roll out your client packages, you include four files
17:10 < ecrist> 1) client certificate, 2) client key, 3) client config, and 4) the ca certificate.
17:10 < ecrist> including the ca certificate tells openvpn to trust it.
17:10 < mighty-d> ecrist, so they will never get a warning...
17:10 < ecrist> your users (girlfriend) isn't going to get any popups about that certificate not being 'trusted'
17:11 < ecrist> no
17:11 < ecrist> let me use an example, with my site.
17:11 < ecrist> go to https://www.secure-computing.net
17:11 < ecrist> you're going to get a warning.
17:11 < mighty-d> hmmm actually i didnt
17:11 < ecrist> "WARNING: the sky will fall, virgins will be raped, and all your sugar will harden in the box."
17:11 < mighty-d> lol
17:11 < ecrist> did you already go to my site earlier?
17:12 < mighty-d> lol, of course you gave me the link
17:12 < ecrist> oh, that's right.
17:12 < mighty-d> :)
17:12 < ecrist> what browser are you using?
17:12 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit ["Leaving"]
17:12 < mighty-d> firefox
17:12 < ecrist> don't worry, I'm going to hack you or anything lame like that.
17:13 < ecrist> ff 3?
17:13 < ecrist> or 2?
17:13 < mighty-d> you dont want to know (1.5) ;)
17:13 < ecrist> ok, let me find a copy of it.
17:15 < ecrist> hrm, I can't
17:15 < mighty-d> lol
17:15 < mighty-d> ecrist, dont worry
17:15 < mighty-d> i think i understand your point
17:16 < ecrist> when you're on my website, do you have a lock icon in one of the tool bars?
17:16 < mighty-d> yeah
17:16 < ecrist> probably down in the lower right corner?
17:16 < ecrist> click on that
17:16 < ecrist> should give you page info
17:16 < ecrist> maybe have security tab selected?
17:17 < ecrist> what I'd like you to do is select the 'view certificate' button
17:18 < mighty-d> yes, im looking at the cert now
17:18 < ecrist> and, what does your browser say, regarding how that cert is trusted?
17:19 < mighty-d> well, it says i trusted it for the purpose of authenticating your site
17:20 < ecrist> ok, if you look, you'll see that it was signed by SCN Root Certificate Authority
17:20 < mighty-d> yes
17:20 < ecrist> the reason you originally got the popup/warning, was that your browser didn't have the SCN Root Certificate Authority pre-installed.
17:21 < ecrist> if you were to download and install https://www.secure-computing.net/scn-root.crt from my site, you will then trust *any* certificate signed by SCN Root Certificate Authority
17:22 < ecrist> this would include various services I've got running, including OpenVPN, https, smtps, imaps, and pop3s
17:22 < ecrist> because all the certificates I use are signed by the same CA certificate.
17:22 < mighty-d> of course
17:22 < ecrist> what *more* secure about this, is I give my root certificate out to my users, friends, and family.
17:23 < ecrist> I've got all my keys stored off the servers my information is served from.
17:24 < ecrist> I personally certify my content. While you don't know me, we could talk on the phone, verify fingerprints, etc, and at least in my opinion, that's a more closely guarded/guaranteed certificate chain than what verisign offers.
17:24 < ecrist> but, I'm done ranting, gotta run the kid to grandma's
17:24 < ecrist> good luck
17:26 < mighty-d> thanks a lot ecrist
17:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:58 -!- mighty-d [i=500@63.58.83.190.static.coldecon.com] has quit ["Gotta go"]
18:43 -!- SilenceGold [n=chris@adsl-70-232-50-35.dsl.ltrkar.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
18:47 -!- SilenceGold [n=chris@70.232.50.35] has joined ##openvpn
19:06 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
20:56 -!- mszathmar [n=mszathma@S0106001d7e2f9523.ok.shawcable.net] has joined ##openvpn
22:40 -!- mszathmar [n=mszathma@S0106001d7e2f9523.ok.shawcable.net] has quit ["Leaving"]
--- Day changed Tue Aug 05 2008
00:12 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:56 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
--- Log opened Tue Aug 05 07:32:18 2008
07:32 -!- ecrist [n=ecrist@chunk.secure-computing.net] has joined ##openvpn
07:32 -!- Irssi: ##openvpn: Total of 17 nicks [0 ops, 0 halfops, 0 voices, 17 normal]
07:32 -!- Irssi: Join to ##openvpn was synced in 15 secs
07:40 -!- mmm4m5m [n=ububam@83.228.48.24] has joined ##openvpn
07:43 < mmm4m5m> hi all. Could you please help me with openvpn client config? Shortly: there win server and win client, both working. Now trying to setup linux (ubuntu) client using windows client config file. Looks fine, except ifconfig does not show me openvpn interface
07:44 < mmm4m5m> I am very beginner with linux/ubuntu
07:47 < mmm4m5m> anyone? maybe it is simple question... yesterday I install vpnc (Cisco VPN) and setup was very easy (again port settings from my win PC)
08:00 < Edward123> cpm... re restarting the network service, it serves as a local iis asp.net & mysql server
08:01 < Edward123> i just tried a reboot infact, heh
08:01 < Edward123> typical windows problem resolution move
08:03 < Edward123> cpm, a reboot didn't resolve the issue
08:03 < Edward123> heh cpm
08:03 < Edward123> re ethernet bridging, i'll explain: ethernet bridging ftw! when it worked, it worked splendidly
08:04 < mmm4m5m> here my config file and terminal screen log entries: http://pastebin.com/m27d94190
08:04 < mmm4m5m> 1) I did: sudo openvpn --mktun --dev tap0 --dev-type tap (but I am not sure do I need it)
08:04 < mmm4m5m> 2) ifconfig does not show tap0 (but 'ifconfig -a' do show it). Do I have to ifdown/ifup? Do I have to setup IP address manually?
08:04 -!- mmm4m5m [n=ububam@83.228.48.24] has quit ["Leaving."]
08:04 < ecrist> wow, he's a bit impatient.
08:05 < cpm> heh
08:07 -!- edeca [n=david@emo.two-pebbles.com] has joined ##openvpn
08:07 < Edward123> hrm so any more thoughts on my error? i'm not even sure the error is fatal... maybe it's a red herring but the client can't connect so....
08:07 < Edward123> i don't have a clue
08:08 < Edward123> the openvpn can't connect to the openvpn server, they could previous but something has changed
08:09 < ecrist> Edward123: is it something you changed, or external to you?
08:09 < Edward123> ecrist, well not knowingly
08:09 < Edward123> i think the machine may have been restarted but that's it
08:10 < ecrist> I came in to this in the middle, but, what's going on/not working?
08:10 < Edward123> [10:28] my vpn server is starting but nothing can connect. when it starts up i see the error: Tue Aug 05 10:12:16 2008 NOTE: FlushIpNetTable failed on interface [14] {8FD49F1D-6F9D-42F2-AA01-294EF7A3D726} (status=1168) : Element not found.
08:11 < Edward123> this is windows 2k8 with ethernet bridging
08:11 < ecrist> ooh, windows as a vpn server, yuk
08:13 < Edward123> i'm running the latest release candidate
08:13 < cpm> yup. I keep telling him that since windows has such an excellent community, to address his questions there, but he doesn't listen.
08:13 < cpm> Oh, and not even running stable code?
08:14 * cpm kicks Edward123, really hard.
08:14 < Edward123> cpm, the stable code doesn't work well with vista/2k8
08:14 < cpm> Try running the stable code, why dontcha?
08:14 < Edward123> it can't do the routing
08:14 < cpm> there is no routing in a bridge.
08:14 < Edward123> yeesh you think i'd use unstable code without good reason?
08:14 < Edward123> hmm
08:15 < edeca> Argh. Latest openvpn on client and server. I can nslookup domains, including the HTTP proxy called 'foobar' from the client (winxp). IE/Firefox can't look up the proxy by name though. Have I hit: http://support.microsoft.com/kb/311218 ?
08:15 < Edward123> why exactly does openvpn need to FlushIpNetTable?
08:15 < cpm> Sure, you use windows for no reason I can ascertain. So, yeah, of course.
08:15 < Edward123> heh
08:15 < Edward123> you cut me deep
08:15 < ecrist> Edward123: there are a number of things wrong with your setup.
08:15 < cpm> heh
08:15 < cpm> ecrist, yup. a lot.
08:15 < ecrist> first, you're using RC code - it's not released and won't be supported as such.
08:16 < ecrist> second, you're using windows as a vpn server - you should be tarred and feathered.
08:16 < Edward123> ecrist, if that's the case why is there a windows release?
08:16 < ecrist> third, there is no routing involved with bridging, quit trying to route.
08:16 < Edward123> openvpn is a project entirely developed by masochists?
08:16 < ecrist> lol
08:17 < ecrist> masochists?
08:17 < Edward123> ye ye
08:18 < Edward123> OK, windows machines are the only ones i have available to me here. i will eventually get a linux machine on the network here but not right away, so i have to work with this
08:18 < Edward123> however, i take your point about not using the RC when the routing isn't needed so i'll downgrade and test again
08:18 < ecrist> then start by using the 2.0.9 release code.
08:18 < Edward123> ^
08:20 < edeca> Anybody got an idea why client apps can't do DNS resolution through openvpn when nslookup can? winxp, not sure if it's related to the post in the docs
08:25 < edeca> Can I tell openvpn to remove the current DNS entries from windows when the client connects?
08:26 < ecrist> I don't know that you can have them removed, but you can 'push' alternate DNS servers in your server config
08:26 < ecrist> it's discussed in the how to.
08:29 < edeca> I've pushed them, but of course it has 3
08:29 < edeca> So it uses any of the 3 (my pushed 1 and the default 2)
08:30 < ecrist> if you check ipconfig /all on the windows machine, do you see all three listed?
08:30 < edeca> One second, just rebooted it :)
08:30 < edeca> Silly windows gremlins
08:31 < ecrist> also, is your server config using push "dhcp-option DNS 1.2.3.4" or some such?
08:34 < edeca> Yes
08:34 < edeca> However, it seems to work now
08:34 < edeca> (after a reboot!)
08:36 < Edward123> ok chaps, ecrist and cpm, downgrading didn't fix the error
08:37 < ecrist> Edward123: what's the error in the OpenVPN logs?
08:37 < Edward123> lemme pastebin the whole thing and highlight the error
08:39 < ecrist> kk
08:39 < Edward123> http://pastebin.com/d4d3beb20
08:39 < Edward123> i've done tons-a-google but not found anything i could use
08:41 < Edward123> and this is a new tap adapter - i uninstalled the old openvpn and reinstalled the old version which removed/re-created the device
08:41 -!- weedar [n=sikrit@062016224079.customer.alfanett.no] has joined ##openvpn
08:42 < Edward123> so i changed the name (to tap-bridge) and added it back to the bridge
08:47 < ecrist> Edward123: on the client, try adding route-method exe and route-delay 2 to the config
08:49 < ecrist> if route-delay 2 doesn't work, try route-delay 10
08:54 < Edward123> ok ecrist, i'll try that now
08:57 < Edward123> p.s. ecrist, does that mean you think the warning on the server is a red herring?
08:57 < ecrist> Edward123: yes
08:57 < ecrist> everything from the goog seems to indicate so.
08:58 -!- tobias|home [n=tobias@f049002177.adsl.alicedsl.de] has joined ##openvpn
08:58 < tobias|home> hi
08:59 -!- weedar [n=sikrit@062016224079.customer.alfanett.no] has quit [Operation timed out]
08:59 < Edward123> hmm OK
08:59 < Edward123> still testing
09:02 < Edward123> the server log just isn't showing even a connection attempt from any of the clients
09:02 < Edward123> trying with 10
09:06 < ecrist> Edward123: if you're not seeing a connection attempt, you've got other problems
09:06 < ecrist> like, windows firewall, maybe?
09:07 < tobias|home> when i start openvpn i become automatically a dns server, but is it possible to forbid it?
09:17 < Edward123> hmm no windows firewalls enabled anywhere ecrist
09:17 < Edward123> but 'cos it's UDP i can't diagnose it with telnet...
09:18 < Edward123> i guess i need netcat?
09:18 < Edward123> don't suppose you know if anything is built into windows i can use just to find out if a UDP port is opening and answering?
09:19 < ecrist> Edward123: netstat from the terminal should show you
09:33 < Edward123> well the server is showing this: UDP 0.0.0.0:1194 *:*
09:33 < Edward123> so it's defo. binding OK on the server
09:40 < ecrist> if you're not seeing connection attempts, the client machines aren't getting through
09:44 < Edward123> ffs today is less than a walk in the park
09:44 < Edward123> this is just one of several problems
09:53 -!- kpoman [n=chatzill@200.181.12.180] has joined ##openvpn
09:53 < kpoman> hi to all ! is there a way to bind openvpn server to a particular interface ?
09:53 < ecrist> hrm, interface, I don't think so, IP address, yes.
09:53 < kpoman> via local statement ?
09:58 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit []
10:09 < Edward123> ecrist, the clients don't have firewalling turned on and no settings have been changed on either of their routers so i think i need to further diagnose connection issues
10:10 < ecrist> ok
10:10 < Edward123> when i run 'netstat -a' on the client whilst starting the service i don't see 1194 anywhere
10:10 < Edward123> but windows firewall is turned off soooo... i'm a bit lost
10:10 < ecrist> as I said, if you show OpenVPN listening, but you're not getting any connection information in the logs, you've probably got lower level issues.
10:11 < ecrist> is there anything in the client log fies
10:11 < ecrist> files*
10:11 < Edward123> one of the clients has started saying: Tue Aug 05 16:10:53 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
10:11 < Edward123> which i'm currently googling
10:18 -!- kpoman [n=chatzill@200.181.12.180] has quit [Read error: 104 (Connection reset by peer)]
10:22 < Edward123> my current best guess is that the router (server end) isn't forwarding properly
10:23 < ecrist> forwarding implies NAT
10:25 < Edward123> ecrist... yes?
10:25 < Edward123> again i hasten to add this was all working yesterday
10:26 < ecrist> you're running nat
10:26 < Edward123> i'm running NAT but i've configured port forwarding on the router for the required UDP port... and it WAS all working prior to today
10:26 < ecrist> Edward123: something is broken. Next you're going to tell me the 'server' is getting its IP via DHCP.
10:27 < cpm> heh
10:28 < Edward123> ecrist, yes something is broken
10:29 < ecrist> when you have your clients at least showing up in the server logs, get back to us. Until then, it's not an openvpn problem.
10:29 < Edward123> but no the server isn't getting its IP via dhcp
10:29 < Edward123> yeah i agree
10:33 -!- dasunt [n=nobody@unaffiliated/dasunt] has joined ##openvpn
10:33 -!- tobias|home [n=tobias@f049002177.adsl.alicedsl.de] has left ##openvpn []
10:44 < Edward123> man i'm about to drop kick this router out of the window
10:46 < cpm> you are blaming the router?
10:46 * cpm chuckles
10:46 < Edward123> well yeah
10:46 < Edward123> i think i've discovered why it suddenly stopped working: it took external connections to be some kind of attack
10:47 < Edward123> and therefore blocked them
10:47 < Edward123> for debugging i've disabled all these rules but yet it does not work
10:47 < dasunt> I want to run OpenVPN on a BSD machine, with a FreeRADIUS user/pass authentication on a Linux machine, and connect with windows clients.
10:47 < dasunt> Using (AFAICT) pam_radius on the BSD machine.
10:47 < dasunt> This *is* possible, right?
10:48 < cpm> no earthly clue.
10:48 < dasunt> It looks like the default tutorials tend to talk about preshared keys, instead of username/passwords for the OpenVPN clients.
10:49 < cpm> yeah, easier to do cert pairs that way. This is openssl
10:49 < cpm> how you would do certificate against radius, I have no idea, at all. No doubt it's doable, but I don't have the mental capacity to even imagine how.
10:54 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: Edward123, vlt, tcccp, justdave, dasunt, kraut, BoomSie, SilenceGold, DaPrivateer, edeca, (+4 more, use /NETSPLIT to show all of them)
11:02 -!- Netsplit over, joins: DaPrivateer, cpm, justdave, mikkel, vlt
11:02 -!- chesty [n=chesty@chesterton.id.au] has joined ##openvpn
11:02 -!- weedar [n=sikrit@062016224079.customer.alfanett.no] has joined ##openvpn
11:02 -!- Netsplit over, joins: dasunt, BoomSie
11:02 -!- rob0 [n=rob0@tuxaloosa.org] has joined ##openvpn
11:02 -!- Netsplit over, joins: edeca, krzee, bandini, Edward123, SilenceGold, tcccp, kraut
11:02 -!- justdave [n=dave@unaffiliated/justdave] has quit [Connection reset by peer]
11:02 -!- vlt [n=dm@suez.activ-job.com] has quit [Connection reset by peer]
11:04 -!- Alex [i=hauntedu@goatse.co.uk] has joined ##openvpn
11:04 -!- Edward123 [n=edward@host81-149-214-135.in-addr.btopenworld.com] has quit [Read error: 113 (No route to host)]
11:07 < rob0> hmmm there they are; when I joined it was only 2 others!
11:14 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
11:32 < cpm> there is no one here.
11:49 < ecrist> rob0: netsplit
11:49 -!- Irssi: ##openvpn: Total of 18 nicks [0 ops, 0 halfops, 0 voices, 18 normal]
11:51 * cpm splits rob0
11:52 < cpm> now 2x rob.5
11:52 < cpm> now 2x rob1- and rob1 rather
13:11 -!- int [n=quassel@wikia/int] has joined ##openvpn
13:16 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:57 < krzee> hrm
13:57 < krzee> ecrist, should we make a mail-list bot for here?
13:58 < krzee> like we use in some other channels, ie:
13:58 < krzee> [13:10] New on the ForumFeed: Re: Intel iwlwifi drivers with injection * WORKING with 3945 & 4965 cards *
14:05 < ecrist> krzee: I don't know if that's necessary at this point.
14:06 < ecrist> if you want to work on one and test it for a few days, I'm cool with that.
14:06 < krzee> right on ill bust something out next time i get bored enough
14:10 -!- dasunt [n=nobody@unaffiliated/dasunt] has left ##openvpn []
14:26 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:38 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
14:39 -!- slango [n=slango@unaffiliated/iamethos] has joined ##openvpn
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:40 < slango> my employer uses open VPN, and for a while, things were working great. Lately though, I have been constantly disconnecting and reconnecting with the message: [server] Inactivity timeout (--ping-restart), restarting
14:41 < slango> it has become so frequent that my connection to the VPN is almost worthless
14:43 < ecrist> sounds like network problems.
14:43 < ecrist> do you connect via satellite, or cellular broadband?
14:45 < slango> ecrist: cable... :-)
14:45 < slango> it's a regular wired connection on my home network
14:46 < ecrist> slango: some cable modems block UDP traffic intermittently. Also, some CATV providers will perceive UDP traffic as p2p and try to throttle it down.
14:46 < slango> I'm not experiencing any obvious problems with my internet connection (not losing my IRC connection, etc)
14:47 < slango> ecrist: so you think that's what this is?
14:47 < slango> the only thing I really do over the VPN for now is connect to the company's IRC server
14:48 < ecrist> slango: OpenVPN, with most setups, tunnels across as UDP traffic.
14:48 < slango> doesn't seem like that would be the amount of traffic the provider would throttle
14:48 < ecrist> i.e. ALL of your VPN traffic will show as UDP.
14:48 < slango> ecrist: right, but there really shouldn't be very much at all
14:49 < slango> hmm
14:49 < slango> well, I guess I'll call comcast and see what the hell their problem is
14:49 < ecrist> I'm not worried about how much, it doesn't matter that you're connected to irc via tcp, it's tunneled through udp.
14:49 < ecrist> good luck.
14:49 < ecrist> you could ask your administrator to switch to tcp vpn.
14:50 < rob0> I have a very stable UDP openvpn using Comcast on one end.
14:50 < ecrist> rob0: so do we, but certain cable modems have problems with udp traffic.
14:51 < ecrist> I've got a few users here at the office on Comcast - some work great, never go down, others get reset about once an hour, it seems.
14:51 < rob0> The cable modem, or the router? I've seen routers which mess up UDP.
14:51 < ecrist> cable modem/router
14:53 < slango> hmm
14:53 < slango> ecrist: to give you an idea of how bad this is: I'm going down once every ten minutes or so
14:54 < slango> I have a WRT310N router from Linksys.... is there anywhere that I can check to determine if that is known to have problems with UDP?
14:55 < ecrist> slango: is that your cable modem?
14:56 < slango> ecrist: that's my router. the cable modem is an Arris TM602G/CT
14:56 < ecrist> check that for UDP filtering.
14:57 < slango> a google search for Arris TM602G comes up with no results
14:58 < slango> *Arris TM602G UDP
14:59 < ecrist> ok, so run wireshark and look at the packets around the failure.
14:59 < ecrist> see if there are a lot of retransmissions, etc.
15:05 < rob0> Talk to your vendor about the features of your router, or test it yourself.
15:05 < rob0> I never have problems like that; I use Linux machines.
15:12 < slango> rob0: well, I'm getting the exact same problem on my Linux laptop
15:12 < rob0> Laptop as a router? Or behind some cheap router?
15:13 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
15:13 < pumkinhed> hello #openvpn
15:13 < rob0> I connect Linux to cable/DSL modem.
15:14 < pumkinhed> quick q, we have clients connecting via laptop from their home/hotels/wherever
15:14 < slango> rob0: oh.... no, it's a linksys router, I meant that my laptop workstation is exhibiting the same symptoms as is my OS X workstation
15:14 < slango> s/laptop/linux/
15:14 < rob0> slango, the point is that the ROUTER is most likely the cause of the problem.
15:14 < pumkinhed> sometimes, when the computer is put to sleep overnight (by closing the lid), and the computer comes back from sleep, it will complain that it cannot connect to our network
15:15 < slango> rob0: don't capitalize at me. I get that. I just misunderstood what you meant when you said "I use Linux machines."
15:15 < pumkinhed> upon closer inspection, it seems the push "route ip mask" command is failing.
15:16 < pumkinhed> the error message in openvpn logs seems to indicate that the ip address assigned to the TUN has changed since the lid was closed, and the route command fails
15:17 < pumkinhed> which makes sense, but why is openvpn calling the push "route" command, before changing the address of the TUN?
15:18 < ecrist> calm down now, kids.
15:18 < rob0> Ignored.
15:18 * ecrist fetches his beatin' stick.
15:19 < ecrist> pumkinhed: it's a good idea when you put your laptop to sleep to kill your vpn connection and rebuild it.
15:20 * ecrist puts his beatin' stick away and goes home.
15:21 < pumkinhed> ok, a batch file is easy enough to build for end-users, but i've never had this problem before now, and i've been using openvpn for years
15:22 < ecrist> pumkinhed: I'm guessing it's a windows-specific problem, probably with a recent update.
15:22 < pumkinhed> ah i am going to try and dig up the error log from a client bbiab
15:22 < ecrist> l8r
15:37 -!- slango [n=slango@unaffiliated/iamethos] has quit [Nick collision from services.]
15:40 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
15:40 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Read error: 104 (Connection reset by peer)]
15:46 -!- Breetai [n=Breetai@mx.northriverboats.com] has joined ##openvpn
15:47 < Breetai> Hi all, I am getting messages showing up on my root console. Any way to stop that?
15:49 -!- edeca [n=david@emo.two-pebbles.com] has quit ["leaving"]
16:06 < rob0> root console? Maybe just learn about how your shell does redirection, and/or see --daemon in the man page.
16:06 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
16:07 < Breetai> hmmmm, I will need to look, it is started from an /etc/init.d/openvpn script. I presumed it is run as a daemon
16:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:39 -!- klugefoo| [n=klugefoo@c-76-126-54-37.hsd1.ca.comcast.net] has joined ##openvpn
17:05 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
17:15 -!- Breetai [n=Breetai@mx.northriverboats.com] has quit ["Leaving"]
17:20 -!- klugefoo| [n=klugefoo@c-76-126-54-37.hsd1.ca.comcast.net] has left ##openvpn []
18:10 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
18:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:47 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
19:11 < ecrist> evening, kids
19:25 < tcccp> hiho
19:30 -!- Irssi: ##openvpn: Total of 20 nicks [0 ops, 0 halfops, 0 voices, 20 normal]
19:32 < ecrist> I think his problem had to do with how syslog was configured
21:49 -!- _aia_ [n=_aia_@unaffiliated/aia] has joined ##openvpn
22:10 -!- znoG_ [n=gs@host145.190-31-233.telecom.net.ar] has joined ##openvpn
22:10 < znoG_> hey all
22:11 < znoG_> I'm trying to setup OpenVPN in ethernet bridging mode .. I got the tunnel established, my client tap0 interface configured, the server side has a br0 interface with an IP and the eth1 (LAN nic) and tap0 bridged.
22:11 < ecrist> ok...
22:11 < znoG_> When I ping the server's bridge IP address on the client side, I get destination host unreachable.. and a tcpdump on the server on the tap0 interface reveals nothing at all.
22:12 < znoG_> I'm not sure where to go from here
22:13 < ecrist> how do you know you're connected to the VPN?
22:14 < znoG_> on the client side, it shows the normal "establishing connection" messages and ends with "Wed Aug 6 00:08:50 2008 Initialization Sequence Completed
22:15 < znoG_> and the IP is assigned to tap0 on the client side from the pool
22:15 < ecrist> ok, that's good to know
22:15 < znoG_> just to double check: tap0 on the server has no IP address (0.0.0.0) .. and my server-bridge line looks like this:
22:15 < ecrist> did you set up your bridge?
22:16 < znoG_> server-bridge 10.0.2.1 255.255.255.0 10.0.2.220 10.0.2.240
22:16 < znoG_> yep
22:16 < znoG_> bridge is setup .. and it is currently bridging eth1 (LAN) and tap0 .. with IP: 10.0.2.1
22:16 < ecrist> no, I mean, there's a script you need to run to build br0, and actually bridge the interfaces on the server.
22:16 < znoG_> yep got that setup
22:17 < ecrist> br0, iirc, is supposed to be part of the bridge.
22:17 < znoG_> i modified /etc/init.d/openvpn to run /etc/openvpn/bridge-start (on start) and bridge-stop (on stop)
22:17 < ecrist> ok
22:18 < ecrist> and, is there a firewall between the LAN and the VPN?
22:18 < znoG_> the only firewall is on the server itself and I've allowed openvpn traffic
22:19 < znoG_> even if it was blocking it, it should still show on tcpdump right?
22:19 < znoG_> actually if I do a tcpdump on br0
22:19 < znoG_> i can see 10.0.2.220 constantly doing an arp who-has
22:20 < znoG_> of the IP I'm trying to ping
22:20 < znoG_> and no reply by the look of it
22:20 < ecrist> :)
22:20 < ecrist> you have firewall problems.
22:26 < znoG_> you may well be right :) time to dig in
22:26 < znoG_> thanks ecrist for the hand
22:27 < ecrist> no problem.
22:36 < znoG_> ecrist: apart from letting in/out port 1194, I'm not sure what else I need to do for the traffic to be allowed through.
22:48 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:21 < znoG_> ecrist: it turned out to be an interface problem ... tap0 was already created (by some other program) so openvpn was creating tap1. Changed it to 'dev tap1' in the conf and all is well now.
23:21 < znoG_> Thanks!
23:21 -!- znoG_ [n=gs@host145.190-31-233.telecom.net.ar] has left ##openvpn []
--- Day changed Wed Aug 06 2008
00:35 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
01:32 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
01:32 < kexman> helloo
01:32 < kexman> what happened to the openvpn channel ????
01:32 < kexman> why so "many" ?
01:39 -!- weedar [n=sikrit@062016224079.customer.alfanett.no] has quit [Connection timed out]
01:58 < kraut> moin
02:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:32 < kexman> hello
02:32 < kexman> so many around :)
02:32 < kexman> 20 :)
02:39 < tcccp> hhr
04:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:36 < kexman> wtf is wrong here ?
04:36 < kexman> something changed ?
04:36 < kexman> openvpn channel moved ?
05:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:51 < ecrist> kexman: what's up?
06:51 -!- Irssi: ##openvpn: Total of 22 nicks [0 ops, 0 halfops, 0 voices, 22 normal]
06:59 < ecrist> morning, cpm
07:12 < cpm> good morning
07:20 < kexman> ecrist: well last time i was here this channel was more populated
07:20 < kexman> what happened ?
07:21 < ecrist> don't know
07:21 < ecrist> it got moved here about a week ago
07:22 < ecrist> what would you say the original population was/
07:22 < ecrist> ?
07:28 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Remote closed the connection]
07:30 < ecrist> if there are normally more, I'm sure they'll find their way here in time.
07:46 < kexman> hmm
07:46 < kexman> wait what do you mean here ?
07:46 < kexman> where did you come from ?
07:47 < kexman> wasnt this #openvpn ?
07:47 < ecrist> yes, it was.
07:47 < kexman> i now joined and i got into ##openvpn
07:47 < ecrist> it's called channel forwarding.
07:47 < kexman> yes but why ?
07:47 < kexman> so where are the other that need to find theire way here ?
07:47 < kexman> *their*
07:47 < ecrist> read up on channel forwarding on freenode.net website.
07:48 < ecrist> kexman: I don't know who you think is missing. Every time I've joined #openvpn, there's been ~20 users.
07:48 < ecrist> regardless, it's not a big deal.
07:58 < kexman> hmm
07:58 < kexman> i thought there were more people :)
07:58 < kexman> uhh :) maybe im confusing openvpn with openwrt :))
07:58 < kexman> lol
07:58 < kexman> sorry
07:58 < kexman> im hungry :))
07:58 < cpm> cookies?
08:00 < ecrist> I'm hungry. Cookies sound good.
08:09 < cpm> mmmm, cookies
08:24 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
08:24 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Read error: 104 (Connection reset by peer)]
08:37 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
08:57 -!- Snow- [n=snow@silver.teardrop.org] has joined ##openvpn
08:59 -!- Lin [n=igormorg@unaffiliated/lincity] has quit ["Ex-Chat"]
09:34 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: bandini, mikkel, kexman
09:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:39 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
09:39 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
10:33 < Snow-> Anyone ever seen an issue where using UDP as a transport, large packets (>=1500) don't make it through an OpenVPN tunnel?
10:34 < Snow-> Doesn't seem to be a 100% of the time thing, dependent on other factors.
10:34 < rob0> I idled about 3-4 days in #openvpn after the forwarding and gag order was done. There were only a few folks left, and obviously, no discussion there.
10:34 < Snow-> I blew a bunch of time trying to find a PMTU problem and then switched to TCP, and it magically worked.
10:34 < Snow-> Forwarding and gag order?
10:35 < cpm> what was with that?
10:35 < rob0> #openvpn forwards to ##openvpn and is mode +q or whatever.
10:35 < cpm> Snow-, sounds like an MTU path discovery issue
10:36 < Snow-> cpm: That's what I thought, but ICMP (all types) are wholly unfiltered between the two locations.
10:36 < ecrist> cpm: there were some ass-clowns in the chan and there was no way to moderate.
10:36 < ecrist> so we fixed it.
10:36 < ecrist> :)
10:36 < rob0> I gather that someone was making a fuss that day ... yeah
10:36 < Snow-> Weirdly, there was a brief moment where it worked without any configuration changes at all.
10:36 < cpm> ecrist, ass-clowns? Like me?
10:36 < ecrist> cpm, no
10:36 < rob0> It WAS you.
10:36 < ecrist> ?
10:36 * cpm pouts.
10:36 < Snow-> I think it's an issue with long fast pipes, but I'm not sure...
10:37 < cpm> what happened to whuzzizname?
10:37 < Snow-> Anyway, switching to TCP as a transport seems to have solved the problem quite conclusively.
10:37 < ecrist> cpm, pm?
10:37 < rob0> He got kicked in the whachamacallit.
10:37 < cpm> ecrist, sure.
11:11 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
11:23 -!- Deecodeuh [n=kaminski@209.83.2.36] has joined ##openvpn
11:25 < Deecodeuh> I'm trying to set up a vpn client connection, but the documentation is so difficult... I'm in linux, and it's so simple in windows. How can I simply just connect to a vpn network?
11:25 < Deecodeuh> Or is it not simple?
11:27 < Deecodeuh> Can anyone answer...?
11:31 < SilenceGold> Deecodeuh what are you using to connect as a client in windows?
11:31 < cpm> routed vpn? or bridge?
11:32 < Deecodeuh> I'm using the wizard that comes standard with vista. I need to connect to a samba share over vpn.
11:33 < SilenceGold> oh
11:33 < SilenceGold> that's windows' PPTP
11:33 < SilenceGold> it's incompatible with openvpn
11:33 < SilenceGold> openvpn comes with its own server or client
11:34 < SilenceGold> you have to use openvpn client to work with openvpn server that uses SSL...not PPTP or IPSEC VPN types
11:38 < Deecodeuh> Does anyone know what a pcf file is?
11:38 < Deecodeuh> Is that a vpn setting file for windows?
11:38 < Deecodeuh> maybe...
11:39 < cpm> has to do with cisco's vpn client I think
11:39 < Deecodeuh> ah, thanks.
11:40 < cpm> again, nothing at all to do with openvpn.
11:40 < cpm> Who runs this server to which you would like to connect?
11:40 < Deecodeuh> I think it's a branch off of aflac.
11:40 < Deecodeuh> And my mom needs it to run for her work.
11:41 < Deecodeuh> Not that that helps
11:42 < cpm> I recommend that you contact the administrator of the server running the vpn to which you would like to connect.
11:43 < Deecodeuh> The problem is that he knew nothing about linux...
11:48 < ecrist> Deecodeuh: is he running an OpenVPN server, Cisco VPN, or PPTP VPN?
11:49 < Deecodeuh> Probably pptp
11:49 < Deecodeuh> You can just call me Coda... it's easier to type...
11:51 < ecrist> Deecodeuh: tab-completion makes almost any name trivial to type. :)
11:51 < ecrist> why would you say PPTP?
11:52 < Deecodeuh> tab-completion... wow, I had no idea that shortcut was there... that's cool.
11:52 < Deecodeuh> Isn't that the only type of server that the windows wizard can connect to?
11:53 < ecrist> hrm, I can't remember for sure, but I thought it also supported ipsec.
11:54 < Deecodeuh> you're right, I see it on the options in the settings.
11:54 < Deecodeuh> PPTP VPN, and L2TP IPsec VPN
11:54 < ecrist> ;)
11:54 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
11:55 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit ["Happy Hacking !"]
11:56 < Deecodeuh> There's a setting called VPN Gateway... would I set that to be the ip address of the server.
11:56 < SilenceGold> no
11:56 < SilenceGold> that's the router at the remote network that you would want your workstation's network to be routed to
11:56 < SilenceGold> you have few options..
11:57 < SilenceGold> get your PPTP client working with the remote VPN server that is running a PPTP VPN type server
11:57 < SilenceGold> or install OpenVPN server at the site then install OpenVPN client locally
11:58 < ecrist> SilenceGold: I doubt he has the authority to install a new vpn server at AFLAC.
12:09 -!- n3kl [n=n3kl@c-24-8-165-101.hsd1.co.comcast.net] has joined ##openvpn
12:09 < n3kl> Hi. Anyone heard of openvpn running in a xen vm?
12:09 < ecrist> don't know why it couldn't
12:10 < ecrist> as long as it's got the ability to build virtual interfaces.
12:10 < SilenceGold> *use virtual interfaces
12:11 < Deecodeuh> Thanks for the help. I'll figure it out eventually.
12:11 < ecrist> SilenceGold: it builds virtual interfaces for routed vpn
12:11 -!- Deecodeuh [n=kaminski@209.83.2.36] has left ##openvpn []
12:11 < SilenceGold> well, I thought you were meaning "it" as the instance
12:20 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
12:32 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn
12:32 < thrope> hello - does anyone know about setting up openvpn with rsa securid keyfobs
12:32 < thrope> or if there are any major rsa competitors in the keyfob market
12:32 < ecrist> thrope: there are a few how-to documents out there, and iirc, the openvpn.net howto covers it, briefly.
12:32 < thrope> I understand it can work - but what I wanted to check was whether you could have some users authenticating with a keyfob, but others without
12:32 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
12:34 < ecrist> hrm, that I don't know. You could with two different openvpn instances I think
12:34 < ecrist> unless the backend that supports the RSA stuff has the support for selective requirements.
12:34 < ecrist> I think you can do that with LDAP/Kerberos, etc.
12:51 -!- xattack [i=root@132.248.108.239] has joined ##openvpn
12:57 < krzee> thrope,
12:57 < krzee> figure out how to make it work
12:58 < krzee> then put the parts that you use to make it work in ccd entries
12:58 < thrope> ah ok
12:58 < krzee> for the clients who get crypto-keys
12:59 < krzee> i havnt had the pleasure of implementing crypto-keys, but thats what i recommend
12:59 < krzee> since ccd/ is the only method for selectively changing server config based on the connecting client
12:59 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:05 -!- Lin [n=igormorg@unaffiliated/lincity] has quit ["Ex-Chat"]
13:20 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
13:22 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:52 -!- highzeth [n=highzeth@hoiseth.no] has joined ##openvpn
13:52 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
13:53 -!- fozzmoo [n=fozz@209.41.95.5] has joined ##openvpn
13:54 < fozzmoo> I'm struggling trying to get openvpn traffic to go out over a specific interface where I have two providers.
13:54 < fozzmoo> shorewall node is an openvpn client.
13:54 < fozzmoo> (and a server too, but I'll worry about that later)
13:55 < fozzmoo> What do I need to do to ensure all traffic between server and client goes over, say, eth1?
13:55 < fozzmoo> Provider name: dsl
13:57 < ecrist> ok, that's done with routing.
13:57 < ecrist> simply add the appropriate routes to your routing tables and you'll be fine.
13:57 < fozzmoo> Shorewall is balancing traffic across both WAN connections.
13:57 < fozzmoo> That's the monkey wrench
13:58 < ecrist> you can still do this with routing.
13:59 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
14:00 < ecrist> fozzmoo: if you build an OpenVPN connection, that connection has state, which is going to go across the same interface, no matter what.
14:00 < ecrist> unless your config is wonky, in which case, you'll need to re-evaluate your config.
14:00 < fozzmoo> Yeah- that's what I thought too.
14:00 < fozzmoo> I wonder if it would help if I switched from UDP to TCP
14:01 < fozzmoo> TCP is a heck of a lot easier to track.
14:01 < ecrist> that it is
14:02 < ecrist> it gets around a lot of bugs that are present in some CATV networks, too.
14:05 -!- itguru [n=The@5ad30b3b.bb.sky.com] has joined ##openvpn
14:13 < krzee> im always a strong advocate of sticking with UDP whenever humanly possible
14:13 < krzee> tcp over tcp = bad
14:18 -!- itguru [n=The@5ad30b3b.bb.sky.com] has quit [Remote closed the connection]
14:21 -!- xattack [i=root@132.248.108.239] has quit ["Leaving"]
14:23 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
14:26 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:26 -!- linux_manju [n=manju@202.122.23.18] has joined ##openvpn
14:27 < linux_manju> Hi All
14:27 < linux_manju> Is it possible to have UDP broadcasts across the tunnel?
14:31 < linux_manju> I have set it up in route mode.. The UDP broadcasts are not traversing through the tunnel
14:31 < linux_manju> Will bridge mode work in the above scenario?
14:35 < ecrist> it should, yes.
14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 < linux_manju> ecrist: Thanks.. Will try that :)
14:53 < thrope> does the windows client work on vista 32 and 64 bit?
15:21 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
15:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:22 -!- krzie is now known as krzee
15:27 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
15:38 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn
15:39 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Client Quit]
16:07 < linux_manju> I just setup a Bridge config..
16:08 < linux_manju> The tun0 is getting the correct IP in the client side..
16:08 < linux_manju> However I am not able to ping the server or anything behind it and vice versa
16:09 < linux_manju> any idea what would have gone wrong
16:09 < linux_manju> tcpdump while pinging does not reveal anything on both client and server side
16:09 < SilenceGold> firewall?
16:09 < krzee> you are bridging but using tun?
16:09 < SilenceGold> oh yea
16:09 < linux_manju> SilenceGold: Nope.. disabled that
16:09 < SilenceGold> should be using tap0 for bridge
16:09 < linux_manju> krzee: Sorry
16:09 < SilenceGold> otherwise, tun0 is router
16:09 < linux_manju> Its tap0
16:09 < krzee> routed = tun, bridge=tap
16:09 < SilenceGold> okay
16:09 < krzee> oh ok
16:10 < SilenceGold> you might not be pushing out a new route for the clients
16:10 < linux_manju> krzee: Yes.. I know.. thanks..
16:10 < linux_manju> SilenceGold: In bridge is it not transparent..
16:10 < linux_manju> Why do I need to push a route
16:10 < SilenceGold> hrm
16:10 < linux_manju> However .. route -n shows the route for my VPN network through tap0
16:11 < SilenceGold> how did your client get an IP?
16:11 < SilenceGold> thru DHCP or you set it up as a static setting?
16:11 < linux_manju> After getting connected.. I specified a parameter in the OpenVPN server-bridge 192.170.30.1 255.255.255.0 192.170.30.20 192.170.30.40
16:11 < linux_manju> The client got 30.21 and 22
16:12 < SilenceGold> I'm not an expert but you can pastebin the two configs..both the server and client configs
16:13 < krzee> also make sure verb is at 5 or 6 and look for any errors
16:13 < krzee> (on client and server)
16:13 < krzee> also, is there a reason you want to bridge?
16:14 < krzee> most often the bridge setups i see people try for should actually be routed
16:14 < krzee> but there are occasions where bridge is necessary
16:14 < krzee> ie: SMB shares, gaming
16:16 < linux_manju> krzee: Sorry.. was busy pasting it in the bin
16:17 < linux_manju> krzee: Yes.. I want UDP broadcasts to traverse through
16:17 < krzee> np, im here for awhile
16:17 < krzee> interesting, for my personal knowledge what do you use with udp broadcasts, if you dont mind my asking
16:17 < linux_manju> http://pastebin.com/m3bb6369d
16:17 < linux_manju> Server config
16:18 < linux_manju> http://pastebin.com/m771f5cdd
16:19 < linux_manju> client
16:19 < linux_manju> krzee: UDP broadcasts for an Application testing..
16:19 < linux_manju> krzee: I cant reveal the application name and usage because of a corp policy.. sorry
16:20 < krzee> which of the examples does your goal meet?
16:20 < krzee> http://www.cisco.com/en/US/docs/internetworking/case/studies/cs006.html
16:20 < krzee> all ones, network, subnet?
16:21 < linux_manju> 1st one is the closest..
16:21 < krzee> seems to me that as long as its not data link layer, routed would be able to handle it (assuming nothing is blocking it)
16:21 < linux_manju> krzee: Tried that in routed mode..
16:21 < krzee> but i guess after you get it up in bridge mode you'll see if thats tru or not
16:22 < linux_manju> Rest was able to work perfectly fine..
16:22 < linux_manju> except UDP broadcasts..
16:22 < linux_manju> Now.. in bridge mode nothing goes through
16:22 < linux_manju> :(
16:23 < linux_manju> Any idea?
16:24 < krzee> just getting to look
16:24 < krzee> can i see routing tables for both machines too?
16:25 < linux_manju> Sure
16:25 < krzee> btw verb 3 is no good for troubleshooting
16:25 < linux_manju> Will paste the specific ones here
16:25 < krzee> raise it to 6
16:25 < krzee> you might see errors that help you figure out wassup
16:25 < linux_manju> geekbox ~ # route -n | grep -i 192.170
16:25 < linux_manju> 192.170.30.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
16:25 < linux_manju> Client
16:25 < linux_manju> Server
16:26 < linux_manju> root@DMZA:~# route -n | grep -i 192.170
16:26 < linux_manju> 192.170.30.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
16:28 < krzee> these setups are confusing enough without hiding the rest of the routing table and who is where
16:28 < krzee> i cant guarantee an answer with the complete routing table, but it raises your chances
16:28 < krzee> also, are you sure you want "duplicate-cn"
16:29 < krzee> i would remove that and only allow each cert to be connected once at a time
16:30 < linux_manju> krzee: Yes.. to start with
16:30 < linux_manju> krzee: I dont think duplicate-cn would make this happen...
16:30 < krzee> ahh ok, so you will remove that and add the tls-auth when you are done... gotchya
16:30 < linux_manju> However I can eliminate the same
16:30 < krzee> no, you are right about that
16:30 < krzee> it is not the problem
16:31 < krzee> just something i noticed while reading the configs
16:31 < linux_manju> krzee: Routing table is perfectly fine.. trust me..
16:32 < linux_manju> 1: 192.170.30.21 (192.170.30.21) 0.117ms pmtu 1500
16:32 < linux_manju> 1: 192.170.30.21 (192.170.30.21) 684.726ms !H
16:32 < linux_manju> Is the tracepath output from the client
16:33 < linux_manju> Mon Aug 4 05:33:01 2008 us=659582 DMZA/202.122.23.18:43115 UDPv4 READ [77] from 202.122.23.18:43115: P_DATA_V1 kid=0 DATA len=76
16:33 < linux_manju> Mon Aug 4 05:33:01 2008 us=660027 DMZA/202.122.23.18:43115 TUN WRITE [42]
16:33 < linux_manju> Is what I get
16:33 < linux_manju> if I run it in verb 6
16:33 < linux_manju> while pinging
16:33 < linux_manju> from the client
16:34 < krzee> ok so it is going through the client
16:34 < linux_manju> Yes
16:34 < krzee> does server do the same?
16:34 < krzee> while client is pinging
16:34 < linux_manju> Let me try.. one sec
16:36 < krzee> its been a long time since i used a bridge setup
16:36 < krzee> more pitfalls in it, but ill try to help
16:36 < linux_manju> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
16:36 < linux_manju> In the server...
16:37 < linux_manju> I am pretty sure that the firewall is disabled
16:38 < krzee> if it was firewall openvpn wouldnt report it as refused
16:38 < krzee> it would happen independent of ovpn in the OS
16:39 < linux_manju> Yes
16:39 < linux_manju> http://readlist.com/lists/lists.sourceforge.net/openvpn-users/1/5495.html
16:39 < linux_manju> Clarifies that. Safely ignore
16:40 < linux_manju> If I ping from server to client.. same message in the client as well..
16:40 < linux_manju> UDPv4 WRITE [53
16:40 < linux_manju> UDPv4 READ [53]
16:42 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn
16:42 < linux_manju> Weird..
16:43 < linux_manju> at least tcpdump should show some output
16:45 * linux_manju kicks himself and goes out for a beer
16:45 -!- Valect [n=aaron@71.39.93.58] has joined ##openvpn
16:49 < Valect> http://pastebin.ca/1094189
16:49 < Valect> any ideas as to why that's happening
16:49 < Valect> ?
16:55 < krzee> what OS's?
17:01 < Valect> pfsense/freebsd
17:02 < Valect> and windows
17:02 < Valect> xp
17:02 < krzee> nice
17:02 < krzee> make sure all times are correct
17:02 < krzee> ntpdate time.nist.gov
17:02 < krzee> especially on the box you made certs on
17:02 < Valect> as far as i can tell they are
17:02 < krzee> run that command on each
17:03 < krzee> ive seen people think they were correct but timezones were off making them think all was good when it wasnt
17:03 < Valect> $ date
17:03 < Valect> Wed Aug 6 15:02:56 PDT 2008
17:03 < krzee> ok, that ones right
17:03 < Valect> client machine is 15:03:40 pdt
17:04 < krzee> you made the certs on one of those boes?
17:04 < krzee> boxes
17:04 < Valect> on the pfsense box
17:04 < krzee> k
17:05 < krzee> pastebin both configs?
17:06 < Valect> if i can find the openvpn server config sure, but it's all over a webui so give me a couple minutes
17:06 < Valect> here's the client
17:06 < Valect> http://pastebin.ca/1094205
17:07 < krzee> once its working, you may want to add tls-auth
17:08 < krzee> but thats not part of the problem (unless your server is using it)
17:08 < Valect> there is a server1 and server0.conf -_- thanks pfsense
17:08 < krzee> welp, figure out which is being used
17:09 < Valect> yea
17:09 < krzee> timestamps can prolly tell you
17:09 < krzee> (change it over web, look for updated timestamp)
17:10 < Valect> http://pastebin.ca/1094211
17:11 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit []
17:13 < krzee> ahh
17:13 < Valect> oh?
17:13 < krzee> you change the cipher in server but not in client
17:13 < Valect> i see
17:14 < Valect> so just put "cipher AES-256-CBC" in the client config?
17:14 < krzee> i believe server / client must agree on that
17:14 < krzee> ya
17:14 < Valect> didn't work
17:14 < krzee> # Select a cryptographic cipher.
17:14 < krzee> # This config item must be copied to
17:14 < krzee> # the client config file as well.
17:15 < Valect> same errors
17:16 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:16 < krzee> after stopping the server and starting it again?
17:16 < Valect> what do i need to change in the server config?
17:17 < krzee> oh right
17:17 < Valect> heh.
17:17 < krzee> after stopping the client and starting it again?
17:17 < Valect> -.
17:17 < krzee> hehe
17:17 < Valect> yea
17:18 < Valect> and in the openvpn log i see:
17:18 < Valect> Aug 6 15:17:26 openvpn[24596]: 192.168.1.131:3414 LZO compression initialized
17:18 < Valect> Aug 6 15:17:26 openvpn[24596]: 192.168.1.131:3414 Re-using SSL/TLS context
17:18 < Valect> Aug 6 15:17:12 openvpn[24596]: Initialization Sequence Completed
17:20 < krzee> Aug 6 15:17:12 openvpn[24596]: Initialization Sequence Completed
17:20 < krzee> looks like you're connected...
17:20 < Valect> the client is still spitting that error though
17:21 < Valect> Wed Aug 06 14:40:43 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
17:21 < Valect> Wed Aug 06 14:40:43 2008 TLS Error: TLS object -> incoming plaintext read error
17:21 < Valect> Wed Aug 06 14:40:43 2008 TLS Error: TLS handshake failed
17:21 < Valect> Wed Aug 06 14:40:43 2008 TCP/UDP: Closing socket
17:22 < krzee> you sure you built with build-key-server ?
17:22 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn
17:22 < krzee> for now comment the ns-cert-type server line from client config
17:23 < krzee> if it then connects without that error, regenerate your certs
17:23 < Valect> still errors
17:23 < Valect> and yes, i built with build-key-server
17:24 < krzee> umm
17:24 < krzee> so you're saying the server says Initialization Sequence Completed
17:24 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Client Quit]
17:24 < krzee> but the client says TCP/UDP: Closing socket
17:24 < krzee> ?
17:24 < Valect> now it's saying
17:24 < Valect> Aug 6 15:24:05 openvpn[24596]: 192.168.1.131:3474 TLS Error: TLS handshake failed
17:24 < Valect> Aug 6 15:24:05 openvpn[24596]: 192.168.1.131:3474 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
17:24 < krzee> stop both
17:24 < krzee> then start the server with verb 6
17:25 < krzee> then start the client with verb 6
17:25 < krzee> 3474? i see you using 1194
17:25 < Valect> that's the remote port
17:27 < Valect> here's the server log
17:27 < Valect> http://pastebin.ca/1094228
17:27 < Valect> client log
17:27 < Valect> http://pastebin.ca/1094229
17:28 < krzee> try commenting out your extra scripts and whatnot
17:28 < krzee> then introduce them 1 at a time to find out where it breaks
17:28 < Valect> i don't have any extra scripts O.o
17:28 < krzee> this time it looks like it may have happened at:
17:28 < krzee> Aug 6 15:25:03 openvpn[24596]: /etc/rc.filter_configure tun0 1500 1558 10.0.123.1 10.0.123.2 init
17:29 < Valect> oh
17:29 * Valect kicks pfsense
17:29 < Valect> but
17:29 < Valect> why would that cause an issue with the tls stuff?
17:30 < krzee> Aug 6 15:25:03 openvpn[24596]: event_wait : Interrupted system call (code=4) not sure its the problem
17:30 < krzee> just see that the server errors right after that
17:30 < krzee> now i see the client giving that tls error too
17:31 < Valect> that was the server killing the previous instance
17:31 < krzee> could be a corrupted cert too
17:31 < Valect> i just generated these certs
17:33 < krzee> that guarantees no problem with them?
17:33 < krzee> also, you said you generated them using pfsense, did you do it with the web based thing?
17:34 < Valect> no, but i don't see where or how they could have become corrupted
17:34 < Valect> no
17:34 < Valect> oh
17:34 < Valect> wait
17:34 < Valect> damn it
17:34 < Valect> i did make the certs on a different machine
17:35 < krzee> you did it according to these directions: http://openvpn.net/index.php/documentation/howto.html#pki
17:35 < Valect> yea
17:35 < krzee> and if its done on another machine, make sure its time is correct
17:35 < Valect> [root@fileserver ~/easy-rsa/KEYS]# date
17:35 < Valect> Wed Aug 6 15:34:01 PDT 2008
17:35 < krzee> the same error you have ive seen fixed by updating times, and regenerating certs
17:36 < Valect> the time on this machine is correct because our samba stuff freaks out if it isn't
17:38 < krzee> try commenting out the cipher line on both configs
17:39 < krzee> is pfsense client or server?
17:39 < Valect> server
17:41 < Valect> you have no idea how difficult it is to manipulate pfsense through its webui command interpreter
17:41 < Valect> (ssh isn't working either, hooray)
17:41 < krzee> heh
17:41 < krzee> tru i do have no idea
17:41 < krzee> pfsense is modified fbsd, i just stick with fbsd
17:41 < krzee> with no gui
17:41 < Valect> my conf editor has become unwieldy combinations of sed, awk, and grep
17:41 < krzee> haha
17:42 < Valect> yea same here, 'cept this system was already in place when i was employed
17:42 < krzee> ahh work box
17:42 < krzee> understood
17:42 < krzee> heh, fun
17:42 < Valect> :p
17:43 < Valect> no error from the client
17:43 < krzee> after removing cipher?
17:43 < Valect> yea
17:43 < krzee> ahh
17:43 < Valect> nothing from the server
17:43 < krzee> then 1 of the boxes openssl used when compiling openvpn didnt have that cipher
17:44 < krzee> can either recompile openvpn after updating openssl, or weaken the used cipher
17:44 < Valect> ah
17:44 < Valect> i'm going to have to test this from a remote location later anyway, it's doing something else entirely
17:45 < krzee> both machines are on the same lan?
17:45 < Valect> oh i'm getting the tls error again
17:45 < Valect> yea heh :x
17:45 < krzee> heh
17:45 < krzee> thats a problem
17:45 < krzee> (routers in between?)
17:45 < Valect> i thought as much, however, i would have expected everything to work up until the point i try to use the tunnel
17:45 < Valect> no
17:45 < krzee> ya, problemo
17:46 < Valect> wouldn't it still connect though?
17:46 < krzee> possibly
17:46 < Valect> heh
17:46 < krzee> i know it wont work, dunno how far it would get
17:47 < krzee> i guess for the same reason i dont know how fast a broadcast storm would ramp up to taking down a LAN
17:47 < krzee> lol
17:47 < Valect> >:)
17:48 < Valect> bleh
17:48 < Valect> thanks for the help
17:48 < Valect> ill have to poke at this later
17:48 -!- Valect [n=aaron@71.39.93.58] has left ##openvpn []
17:51 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:53 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:34 -!- miggyb [n=miggyb@cpe-069-134-035-139.nc.res.rr.com] has joined ##openvpn
18:36 < miggyb> hello. i was wondering if i needed to make a vpn if my router was also my fileserver. that is, any person outside the network wouldn't have to do network area translation, a simple ssh tunnel would suffice.
18:36 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"]
18:36 < krzee> i dont fully understand the question
18:37 < ecrist> miggyb: can you rephrase?
18:38 < miggyb> krzee: it's not two separate networks that need to be joined together. i have a LAN where the router connecting me to the internet is also my fileserver. if i was outside the network and needed to access some files, i wouldn't have to connect to any computers in the LAN, just the router itself, right? i could just use the external ip instead of the internal one.
18:39 < krzee> ecrist, im starting to look into that bot now, gunna have it use !learn to learn !commands for common things, like !nat would give our common links for NAT stuff, !firewall, etc etc
18:39 < ecrist> ok - just don't build an annoying bot.
18:39 < krzee> that is correct
18:40 < krzee> ecrist, we use the same bot in #aircrack-ng and #remote-exploit, comes in very handy
18:40 < krzee> and ill be running it for the channel so if its decided that part or all of it is annoying, we'll just kill it
18:40 < ecrist> miggyb: that is correct - although, if it were my network, I'd either 1) tunnel over ssh, or 2) install openvpn and make the fileserver stuff accessible only via the vpn.
18:40 < krzee> (or remove the annoying part)
18:41 < krzee> i agree with ecrist
18:41 < krzee> i personally would make a simple openvpn setup for it
18:41 < krzee> ild be more inclined to only allow sshd over the vpn even
18:41 < miggyb> could i make a ssh tunnel without having to do a full vpn?
18:41 < krzee> yes
18:42 < miggyb> would there be any downsides to this, besides not being able to access every computer in the LAN, etc?
18:42 < krzee> www.ircpimps.org/openvpn.configs
18:42 < krzee> (sample configs from my network, which would work for you)
18:43 < krzee> only reason ild use openvpn as opposed to ssh as the way into the network is cause i trust its security more, but in reality nah both should work fine for you
18:43 < krzee> except... what do you use to serve the files?
18:44 < krzee> SMB, NFS, etc?
18:44 < miggyb> right now i'm just scp-ing them back and forth. but eventually, i'd like to get appletalk working.
18:44 < krzee> ahh, appletalk uses udp iirc, you may not be able to do that over a ssh tunnel
18:45 < miggyb> i read somewhere that it works over vpn, though.
18:45 < krzee> im not 100% on if appletalk will work over ssh tunnel
18:45 < krzee> right, it will work over vpn
18:45 < krzee> ssh tunnel is socks5, not vpn
18:45 < miggyb> ah, i see. so a vpn isn't just a ssh tunnel with NAT?
18:46 < krzee> not at all
18:46 < krzee> in fact a vpn doesnt do nat at all
18:46 < krzee> if you needed nat youd hafta do it at the OS level either way
18:46 < krzee> (but you dont need nat)
18:46 < miggyb> hmm. that's what i get for reading an oversimplified version of how vpns work.
18:46 < krzee> i dont use NAT on my vpns
18:47 < krzee> think of a vpn as a network cable running from 1 location to the other
18:47 < krzee> only, its a virtual cable which goes over the inet using encryption
18:47 < krzee> in openvpn's case, that encryption can be customized and strengthened like arnold on roids
18:48 < ecrist> miggyb: look into sftp - it's FTP via ssh.
18:48 < miggyb> ecrist: truth be told, i kind of hate ftp. i've had bad experiences with it. :)
18:49 < krzee> ya sftp is another way to meet your goal if you arent 100% sure you want appletalk
18:49 < ecrist> miggyb: it's not ftp though, it's its own protocol
18:49 < krzee> i would never use ftp, i use sftp often
18:49 < miggyb> krzee: so openvpn works at the "hardware" level, while ssh works at a higher level?
18:49 < ecrist> but, it gives you access to your files.
18:49 < ecrist> no, they're both application-layer.
18:49 < ecrist> erm, layer 6
18:49 < krzee> no, openvpn works either on link layer or network layer, depending if bridged or routed
18:49 < ecrist> transport
18:50 * ecrist goes for his book
18:50 < ecrist> layer for - transport
18:50 < ecrist> lol, four
18:50 < krzee> bridged mode is like hooking that cable into the LAN switch
18:50 < miggyb> well, i put hardware in quotes. i know you don't need a "vpn card." but having a software interface that looks like a hardware interface has its benefits, then?
18:50 * ecrist is drinking
18:50 < miggyb> i'm not that good with the terminology.
18:51 < krzee> have you read the howto and the faq?
18:51 < krzee> they are a big read but a lot of understanding can be gained from them
18:51 < ecrist> miggyb: openvpn isn't what you need - SFTP is your ticket.
18:51 < miggyb> krzee: i did. but this was a while ago and i could probably use a refresher
18:51 < ecrist> unless you want access to your lan, then openvpn is it.
18:51 < krzee> ecrist is right, although you can use openvpn (and i do for the same stuff you mention) it can be done easier with sftp
18:52 < miggyb> ecrist: part of the reason why i want to set it up using appletalk is so i could listen to my itunes library locally and on the road. the OS just sees a mounted volume called "music" and it doesn't know whether it's local or not
18:53 < ecrist> miggyb: You should have said you were on a mac - gimme a sec.
18:53 < miggyb> if anything, i'd be more open to samba/nfs, but samba has performance issues, and nfs isn't as integrated into the os
18:53 < miggyb> ecrist: sure
18:54 < ecrist> miggyb: look into ExpanDrive - it'll allow you to mount an SFTP share on your mac.
18:54 < krzee> but also
18:54 < ecrist> also, NFS is pretty much a core technology, it's VERY integrated.
18:55 < krzee> the openvpn setup for your needs is most simple to setup
18:55 < krzee> so if you would like to play with openvpn anyways, thats a good setup to get your feet wet with
18:55 < ecrist> if you're on linux or FreeBSD, look in to FuseFS
18:57 < miggyb> so what would be easier to set up, sftp or openvpn + smb/appletalk/nfs/etc
18:57 < miggyb> this is on freebsd
18:57 < ecrist> miggyb: there's no setup for sftp
18:57 < krzee> his way
18:57 < ecrist> enable ssh, and you're done.
18:58 < ecrist> use ExpanDrive on your mac, done deal.
18:58 < krzee> sftp is a subsystem of ssh
18:58 < krzee> if you can ssh, you can sftp
18:58 < ecrist> usually
18:58 < krzee> well ya
18:58 < krzee> it can be disabled
18:59 < krzee> but youd hafta try to do that
18:59 < ecrist> as long as you have "Subsystem sftp /usr/libexec/sftp-server" in your /etc/ssh/sshd_config
18:59 < krzee> default on fbsd (system or ports) will have it enabled
18:59 < miggyb> so performance is essentially the same as scp?
19:00 < ecrist> miggyb: scp and sftp use the same subsystem.
19:01 < ecrist> just different invocations.
19:01 < ecrist> also, KDE has built-in support for it, so you can call file systems with a standard URI (sftp://user@host:/this/directory)
19:02 < ecrist> in things like KDevelop, Quanta, etc.
19:02 < miggyb> hmm. i'm going to have to give this some thought. paying $30 bucks for something that i could have for free seems kind of... "wasteful," in a sense.
19:03 < ecrist> ok
19:03 < miggyb> is there a FUSE plugin for sftp?
19:03 < krzee> i believe so
19:04 < ecrist> miggyb: yes
19:04 < ecrist> I mentioned that, above.
19:04 < ecrist> 18:55 < ecrist> if you're on linux or FreeBSD, look in to FuseFS
19:04 < miggyb> oh, sorry.
19:05 < miggyb> haha. i've been having problems with only half-reading material.
19:05 < miggyb> i'm going to get conned out of something one of these days.
19:06 < ecrist> you know, though, it *is* polite to read everything that's being said, especially when you're asking for help.
19:06 < ecrist> :\
19:07 < miggyb> ecrist: i know. i apologize. i sincerely do appreciate the help you and krzee have given me. i wouldn't have considered sftp before this, but now, it seems as though it might be a viable solution.
19:08 < ecrist> sftp/scp/ssh is the most under-used utility I know.
19:09 < miggyb> ecrist: there's an entire generation of computer users that are afraid of using the terminal. i'm not saying i'm about to give up a nice GUI, but i also know some things are best typed out.
19:11 < miggyb> however, i need to crack open my laptop. i bought a 250gb drive for it and i can't wait to have that extra space.
19:11 < krzee> sftp isnt only CLI
19:12 < krzee> cyberduck is free for osX
19:12 < krzee> it supports sftp
19:12 < miggyb> again, thanks for all the help, and i'm sorry i skipped over that message. it was really an honest mistake, i didn't mean anything malicious from it.
19:12 < miggyb> krzee: i'll keep that in mind
19:13 < miggyb> goodbye, all.
19:13 -!- miggyb [n=miggyb@cpe-069-134-035-139.nc.res.rr.com] has quit ["leaving"]
19:13 < krzee> adios
19:13 * krzee high 5's ecrist
19:13 < krzee> drinking and still bustin out answers
19:13 < ecrist> lol
19:14 < ecrist> I'm a bottle deep in wine and 3 beers down the hatch!
19:14 * ecrist thinks of some Homer-isms.
19:14 < krzee> hah
19:15 < krzee> go for the fat bastard
19:15 < krzee> look at it and yell "get in mah belly"
19:20 * ecrist goes to start the grill
19:22 * krzee decides what discoteca to go to tonight
19:34 -!- krzee [i=krzee@unaffiliated/krzee] has quit ["bbl"]
20:34 -!- highzeth [n=highzeth@hoiseth.no] has quit [Read error: 104 (Connection reset by peer)]
21:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:33 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:33 -!- krzie [i=nobody@unaffiliated/krzee] has left ##openvpn []
23:40 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
23:40 < krzee> !learn krzee as http://www.ircpimps.org/pimpin.jpg
23:40 < vpnHelper> krzee: Error: "learn" is not a valid command.
23:41 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
23:41 < krzee> is too!
23:45 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
23:46 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
23:52 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
23:52 < krzee> !help
23:52 < vpnHelper> krzee: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
23:53 < krzee> !help learn
23:53 < vpnHelper> krzee: Error: There is no command "learn".
23:53 < krzee> !learn krzee
23:53 < vpnHelper> krzee: Error: "learn" is not a valid command.
23:53 < krzee> !help rss
23:53 < vpnHelper> krzee: (rss []) -- Gets the title components of the given RSS feed. If is given, return only that many headlines.
23:53 < krzee> !rss
23:53 < vpnHelper> krzee: (rss []) -- Gets the title components of the given RSS feed. If is given, return only that many headlines.
23:53 < krzee> !rss feed://feedity.com/rss.aspx/sourceforge-net/V1pVV1A
23:53 < vpnHelper> krzee: Unable to download feed.
23:53 < krzee> hrmz
23:54 < krzee> !quit
23:54 < vpnHelper> krzee: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
23:54 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
23:59 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
--- Day changed Thu Aug 07 2008
00:00 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
00:01 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
00:15 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Remote closed the connection]
00:15 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
00:15 < krzee> sorry for the rehashing
00:36 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit ["I was just trying to help!"]
00:53 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
01:54 -!- wyze [n=swc|666@unaffiliated/swc666/x-4934821] has joined ##openvpn
02:04 -!- MrY [n=mry@70.42.255.230] has joined ##openvpn
02:04 -!- MrY [n=mry@70.42.255.230] has left ##openvpn []
02:22 < kraut> moin
02:25 < krzee> hey
02:28 < wyze> is there any short answer to explain the cause of this error?
02:28 < wyze> us=228709 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
02:28 < wyze> us=230588 TLS Error: TLS object -> incoming plaintext read error
02:29 < wyze> us=997579 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
02:29 < krzee> heh ran into that one earlier
02:29 < krzee> you defining cipher manually?
02:30 < wyze> yep
02:30 < krzee> try commenting that out
02:30 < krzee> on both client and server
02:30 < krzee> then stop and start each
02:35 < wyze> no luck
02:37 < wyze> krzee: are you on debian by any chance when you experienced the issue?
02:43 < krzee> it wasnt me
02:43 < krzee> it was another person
02:43 < krzee> they were using pfsense and freebsd
02:43 < krzee> seemed 1 side didnt support the cipher he used
02:44 < krzee> have you made sure ntpdate time.nist.gov didnt show your time as being off on client/server/machine used to gen certs?
02:44 < krzee> cert files look fine?
02:44 < wyze> krzee yes to both
02:46 < krzee> temp comment tls-auth?
02:46 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:49 < krzee> are you using network manager?
02:49 < krzee> are you using ns-cert-type command in client? if so try commenting it
02:50 < wyze> no, i'm going from debian client > debian server
02:51 < wyze> has to be a debian issue... my configuration works flawlessly on fedora and freebsd
02:51 < krzee> you dont have openssl old enough that its still affected by that debian specific ovpn problem do you?
02:51 < wyze> nope
02:51 < krzee> err not ovpn
02:51 < krzee> ossl
02:52 < krzee> post your configs in pastebin
02:52 < wyze> i have 0.9.8g12
02:52 < wyze> 1 sec...
02:53 < krzee> also try those 2 things i suggested
02:53 < krzee> ill brb
02:53 < krzee> gotta reboot
02:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
03:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:08 < wyze> w00t
03:08 < wyze> looks like its resolved ;)
03:09 < krzee> any luck with the testing of commenting tls-auth, ns-cert type?
03:09 < krzee> ahh what was it?
03:09 < wyze> not sure actually.. :o
03:09 < krzee> erm
03:09 < krzee> what did you do?
03:09 < wyze> 1 sec... lemme review what i did again...
03:11 < wyze> i think it was a combination of time sync and switching from tap to tun w/ifconfig options
03:12 < wyze> attributes*
03:12 < wyze> cipher works also with AES-256-CBC too
03:14 < wyze> krzee: question... given that in this instance, i'm running this from a debian installation on my openmoko phone (client), is there any way that you know of to bypass issues if the client isn't sync'd for its system clock?
03:15 < wyze> the phone hw clock tends to get off beat
03:22 -!- wyze [n=swc|666@unaffiliated/swc666/x-4934821] has left ##openvpn []
04:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
04:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:57 < ecrist> morning, folks.
06:58 < cpm> morn'n
07:50 -!- highzeth [n=highzeth@hoiseth.no] has joined ##openvpn
09:25 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
09:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:50 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
09:53 -!- Irssi: ##openvpn: Total of 28 nicks [0 ops, 0 halfops, 0 voices, 28 normal]
09:58 -!- Lin [n=igormorg@unaffiliated/lincity] has quit ["Ex-Chat"]
10:17 -!- fozzmoo [n=fozz@209.41.95.5] has left ##openvpn []
10:38 -!- afrayedknot [n=user@sourcemage/elder/afrayedknot] has joined ##openvpn
10:41 -!- intangir [i=Intangir@c-98-197-217-152.hsd1.tx.comcast.net] has joined ##openvpn
11:32 -!- xattack [i=root@132.248.108.239] has joined ##openvpn
11:50 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
12:14 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
12:17 < intangir> does the dns setting work on linux?
12:21 < intangir> i put this in my config: dhcp-option dns 192.168.1.1
12:21 < intangir> but it never gets set
12:21 < intangir> also most of the routing changes are changed BEFORE the connection is even established..
12:21 < intangir> which complicates matters
12:38 < ecrist> intangir: all those settings should work fine on linux
12:49 < n3kl> Is it possible to setup a mirror port on openwrt?
12:52 < ecrist> you should ask openwrt
12:53 < intangir> ecrist: well it didnt
12:53 < intangir> i added commands to crontab to add the name server to /etc/resolv.conf
12:54 < intangir> who wants to hear about a rather unusual possibly unique set up ;)
12:55 < ecrist> enlighten us
12:55 < intangir> check it out.. my work has everything outgoing blocked except port 22
12:55 < intangir> everything in blocked
12:56 < intangir> so.. i use autossh to establish a ssh tunnel to my home machine on 22
12:56 < intangir> and port forward local 1194 to my home machine
12:56 < intangir> i use openvpn over tcp over that tunnel
12:57 < intangir> on both sides i setup the routing to allow my home machine to get to any server at work
12:57 < intangir> and my work machine to get to any machine at home
12:57 < intangir> and the ENTIRE INTERNET
12:57 < intangir> so i can use the whole internet without anyone at work seeing ;)
12:57 < intangir> both sides of my vpn tunnel allow nat for the other client
12:58 < intangir> its a ptp
13:02 < intangir> sounds simpler with that explanation but it was a pretty huge pain in the ass to setup
13:06 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:22 < ecrist> glad you got it figured out, intangir
13:22 -!- Irssi: ##openvpn: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 normal]
13:55 < intangir> http://www.youtube.com/watch?v=h6HLTBwCFO0
14:04 -!- xattack [i=root@132.248.108.239] has quit [Remote closed the connection]
14:16 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:21 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
14:29 < ecrist> SilenceGold: I've got svn setup and current sources for ssl-admin committed, if you're still willing to write man pages.
14:30 < ecrist> or contribute to the code.
14:46 < intangir> hey guys
14:46 < intangir> ok so i told you about that interesting setup..
14:46 < intangir> here's my dilemma
14:46 < intangir> i have to setup a special route, so that i can connect that tunnel that my openvpn is over
14:46 < intangir> then i setup a default route for all traffic to go over that
14:47 < intangir> the only IP that DOESNT go across the VPN (so the only one i cant access)
14:47 < intangir> is the website being hosted on the other side of this vpn tunnel
14:47 < intangir> i cant route it.. cause then i cant connect the tunnel..
14:47 < intangir> i want to connect to its port 80
14:47 < ecrist> intangir: you can do it, but it's going to be a really funky rule set.
14:47 < intangir> how?
14:50 < ecrist> lots of routes.
14:51 < intangir> its like i need to route it on one gateway if its port 22
14:51 < ecrist> properly subnet the internet in push route statements.
14:51 < intangir> or route it on another gateway if its 80
14:51 < ecrist> intangir: that sounds like a pf thing.
14:51 < ecrist> use pf with rdr rules.
14:51 < intangir> whats pf and rdr?
14:51 < ecrist> pf is a firewall, avail on *BSD.
14:52 < ecrist> you could probably do the same thing with ipfw and ipchains, but I'm not as familiar with those.
14:52 < ecrist> or, do it with local ssh tunnels.
14:52 < intangir> i have thought about ssh tunnels i dont think there's a way
14:52 < intangir> maybe the ip. tables/chains
14:53 < intangir> i always forget which is the newer
14:53 < intangir> tables
14:57 < rob0> You want a remote IP (routable, non-NAT'ed) to be bound over openvpn?
14:57 * rob0 has done that and posted a Linux-centric HOWTO on the mailing list
14:57 < ecrist> rob0: other way around.
14:58 < ecrist> he wants openvpn to be default, restrict certain ips to local
14:58 < rob0> In Soviet Russia, IP's restrict YOU
14:59 < cpm> yeah, they do that here
14:59 < cpm> :)
14:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:49 < intangir> iptables -t nat -A PREROUTING -p tcp -d intangir.org --dport 80 -j DNAT --to-destination 10.8.0.1
15:49 < intangir> thats what i used ;)
15:49 < intangir> changes the IP for packets to my vpn hosts WAN ip to instead use the vpn ip
15:49 < intangir> only for port 80
15:50 < ecrist> there ya go
15:50 * ecrist goes home
16:02 < intangir> is there a way to check if im getting fragmentation issues?
16:02 < intangir> i have the mtu for both my eth0 and tun0 as 1500
16:10 < kexman> intangir: what did you do that for ?
16:11 < kexman> ecrist: ipchains ? :) are you serious ? :)))
16:11 < kexman> that thing still exists ?
16:11 < kexman> didnt netfilter come up with iptables ?
16:21 < intangir> kexman: so i can http onto the vpn server
16:24 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Read error: 113 (No route to host)]
16:50 < kexman> hmm ?
17:40 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
18:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:07 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
18:33 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:36 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
18:36 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit []
18:37 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
18:38 < Valect> i need help getting openvpn working on freebsd over a tap device
18:38 < Valect> here's my config and ifconfig output: http://pastebin.ca/1095168
18:39 < Valect> i don't see anything wrong with it, but i can't actually reach the service
18:50 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit [Remote closed the connection]
18:50 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
19:00 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
19:43 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
20:26 < Valect> :|
21:11 < ecrist> Valect: have some patience.
21:11 < ecrist> :]
21:12 < Valect> it's only been 2.15 hours
21:12 < Valect> maybe 2.5
21:12 < Valect> too lazy to count
21:12 < ecrist> right, while my nick is present, I'm often not here - similar to many others.
21:12 < ecrist> I'm looking at your pastebin now.
21:12 < Valect> lol i know, just giving shit
21:15 < ecrist> so, is your config not working?
21:15 < Valect> openvpn doesn't complain about it
21:15 < Valect> Thu Aug 7 19:15:36 2008 OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Jul 1 2008
21:15 < Valect> Thu Aug 7 19:15:36 2008 TUN/TAP device /dev/tap0 opened
21:15 < Valect> Thu Aug 7 19:15:36 2008 /usr/local/etc/openvpn/scripts/create-bridge-on-start.sh tap0 1500 1590 init
21:15 < Valect> Thu Aug 7 19:15:36 2008 UDPv4 link local (bound): [undef]:1194
21:15 < Valect> Thu Aug 7 19:15:36 2008 UDPv4 link remote: [undef]
21:15 < Valect> Thu Aug 7 19:15:36 2008 Initialization Sequence Completed
21:16 < ecrist> ok, so, you can start openvpn, can your clients connect?
21:16 < ecrist> please don't paste here.
21:16 < Valect> no
21:16 < Valect> i can't access port 1194 locally either, using 127.0.0.1, 192.168.1.11, or 192.168.5.11
21:16 < ecrist> can you show me a client config, via pastebin?
21:16 < ecrist> and, after openvpn has been started, show me sockstat output.
21:17 < Valect> http://pastebin.ca/1095270
21:17 < Valect> oh snap i'm retarded
21:17 < Valect> i always try to telnet udp ports
21:18 < ecrist> yeah, you can't do that.
21:18 < Valect> here's a client config
21:18 < Valect> http://pastebin.ca/1095272
21:20 < ecrist> ok, sockstat shows port 1194 is listening.
21:20 < ecrist> are you running a firewall?
21:20 < Valect> i'm checking out the firewall.. it may have decided to take back over
21:22 < Valect> so this openvpn is behind our firewall.. would i have to setup a rule to forward 1194 to 192.168.1.11 or 192.168.5.11
21:23 < Valect> because neither is working
21:23 < Valect> but i want to be sure before i start messing with other things
21:24 < ecrist> you would have to forward udp:1194 in to your openvpn server, yes
21:25 < Valect> yea but to which interface
21:25 < ecrist> either one - openvpn is listening to both.
21:25 < Valect> k
21:31 < Valect> i'm starting to think pfsense is lying to me
21:33 < ecrist> I'm thinking you have a firewall issue, and not an OpenVPN issue.
21:34 < Valect> at this point i would have to agree
21:34 < Valect> but you see no problems with my configs?
21:34 < Valect> that's what i wanted to verify
21:35 < ecrist> no problems with the config I can see.
21:35 < Valect> cool
21:35 < Valect> thanks
21:35 < ecrist> np
21:36 < ecrist> weren't you asking this same stuff in ##freebsd earlier today?
21:36 < ecrist> ;)
21:39 -!- near [n=near@83-156-241-63.rev.libertysurf.net] has joined ##openvpn
22:03 < Valect> almost
22:04 < Valect> i was asking about the bridge and tap device part
22:58 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit []
23:01 < _aia_> any reason why I'm getting Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
23:18 < _aia_> getting failed to update database TXT_DB error number 2 when I try to create another client
23:18 < _aia_> server connects fine
--- Day changed Fri Aug 08 2008
00:23 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
00:23 < Valect> anyone still here?
00:29 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
00:44 -!- wyze [n=swc|666@unaffiliated/swc666/x-4934821] has joined ##openvpn
00:44 < wyze> krzee: ping
01:13 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:17 < Valect> ahoy wyze
01:17 < wyze> :o
01:18 < Valect> you in vegas?
01:21 < wyze> hell no
01:21 < wyze> i might go saturday
01:21 < Valect> lol
01:28 < Valect> omg!?
01:28 < Valect> i think i finally got openvpn working
01:30 < Valect> hrm not quite
01:30 < Valect> it's connected at least, but now i have to figure out why i can't reach anything on the smae subnet
01:30 < Valect> smae
01:30 < Valect> same
01:42 < wyze> iptables?
01:43 < wyze> and are you pushing dns to the client?
01:44 < Valect> no, and yes
01:44 < Valect> but i'm trying to reach an IP anyway
01:44 < Valect> i will worry about dns later :x
01:45 < wyze> u should edit your... umm, which os is the server?
01:45 < Valect> freebsd
01:45 < wyze> u need a echo 1 > /proc/sys/net/ipv4/ip_forward
01:45 < wyze> and
01:45 < wyze> iptables -t nat -A POSTROUTING -s 192.168.2.3 -j SNAT --to 123.123.123.123
01:45 < wyze> iptables -t nat -A POSTROUTING -s 192.168.2.4 -j SNAT --to 123.123.123.123
01:45 < wyze> iptables -t nat -A POSTROUTING -s 192.168.2.5 -j SNAT --to 123.123.123.123
01:46 < wyze> where 123.x.x.x.x is your ip
01:46 < wyze> and where the 192.x.x.x addy are the ones being distributed to the clients
01:46 < Valect> there's no iptables in play
01:46 < wyze> ah thats right..
01:47 < Valect> and i can't remember if freebsd has an ip_forward thing
01:49 < wyze> are u using pf at all?
01:50 < Valect> pf is on the firewall in front of it, and 1194 is mapped to it
01:50 < wyze> try this... tweak to your needs..
01:50 < wyze> http://pastebin.ca/index.php
01:51 < Valect> heh
01:51 < wyze> i had it running on openbsd some time ago, but disabled it... that tidbit was from some notes i had
01:51 < Valect> try again :)
01:51 < Valect> pastebin.ca echos the url instead of forwarding you to it
01:51 < wyze> http://pastebin.ca/1095430
01:51 < wyze> duh
01:52 < Valect> :p
01:52 < wyze> 234239864 things going on @ once
01:52 < Valect> >.<
01:52 < wyze> none of them good either
01:52 < Valect> not fun
02:03 < Valect> i suspect this may be part of my issue
02:03 < Valect> E:\Documents and Settings\Aaron>tracert 192.168.10.11
02:03 < Valect> Tracing route to 192.168.10.11 over a maximum of 30 hops
02:03 < Valect> 1 * * * Request timed out.
02:08 < Valect> whoa
02:09 < Valect> i added
02:09 < Valect> ifconfig 192.168.10.1 192.168.10.2
02:09 < Valect> push "route 192.168.10.1"
02:09 < Valect> and it works
02:10 < Valect> the push route wasn't even needed
02:10 < Valect> :s
02:12 < wyze> ahhh
02:12 < wyze> u know what, i had a similar issue last night
02:13 < wyze> i got openvpn running on the debian sd install on my neo and that was a factor i neglected
02:15 < Valect> i'm not even sure i understand *why* that line works
02:15 < Valect> but at least it does
02:16 < Valect> now i have to get samba working over openvpn
02:47 -!- wyze [n=swc|666@unaffiliated/swc666/x-4934821] has left ##openvpn []
03:06 < krzee> intangir, http://help.expedient.com/broadband/mtu_ping_test.shtml
04:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:35 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit [Read error: 110 (Connection timed out)]
05:35 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
05:44 -!- pinchartl [n=User@49.198-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
05:44 < pinchartl> hi
06:12 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit [Read error: 110 (Connection timed out)]
06:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:26 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
07:05 < ecrist> morning, kids
07:05 -!- Irssi: ##openvpn: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 normal]
07:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
07:15 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn
07:17 < rmull> I wonder where Taishi's gone.
07:39 * ecrist doesn't know.
07:40 < rmull> In happier news, my openvpn has 30 days of uptime
07:41 < ecrist> grats.
07:42 < ecrist> ours has been running since May 3, 2008.
07:42 < ecrist> :)
07:43 < rmull> Ahh very nice
07:43 < rmull> Hey, you changed the topic?
07:43 < ecrist> at some point, yeah
07:44 < rmull> No more "fascinating HOWTO?" haha.
07:44 < ecrist> lol
07:44 < rmull> I haven't been around these parts in a few days
07:44 < rmull> Been hanging out in #nginx
07:44 < ecrist> ah, yeah, I changed the topic on Aug 1
07:44 < ecrist> what's that?
07:44 < rmull> It's a really fast http server/reverse proxy, built in Mother Russia
07:45 < rmull> We're using it to provide a single entry point for all the external access to our HTTP servers, but we're serving out a wildcard ssl cert with it as well
07:46 < rmull> So basically we're using it to reduce our exposure and encrypt all outside access to our webservers
07:46 < rmull> And benchmarks show it to be crazy fast, so that's cool too.
07:46 < ecrist> sounds neat.
07:46 < rmull> Damn right :D
07:46 < ecrist> Big IP has an appliance that does similar things.
07:47 < rmull> We're just a ~15 employee firm though, so I don't think we need to drop the money on something too serious
07:47 < rmull> I talk to a guy who works at F5 pretty regularly - he works on the Big IP device and has some good things to say about it
07:48 < rmull> Personally, I'm more interested in the model that appears in the rotation of images they have on their homepage: http://www.f5.com/images/home/home004.jpg
07:48 < ecrist> there's a guy in our data center (he hosts ilounge, amongst others) who has 5 Big IPs and uses them for SSL proxying.
07:48 < rmull> :D
07:49 < pinchartl> rmull: sounds interesting. I'll give it a try. we're a 20 employee firm and nobody seems to be interested in security here :-(
07:49 < pinchartl> we develop networking-aware products, and their idea of tcp security is a 16bit password on a clear connection
07:50 < rmull> pinchartl: It's definitely worth looking into. I just have it running in a VM with 128M RAM allocated, and the machine idles at 11-12M (CentOS)
07:50 < rmull> ecrist: Any idea of how much traffic that setup sees?
07:51 < ecrist> rmull, I think he said he's seeing a consistent 140Mbps
07:51 < rmull> Wow, that's big-time.
07:51 < rmull> Yeah, we're not at that level and probably never will be :D
07:51 < pinchartl> speaking of wildcard ssl certs, how do you do that ?
07:51 < ecrist> pinchartl: set CN to *.hostname.com
07:51 < pinchartl> I got a few CNAME records pointing to the same http server with virtual hosting enabled
07:51 < pinchartl> ok
07:52 < ecrist> not recommended, though.
07:52 < pinchartl> do you know if subjectAltName can be used to specify alternate names for virtual hosts ?
07:52 < rmull> Yeah, that's the one shortcoming - one cert for all sites
07:52 < ecrist> for a hosting provider, that is.
07:52 < ecrist> yes, I believe so.
07:53 < rmull> But afaik, there's no way to use multiple certs, one for each vhost or proxied host, right?
07:53 < rmull> If it's served from a single IP
07:53 < ecrist> you can, but they've got to have their own IP.
07:54 < pinchartl> there's actually an SSL extension to do that, but it's not supported in openssl 0.9.8
07:54 < pinchartl> 0.9.9 should work
07:54 < rmull> Is it supported by browsers, or does it not matter on the client end?
07:54 < pinchartl> it's a kind of Host: header at the SSL level
07:54 < pinchartl> so clients will have to be upgraded
07:54 < rmull> Okay. Glad to hear it's in the works
07:55 < pinchartl> but I think IE already supports it, and maybe Firefox as well
07:55 < pinchartl> the other standard option is to issue an UPGRADE http command on a clear connection after sending the Host header, but that has never been widely deployed
07:59 < rmull> I just upgraded to Firefox 3 and was amazed at the new treatment of self-signed certs
07:59 < rmull> I saw the hullabaloo on slashdot when it hit the news, but I hadn't experienced it until just recently
07:59 < pinchartl> they tightened their security procedures
08:00 < pinchartl> not a bad thing
08:00 < pinchartl> it should also dropped ill-formed html/xhtml :-)
08:00 < pinchartl> s/dropped/drop/
08:00 < rmull> Lol
08:01 < rmull> I ran a wordpress installation I'm running for a LUG through the validator and it had something like ~80 errors
08:01 < rmull> Should probably switch to a CMS with less bullshit
08:01 < ecrist> pinchartl: I think the way firefox handles self-signed certificates is misleading.
08:01 < pinchartl> if all internet browsers had an html/xhtml validator built-in website designers would fix them
08:01 < pinchartl> ecrist: why ?
08:01 < ecrist> we fix ours her.
08:01 < ecrist> here*
08:02 < pinchartl> I've recently found a website with two s
08:02 < rmull> pinchartl: Moinmoin has the "validated xhtml" logo on the bottom of their pages, but if you actually run it through the validation, it fails. :P
08:02 < ecrist> pinchartl: they *overly* imply that the site the user is connecting to is dangerous/fraudulent.
08:02 < rmull> ecrist: I think I agree with you for the most part
08:03 < rmull> I just get constantly nagged by the "trust" aspect of SSL
08:03 < rmull> But it costs so much to be trusted
08:03 < rmull> And anyone with money seems trustworthy.
08:03 < ecrist> I think, if they gave you a yellow bar, similar to the one they have for "do you want me to remember this password", indicating that, while the connection was encrypted, the site's identity cannot be verified, would be sufficient.
08:03 < ecrist> rmull: exactly.
08:03 < rmull> That would be acceptable to me.
08:04 < pinchartl> ecrist: the risk may be overstated by Firefox, but that's better than understating it :-)
08:04 < ecrist> pinchartl: that doesn't make it less wrong, on the part of mozilla.
08:04 < ecrist> Safari does it nicely, without a lot of doom and gloom.
08:04 < cpm> yeah, that's pretty funny. I'd *love* to see an analysis of ssl certificate fraud. Where 'untrusted' certificates actually caused loss, relative to 'trusted' certificates that were acquired via fraudulent means.
08:05 < cpm> There are cases where folks paid good money to acquire certificates in another company's name. using faked letterhead kinda stuff.
08:05 < ecrist> I have IT people here, who, when they started using Firefox 3, thought we were having internal website problems because the ssl error wasn't friendly, at all. It's similar to a connection failed, 404, etc.
08:05 < rmull> cpm: Lol, letter-head verification cracks me up
08:06 < ecrist> yeah, no doubt.
08:06 < cpm> that I'll bet led to losses greater than whatever losses were had by 'untrusted' certificates.
08:06 < pinchartl> ecrist: that's right. we've been bitten by that too
08:06 < cpm> rmull, goes to show that the only thing 'trusted' CAs care about is the money.
08:07 < rmull> For my personal stuff I've been using cacert.org
08:07 < ecrist> I'm a proponent of self-signed certificates. In the case of my networks, I control, 100%, the certificate chain. for better or for worse. All I've got to do is make sure the root CA certificate is installed on the client machines, and there are no problems.
08:07 < cpm> ecrist, I'm not so keen on self signed, esp since there are alternatives.
08:08 * cpm uses CACert.org certificates
08:08 < rmull> I support that :D
08:08 < ecrist> lol, cacert.org uses an invalid certificate, according to ff3.
08:08 < ecrist> no different than my self-signed ones.
08:09 < rmull> ecrist: You don't have the root cert installed in your browser
08:09 < cpm> ecrist, that's right. FF (moz in general) will not accept it, by default (you can install the root ca) because they claim the model isn't trusted.
08:09 < cpm> Because it's a chain of trust, rather than a chain of cash.
08:09 < rmull> It's installed by default in a couple of more obscure browsers, but not yet in FF.
08:09 < ecrist> right, so using cacert.org is no different than signing my certificates myself.
08:10 < cpm> certificates have to be signed by verified 'Persons', rather than faceless corporate entities.
08:10 < cpm> ecrist, no, it isn't the same.
08:10 < ecrist> sure it is.
08:10 < cpm> no, it isn't.
08:10 < ecrist> sure it is.
08:10 < cpm> how is it the same?
08:10 < cpm> I have no earthly idea who you are. In fact, I have no idea that you actually exist.
08:11 < cpm> no one has verified that you exist.
08:11 < ecrist> exactly, same goes for cacert.
08:11 < cpm> Not at all.
08:11 < cpm> in order to get a certificate, you have to submit a csr, as a verified person, known.
08:11 < cpm> the csr is traceable to you.
08:12 < ecrist> yep
08:12 < ecrist> it's a matter of who you trust to do the initial, root, verification.
08:12 < cpm> the certificate granted is on a sliding scale of trust, depending on how many signatories have signed your signing key.
08:12 < cpm> Exactly.
08:13 < rmull> I use them because it's more likely that people will have that cert installed. Because many people use CACert, many people may have already installed the root cert. If they haven't, I would like them to so that CACert gets more publicity.
08:13 < ecrist> in our organization, I'm the network administrator. I'm trusted, exclusively, for all network decisions, including who/what gets on the network. As such, I've created our organizational root certificate.
08:13 < ecrist> VPN certs, etc, all pass through my hands.
08:13 < cpm> in order to get a cacert certificate. You have to be a known person, that some other known person has vouched for. Actually, not exactly true. You can get a certificate without being vouched for, but it will have no trust credentials.
08:13 < rmull> ecrist: Running an in-house CA is not "recommended" though, no?
08:14 < ecrist> rmull: wrong.
08:14 < ecrist> why wouldn't it be recommended?
08:14 < ecrist> why do you think *most* ssl-enabled programs, OpenVPN included, don't have a pre-established group of trusted certificates?
08:14 < rmull> Hmm.
08:14 < ecrist> the browser industry is a scam when it comes to SSL.
08:15 < rmull> That's a fact, which is why I went with CACert :P
08:15 < ecrist> the only reason the big CAs are *trusted* is because they paid money.
08:15 < ecrist> rmull: CACert is no different, and they do *less* to verify identity than the others.
08:15 < cpm> self signed works okay. Again, I think the actual incidence of compromise has come from 'trusted' cas, rather than self signed. Self signed opens the door wide to mitm attacks. but these are relatively rare. And I'm personally not aware of one.
08:15 < ecrist> as such, my argument stands.
08:16 < cpm> ecrist, not so. You are misinformed on this.
08:16 < cpm> they do NOT do less. In fact, they do more.
08:16 < cpm> the only thing 'the others' do, is take money.
08:16 < ecrist> cpm, I've read through all the emails and blogs regarding cacert.org's attempt to get included in mozilla applications.
08:16 < cpm> you want it, you pay for it, you get it. The end.
08:17 < cpm> ecrist, lotta straw men in those arguments.
08:17 < ecrist> cpm?
08:17 < ecrist> the only thing you gain by going to an outside CA is a chain that's only conveniently trusted.
08:18 < cpm> No. Again, not so.
08:18 < cpm> you remove the mitm attack vector.
08:19 < pinchartl> I use self-signed certificates internally too. no major issue, except that I had to recreate all my certificates at some point because I made a mistake in the root CA certificate :-)
08:19 < ecrist> well, I think we're going to have to agree to disagree on this one, cpm.
08:19 < ecrist> cpm, where's the mitm attack on a self-signed certificate, if the root CA is pre-configured on client machines?
08:19 < cpm> ecrist, sure. When you get your facts straight. I will agree to disagree. The statement that a self signed, and a cacert.org signed certificate are of the same security level is demonstrably false.
08:19 < rmull> Even if they're not any more trustworthy than paid-for CAs, if there's a possibility that they'll eventually be included in popular browsers because a lot of people use them and they have a solid ID verification process, I support that it's the best option for a free non-self-sign SSL solution. I'd like to see them be included in popular browsers.
08:20 < ecrist> the only real disadvantage is that they're not pre-included in web browsers.
08:20 < ecrist> cpm, I *do* have my facts straight.
08:20 < cpm> but to the overarching point that self-signed is good enough. No argument.
08:21 < cpm> a cacert.org certificate is signed by a third party. A self signed is not. They are not equivalent.
08:21 < pinchartl> the reason why big CAs are trusted is that they are supposed to verify your identity when you submit a CSR. in theory they do, in practice they are often careless. as CA cert is free, there is no way they can dedicate the necessary resources to perform this kind of verification
08:21 < rmull> self-signed may be good enough for purely internal things, but for everything else, cacert is a better option.
08:21 < ecrist> part of my point, cpm, is *why* should I trust XYZ CA?
08:21 < cpm> ecrist, depends.
08:21 < cpm> doesn't it?
08:21 < ecrist> that's just it.
08:22 < ecrist> that's the majority of my point.
08:22 < cpm> but from a crypto analysis standpoint, they cannot be equivalent.
08:22 < ecrist> there's no good reason to trust them other than I've been told to.
08:22 < cpm> sure there's good reason. but you are splitting hairs. Do you trust the math behind ssl in the first place?
08:22 < ecrist> cpm, I'll concede that issue - is a third party-verified certificate better than one that's not? of course.
08:23 * cpm bows to ecrist
08:23 < ecrist> where my issues lie is in *who* that third-party is. who the fuck is XYZ CA? I don't know them. I don't know the people who make the decisions.
08:23 < ecrist> I'd rather have my Mom, and her self-signed CA by my third-party, than XYZ CA.
08:24 < ecrist> s/by/be
08:24 < ecrist> cpm, SSL serves two uses - encryption and identification.
08:25 < ecrist> we're arguing identification, there are few issues with encryption.
08:25 < ecrist> now, a lot of the identification stuff could be solved if there were a flag in SSL certs to say, this is an encryption-only certificate.
08:25 < cpm> true dat. in the case of encryption (I think) it's nearly identical. As your point illustrates.
08:25 < rmull> We're forgetting that CACert has "levels" of trust: http://www.cacert.org/index.php?id=19
08:26 < ecrist> which would turn off all the doom-and-gloom errors in browsers, with just a warning, as I mentioned previously.
08:26 < cpm> rmull, I'm not.
08:26 < ecrist> me either.
08:26 * rmull takes it back
08:26 < cpm> ecrist, good point.
08:26 < cpm> which would be a nod to the practical aspect of 'the way things really are'.
08:27 < ecrist> right
08:27 < pinchartl> rmull: interesting
08:27 < ecrist> I use SSL on my sites not for identification, but for encryption.
08:27 < ecrist> banks, etc, *should* use them for both.
08:27 < ecrist> I could really care less if someone mitm my wikipedia password
08:28 < ecrist> my bank account password, otoh, is a different issue.
08:28 < rmull> ecrist: But according to your argument, how can banks use them for both if XYZ CA is unable to be trusted? 08:28 < cpm> well, that was fun. 08:28 < cpm> :) 08:28 < ecrist> rmull: that's the issue. people are sheep. 08:28 < cpm> rmull, it's possible to use ssl for identification only, like the default gmail. 08:29 < ecrist> they trust XYZ CA because their browser tells them to. 08:29 < rmull> cpm: But all of us here say that SSL as ID is inherently broken. 08:29 < rmull> Trust is bought. 08:29 < rmull> And self-signed is no better. 08:29 < ecrist> in MY perfect world, when you open your bank account, you get a disk with the banks (third-party verified) root CA, which I would install to my browser. 08:30 < rmull> Let's talk about how broken credit cards are in their existing state when we're done :D 08:30 < ecrist> or RFID 08:30 < rmull> Seriously. 08:31 < cpm> in my perfect world, you don't sweat it. You, as a grown up, deal with someone else as a grown up, you assess the risk, pay yer money, take your chances. The End. The rest is all a bunch of hooey. 08:31 < ecrist> I've been working in the access-control industry for ~10 years now - it's scary how easy it is to break in to some places. 08:31 < rmull> That's not a bad philosophy. 08:32 < ecrist> cpm: that's the way most people do operation, in reality, myself included. 08:32 < cpm> The only contract I have any respect for, is a hand shake, anyone who will not trust a handshake is not trustworthy themselves, because they expect you to screw them, and I don't like dealing with people like that. I expect them to keep an eye on the loophole to try and screw me. 08:32 < ecrist> because my bank didn't give me a disk with their root ca, doesn't mean I don't use online banking. 08:32 < ecrist> ;) 08:32 < cpm> Break a deal, Face the Wheel! 08:32 < ecrist> cpm agreed. 08:37 < rmull> Man, the photos from the CERN supercollider are insane. 
08:39 < rmull> http://cdsweb.cern.ch/collection/Photos?ln=en 08:39 < rmull> So much engineering. 08:49 * cpm loves that stuff 08:49 < cpm> that was a great big fuckup in my life. 08:49 < cpm> I was in the service back in the mid-80s, and I had it all planned out. 08:51 < cpm> back then, there was all this go-ahead money towards the Superconducting Super Collider (SSC) particle accelerator project down in texas. this thing was going to be about the size of manhattan. And pretty much the whole deal was done, they were even beginning excavation of the site about the time I was going to muster out of service. 08:51 < cpm> i was going to go to texas, sign on as a apprentice electrician, (I had the skillz) and do whatever the hell it took to stay on the project until it was active. 08:52 < cpm> then get a job as a plant management electrician, the guy with the green work pants and shirt and all the keys to all the breaker panels. 08:52 < cpm> Be the dude who knows the ssc as well as anyone alive. Work there until I died. 08:52 < cpm> that was my life goal. 08:52 < cpm> They cancelled it, of course. 08:52 < cpm> http://en.wikipedia.org/wiki/Superconducting_Super_Collider 08:53 < cpm> and that's my story. 08:53 < cpm> now I'm just a broken down, fat, grey haired sysadmin. 08:54 < rmull> That's mildly depressing :\ 08:58 < cpm> heh 08:59 < ecrist> lol 09:03 < pinchartl> "Mike Zusman, in his talk on Abusing SSL VPNs, revealed that he was able to successfully get a valid digital certificate for a subdomain in the Live.com domain (owned by Microsoft) from a Root CA provider that was not authoritative for the domain. This allowed him to insert a man-in-the-middle Live.com VPN connection without setting off certificate warnings." 09:03 < pinchartl> that's from blackhat 2008 09:05 < ecrist> wow 09:06 < ecrist> what ssl vpn software were they usnig? 09:06 < ecrist> using* 09:07 < ecrist> I wonder if that would work for OpenVPN. 
in the openvpn config, you have to specify a root CA certificate. as I understand, unless your certificate is signed by that specific CA, you don't get validated. 09:07 < ecrist> I guess, that's one other reason to have multi-factor authentication. 09:08 < ecrist> speaking of that, any of you guys played with the openvpn pam module? 09:13 < pinchartl> it's not a vpn software issue. the guy successfully bought an ssl certificate for a live.com subdomain from one of the big CAs without being affiliated with microsoft in any way 09:14 < ecrist> oh, was misreading it, then. 09:22 -!- eWizard [n=identd@88.222.138.61] has joined ##openvpn 09:24 -!- Irssi: ##openvpn: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal] 09:25 < ecrist> rmull: was it you who was building the bot? 09:25 < rmull> ecrist: Probably not, a bot to do what? 09:26 * ecrist looks to logs 09:27 < ecrist> ah, it was krzee. 09:27 < rmull> Ah 09:27 < rmull> What did he want it to do? 09:27 < ecrist> I think it was going to log the chan or something. 09:27 < ecrist> he said mail-list, but I don't know what that would do for us. 09:30 < rmull> Hmm. 10:03 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn 10:04 < ecrist> heya pumkinhed_ 10:05 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 104 (Connection reset by peer)] 10:15 -!- pumkinhed_ is now known as pumkinhed 10:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:34 < ecrist> morning, krzee 10:51 < krzee> g'mornin 10:51 < krzee> head kinda hurts 10:51 < krzee> fun concert last night =] 10:56 -!- mode/##openvpn [+o ecrist] by ChanServ 10:57 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html | Current Release OpenVPN 2.0.9 | Please use http://pastebin.com (or other) for >5 lines | Don't feed the trolls. 
10:58 -!- mode/##openvpn [-o ecrist] by ecrist 11:00 < krzee> oh and today im going to jump down waterfalls! 11:00 < cpm> krzee, what concert? 11:00 < krzee> heh 11:00 < krzee> it was tipico 11:00 < krzee> i live in the caribbean 11:00 < krzee> but the bands are very popular here 11:01 < cpm> where in the carrib? 11:01 < krzee> msg'ed 11:01 < krzee> its privileged information 11:01 < cpm> Ah, cool! Only been there once, but I liked it. 11:01 < krzee> if i told you I'd hafta kill you ;] 11:02 < krzee> ya its really nice 11:02 < cpm> yeah, but we can't talk about it. You'll have to kill me. 11:02 < krzee> hehe 11:02 < ecrist> lol 11:12 -!- pinchartl [n=User@49.198-78-194.adsl-static.isp.belgacom.be] has quit ["leaving"] 11:13 < cpm> ecrist, going back a bit, did you read the nice argument against including root CAs in browsers *at all*? 11:15 < rmull> Lol, oh lord. 11:18 < ecrist> cpm: which one? 11:19 < ecrist> I *thought* I read every line. 11:21 -!- eWizard [n=identd@88.222.138.61] has quit [Read error: 60 (Operation timed out)] 11:22 < cpm> umm, it's alluded to here: 11:22 < cpm> https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c12 11:24 < cpm> I must confess, that since the death of cypherpunks, as in the real death, not the many many little deaths, I kinda stopped paying a lot of attention. 11:34 < ecrist> hrm, cacert.org was supposed to be included back in 2004 - looks like mozilla == fail 11:37 < krzee> interesting argument 11:38 -!- SilenceGold [n=chris@70.232.50.35] has quit [Read error: 104 (Connection reset by peer)] 11:38 -!- xattack [i=root@132.248.108.239] has joined ##openvpn 11:39 -!- SilenceGold [n=chris@70.232.50.35] has joined ##openvpn 11:39 < ecrist> xattack: you're not really connecting from your root account, are you? 11:39 < krzee> irc'in from root is bad mmmkay 11:39 < cpm> mmmkay 11:39 < SilenceGold> which irc client allows exploits? 11:39 < SilenceGold> I haven't seen one yet 11:40 < krzee> allows or happens to have had? 
11:40 < krzee> there were some for bitchx iirc 11:40 < ecrist> SilenceGold: any client that allows for scripting. 11:40 * cpm fires up a nice dcc payload 11:40 < SilenceGold> only seen those who are foolish to run something like /run rm -rf /* 11:40 < krzee> http://www.google.com/search?hl=en&q=irc+client+exploit&btnG=Google+Search 11:41 < krzee> but that shouldnt even matter 11:42 < krzee> cause when people care about security they do nothing as root unless it needs root to be done 11:42 < krzee> regardless if its been proven something is vulnerable or not 11:45 < SilenceGold> I used to run irc as root 11:45 < SilenceGold> so I could make friends with smart people 11:45 < SilenceGold> when they exploit me...I became friends with them 11:45 * cpm chuckles 11:45 < SilenceGold> at least I didn't have a lame friend 11:45 < SilenceGold> :) 11:46 < krzee> hahaha 11:46 < krzee> alright im out, bbl 11:48 < xattack> ok I apologize for that , im still testing , so the easy way is using the same account 11:48 < ecrist> ok, it's a bad idea to do things like that as root. 11:49 < xattack> i know it ! .......i hope no one want to screw me up !!! 11:50 < krzee> while learning maybe use sudo to run a command with higher privileges when you need to 11:50 < krzee> like sudo rm -rf /protected/file 11:51 < krzee> then you are still only using 1 account, but it's not root 11:51 < krzee> http://www.gratisoft.us/sudo/man/sudo.html 11:51 < xattack> sudo .... i hate it , didnt like it since mac .......... 11:52 < krzee> huh? 11:52 < xattack> ...........long story 11:53 -!- xattack [i=root@132.248.108.239] has quit ["Leaving"] 11:54 < ecrist> I don't think he understands. 
11:58 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 12:08 -!- mode/##openvpn [+o ecrist] by ChanServ 12:09 -!- mode/##openvpn [+b *!?=root@*] by ecrist 12:09 -!- mode/##openvpn [-o ecrist] by ecrist 12:30 -!- xattack [i=invitado@132.248.108.239] has quit ["byte!!"] 12:34 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:37 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn 12:39 -!- Irssi: ##openvpn: Total of 32 nicks [0 ops, 0 halfops, 0 voices, 32 normal] 12:43 -!- Kaushal [n=Kaushal@59.184.24.251] has joined ##openvpn 12:43 < Kaushal> hi 12:44 < Kaushal> I am using Ubuntu 8.04 linux 12:44 < ecrist> hi 12:44 < Kaushal> whenever i have to connect to vpn, I need to add the route command on the command line 12:44 < Kaushal> is there a way to automate it 12:45 < ecrist> yes, it's discussed in the howto 12:46 < ecrist> but, your server admin should have pushed the routes to you. 12:46 < Kaushal> ecrist, can you please give me an example 12:46 < ecrist> first, why isn't your admin pushing the route? 12:47 < Kaushal> ecrist, I will definetly instruct him 12:48 < Kaushal> is there a way to do that 12:48 < ecrist> yes, it's a standard server config option 12:48 < ecrist> go to the howto and search for push_route 12:49 < Kaushal> sure 12:49 < Kaushal> http://openvpn.net/index.php/documentation/howto.html 12:50 < Kaushal> is that the one 12:50 < ecrist> yep 12:50 < Kaushal> ecrist, is it Pushing DHCP options to clients. 12:51 < ecrist> no 12:52 < ecrist> sorry, gave you wrong search string 12:52 < ecrist> push "1.2.3.4/cidr" 12:52 < cpm> bastard! 12:52 < ecrist> would be the option in the server config. 12:53 < ecrist> yeah, I already know I suck, cpm. Why you gotta rub it in? 12:53 * cpm hangs his head in shame 12:54 < Kaushal> ecrist, I will have a look into it 12:54 * ecrist runs away, throwing arms around, crying, in a fit of child-like humility. 
12:54 < Kaushal> ecrist, as you said there is an option from the client side too 12:54 < Kaushal> to add the route 12:54 < cpm> man, I feel really bad now. 12:54 < ecrist> Kaushal: if that doesn't work, and it should, there is a way in the client config to execute a custom script after the vpn has come up. 12:54 * cpm kills himself. 12:55 * ecrist kills his wife, kid, parents, then himself. 12:55 < _aia_> why is it that I can connect to rdp fine on the vpn server but not other applications 12:55 < Kaushal> ecrist, if you can point me to some examples 12:55 < cpm> wow, you must really be ashamed. 12:55 * cpm bows to ecrist's most excellent shame 12:57 < ecrist> Kaushal: I think it's up script and down 12:57 < ecrist> down script* 12:58 < ecrist> where is the full path to the script to run - but let me check on that. 13:00 < ecrist> erm, I think it's just up/down 13:00 < Kaushal> ecrist, i did not understand 13:00 < Kaushal> is it in the GUI on the client side 13:01 < ecrist> Kaushal: it's in the config file, on the client side. 13:01 < Kaushal> ok 13:02 < ecrist> Kaushal: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html#lbAP 13:04 * Kaushal read that page 13:04 * Optic moops 13:05 < Kaushal> ecrist, so on the client side where would be the location of config file 13:05 < Kaushal> not sure 13:05 < ecrist> Kaushal: usually in your c:\program files\OpenVPN\config 13:05 < Kaushal> thats windows 13:05 < ecrist> have your admin help you with this. 13:05 < Kaushal> I am using Ubuntu 13:06 < ecrist> well, then I don't know - it can vary. 13:06 < ecrist> Kaushal: what command do you use to build your vpn connection? 13:06 < rmull> Kaushal: Typical /etc/openvpn 13:06 < Kaushal> ecrist, I have used gui to connect to openvpn server 13:08 < ecrist> Kaushal: read the documentation for the gui, then. 
13:09 < Kaushal> ecrist, thanks 13:10 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 13:12 -!- Irssi: ##openvpn: Total of 34 nicks [0 ops, 0 halfops, 0 voices, 34 normal] 13:22 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit [] 13:40 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 13:43 -!- Kaushal [n=Kaushal@59.184.24.251] has quit ["Leaving"] 13:47 * ecrist wants to go home. 13:47 < ecrist> FRIDAY! \o/ 13:54 < rmull> wewt 13:55 < ecrist> one 13:55 < ecrist> more 13:55 < ecrist> hour 14:20 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 14:20 -!- wwalker [n=wwalker@pdpc/supporter/sustaining/wwalker] has joined ##openvpn 14:20 < wwalker> does OpenVPN work on Vista, or should I just hang myself? I've just spent 3 hours trying to get VMware working on a friend's Vista machine (he's 300 miles away, so I want to use OpenVPN to get to his machine via VNC) 14:24 < ecrist> wwalker: I think so. 14:34 < wwalker> ecrist: thank you. 14:35 < ecrist> np 14:44 < rob0> I think there are SSL-enabled VNC clients and servers, no? If that's all you need, openvpn is overkill. And if you just want to secure access to the VNC, a firewall can do that. 14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 16:01 < ecrist> mmmm hot pockets 16:07 -!- epsilon [n=epsilon@raid1.net] has joined ##openvpn 16:08 -!- epsilon [n=epsilon@raid1.net] has left ##openvpn ["Leaving"] 16:08 -!- epsilon [n=epsilon@raid1.net] has joined ##openvpn 16:10 < ecrist> coming or going? 
:) 16:35 < SilenceGold> bring it 16:44 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:26 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:45 -!- Irssi: ##openvpn: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal] 17:46 < ecrist> SilenceGold: if you didn't see my message yesterday, I've got svn running with ssl-admin code/etc committed. 17:46 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: chesty, linux_manju, wwalker 17:46 < ecrist> :) 17:48 -!- Netsplit over, joins: wwalker, linux_manju, chesty 17:48 -!- Alex [i=hauntedu@goatse.co.uk] has quit [Remote closed the connection] 17:51 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Remote closed the connection] 18:03 -!- int [n=quassel@wikia/int] has quit [Connection timed out] 18:08 -!- highzeth [n=highzeth@hoiseth.no] has quit ["Leaving."] 18:12 < SilenceGold> saw it, ecrist 18:12 < SilenceGold> like I said, I do best modifying something that someone already started 18:13 -!- Alex [i=hauntedu@goatse.co.uk] has joined ##openvpn 18:21 -!- Alex [i=hauntedu@goatse.co.uk] has quit [Remote closed the connection] 18:33 < ecrist> yeah, there's man pages there 18:33 < ecrist> trunk/ssl-admin/man1 and man5 18:54 -!- Alex [i=hauntedu@goatse.co.uk] has joined ##openvpn 19:00 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 19:08 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 19:18 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit ["Happy Hacking !"] 21:05 < rmull> Hey, was one of you working on a script that integrates cert management with active directory? Someone mentioned something about it a while ago. 
21:37 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Ex-Chat"] 21:37 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 21:37 -!- near [n=near@83-156-241-63.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:38 -!- near [n=near@88-122-28-164.rev.libertysurf.net] has joined ##openvpn 21:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Remote closed the connection] 21:52 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Ex-Chat"] 21:52 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 22:20 < ecrist> rmull: how would that work? 22:20 < ecrist> what would be the advantage of putting certs in ldap/ad? 22:20 < rmull> ecrist: Not so much "putting them in" as much as generating them based on the login IDs 22:21 < ecrist> oh, that would be pretty trivial, really. 22:21 < rmull> Yeah, I'm probably going to look into it. I've never worked with any sort of directory services. 22:21 < rmull> But assuming I can get a list of IDs, then I'm basically done, heh 22:21 < ecrist> right. 22:22 < ecrist> that's something I could roll into ssl-admin, to integrate with ldap/ad, build the certificate based on values stored there. 22:22 < rmull> Well, I'm all in favor :D 22:28 < ecrist> I'll add a ticket so I remember. 22:33 < krzee> hey nice 22:33 < krzee> i didnt know ssl-admin existed 22:33 < krzee> I'll have to give it a try sometime =] 22:33 < krzee> is it .sh? 22:33 < krzee> ahh nm, pl 22:33 < rmull> ecrist: Thanks man, I appreciate it 22:34 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has quit [Read error: 110 (Connection timed out)] 22:35 < ecrist> krzee: you don't like my perl foo? 22:35 < ecrist> o.O 22:35 < krzee> haha nothing wrong with perl =] 22:36 < ecrist> krzee: don't know what your OS of choice is, but I've had ssl-admin committed to the FreeBSD ports tree. 
22:36 < krzee> didnt mean it to sound like that 22:36 < krzee> ya i see that =] 22:36 < krzee> fbsd is my fav for servers 22:36 < krzee> osx for desktop 22:36 < ecrist> ditto 22:36 < ecrist> I was done fucking with fbsd on the desktop about 5 years ago. 22:37 < krzee> nice 22:37 < krzee> ya i never gave it much of a shot 22:37 < ecrist> bought a G4 powerbook and never looked back. 22:37 < krzee> used windows for many yrs for desktop til 2 yrs ago when i scored a macbook 22:37 < krzee> then MBP 22:37 < krzee> couldnt go back 22:38 < krzee> my fbsd machines never run X 22:38 < krzee> except my NFS at home 22:38 < krzee> but only have X on there for multiple terms, and i tossed in a TV tuner card since cable comes with the inet 22:39 < ecrist> I don't own a machine that runs windows anymore, and have two servers that run freebsd. 22:39 < krzee> oh and so i wouldnt need a TV to watch my dvds from my dvd changer 22:39 < krzee> ya no windows for me either 22:39 < krzee> although i wanna tri-boot it so i can play with some of johnny lee's wii-remote hacks 22:39 < krzee> now i dual boot ubuntu and osx 22:40 < krzee> for the hell of it, i wanted to play with beryl/compiz 22:40 < krzee> i never boot into it tho 22:40 < ecrist> I've been playing with VirtualBox to run freebsd/kubuntu virtual machines on my mac 22:40 < krzee> just kinda cool to be able to 22:40 < ecrist> seems pretty solid 22:40 < krzee> hehe 22:40 < krzee> whoa never hearda virtualbox 22:40 < krzee> i use vmware and parallels 22:41 < krzee> i use backtrack in vmware to pentest wifi, works great with my usb adapters and whatnot 22:42 < krzee> once had a mortgage company tell me they wouldnt let me disable their WEP 22:42 < krzee> so i demonstrated cracking it in 5-10 min, then started showing them the traffic that was going over their wired network... needless to say they let me disable it 22:42 < ecrist> lol 22:44 < krzee> i wish i could afford a mac pro 22:45 < ecrist> they're grossly over priced. 
22:45 < rmull> I'm extremely turned off by most things Apple Corp does. 22:46 < ecrist> but, time to give the wife some attention, watch a tivo'd copy of the olympic opening ceremony. 22:46 < ecrist> l8r guys 22:46 < krzee> later 22:46 < krzee> ya they're overpriced but soo sweet 22:46 < rmull> Have a good one 22:46 < krzee> and snow leopard will just be improvements to the multi-cpu tech 22:47 < krzee> and making everything slicker under the hood 22:48 < krzee> if i hit the lottery im so buying a mac pro 22:48 < rmull> Yeah, and people will stand in line outside all the Apple stores, and it will be happy times for everyone, etc etc. 22:48 < rmull> <_< 22:48 < krzee> ya! ;] 22:48 < rmull> Sorry. I think I'm Mac-racist. 22:48 < rmull> Lol 22:49 < krzee> i used to be 22:49 < krzee> back when they were good for graphics and door-stops --- Day changed Sat Aug 09 2008 00:11 < _aia_> haha 00:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:27 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 01:40 -!- _aia_ [n=_aia_@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 01:41 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 01:52 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 01:57 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 110 (Connection timed out)] 01:57 -!- RexMundi [n=RexMundi@ip-80-113-156-106.ip.prioritytelecom.net] has joined ##openvpn 02:02 -!- intangir [i=Intangir@c-98-197-217-152.hsd1.tx.comcast.net] has left ##openvpn [] 02:06 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 02:44 -!- RexMundi [n=RexMundi@ip-80-113-156-106.ip.prioritytelecom.net] has quit [Read error: 110 (Connection timed out)] 02:44 -!- RexMundi [n=RexMundi@ip-80-113-156-106.ip.prioritytelecom.net] has 
joined ##openvpn 03:18 -!- RexMundi [n=RexMundi@ip-80-113-156-106.ip.prioritytelecom.net] has quit [Read error: 104 (Connection reset by peer)] 03:20 -!- RexMundi [n=RexMundi@213.126.138.14] has joined ##openvpn 03:49 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 03:50 -!- RexMundi [n=RexMundi@213.126.138.14] has quit [Read error: 110 (Connection timed out)] 04:05 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 04:31 -!- afrayedknot [n=user@sourcemage/elder/afrayedknot] has quit [Read error: 60 (Operation timed out)] 04:33 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 04:45 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 06:28 -!- candyban [n=candyban@146.182-201-80.adsl-dyn.isp.belgacom.be] has joined ##openvpn 06:29 < candyban> hi guys, ... I have generated my keys (twice) already, but I can't seem to get a client to work (identical config to a client config that works) and I get : Aug 9 21:12:03 gwhome ovpn-eenderwat[4287]: Cannot load private key file /etc/openvpn/home.eenderwat.be.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib 06:30 < candyban> anyone an idea? (according to google, this is often when you are using the .csr instead of the .crt, which is not the case) 06:30 < candyban> Also: the next entry is: Aug 9 21:12:03 gwhome ovpn-eenderwat[4287]: Error: private key password verification failed ... 
which is weird as I did not set a password (build-key rather than build-key-pass) 06:33 < candyban> openssl verify -CAfile ca.crt home.eenderwat.be.crt 06:33 < candyban> home.eenderwat.be.crt: OK 06:34 < candyban> openssl verify -CAfile ca.crt home.eenderwat.be.key 06:34 < candyban> unable to load certificate 06:34 < candyban> 4297:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE 06:37 < candyban> which is the same on the working client configuration 06:37 < candyban> the only difference is that one machine is a genuine intel while the other is a VIA 06:40 < candyban> but both are using the i386 architecture ... can anyone point me in the right direction as to where to look? 06:40 -!- eWizard [n=identd@77.90.91.188] has joined ##openvpn 06:42 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 06:53 < candyban> nm. I found the error 06:53 < candyban> the problem was that I had accidentally put the .crt as the key file (woops) 06:54 -!- candyban [n=candyban@146.182-201-80.adsl-dyn.isp.belgacom.be] has quit ["Leaving"] 07:12 < kraut> moin 08:06 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 08:07 < onats> hello,what's the best router i can use to setup two remote sites to connect to each other? a computer for each location/ 08:22 -!- eWizard [n=identd@77.90.91.188] has quit ["Leaving"] 08:48 < ecrist> morning, people. 08:48 < ecrist> onats: what do you mean by 'router'? 08:49 < ecrist> if it's just for an OpenVPN connection between two locations, a older PC with FreeBSD or Linux would be perfect. 
09:37 -!- onats [n=onats@unaffiliated/onats] has quit ["Leaving"] 10:17 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Ex-Chat"] 10:17 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 10:37 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Ex-Chat"] 10:37 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 10:53 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 11:27 -!- HaRRT [n=Arthur@193.227.226.84] has joined ##openvpn 12:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 12:22 < SilenceGold> I'm looking at this 100mhz soekris board 12:22 < SilenceGold> wondering if it can do good as openvpn client 12:23 < epsilon> 100mhz FSB or CPU? 12:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:29 < ecrist> SilenceGold: possibly - can you get the crypto card with it? 12:44 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Remote closed the connection] 12:52 < SilenceGold> I doubt it 12:52 < SilenceGold> I don't know of a crypto card that does SSL for openvpn yet 12:52 < SilenceGold> I really want the two ports one 12:52 < SilenceGold> where an idiot user can just plug it in 12:52 < SilenceGold> and not get confused by multiple ports 12:53 < SilenceGold> and I'm talking about 100mhz cpu 13:16 < ecrist> I think that would only be good for low-bandwidth. 13:18 < ecrist> gigabit ethernet can saturate a P4 2.4GHz if there's a ton of small packets. 
13:21 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Leaving"] 13:21 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 13:41 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 15:17 -!- st1650 [n=eb@modemcable137.154-130-66.mc.videotron.ca] has joined ##openvpn 15:18 < st1650> What does this error means : 15:18 < st1650> Sat Aug 09 07:46:44 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 15:18 < st1650> Sat Aug 09 07:46:44 2008 TLS Error: TLS object -> incoming plaintext read error 15:18 < st1650> Sat Aug 09 07:46:44 2008 TLS Error: TLS handshake failed 15:21 < ecrist> it means your TLS certificate is invalid 15:21 < ecrist> in other words, what you think is an SSL certificate, isn't. 15:22 < st1650> Couldn't it be a connection problem ? 15:22 < ecrist> no 15:23 < st1650> It's not the first time I've set up an openvpn box and I'm pretty sure I didn't mess up my cert generation 15:23 < ecrist> it looks like the local copy of the ca root certificate doesn't exist. 15:23 < ecrist> st1650: it's an openssl error, not an openvpn error. 15:23 < ecrist> check your work. 15:23 < st1650> The error is on the client side right ? 15:24 < ecrist> could be either, you tell me. 15:24 < ecrist> which side are you seeing the error on? 15:24 < st1650> because I've test on both my XP and my Win2K3 box ... server is on a DD-WRT firmware 15:24 < st1650> client side 15:24 < ecrist> what's the error log saying on the server? 15:25 < st1650> hold on ... 15:26 < st1650> No idea how to access the log on a dd-wrt router ... 15:32 < ecrist> me either, #dd-wrt might help you, there. 15:32 < ecrist> show me your client config. 15:33 < ecrist> nm, gotta go to a bbq. 
15:33 < ecrist> good luck 15:33 < st1650> thx 15:33 < st1650> I'll try static key 15:54 -!- st1650 [n=eb@modemcable137.154-130-66.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 16:40 -!- linux_manju [n=manju@202.122.23.18] has quit ["Lost terminal"] 16:41 -!- tharvey|home [n=tharvey@76.205.222.173] has joined ##openvpn 16:42 < tharvey|home> how can I get a dns server/search-name added to my local host when connecting to an openvpn server? 17:01 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 17:08 -!- tharvey|home [n=tharvey@76.205.222.173] has quit [Read error: 104 (Connection reset by peer)] 17:11 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:35 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 17:39 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 18:24 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 18:24 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN 18:25 < krzie> !learn 18:25 < vpnHelper> krzie: Invalid arguments for learn. 18:25 < krzie> sweet 18:25 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit] 19:38 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN 19:39 < krzie> !learn krzee as http://www.ircpimps.org/pimpin.jpg 19:39 < vpnHelper> krzie: The operation succeeded. 19:39 < krzie> !krzee 19:39 < vpnHelper> krzie: "krzee" is http://www.ircpimps.org/pimpin.jpg 19:40 < krzie> !learn howto as OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 19:40 < vpnHelper> krzie: The operation succeeded. 19:40 < krzie> http://openvpn.net/howto 19:40 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 19:40 < krzie> heh, nice 19:40 < krzie> !howto 19:40 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 19:47 < krzie> !quit be right back 19:47 < vpnHelper> krzie: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 19:47 < krzie> heh 19:47 < krzie> !quit be right back 19:47 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit ["be right back"] 19:48 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN 19:48 < krzie> there, now its in the background 19:49 < krzie> ill consider adding some openvpn RSS feeds to it, but i think this config is the least obtrusive to the channel while still helping us 19:54 < krzie> !learn tcp as Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 19:54 < vpnHelper> krzie: The operation succeeded. 19:56 < krzie> !learn nat as http://openvpn.net/howto.html#redirect 19:56 < vpnHelper> krzie: The operation succeeded. 19:57 < krzie> !learn secure as http://openvpn.net/howto.html#security 19:57 < vpnHelper> krzie: The operation succeeded. 19:57 < krzie> http://openvpn.net/howto.html#security 19:57 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 19:57 < krzie> heh i love that 20:01 < krzie> !learn bridge as http://openvpn.net/index.php/documentation/faq.html#bridge1 20:01 < vpnHelper> krzie: The operation succeeded. 20:01 < krzie> !learn bridge as http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 20:01 < vpnHelper> krzie: The operation succeeded. 20:02 < krzie> !bridge 20:02 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 20:03 < krzie> !learn faq as http://openvpn.net/index.php/documentation/faq.html 20:03 < vpnHelper> krzie: The operation succeeded. 
20:06 < krzie> !learn sample as a working sample config: http://www.ircpimps.org/openvpn.configs
20:06 < vpnHelper> krzie: The operation succeeded.
20:07 < krzie> !sample
20:07 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
20:08 < krzie> !learn secure as http://openvpn.net/index.php/documentation/security-overview.html
20:08 < vpnHelper> krzie: The operation succeeded.
20:08 < krzie> !secure
20:08 < vpnHelper> krzie: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html
20:10 < krzie> !weather
20:10 < vpnHelper> krzie: (weather ) -- Returns the approximate weather conditions for a given city.
20:10 < krzie> !weather 92109
20:10 < vpnHelper> krzie: An error has occurred and has been logged. Please contact this bot's administrator for more information.
20:10 < krzie> heh
20:10 < krzie> !weather 92109
20:10 < vpnHelper> krzie: An error has occurred and has been logged. Please contact this bot's administrator for more information.
20:14 < krzie> !google openvpn howto
20:14 < vpnHelper> krzie: Error: Code red: 400 -> invalid key
20:15 < krzie> !google openvpn
20:15 < vpnHelper> krzie: Error: Code red: 400 -> invalid key
20:15 < krzie> !qgoogle openvpn
20:15 < vpnHelper> krzie: Error: The "QGoogle" plugin is loaded, but there is no command named "openvpn" in it. Try "list QGoogle" to see the commands in the "QGoogle" plugin.
20:15 < krzie> !qgoogle search openvpn
20:15 < vpnHelper> krzie: Error: The "QGoogle" plugin is loaded, but there is no command named "search" in it. Try "list QGoogle" to see the commands in the "QGoogle" plugin.
20:15 < krzie> !list qgoogle
20:15 < vpnHelper> krzie: google
20:15 < krzie> !qgoogle google openvpn
20:15 < vpnHelper> krzie: Error: Code red: 400 -> invalid key
20:16 < krzie> bleh i guess ill reg a key for that
20:18 < krzie> !quit be right back
20:18 < vpnHelper> krzie: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
20:18 < krzie> !quit be right back
20:18 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit ["be right back"]
20:20 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN
20:21 < krzie> !google openvpn
20:21 < vpnHelper> krzie: http://openvpn.net/ - Welcome to OpenVPN
20:21 < krzie> !google openvpn help
20:21 < vpnHelper> krzie: http://fedoraforum.org/forum/archive/index.php/t-81907.html - OpenVPN Help
20:21 < krzie> niiice
20:21 < krzie> !seen krzee
20:22 < vpnHelper> krzie: I have not seen krzee.
20:22 < krzie> !seen krzie
20:22 < vpnHelper> krzie: krzie was last seen in ##openvpn 6 seconds ago: !seen krzee
20:27 -!- krzie [i=krzee@unaffiliated/krzee] has quit ["BitchX: causing all sorts of havok!"]
21:38 -!- near [n=near@88-122-28-164.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:38 -!- near [n=near@88-122-31-232.rev.libertysurf.net] has joined ##openvpn
22:18 -!- solexious [n=solexiou@80-44-168-226.dynamic.dsl.as9105.com] has joined ##openvpn
22:18 < solexious> Hello any one free to help me with my bridge server config?
22:52 < ecrist> krzee: couple suggestions - could you echo the reply via /msg to keep chan traffic down?
22:53 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
22:53 < mooseman089> hey
22:53 < ecrist> also, could you test out of band?
22:53 < ecrist> mooseman089: hey
22:53 < mooseman089> do i need 2 nics to make a openvpn server in bridging mode?
22:54 < ecrist> no
22:54 < ecrist> generally, anyway
22:55 < mooseman089> yea well i have a dedicated linux firewall to bridge my lan to the internet via nat and i forwarded 1194 udp to a spare system which will be the server
22:55 < ecrist> mooseman089: should work just fine
22:55 < ecrist> we're doing a routed setup with one interface
22:55 < ecrist> same difference, really.
22:56 < ecrist> but, why not run the OpenVPN instance on your firewall
22:56 < ecrist> g'night
22:57 < mooseman089> ok is it normal that when i run /usr/sbin/bridge-start (with my changes) that i lose network connectivity?
22:57 < mooseman089> well i can still access systems on the same subnet but not ping google or anything
23:04 < mooseman089> anybody here?
--- Day changed Sun Aug 10 2008
00:36 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
00:57 < solexious> I get the same thing
00:57 < mooseman089> im glad im not alone
00:58 < solexious> what flavour of linux you using?
00:58 < mooseman089> debian
00:58 < mooseman089> u?
00:58 < solexious> a, ubuntu here so almost the same
00:59 < mooseman089> yea im making some progress i think
00:59 < mooseman089> is your client windows?
00:59 < solexious> nope, ubuntu as well
01:00 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:00 < mooseman089> ok
01:01 < mooseman089> check this out http://zzzmaestro.wordpress.com/2008/07/22/openvpn-bridging-two-networks/
01:01 < vpnHelper> Title: OpenVPN - Bridging two networks « Tech Stuff (at zzzmaestro.wordpress.com)
01:02 < mooseman089> i think the whole modifying the bridge-start with the route add default gw might be important
01:07 < mooseman089> did you try it?
01:08 < solexious> nope will do
01:08 < mooseman089> yea for me i can then ping google.com which is good
01:10 < mooseman089> but i connected my client and i cant seem to use anything on the lan like it was working
01:26 -!- solexious [n=solexiou@80-44-168-226.dynamic.dsl.as9105.com] has quit [Read error: 110 (Connection timed out)]
02:31 < mooseman089> does debian have a tap device by default?
02:45 < krzee> ecrist, the reply is most often not meant for the person who will say it
02:46 < krzee> ecrist, you may have noticed that we usually answer the same questions over and over in here
02:46 < krzee> or say the same things
02:46 < krzee> !howto
02:46 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:46 < krzee> etc
02:57 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
03:06 < mooseman089> in my openvpn log im getting the error "Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)" im on debian with bridge-utils installed
03:10 < krzee> you sure you have the tun/tap driver?
03:11 < krzee> and it is loaded if it is a module
03:11 < mooseman089> if i do lsmod i see bridge and tun
03:13 < mooseman089> is tap in that tun module or do i need something else?
03:13 < krzee> its the same
03:13 < mooseman089> hmmm any ideas whats wrong?
03:15 < krzee> ifconfig shows the bridge?
03:16 < krzee> !google "Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)"
03:16 < mooseman089> yea
03:18 < krzee> interesting the bot didnt bite
03:18 < krzee> !google Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
03:18 < mooseman089> yea well i have been doing a lot of googling but i havent found a solution yet and its driving me crazy
03:20 < krzee> openvpn --mktun --dev tap0
03:20 < krzee> done that?
03:20 < mooseman089> no i havent should i?
03:21 < krzee> i believe so
03:21 < krzee> i dont use bridge
03:21 < krzee> and it has been too long since i have
03:21 < mooseman089> i think that command is run with the bridge-start script?
03:21 < krzee> just to ask, why do you want a bridge?
03:21 < mooseman089> i need to browse samba shares and lan games
03:22 < krzee> gotchya
03:22 < krzee> valid reasons =]
03:22 < mooseman089> yea its not as easy as i planned though thats for sure
03:22 < krzee> ya i find routed much easier
03:23 < krzee> http://forum.openwrt.org/viewtopic.php?id=5264
03:23 < vpnHelper> Title: OpenWrt / Creating OpenVPN using bridge interfaces (at forum.openwrt.org)
03:23 < krzee> seen that right?
03:23 < mooseman089> yea the default bridge-start script didnt work for some reason i had to modify it with a route add default gw so when it ran i could still get to the internet
03:25 < mooseman089> yea i think i saw that link but ill look at it again
03:25 < mooseman089> even with my missing tap device error my win client can still connect but it cant access anything on the lan so the vpn isnt working
03:26 < krzee> you have tun driver loaded
03:26 < krzee> you have run the command i pasted
03:26 < krzee> tap0 is in ifconfig?
03:28 < mooseman089> i ran the command and i see tap0 in ifconfig but the log still gets the error after a restart and the vpn isnt working
03:29 < krzee> try killing the bridge and restarting it manually
03:29 < krzee> ls -l /dev/tap*
03:30 < krzee> <-- only here for another couple minutes, then movie time
03:30 < mooseman089> yea its 4:30am here so i have to sleep eventually....
03:30 < mooseman089> ls gets no such file or directory
03:30 < krzee> ya same time here
03:30 < mooseman089> after should i kill and restart manually?
03:30 < krzee> theres no error when you run the command i typed?
03:31 < krzee> (openvpn --mktun --dev tap0)
03:31 < krzee> and after that theres no /dev/tap)
03:31 < krzee> and after that theres no /dev/tap0
03:32 < mooseman089> i just get tun/tap device tap0; persist state set to: ON
03:32 < mooseman089> yea no /dev/tap0 after
03:32 < krzee> but after that there is no /dev/tap0
03:32 < krzee> odd
03:32 < krzee> you are root...
03:32 < mooseman089> lol i was just typing fyi all this is in root
03:34 < mooseman089> i shutdown openvpn and now there is only eth0 and lo in ifconfig
03:34 < krzee> ahh
03:34 < krzee> then run my command
03:34 < mooseman089> yea i just tried and still nothing in ifconfig or /dev/tap0
03:36 < mooseman089> what else could i try?
03:36 < krzee> ls /dev/net/
03:36 < mooseman089> tun
03:37 < krzee> modeprobe tun
03:37 < krzee> modprobe tun
03:37 < mooseman089> ok i didnt say anything after i ran it
03:38 < krzee> then the command...?
03:38 < mooseman089> i did the --mktun but nothing in /dev still
03:40 < krzee> !bridge
03:40 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
03:42 < mooseman089> yea i have seen both of those pages
03:42 < krzee> =/
03:42 < krzee> i dont know, when you find the problem please let me know so i can maybe help the next bridge user
03:43 < mooseman089> yea im going to keep working with this i bet its something simple im just totally missing....
03:43 < krzee> could be
03:44 < krzee> has to do with getting your OS to load the tap interface
03:44 < krzee> but im sure you knew that
03:44 < mooseman089> yea i thought my clean debian system would be perfect but im having second thoughts now
03:46 < mooseman089> do you think i need to do any like mknod commands?
03:46 < mooseman089> like here http://forums.gentoo.org/viewtopic-t-184737.html
04:08 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit []
05:57 -!- chayane [n=malana@unaffiliated/chayane] has joined ##openvpn
06:10 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
06:18 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
07:07 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
08:55 -!- kralor [n=kralor@hackincorp.net] has joined ##openvpn
08:55 < kralor> o/
08:57 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
09:01 -!- kaushal [n=kaushal@59.184.10.118] has joined ##openvpn
09:01 < kaushal> hi
09:02 < kaushal> i want to add this sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 while I am connecting to openvpn
09:02 < kaushal> is there a way to add it in the client side
09:04 < kaushal> anybody awake here
09:18 < kaushal> :/
09:55 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit [Remote closed the connection]
10:19 -!- wwalker [n=wwalker@pdpc/supporter/sustaining/wwalker] has left ##openvpn []
10:31 -!- HaRRT [n=Arthur@193.227.226.84] has quit [Read error: 104 (Connection reset by peer)]
10:44 < kaushal> ecrist, hi
10:44 < kaushal> ecrist, yt ?
11:11 -!- kaushal [n=kaushal@59.184.10.118] has quit ["Leaving"]
12:05 -!- chayane [n=malana@unaffiliated/chayane] has quit [Read error: 110 (Connection timed out)]
12:05 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
12:42 -!- mooseman089 [n=alex@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
12:45 < mooseman089> is it possible to migrate openvpn server to another system by just copying all the keys and config files over?
13:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
13:25 -!- mooseman089 [n=alex@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Ex-Chat"]
13:31 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
13:51 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
14:01 < krzee> ecrist, here?
14:01 < mooseman089> hello
14:01 < krzee> hey moose
14:01 < krzee> [13:45] is it possible to migrate openvpn server to another system by just copying all the keys and config files over?
14:01 < krzee> yes
14:01 < krzee> just install it on the other one first
14:02 < mooseman089> yea i just tried moving my whole openvpn setup to another ubuntu system and same errors
14:02 < krzee> the keys and configs are platform independent except for a couple small things special for windows
14:02 < krzee> by whole setup you mean binaries and whatnot?
14:03 < mooseman089> well i did apt-get install on the system and just moved over /etc/openvpn
14:03 < krzee> ... what is in your /etc/openvpn
14:03 < mooseman089> just the conf file and keys
14:04 < krzee> what errors do you get?
14:05 < mooseman089> the tap0 one i had on my first server
14:06 < mooseman089> the first was debian this one is ubuntu so this could be a debian problem still
14:06 < krzee> oh well you get the same errors as before
14:06 < krzee> heheh thats kinda expected
14:06 < krzee> you use the same thing to do the same thing, and the same thing happens
14:06 < mooseman089> lol i was hopeful....
14:06 < krzee> hah
14:07 < mooseman089> i thought maybe a long time ago i did something on the first server to ruin it....
14:07 < mooseman089> though i might have a solution soon http://ubuntuforums.org/showthread.php?p=5561454
14:07 < vpnHelper> Title: [ubuntu] Problems with OpenVPN and bridging - Ubuntu Forums (at ubuntuforums.org)
14:12 < krzee> !learn insanity as doing the same thing over and over expecting different results
14:13 < krzee> sorry not directed at you, seems like a fun definition to have on the bot
14:13 < krzee> hehe
14:15 < krzee> !quit brb
14:16 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Remote closed the connection]
14:16 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN
14:16 < krzee> !learn insanity as doing the same thing over and over expecting different results
14:16 < vpnHelper> krzee: The operation succeeded.
14:18 < krzee> ahh cool it looks like you found your answer
14:18 < krzee> (kinda, not yet)
14:19 < krzee> i look forward to seeing it too (but im sure not as much as you do right now)
14:19 < krzee> hehe
14:24 < krzee> !quit brb with new host
14:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["brb with new host"]
14:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
14:40 -!- rsc [n=robert@fedora/rsc] has joined ##openvpn
14:40 < rsc> Hello folks, openvpn 2.1rc9 seems to be unusable here for me.
14:41 < rsc> Aug 10 21:15:47 int-fw openvpn[22164]: x.y.z.a:1194 Verify command failed to execute: openssl verify -CAfile /etc/openvpn/PCAcert.pem 2 /C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=PRIVATE/OU=Certification_Authority/CN=Root_Certification_Authority/emailAddress=pca@localhost
14:41 < rsc> with openvpn 2.1rc2 this worked, script-security 3 is already set to avoid problems with that.
14:41 < krzee> both sides are 2.1rc2?
14:42 < rsc> let me see.
14:42 < rsc> (was there an incompatibility between rc2 and rc9?)
14:43 < krzee> no idea
14:43 < krzee> also, you tried a strace / ktrace to see where the problem happens?
14:43 < rsc> looks like the shell expansion (?) or so is strange.
14:44 < krzee> looks like it has to do with tls-verify
14:44 < rsc> because if I try to put the command on the shell, I'm getting also errors.
14:44 < rsc> yes.
14:44 < krzee> paste both your configs
14:44 < rsc> btw, client is 2.1rc8, server was 2.1rc2 in working state. client is 2.1rc8, server is 2.1rc9 when failures.
14:46 < rsc> server is http://fpaste.org/paste/4587
14:46 < vpnHelper> Title: Fedora Pastebin - Viewing paste #4587 (at fpaste.org)
14:46 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##OpenVPN
14:46 < rsc> client is nothing special, can't access it from here, is at colleagues notebook which has the connection problems ;)
14:46 < rsc> but's something simple, just the host and so on.
14:47 < rsc> (at least it affects all clients, but I've got only one colleague more or less around currently)
14:48 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
14:48 < krzee> tls-verify "openssl verify -CAfile /etc/openvpn/PCAcert.pem"
14:48 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
14:48 < rsc> yes
14:48 < rsc> but that worked for ages now.
14:48 < krzee> you using chroot?
14:49 < rsc> no, no chroot.
14:50 < rsc> upgrade from 2.1rc2 to 2.1rc9 was just a version bump in the build script. Same parameters, same options etc.
14:53 < krzee> brb from krzie
14:54 < rsc> ok
15:00 < rsc> Ideas?
15:18 < krzie> im checking it out, never seen tls-verify
15:19 < rsc> hehe.
15:19 < rsc> Unluckily it isn't my setup, was setup by a student here.
15:20 < rsc> the only thing, I would see as relevant is the switch of openvpn from system() to execve() in the changelog
15:20 < rsc> maybe I should build exactly that version before the switch and re-check
15:23 < krzie> try just commenting it out
15:24 < rsc> commenting it out, makes it work.
15:24 < rsc> (regarding tls-verify)
15:24 < krzie> cool, that way we're 100% its that
15:24 < rsc> why is there no rc8 tarball?
15:24 < krzie> tried putting that in a script instead of calling openssl from there?
15:24 < krzie> there = config
15:26 < krzie> can you paste that pastebin link again pls
15:27 < rsc> http://fpaste.org/paste/4587
15:27 < vpnHelper> Title: Fedora Pastebin - Viewing paste #4587 (at fpaste.org)
15:27 < rsc> why is there no rc8 tarball of 2.1?
15:27 < krzie> *shrug*
15:27 < rsc> personally I'm _very_ sure it's a rc9 regression caused by system() vs. execvp()
15:28 -!- FurnaceBoy [n=toby@189.71.173.157] has joined ##openvpn
15:29 < krzie> have you tried putting "openssl verify -CAfile /etc/openvpn/PCAcert.pem"
15:29 < krzie> without ", in a script
15:29 < rsc> I didn't put it in a script, because I think, it requires STDIN
15:29 < krzie> and just calling tls-verify script
15:30 < krzie> # Use a tls-verify script or plugin to accept/reject the server connection based on a custom test of the server certificate's embedded X509 subject details.
15:30 < krzie> from the howto
15:33 < krzie> http://openvpn.net/archive/openvpn-devel/2006-11/msg00022.html
15:33 < vpnHelper> Title: [Openvpn-devel] ovpnCNcheck -- an OpenVPN tls-verify script (at openvpn.net)
15:34 < krzie> About the script:
15:34 < krzie> This script checks if the peer is in the allowed
15:34 < krzie> user list by checking the CN (common name) of the
15:34 < krzie> X509 certificate against a provided text file.
15:34 < krzie> For example in OpenVPN, you could use the directive
15:34 < krzie> (as one line):
15:34 < krzie> tls-verify "/usr/local/sbin/ovpnCNcheck.py
15:34 < krzie> /etc/openvpn/userlist.txt"
15:36 < rsc> okay so far, the stuff worked, rc9 breaks it somehow.
15:36 < rsc> so this is IMHO a openvpn problem, not a configuration one.
15:43 < krzie> so you dont want to try that?
15:43 < krzie> if you believe it is a problem in the openvpn code post to the openvpn-devel list
15:44 < krzie> !google openvpn mail list
15:45 < krzie> !learn mail as http://sourceforge.net/mail/?group_id=48978
15:45 < krzie> grr
15:46 < rsc> ;)
15:47 < rsc> I'm trying rc8 first. If rc8 works, rc9 contains a regression, simple thing.
15:47 < mooseman089> hey im back
15:47 < krzie> mooseman089, did that person reply in the forum yet?
15:48 < mooseman089> nope im waiting eagerly for it though
15:58 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
16:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
16:02 < krzie> !learn mail as http://sourceforge.net/mail/?group_id=48978
16:02 < vpnHelper> krzie: The operation succeeded.
16:03 < mooseman089> i dont know how that --mktun command could run fine but the /dev/tap0 isnt there....
16:10 < krzie> try compiling tuntap into kernel instead of module
16:11 < mooseman089> i have played with linux a lot but never tried recompiling a kernel :/
16:11 < krzie> could be time ;]
16:11 < FurnaceBoy> any hints on a client (winxp) that abruptly stops TLS handshaking... ta.key is in use... certificate is valid. many other clients using same server without problems.
16:11 < FurnaceBoy> i checked the list @ the FAQ
16:11 < FurnaceBoy> no server issue exists, must be client...
16:12 < krzie> FurnaceBoy, firewall?
16:16 < FurnaceBoy> krzie looking into that on the windows end... but not likely (since user hasn't changed it)
16:16 < FurnaceBoy> krzie, in fact doesn't know how to. :|
16:17 < FurnaceBoy> any other common causes? anyone experiencing isp port filtering at client end, etc?
16:17 < krzie> by default it wants to firewall
16:17 < krzie> and i believe after disabling it there is a big windows red shield saying click here to re-enable
16:17 < krzie> i dont use windows so im not 100% but i remember something like that
16:17 < mooseman089> yea i think krzie is right
16:18 < FurnaceBoy> krzie ok. no response from user on this question yet. :|
16:18 < FurnaceBoy> but the weird thing is they haven't changed anything. just tls stopped negotiating. and *something* is hitting the server since its logs note the failed negotiation.
16:18 < FurnaceBoy> so the firewall isn't blocking everything (if it's active)
16:18 < krzie> even if they say "no i didnt click anything" half the time that means "yes i clicked everything in the world"
16:18 < FurnaceBoy> :)
16:18 < krzie> its best if you can acquire the machine and check stuff yourself
16:19 < FurnaceBoy> not a chance; they're in another country far far away :)
16:19 < krzie> ouch
16:19 < krzie> remote desktop?
16:19 < FurnaceBoy> i prefer not even to touch windows even at that remove. :)
16:19 < FurnaceBoy> i'm hoping they'll confirm or deny firewall soon.
16:20 < krzie> i prefer not to touch windows, but sometimes you gotta
16:20 < FurnaceBoy> big thick rubber gloves!
16:20 < krzie> you should walk them through verifying if its up then
16:20 < krzie> (firewall, for the interface)
16:20 < FurnaceBoy> i'm really suspecting isp shenanigans, they're in a ... tightly controlled jurisdiction.
16:20 < krzie> ohhh
16:20 < krzie> where?
16:21 < krzie> thing is, they're able to start the process
16:21 < FurnaceBoy> if this were anywhere but irc, i'd say. :)
16:21 < FurnaceBoy> yes
16:21 < FurnaceBoy> definitely
16:21 < FurnaceBoy> and i can watch the server logs
16:21 < krzie> whereas a firewall blocking on the tun interface could do it
16:21 < FurnaceBoy> i see the failure there, so it's not like all packets are missed
16:21 < FurnaceBoy> hm ok
16:23 < krzie> are you using tcp to avoid the country's firewall?
16:23 < krzie> cause tcp connections over links with latency can have a hard time connecting...
16:23 < krzie> not always, but can intermittently
16:25 < FurnaceBoy> udp
16:26 < FurnaceBoy> it's used from several countries (5 off the top of my head)
16:26 < FurnaceBoy> this is the first undiagnosable problem which is why i suspect funny business in local networks
16:26 < FurnaceBoy> somebody throwing a spanner into sniffed tls negotiations? (guessing)
16:26 < FurnaceBoy> i should say *so far* undiagnosed
16:27 < krzie> im thinking its a local issue on the winbox
16:28 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out]
16:28 < FurnaceBoy> hope so.
16:33 < krzie> other thing is the client may have better error log
16:37 < krzie> !quit brb
16:37 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["brb"]
16:37 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
16:44 < rsc> krzie: it's a regression of 2.1rc8 -> 2.1rc9
16:44 < rsc> krzie: looks like the change from system() -> execvp() is just crappy work ;)
16:51 < krzie> gotchya, and changing it to a script in rc9 doesnt help any?
16:52 < krzie> (seeing as the docs say it runs a script or plugin, seems worth giving a shot)
16:55 < krzie> if that doesnt fix it, ild submit a bug report to the dev list
17:01 < rsc> krzie: script didn't change anything here
17:01 < rsc> krzie: I already opened up a bug report for Fedora. But you can do an upstream one, if you like.
17:02 < rsc> krzie: feel free to reference https://bugzilla.redhat.com/show_bug.cgi?id=458600 from Fedora.
17:02 < vpnHelper> Title: Bug 458600 Verify command failed to execute: openssl verify -CAfile /etc/openvpn/PCAcert.pem (at bugzilla.redhat.com)
17:03 < krzie> that wont get anything done
17:03 < krzie> fedora doesnt develop openvpn
17:03 < krzie> !mail
17:03 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978
17:04 < krzie> if you dont tell the right devs, dont expect it to be fixed
17:04 < rsc> krzie: the Fedora OpenVPN maintainer is responsible for handling upstream things.
17:04 < krzie> personally, i wont be using tls-verify and dont plan on it, so i think you have more reason than me to report it to them
17:04 < krzie> i dont get it, you think its a fedora bug or openvpn bug?
17:05 < rsc> it's an OpenVPN one. But first I've to stop 2.1rc9 on its way into Fedora -> Fedora Bug report
17:06 < rsc> after that, the Fedora maintainer of OpenVPN catches the report and will push the issue upstream/Cc me and so on.
17:06 < krzie> *shrug* whatever makes you happy
17:06 < rsc> krzie: just the regular distribution workflow...confusing, I know. But working and proofed a lot of times
17:07 < krzie> nah i understand what you're saying, but seems more logical to tell the openvpn devs if you care (i dont so ill let the subject die here)
17:08 < rsc> yes, this happens next.
17:08 < rsc> either by me or the Fedora package maintaner
17:08 < rsc> *maintainer
17:08 < krzie> cool, glad you got it workin
17:09 < krzie> !learn tls-verify as seems to be broken in 2.1rc9 and working in 2.1rc8 https://bugzilla.redhat.com/show_bug.cgi?id=458600
17:09 < vpnHelper> krzie: The operation succeeded.
17:17 < mooseman089> krzie how intense is compiling the kernel?
17:18 < krzie> i dont run linux but its easy in freebsd and i see more people that are new to *nix using linux so i imagine its easy there too
17:18 < krzie> all you gotta do is read the manual
17:18 < mooseman089> hmm ok if i dont get a response in like a hour ill look into compiling
17:19 < krzie> i saw it fixed some other peoples problem when they got the same error as you
17:19 < krzie> in one of the links i posted last night i think
17:19 < mooseman089> oh ok
17:19 < mooseman089> i just dont know why that module wouldnt be working..
17:20 < krzie> nor do i, but thats before openvpn, more of an OS+module thing
17:20 < mooseman089> yea i agree
17:23 < FurnaceBoy> mooseman089, basic advice, do a thorough hardware checklist before you start. what distro?
17:23 < FurnaceBoy> mooseman089, and make sure you have a fallback kernel (i.e. don't replace your working one, evah!)
17:24 < krzie> FurnaceBoy he just wants to compile in tuntap (but the backup kernel is great advice)
17:24 < mooseman089> yea im thinking i might make a drive image first just incase of a complete failure
17:25 < FurnaceBoy> mooseman089, unlikely!
17:25 < mooseman089> i hope you're right
17:25 < FurnaceBoy> mooseman089, you might try and find the exact config for the kernel you're running.
17:25 < FurnaceBoy> I configure mine from scratch so I don't know where to look on your distro.
17:26 < mooseman089> ok
17:26 < FurnaceBoy> and get the same source version, if possible
17:26 < FurnaceBoy> since you know it's working
17:26 < krzie> mooseman089 by distro he means which linux do you run?
17:27 < FurnaceBoy> hehe
17:27 < mooseman089> well i could either do this on a debian or ubuntu system both fully updated
17:27 < FurnaceBoy> jargon, sorry
17:27 < FurnaceBoy> mooseman089, the other approach is to keep exactly your current kernel, and just build as a module.
17:27 < FurnaceBoy> ultra conservative but possibly no easier
18:56 -!- mzanfardino [n=mark@astound-64-85-228-83.ca.astound.net] has joined ##openvpn
18:56 < mzanfardino> question regarding setting up the vpn: can you route 192.168.x.x over a vpn? I had thought 192.168.x.x was non-routable...
18:57 -!- Optic [n=dfraser@miso.capybara.org] has left ##openvpn []
19:12 < FurnaceBoy> mzanfardino, it's 'non routable' on the public internet.
19:12 < FurnaceBoy> mzanfardino, what you do in the privacy of your own home is your business. :)
19:12 < krzie> right, its reserved for lan use, like a vpn for example
19:14 < mzanfardino> right. that's my understanding as well. Bear in mind that I'm new to openvpn and I'm attempting to troubleshoot a newly created vpn server. I just want to eliminate this as an issue. So to recap, if my home network is in the 192.168 range and I connect to it from outside via openvpn, i should have no problem pinging active machines in the 192.168 range from the system on the outside with the open vpn connection, right?
19:19 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
19:20 < FurnaceBoy> mzanfardino, I believe openvpn has that capability, though I've never configured it
19:20 < FurnaceBoy> mzanfardino, it's not default (afaik)
19:22 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
19:26 < mzanfardino> hmm... ok, well, I'm working with someone on #dd-wrt as it's dd-wrt that's my openvpn server
19:27 < krzee> mzanfardino, you are using routed tun?
19:27 < krzee> as long as the 2 lans are in different subnets, no problem
19:27 < krzee> !configs
19:27 < vpnHelper> krzee: Error: "configs" is not a valid command.
19:27 < krzee> !config
19:27 < krzee> !sample
19:27 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
19:28 < mzanfardino> tap actually
19:29 < krzee> for windows share browsing?
19:29 < mzanfardino> no windows. strictly linux
19:29 < krzee> then why do you need tap?
19:29 < krzee> !bridge
19:29 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
19:30 < krzee> !learn bridge as if you dont know why you need a tap bridge, you probably want a routed tun
19:30 < mzanfardino> yikes. I was afraid a question like this might come up. I don't have a clue. The history, if you can bear with me a second is this: we have just installed openvpn at work. I want the same capability here at home. I've flashed my router with dd-wrt as it has openvpn integrated. I'm configuring my home vpn to look like the work vpn. However, I did not choose tap vs. tun at work and really don't know the difference.
19:31 < krzee> ahh
19:31 < krzee> http://openvpn.net/index.php/documentation/faq.html#bridge1
19:31 < vpnHelper> Title: FAQ (at openvpn.net)
19:31 < rob0> cool, we have a bot!
19:31 < rob0> krzee, yours?
19:31 < mzanfardino> ok, so I need to RTFM... ;)
19:31 < krzee> aye, its new... still working out some bugs
19:32 < krzee> mzanfardino, you likely want routed
19:32 < krzee> less overhead and as far as im concerned, it is easier
19:32 < krzee> !krzee
19:32 < vpnHelper> krzee: "krzee" is http://www.ircpimps.org/pimpin.jpg
19:32 < mooseman089> yea trust me bridge is annoying...
19:32 * FurnaceBoy uses routed
19:33 < krzee> rob0, !learn as , then you can !keyword to pull it up
19:33 < rob0> Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better.
19:33 < rob0> yeah I've seen bots like that
19:33 < krzee> werd
19:34 < krzee> !bridge
19:34 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
19:34 < krzee> !learn bridge as Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better.
19:34 < rob0> nice hat krzee :)
19:34 < krzee> hrm i wonder why it only wants 2 definitions
19:34 < krzee> oh well ill worry bout that later
19:34 < mzanfardino> krzee: on a complete aside, I have both that hat and the cane! :)
19:34 < krzee> hahaha
19:34 < krzee> nice
19:34 < krzee> time for me to go use up a little of this hash oil
19:34 < krzee> lol
19:35 < rob0> you can probably do "!forget factoid"
19:35 < mzanfardino> krzee: got them for my birthday this year to celebrate A Pimp Named Slickback... an alter ego of mine... blatantly stolen from Boondocks.
19:35 < krzee> someone may want to let mzanfardino know about the need to either run openvpn on his gateway of the lan he wants to ping through, or to add the route to said gateway
19:35 < krzee> i would but gotta go
19:35 < krzee> adios all!
19:36 < mooseman089> cya
19:36 < mzanfardino> ah
19:36 < mzanfardino> hmm
19:36 < mzanfardino> ok
19:51 < mooseman089> if i were to use ip routing i could still type in any address to a browser for an intranet web server?
20:00 < FurnaceBoy> can you explain that question another way?
20:21 < ecrist> krzee: I am now. :)
20:23 -!- Irssi: ##openvpn: Total of 29 nicks [0 ops, 0 halfops, 0 voices, 29 normal]
20:25 < mooseman089> furnaceboy nevermind i think that question confused me....
20:25 < ecrist> :)
20:27 < mooseman089> in the openvpn config files are # and ; the same thing (comments)
20:27 < ecrist> yes, I think ; is a valid comment line.
20:28 < mooseman089> ok great
20:33 < FurnaceBoy> yep
20:51 -!- FurnaceBoy [n=toby@189.71.173.157] has quit ["This computer has gone to sleep"]
20:53 -!- FurnaceBoy [n=toby@189.71.173.157] has joined ##openvpn
21:05 -!- FurnaceBoy [n=toby@189.71.173.157] has quit ["Leaving"]
21:36 -!- near [n=near@88-122-31-232.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:37 -!- near [n=near@83-155-184-101.rev.libertysurf.net] has joined ##openvpn
21:40 -!- mzanfardino [n=mark@astound-64-85-228-83.ca.astound.net] has left ##openvpn ["Konversation terminated!"]
21:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
21:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
22:00 < krzee> !learn bridge as Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better.
22:00 < vpnHelper> krzee: The operation succeeded.
22:01 < krzee> [20:51] if i were to use ip routing i could still type in any address to a browser for an intranet web server?
22:01 < krzee> yes
22:01 < krzee> all you need for that is the right routes
22:04 < krzee> !learn bridge as useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses.
22:04 < vpnHelper> krzee: The operation succeeded.
22:04 < krzee> !bridge
22:04 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
22:04 < krzee> !more
22:04 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
22:04 < krzee> k, so thats how vpnHelper works guys =]
22:14 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
22:15 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has joined ##openvpn
22:27 < krzee> !learn mtu as you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml
23:25 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has quit [Read error: 110 (Connection timed out)]
--- Day changed Mon Aug 11 2008
00:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
00:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
00:44 < krzee> !learn mtu as you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml
00:44 < vpnHelper> krzee: The operation succeeded.
00:44 < krzee> !learn iroute does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
00:44 < vpnHelper> krzee: Invalid arguments for learn.
00:45 < krzee> !learn iroute as does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
00:45 < vpnHelper> krzee: The operation succeeded.
00:45 < krzee> !learn ccd as entries that are basically included into server.conf, but only for the specified client
00:45 < vpnHelper> krzee: The operation succeeded.
00:47 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:28 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit []
02:07 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:40 < kraut> moin
02:47 < krzee> mornin
03:46 -!- lolo92 [n=laurentl@host.146.247.23.62.rev.coltfrance.com] has joined ##openvpn
03:46 < lolo92> hello
03:47 < krzee> hey
03:47 -!- lolo92 [n=laurentl@host.146.247.23.62.rev.coltfrance.com] has quit [Client Quit]
03:48 -!- lolo92 [n=lolo92@84.55.144.90] has joined ##openvpn
03:49 < lolo92> the openvpn.nsi file from the last RC release search a file "!include "${HOME}\autodefs\defs.nsi"
03:49 < lolo92> but i dont have any defs.nsi file...
03:49 < lolo92> i have installed the last nsi package
03:49 < lolo92> nsis
03:50 < krzee> nsi?
03:50 < lolo92> krzee: nsis
03:50 < krzee> ahh i see, Nullsoft Scriptable Install System
03:50 < krzee> so you're talkin bout windows
03:50 < krzee> ?
03:51 < lolo92> yes i want to build windows package
03:51 < krzee> you want to package your own setup?
03:51 < lolo92> yes
03:51 < krzee> i take it you read this? http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html
03:51 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se)
03:52 < lolo92> yes i have read this
03:52 < lolo92> it works well with an older version of openvpn
03:52 < lolo92> but with the last version RC9
03:52 < krzee> ahh, im afraid i will be useless then
03:52 < lolo92> the openvpn.nsi script want new files to include
03:52 < krzee> as i dont have a windows box
03:53 < krzee> !mail
03:53 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978
03:53 < krzee> you may want to post to openvpn dev list
03:54 < lolo92> ok
04:11 -!- Han [n=han@unaffiliated/han] has joined ##openvpn
04:13 < Han> Hi. I have a configfile with multiple lines like push "route 10.0.0.0 2552.255.254.0", yet after sending a HUP signal openvpn does not add those routes. Howcome?
04:18 < Han> ignore that, I misunderstood what push was supposed to do.
04:20 < krzee> so you understand it now?
04:21 < Han> I'm getting there. Now I need to figure out how openvpn sets up routes internally.
04:22 < krzee> what do you mean?
04:24 < Han> hmm I just get into the matter. OpenVPN sets up tunnels here, but I had to manually add routes to be able to get to certain locations.
04:24 -!- hawk [n=hawk@pdpc/supporter/active/hawk] has joined ##openvpn
04:24 < Han> Always fun when your predecesor doesn't document a thing.
04:25 < krzee> ahh
04:25 < krzee> when the server needs to know a route
04:25 < krzee> use route in the server config file
04:25 < krzee> when client does, push route
04:25 < krzee> (in server config file)
04:26 < krzee> !ccd
04:26 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client
04:26 < krzee> !iroute
04:26 < vpnHelper> krzee: "iroute" is does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
04:26 < Han> a h
04:27 < Han> so for each push "route foo bar" there should be a matching route foo bar?
04:28 < krzee> umm, dunno
04:28 < krzee> i dont group it like that in my head
04:28 < krzee> just know which box would need the route manually added
04:29 < krzee> if its all clients, push route in server config
04:29 < krzee> it its 1 client, push the route in ccd entry
04:29 < krzee> if its server, put it in server config (not pushed)
04:29 < Han> hmmm
04:30 < krzee> a push route is the same as route, but is ran on the client
04:30 < krzee> the client may need the pull command in config
04:30 < krzee> to take the pushes
04:34 < Han> lets experiment a bit on a non-production server =)
04:35 < Han> thanks for your help
04:45 < krzee> np
05:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:00 -!- mcp [n=hightowe@wolk-project.de] has joined ##openvpn
08:41 -!- lolo92 [n=lolo92@84.55.144.90] has quit ["Quitte"]
09:09 < ecrist> morning, folks
09:22 < rmull> morin ecrist
09:29 < cpm> morning
09:31 < rmull> hi cpm
10:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:23 < ecrist> hi, mikkel
10:43 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
11:17 -!- n3kl [n=n3kl@c-24-8-165-101.hsd1.co.comcast.net] has left ##openvpn []
11:21 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
11:34 -!- kaushal [n=kaushal@59.184.58.220] has joined ##openvpn
11:34 < kaushal> ecrist, hi
11:34 < kaushal> good evening
11:35 < kaushal> ecrist, yt ?
11:38 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
11:38 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Client Quit]
11:41 < ecrist> sup, kaushal ?
11:41 < kaushal> I have bought my Ubuntu Laptop
11:41 < kaushal> today at home
11:42 < kaushal> please give me a moment
11:44 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)]
11:44 < kaushal> back
11:44 < kaushal> I want to add the route command sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0
11:44 < kaushal> on the client side
11:45 < ecrist> ok...
11:47 < kaushal> I have used NetworkManager to configure openvpn on the Client side
11:47 < kaushal> as i said to you last time every now and then i need to add that command whenever i need to connect to openvpn
11:47 < kaushal> server
11:48 < kaushal> ecrist, you gave me a hint that it can be done too on the client side
11:49 < kaushal> I could not do it
11:49 < ecrist> ok, so, find the openvpn client config file and add the 'up' option.
11:50 < kaushal> ok
11:52 < kaushal> ecrist, http://rafb.net/p/zgapsL50.html
11:52 < vpnHelper> Title: Nopaste - No description (at rafb.net)
11:52 < kaushal> I am using it on Ubuntu 8.04 Desktop Linux
11:53 < ecrist> kaushal: you tell me which it is.
11:53 < ecrist> my guess, /home/kaushal/openvpn
11:54 < ecrist> I'm not about to do it for you, however.
11:55 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
12:01 < kaushal> ecrist, it isnt there
12:02 < ecrist> what isn't there?
12:02 < kaushal> I mean openvpn client config
12:02 < ecrist> well, I can't help you until you find it.
12:03 < kaushal> ecrist, I have used NetworkManager on Ubuntu
12:03 < ecrist> kaushal: I don't care. I don't use that program, and I'm not going to support it.
12:04 < ecrist> read the help, or google it.
12:04 < ecrist> it's a simple front-end to openvpn
12:04 < ecrist> there is a client config somewhere, you need to find it.
12:04 < ecrist> when you do, I can help
12:04 < ecrist> until then, my hands are ties.
12:04 < ecrist> tied*
12:19 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
12:31 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
12:31 < mooseman089> hey
12:33 < cpm> I want a peanut butter and honey sandwich
12:35 < mooseman089> i like peanut butter and that marshallow fluff personally
12:35 * ecrist puts his wife in a peanut butter sandwich
12:36 < ecrist> get it, peanut butter and honey?
12:36 < ecrist> lol
12:36 < cpm> ecrist, rule #43, never explain
12:36 < cpm> :)
12:36 < mooseman089> wow...
12:36 < ecrist> cpm: that was part of the humor, the explaination.
12:36 * rmull is amused
12:37 * cpm is also amused
12:37 < ecrist> if the joke was tangible, I would have been pointing at it, eyebrows raised, nodding my head, AS I explained it.
12:37 < ecrist> :P
12:37 < mooseman089> am i the only one still wanting one of those sandwichs?
12:37 * ecrist doesn't know what marshallow is
12:38 < ecrist> what ever it isn't it isn't too deep.
12:38 < cpm> it's an american thing, really poisonous treat.
12:38 < ecrist> I was making fun of his spelling.
12:38 < cpm> http://en.wikipedia.org/wiki/Marshmallow
12:38 < vpnHelper> Title: Marshmallow - Wikipedia, the free encyclopedia (at en.wikipedia.org)
12:38 < cpm> !vpmHelper
12:38 < vpnHelper> cpm: Error: "vpmHelper" is not a valid command.
12:39 < cpm> !liat
12:39 < vpnHelper> cpm: Error: "liat" is not a valid command.
12:39 < cpm> !liar
12:39 < vpnHelper> cpm: Error: "liar" is not a valid command.
12:39 < ecrist> !domelongtime
12:39 < vpnHelper> ecrist: Error: "domelongtime" is not a valid command.
12:39 < ecrist> doh!
12:39 < cpm> !learn liar as vpnHelper isn't always truthful
12:39 < vpnHelper> cpm: The operation succeeded.
12:39 < cpm> !liar
12:39 < vpnHelper> cpm: "liar" is vpnHelper isn't always truthful
12:39 < Han> consider consulting the bot in private
12:40 < ecrist> wow, way to piss on the parade. :\
12:40 < cpm> quite so. But I still blame vpnHelper, he started it.
12:40 * ecrist blames vpmHelper
12:40 < ecrist> :P
12:42 * ecrist is done.
12:45 < ecrist> well, if anyone cares, I've got svn setup for ssl-admin, and wouldn't mind if others wanted to contribute to the scripts.
12:46 < ecrist> https://www.secure-computing.net/ssl-admin
12:46 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net)
12:47 < rmull> ecrist: zomg, big SSL error!! :o
12:47 < rmull> jk :P
12:48 -!- int_ [n=quassel@wikia/int] has joined ##openvpn
12:48 -!- int_ is now known as int
12:48 -!- mcp [n=hightowe@wolk-project.de] has quit [Remote closed the connection]
12:50 -!- Han [n=han@unaffiliated/han] has left ##openvpn []
12:50 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
13:03 -!- kaushal [n=kaushal@59.184.58.220] has quit ["Leaving"]
13:05 -!- mcp [n=hightowe@wolk-project.de] has joined ##openvpn
13:25 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:33 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
13:38 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
13:38 -!- Irssi: ##openvpn: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal]
13:42 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:57 -!- Valect [n=aaron@71.39.93.58] has joined ##openvpn
14:00 < ecrist> *yawn*
14:00 < ecrist> this is a slow day, today
14:01 < mooseman089> im still trying to get my openvpn working in bridging mode...
14:01 < rmull> What problems are you having?
14:02 < mooseman089> im using debian but when i start openvpn in the log i see that it cannot open /dev/tap0
14:03 < mooseman089> i have tried running openvpn --mktun --dev tap0 but there is no tap0 in /dev
14:04 < rmull> How are you starting it?
14:05 < ecrist> mooseman089: you need to run it as root
14:05 -!- bandini [n=bandini@host111-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
14:05 < ecrist> so, as root user, or use sudo
14:05 < mooseman089> yea i did
14:05 < ecrist> did you run the start-bridge script?
14:05 < mooseman089> rmull i have up /usr/sbin/bridge-start in the config
14:06 -!- bandini [n=bandini@host111-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Client Quit]
14:06 < ecrist> do you ever see the tap0 device show up in ifconfig?
14:07 < mooseman089> yea i see in ifconfig but not in /dev
14:07 < ecrist> mooseman089: you're not going to see in /dev, iirc.
14:07 < mooseman089> why not?
14:07 < ecrist> it's a virtual device.
14:07 < ecrist> a 'cloned' interface.
14:08 < ecrist> your /dev is generally reserved for hardware devices.
14:08 < krzee> root@hemp:/usr/home/krzee> ls /dev/tap0
14:08 < krzee> ./dev/tap0
14:08 < krzee> (added . for irc)
14:08 * ecrist fails
14:08 < krzee> of course thats on fbsd
14:09 < mooseman089> hi krzee
14:09 < krzee> hey =]
14:09 < ecrist> /kickban ecrist
14:09 < krzee> heh
14:09 < krzee> g'mornin =]
14:09 < ecrist> krzee: gif devices are cloned interfaces, and they don't show up in /dev
14:10 < ecrist> :\
14:10 < ecrist> on freebsd
14:10 < krzee> suuuuuuuure
14:10 < krzee> ;]
14:10 < mooseman089> what about my openvpn log that is complaining
14:10 < ecrist> mooseman089: pastebin it, please
14:11 < mooseman089> ok
14:12 < mooseman089> http://pastebin.com/d7952205f
14:12 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com)
14:13 < ecrist> krzee: can you blacklist that feature for various paste sites?
14:13 < rmull> krzee and ecrist: What about using that bot with tinyurl or xrl for URL squashing?
14:14 < rmull> For non-paste sites.
14:14 * ecrist looks quizically at krzee
14:14 < krzee> im checking for ecrist's answer
14:14 < ecrist> mooseman089: that log makes me think it was not run as root.
14:14 < mooseman089> i swear it was
14:15 < krzee> rmull, what plugin for supybot would that be?
14:15 < ecrist> krzee: that's where you went wrong, using someone else's code. :)
14:15 < krzee> hah
14:16 < krzee> then you write one
14:16 < ecrist> I have.
14:16 < krzee> im not saying you havnt
14:16 < krzee> but if you wanna reinvent this wheel, go for it
14:16 < ecrist> no, that's OK.
14:16 < krzee> hehe
14:16 < krzee> ;]
14:16 < ecrist> the bots I've written are essentially glorified RSS readers.
14:17 < krzee> !help RSS
14:17 < vpnHelper> krzee: (rss []) -- Gets the title components of the given RSS feed. If is given, return only that many headlines.
14:17 < krzee> ;]
14:17 < ecrist> oh, and they interface with text pager hardware, but that's irrelevant.
14:17 < krzee> hardware to SMS?
14:17 < ecrist> no, actual Pagers, not SMS
14:18 < ecrist> but, it's not hard to do SMS
14:18 < krzee> right
14:18 < ecrist> there's lots of stuff out there for that.
14:18 < krzee> but no point in hw
14:18 < mooseman089> so basically openvpn hates me?
14:18 < krzee> inet SMS
14:18 < ecrist> you just need an SMS gateway.
14:18 < ecrist> krzee: that's not as reliable as hardware SMS
14:18 < krzee> you can also page people over voip
14:19 < krzee> ecrist, true if the problem the SMS is alerting to is down eth card or whatnot
14:19 < krzee> lol
14:19 < ecrist> there's also often considerable latency in the inet->SMS gateway
14:19 < krzee> that all depends
14:20 < ecrist> in addition, there's the formatting - email-> SMS sucks because of the headers/etc.
14:20 < ecrist> regardless, this is all a bit OT.
14:20 < krzee> when i had a voip company we used inet for SMS'ing ourselves and it was never slow
14:20 < ecrist> I'm just messing with you on your choice of IRC bot.
14:20 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:20 < krzee> hehe yup ;]
14:20 < krzee> Mon Aug 11 15:01:55 2008 us=29849 TUN/TAP device tap0 opened
14:20 < krzee> Mon Aug 11 15:01:55 2008 us=29890 TUN/TAP TX queue length set to 100
14:20 < krzee> Mon Aug 11 15:01:55 2008 us=29971 /usr/sbin/bridge-start tap0 1500 1574 init
14:20 < krzee> Mon Aug 11 15:01:55 2008 Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
14:20 < krzee> Mon Aug 11 15:01:55 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
14:20 < krzee> Mon Aug 11 15:01:55 2008 Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
14:21 < krzee> thats odd
14:21 < ecrist> mooseman089: did you complie your openvpn software, or install a package?
14:21 < krzee> hey mooseman089, paste your ifconfig tap0
14:21 < krzee> Mon Aug 11 15:01:54 2008 us=916278 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
14:21 < krzee> im going with package
14:22 < ecrist> yeah, prolly, but still gotta ask.
14:22 < ecrist> my php coding is hell today
14:22 < ecrist> simple logic is kicking my ass.
14:22 < krzee> dude i woke up 2 hours after going to sleep so i could look at a house
14:22 < krzee> then the guy told me i couldnt go today
14:23 < krzee> i was / am pissed
14:23 < ecrist> I hope the housing market in your area is as good as ours, for buyers anyway.
14:23 < ecrist> selling a house, sucks.
14:23 < krzee> nah im just gunna rent
14:23 < krzee> i dont think the economy crash is over
14:23 < ecrist> my wife and I are going to be stuck in ours for a couple more years.
14:23 < krzee> and the US economy will effect many others including where im at
14:24 * ecrist thinks mooseman089 isn't paying attention anymore.
14:24 < ecrist> 36 mins to home time.
14:25 < krzee> supybot.plugins.Web.nonSnarfingRegexp
14:25 < krzee> This config variable defaults to "" and is channel specific.
14:25 < krzee> Determines what URLs are to be snarfed and stored in the database in the channel; URLs matching the regexp given will not be snarfed. Give the empty string if you have no URLs that you'd like to exclude from being snarfed.
14:25 < krzee> ecrist, ill add anything you paste to me to that in the config
14:26 < ecrist> perl regex?
14:26 < krzee> snarfing is:
14:26 < krzee> [15:12] Title: pastebin - collaborative debugging tool (at pastebin.com)
14:26 < krzee> python
14:27 < krzee> although im not sure of a diff
14:28 < ecrist> .*paste.*
14:29 * mooseman089 is back for a sec
14:29 < mooseman089> ercist installed by package
14:30 < mooseman089> http://pastebin.com/m3b26ed8
14:30 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com)
14:31 -!- mooseman089 is now known as mooseman089-lapt
14:31 -!- mooseman089-lapt is now known as mooseman-laptop
14:32 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
14:36 < Valect> i need some help getting broadcasts to work so I can access samba file shares over openvpn
14:37 < Valect> i'm using a bridge tap device
14:37 < Valect> bridged
14:37 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
14:37 < Valect> not really sure where to go from here
14:38 < ecrist> you assigning IPs from a DHCP server on the remote LAN?
14:38 < Valect> yes
14:40 < krzee> !bridge
14:40 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
14:40 < krzee> !more
14:40 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
14:43 < rmull> August 11, 19:43GMT:
14:43 < rmull> vpnHelper becomes aware.
14:43 < vpnHelper> rmull: Error: "becomes" is not a valid command.
14:43 < krzee> lol
14:43 < krzee> not that aware
14:43 < rmull> :D
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:44 < Valect> i've already looked at the documentation
14:44 < Valect> doesn't really tell me what i'm missing
14:46 < ecrist> Valect: so, the IPs are getting assigned, which means broadcasts are working.
14:46 < Valect> so what am i missing on the windows filesharing part of it
14:47 < ecrist> are your VPN clients on the same workgroup/domain?
14:47 < Valect> kind of - the samba server is on two subnets, one of which is the same as vpn clients
14:47 < ecrist> that's the only one they'll be able to browse, then.
14:47 < Valect> i'm aware
14:48 < ecrist> and they'll need to be on the same workgroup
14:48 < Valect> not so
14:48 < ecrist> unless they go to All Computers
14:48 < Valect> locally, i can be on any domai/workgroup and access it just fine
14:48 < ecrist> is the firewall blocking anything?
14:49 < Valect> that's what i'm not sure of. the firewall on the samba box isn;t, but the pfsense firewall before it might be, but i'm not sure what all i need to configure for openvpn to get the firewall to leave it alone
14:50 < Valect> and neither are linux, so iptables commands won't particularily help
14:50 < ecrist> Valect: if you've got connectivity, and can get IPs from your remote LAN DHCP server, your openvpn config is complete.
14:51 < Valect> hm
14:51 < ecrist> my guess is that pf sense blocks certain windows/NetBIOS ports, be default.
14:51 < Valect> how do i know openvpn isn't the one assigning ips?
14:51 < Valect> :x
14:52 < ecrist> can you ping the LAN from the vpn?
14:52 < Valect> i don't recall, i last poked at this on friday, and i'm local to the vpn right now
14:53 < ecrist> that's ambiguous
14:53 -!- mooseman-laptop [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
14:53 < Valect> :p
14:53 < ecrist> you're remote, or on the LAN (LAN being what you're trying to connect TO.
14:53 < Valect> i suppose i should come back when i'm not local so i can actually test things
14:53 < Valect> im on the lan and about 150 feet away from the openvpn server
14:53 < ecrist> well, if you're VPN client is 'up' you should be able to ping it.
14:54 < Valect> sure, but that doesn't help me actually test what i can and cant reach on the vpn side if i can still reach it on the non-vpn side
14:54 < ecrist> sure it does.
14:54 < ecrist> what I'm saying is, if you've got a bridged VPN up, and you can ping from LAN to VPN, your Openvpn config is done.
14:54 < ecrist> period
14:54 < ecrist> everything else is external.
14:54 < ecrist> :\
14:55 < Valect> you mean ping vpn clients from the lan?
14:55 < ecrist> yes
14:55 < Valect> can't, the lan is only configured for a /24
14:55 < ecrist> so?
14:56 < Valect> so.. the vpn is on a differnet /24
14:56 < Valect> and the subnet mask on the lan is ffffff00
14:56 < ecrist> that doesn't stop pings, unless you don't have the proper routes in place.
14:56 < Valect> i wouldn't know, i didn't setup the network
14:56 < Valect> lemme test some things
14:56 < ecrist> in my experience, more than 3/4 of problems people have in this chan are related to routing.
14:56 < ecrist> or firewalls
14:57 < Valect> i'm almost certain this is related to routing
14:57 < ecrist> NetBIOS broadcasts will not pass through subnets.
14:57 < ecrist> period
14:57 < Valect> that's fine, because samba is listening on the same subnet as vpn clients anyway
14:58 < Valect> hm
14:58 < ecrist> and, can samba ping the vpn clients?
14:58 < Valect> the server can
14:59 < Valect> clients on the lan can't ping the vpn subnet
14:59 < Valect> what route would remedy that? :p
15:00 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
15:04 < krzie> so.. the vpn is on a differnet /24
15:04 < krzie> and the subnet mask on the lan is ffffff00
15:04 < krzie> that's fine, because samba is listening on the same subnet as vpn
15:04 < krzie> clients anyway
15:04 * krzie baffles
15:04 < Valect> lol
15:04 < Valect> the samba box is on two subnets
15:04 < Valect> two interfaces
15:24 < ecrist> Valect: if the pings aren't going through, can you confirm that the clients are on the VPN, and have been given a valid IP address?
15:26 * ecrist goes home.
15:26 < Valect> i'm the only one able to test it right now, but when i'm remote, it gives me a valid ip
15:26 < Valect> and i can reach the samba boxes ip
15:26 < Valect> i just can't access the actualy samba part
15:26 < ecrist> ok, so why do you think it's a vpn issue, then?
15:27 < ecrist> sounds more and more like a firewall issue.
15:27 < Valect> i'm not sure what the issue is, that's what i wanted to figure out
15:27 < Valect> [12:37:11] not really sure where to go from here
15:27 < ecrist> ok, let me reiterate what I said earlier
15:28 < ecrist> if you can connect to the vpn, and get an IP, and you're able to verify connectivity (ping, etc), your VPN works, it's an external problem.
15:28 < ecrist> you indicated there's a pfSense firewall between the samba box and the vpn.
15:28 < ecrist> I'd start there.
15:28 < ecrist> a good way to test is, if you're able, temporarily disable the firewall for the vpn, if traffic gets through, that's your problem.
15:28 < ecrist> fix the ruleset, have a beer.
15:28 * ecrist really goes home now.
15:28 < Valect> heh
15:38 < krzie> ya i agree with ecrist
15:38 < Valect> okay
15:38 < krzie> if you can ping over bridge, you can do arp over it
15:38 < krzie> as far as the vpn is concerned
15:39 < krzie> when im troubleshooting i always disable ALL firewalls
15:39 < krzie> then bring them up slowly
15:39 < Valect> i can't really disable our work firewall
15:39 < Valect> that would be a huge mistake
15:39 < Valect> i suppose i could dmz the samba box though
15:40 < krzie> could do that, or disable it for 2 minutes during the night
15:40 < krzie> im not saying throw it out the window ;]
15:40 < Valect> i would if pfsense would actually let me access it's webui remotely - i've been using lynx and elinks
15:40 < Valect> bloody nightmare that is
15:40 < krzie> haha
15:40 < krzie> i kinda like lynx, but never used pfsense
15:41 < Valect> i had some weird issue where it wouldn't reload the ruleset when using lynx
15:45 < krzie> wierd
15:45 < Valect> s/it\'s/its/
16:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:07 < mooseman089> hey im back
16:16 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
16:17 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit []
16:18 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:27 * ecrist is home
16:29 < ecrist> Valect: you can temp disable pfsense's firewall by sshing into the box, and as root, type pfctl -d
16:29 < Valect> sshd crashes when i try to connect to it :D
16:30 < ecrist> your fw has problems
16:30 < Valect> you're telling me
16:32 < mooseman447> even though my server still has that tap0 error it still starts and my client can connect to it but how can i check if the vpn is working?
16:33 < ecrist> route traffic across it.
16:34 < mooseman447> the client is win xp
16:34 < ecrist> so
16:34 < ecrist> what're you using openvpn for?
16:35 < mooseman447> oh i thought there was something funny i would need to do
16:35 < mooseman447> i mean i type in the ip address for a intranet server in ff but it doesnt load
16:35 < ecrist> sounds like a routing issue.
16:36 < mooseman447> maybe because the tap0 isnt working on the server?
16:36 < ecrist> could be, do you get an IP address on your desktop?
16:37 < mooseman447> yea one in the range allowed in the server-bridge option
16:38 < ecrist> ok, can you ping any of the addresses on the remote LAN?
16:38 < mooseman447> nope times out
16:38 < ecrist> any further errors in the log?
16:40 < mooseman447> no
16:40 < ecrist> I would hedge a bet on that error.
16:40 < mooseman447> ?
16:40 < ecrist> the error earlier.
16:40 < ecrist> tap error
16:41 < mooseman447> yea i think the tap driver is the problem
16:42 < mooseman447> do you have any ideas on how to go about fixing it?
16:43 < ecrist> try compliing OpenVPN directly on your system.
16:43 < mooseman447> oh that doesnt sound like fun
16:43 < ecrist> not a big deal at all
16:44 < ecrist> four commands, once you download the source tarball
16:44 < ecrist> tar -xzvf foo.tgz
16:44 < ecrist> ./configure
16:44 < ecrist> make
16:44 < ecrist> make install
16:44 < mooseman447> ok but i first i would need to apt-get remove openvpn right?
16:44 < ecrist> yes, I'd do that.
16:45 < mooseman447> ok what about the bridge-utils package?
16:46 < ecrist> probably that, too.
16:46 < ecrist> you using a recent version of debian?
16:46 < mooseman447> yea
16:46 < mooseman447> i could also do this on a update to date version of ubuntu
16:48 < mooseman447> which do you think would be better?
16:49 < krzie> mooseman447, if you are scared to compile programs and kernels you might want to reconsioder running linux
16:49 < krzie> reconsider
16:50 < mooseman447> lol its alright ill do it in a little
16:50 < ecrist> mooseman447: I *know* the ubuntu stuff works.
16:50 < mooseman447> i have to go get some food 16:51 < krzie> ecrist, i suggested compiling the driver into the kernel yesterday or the day before (days blurring together) 16:51 < krzie> i saw it fixed the same error in a forum 16:51 < mooseman447> which should i do compille the driver into kernel or compile openvpn? 16:51 < ecrist> mooseman447: did you try what krzie recommended? 16:51 < ecrist> mooseman447: it's not going to do you any good if you don't have a tap driver in your kernel. 16:51 < ecrist> :\ 16:51 < krzie> mooseman447 niether one could hurt, try one then the other 16:52 < ecrist> most of the time, it can be loaded dynamically, but your system seems broken. 16:52 < ecrist> try it on your ubuntu box, first. 16:52 < mooseman447> ercrist i must have the tap driver if i see tun and bridge in lsmod 16:52 < krzie> module 16:52 < krzie> im saying try losing the module in favor of compiling it in 16:53 < mooseman447> oh ok 16:53 < krzie> (you will no longer see it in lsmod cause it wont be a mod) 16:53 < mooseman447> well ill be back in a few 16:53 < krzie> a module is like an extention to the kernel 16:54 < krzie> in a forum i posted to you awhile back (yesterday or the day before) someone fixed that problem by compiling it in 16:54 < krzie> i dont see why it *should* matter, but it did for him 16:56 -!- Valect [n=aaron@71.39.93.58] has quit [Read error: 110 (Connection timed out)] 17:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:25 < mooseman447> ok im back ill first compile openvpn 17:26 < mooseman447> when i compile it doesnt add the automatic startup scripts right? 
17:33 < krzie> you're not asking an openvpn question, you're asking a question about your linux distro, which i cant answer 17:33 < krzie> might wanna try the channel for your distro for distro specific stuffs 17:34 < krzie> (or someone here might know, but not i) 17:36 < mooseman447> ok well i just compiled openvpn 17:36 < krzie> oh dug i can answer that 17:36 < krzie> s/dug/duh 17:36 < krzie> no it wont load a startup script or anything 17:37 < mooseman447> ok thats what i thought 17:37 < krzie> sorry the packages are whats OS specific 17:37 < mooseman447> i removed the bridge-utils package do i need to compile that too? 17:37 < krzie> <-- semi braindead today 17:37 < mooseman447> no worries 17:37 < krzie> bridge-utils should be fine from packages 17:38 < mooseman447> oh ill reinstall it in a sec 17:44 < mooseman447> should i try that openvpn --mktun --dev tap0? 17:45 < mooseman447> still no tap0 device 17:45 < krzie> same error? 17:46 < krzie> i cant speak for if you will see it in /dev/ or not in linux 17:46 < krzie> the trippy part about it to me is that it sees it at first 17:46 < krzie> (the part of your error i pasted earlier this morning) 17:46 < mooseman447> yea same errors 17:47 < krzie> gimme the pastebin again? 17:47 < krzie> or re=pastebin it 17:47 < mooseman447> ok ill put the fresh log up 17:48 < mooseman447> http://pastebin.com/d60e679fe 17:48 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 17:52 < mooseman447> anything? 17:55 < mooseman447> how woulld i start recompiling the kernel like you recommended? 
17:56 < krzie> thats distro specific 17:57 < krzie> just google [your distro] recompile kernel openvpn 17:57 < krzie> !bridge 17:57 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 17:57 < mooseman447> but what did you think of the log file? 17:58 < krzie> did you read all notes at: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 17:58 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 17:58 < krzie> Ethernet Bridging Notes 17:59 < mooseman447> yea why? 18:00 < krzie> # When you set up an ethernet bridge, you should manually set the IP address and subnet of the bridge interface and not use an ifconfig directive in the OpenVPN config. This is because unlike a TUN/TAP interface, OpenVPN cannot programmatically set the IP address and netmask of a bridge interface. 18:00 < krzie> you did that? 18:01 < krzie> show me your ifconfig tap0 18:01 < krzie> in fact, after you show me your ifconfig tap0 pastebin your server and client configs 18:01 < mooseman447> i thought the bridge-start script did that stuff 18:03 < mooseman447> http://pastebin.com/d70f38f2c 18:03 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 18:03 < krzie> try not using bridge-start 18:03 < krzie> its important you understand what its doing 18:03 < krzie> once you do, using he script which does it becomes easier 18:04 < mooseman447> server config: http://pastebin.com/d67f8261a 18:04 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 18:06 < krzie> did you edit your bridge-start? 
18:06 < mooseman447> yea i need to add a gw so i would lose connection 18:06 < mooseman447> want to see? 18:06 < krzie> add a gw? 18:07 < mooseman447> http://pastebin.com/d34f7db7b 18:07 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 18:07 < krzie> i dont see that anywhere in sample-scripts/bridge-start from http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 18:07 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 18:07 < mooseman447> line 41 18:07 < krzie> whyd you do that? 18:08 < mooseman447> orginally when i ran it i wouldnt be able to ping google or anything outside my subnet 18:08 < krzie> something tells me if that was meant to be there it would have came in the script 18:09 < mooseman447> i saw some posting that someone else did and it was fine 18:09 < mooseman447> i think they modeled the sample as if openvpn was on the gateway like a firewall or something 18:09 < ecrist> foo 18:10 < ecrist> krzie: didn't you put that exclude regex into the bot? 18:10 < krzie> ya just diodnt reload, lol 18:10 < krzie> !quit brb 18:10 < vpnHelper> krzie: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:10 < krzie> bleh 18:10 < krzie> !quit brb 18:10 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["brb"] 18:11 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:11 < mooseman447> http://tinyurl.com/5qgrbh thats were i learned to add that gateway 18:11 < vpnHelper> Title: OpenVPN - Bridging two networks « Tech Stuff (at tinyurl.com) 18:11 < krzie> www.pastebin.com 18:11 < ecrist> www.pastie.net 18:11 < krzie> http://www.pastebin.com 18:12 < vpnHelper> Title: pastebin - collaborative debugging tool (at www.pastebin.com) 18:12 < krzie> bleh 18:12 < krzie> nice regex :-p 18:12 < ecrist> .*paste.* should have done it. 
18:12 < ecrist> hrm, wonder if it needs ^.*paste.*$ 18:12 < ecrist> hrm, wonder if it needs ^.*past.*$ rather 18:13 < ecrist> otherwise, pastie wouldn't match 18:13 < krzie> nothing without http:// will 18:13 < krzie> www.ircpimps.org 18:13 < krzie> http://www.ircpimps.org 18:13 < vpnHelper> Title: IRC Pimps... (at www.ircpimps.org) 18:14 < krzie> hah i forgot to save the file ;x 18:14 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 18:15 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:15 < krzie> http://www.pastebin.com 18:15 < vpnHelper> Title: pastebin - collaborative debugging tool (at www.pastebin.com) 18:15 < krzie> well it was saved that time 18:15 -!- teerawi [n=allouh1@91.186.230.10] has joined ##openvpn 18:15 < teerawi> hello 18:15 < teerawi> anyone here can help me with open vpn 18:16 < krzie> your question? 18:17 < teerawi> iam using the windows version, and i want the program to auto login and reconnect whrn connection failure 18:17 < teerawi> iam using the windows version, and i want the program to auto login and reconnect when connection failure 18:17 < ecrist> only one time 18:17 < ecrist> only one time 18:17 < mooseman447> :) 18:18 < teerawi> my adsl disconnect frequently 18:18 < teerawi> so i need it to reconnect when the adsl reconnects 18:19 < teerawi> plz 18:19 < ecrist> teerawi: there's an option in the config file to reconnect automatically. 18:19 < ecrist> also, I'd suggest getting better DSL connection. 18:20 < krzie> !configs 18:20 < vpnHelper> krzie: Error: "configs" is not a valid command. 18:20 < krzie> !config 18:20 < vpnHelper> krzie: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 
18:20 < krzie> !sample 18:20 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 18:20 < krzie> ahh, there they are 18:21 < krzie> in server: keepalive 10 120 18:21 < krzie> in client: resolv-retry infinite 18:21 < krzie> persist-key 18:21 < krzie> persist-tun 18:21 < teerawi> can u tell me whatis the option in the config file 18:21 < krzie> the persists go in both 18:22 < krzie> you may or may not want to adjust the keep-alive 18:22 < krzie> but those are the options you want to read up on 18:23 < teerawi> actualy iam using a modified version for open vpn called ultravpn 18:25 < krzie> well you want to contact the ultravpn developers or support or help channel then 18:25 < krzie> and please do not message me 18:25 < krzie> talk in here 18:25 < teerawi> ok 18:25 < krzie> also dont send me files, and i am not going to edit them for you 18:25 < teerawi> plz check the config 18:25 < krzie> lol 18:25 < teerawi> just check it 18:25 < krzie> i will lead you to water 18:25 < krzie> you must drink or not 18:25 < krzie> i told you what to read up on 18:26 < krzie> !howto 18:26 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 18:26 < krzie> and if you arent even running openvpn i dont know how valid that howto and the config options i told you are 18:26 < teerawi> i never used the original openvpn 18:26 < krzie> check with the ultravpn people 18:26 < krzie> i never even heard of it before 18:27 < teerawi> they dont offer any support 18:27 < teerawi> just check the config and u will understand 18:27 < krzie> dude 18:27 < mooseman447> haha 18:27 < krzie> pastebin 18:27 < krzie> dont dcc me stuff 18:29 < teerawi> client 18:29 < teerawi> dev tun 18:29 < teerawi> proto udp 18:29 < teerawi> hand-window 15 18:29 < teerawi> remote-random 18:29 < teerawi> ;remote 87.98.157.30 1194 18:29 < teerawi> ;remote 87.98.241.72 24 18:29 < teerawi> remote 88.191.93.119 21 18:29 < teerawi> remote 88.191.93.119 443 18:29 < teerawi> remote 213.251.133.164 24 18:29 < teerawi> ;remote 87.98.241.72 21 18:29 < teerawi> ;remote 87.98.157.31 80 18:29 < teerawi> resolv-retry infinite 18:29 < teerawi> nobind 18:29 < teerawi> persist-key 18:29 < teerawi> persist-tun 18:29 < teerawi> ca ca.crt 18:29 < teerawi> comp-lzo 18:29 < teerawi> # Set log file verbosity. 18:29 < teerawi> verb 3 18:29 < teerawi> auth-user-pass 18:29 < teerawi> this is what in the config file 18:29 < teerawi> just tell me what to add 18:30 < teerawi> ??? 18:30 < krzie> dude 18:30 < krzie> pastebin 18:30 < teerawi> what is this? 18:32 < krzie> "[##openvpn] Welcome to ##openvpn - recently moved 18:32 < krzie> from #openvpn. Please don't post more than 5 lines to the channel. 18:32 < krzie> We help those who try to help themselves." 
18:32 < krzie> www.pastebin.com 18:32 < krzie> and seriously, you arent even using openvpn 18:32 < krzie> we cant help you 18:32 < krzie> you need ultravpn help 18:33 < krzie> thats like going to #osx and asking a windows question just because microsoft decided to use osx's stuff ;] 18:34 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."] 18:34 < teerawi> ok 18:34 < teerawi> here is pastebin 18:34 < teerawi> http://pastebin.com/m31cd7b3 18:35 < teerawi> ultravpn is openvpn program with a pre config file 18:37 < krzie> you looked at keepalive? 18:39 < teerawi> no 18:40 < krzie> krzie> in server: keepalive 10 120 18:40 < krzie> in client: resolv-retry infinite 18:40 < krzie> persist-key 18:40 < krzie> persist-tun 18:41 < krzie> the persists go in both 18:41 < krzie> you may or may not want to adjust the keep-alive 18:41 < krzie> but those are the options you want to read up on 18:42 < teerawi> ok 18:42 < teerawi> thanks, ill try it 18:43 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:44 < krzie> http://www.ircpimps.org 18:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 18:46 < mooseman447> do you know if i should get 1 when i do cat /proc/sys/net/ipv4/ip_forward 18:47 < krzie> if ip forwarding is enabled, yes 18:48 < krzie> if it is not, no 18:51 < krzie> ecrist 18:51 < krzie> that's not a regex 18:51 < krzie> m/.*paste.*/ is 18:52 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:52 < krzie> (i didnt know better either) 18:52 < krzie> http://www.pastebin.com 18:52 < krzie> http://www.IRCpimps.org 18:52 < vpnHelper> Title: IRC Pimps... (at www.IRCpimps.org) 18:52 < krzie> nice 18:53 < ecrist> actually, he's wrong, .*paste.* *is* a regex, m// is telling it to 'match' that string. 18:53 < ecrist> I assumed you were putting my regex in some function or another. 
18:53 < krzie> *shrug* now we know what the bot wants 18:53 < ecrist> m// s//, etc are functions, they're not part of the actual regex. 18:53 < ecrist> tell jamessan he's a fuck tard, with all due respect. :) 18:54 < ecrist> indeed, we do. 18:54 < krzie> no way, hes main dev of supybot and i appreciate his effort :-p 18:54 < ecrist> and, change that to .*past.* 18:54 < ecrist> or, m/.*past.*/ rather 18:54 < krzie> i think theres likely to be a lot of domains with past in them 18:54 < krzie> paste, not so many 18:55 < ecrist> ok, add one for pastie then as well. 18:55 < ecrist> or 18:55 < krzie> k 18:55 < ecrist> how about this 18:55 < ecrist> m/*.past[ie].*/ 18:55 < ecrist> bulid a char class for i and e. 18:55 < krzie> that works 18:55 < ecrist> :D 18:56 < krzie> !quit rehashing regex 18:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 18:56 < krzie> i also found out that the bot writes its config on exit 18:56 < krzie> so i must make the changes live (which im not sure how yet) or do them AFTER killing the bot 18:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:57 < krzie> http://www.pastie.com 18:57 < krzie> http://www.pastebin.com 18:57 < krzie> http://www.IRCpimps.org 18:57 < vpnHelper> Title: IRC Pimps... (at www.IRCpimps.org) 19:02 < krzie> !learn ask as don't ask to ask, just ask your question please 19:02 < vpnHelper> krzie: The operation succeeded. 19:02 -!- teerawi [n=allouh1@91.186.230.10] has quit [Read error: 110 (Connection timed out)] 19:07 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 19:08 < krzie> !learn ask as http://www.latinsud.com/answer/ 19:08 < vpnHelper> krzie: The operation succeeded. 
19:09 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 19:29 -!- Irssi: ##openvpn: Total of 29 nicks [0 ops, 0 halfops, 0 voices, 29 normal] 19:44 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 19:46 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 20:14 -!- erimar77 [n=Administ@75-132-242-158.dhcp.stls.mo.charter.com] has joined ##openvpn 20:15 < erimar77> quick question if anyone's around 20:17 < krzie> !ask 20:17 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/ 20:19 < erimar77> any tricks to getting a windows 2008 server client working 20:19 < erimar77> i copied everything over from an xp installation that was working great 20:19 < krzie> ive never even seen win2k8... 20:20 < krzie> (not a win user) 20:20 < erimar77> the network just kinda seems to die although i do get an ip from the vpn server 20:20 < krzie> is it having problems adding routes? 
20:20 < erimar77> i believe that's the issue 20:20 < krzie> try route-method exe 20:21 < krzie> i saw that on the mail list, seemed to help some people with some windows versions 20:21 < erimar77> just stick that in the conf file somewhere 20:21 < krzie> ya i believe so 20:21 < erimar77> i'll give it a whirl and will be back if it disconnects 20:21 < krzie> prolly nice and early in the config 20:21 < krzie> cool ya let me know if it works too pls 20:22 < krzie> that way i know for the next person who asks =] 20:29 -!- erimar77 [n=Administ@75-132-242-158.dhcp.stls.mo.charter.com] has quit [Read error: 104 (Connection reset by peer)] 20:30 < aia> http://gizmodo.com/5035456/blue-screen-of-death-strikes-birds-nest-during-opening-ceremonies-torch-lighting 20:30 < vpnHelper> Title: Olympic Fail: Blue Screen of Death Strikes Bird's Nest During Opening Ceremonies Torch Lighting (at gizmodo.com) 20:30 -!- erimar77 [n=Administ@75-132-242-158.dhcp.stls.mo.charter.com] has joined ##openvpn 20:30 < erimar77> ok, that seemed to work, but locked up my irssi and my freenode account for some reason 20:30 < aia> hmm 20:31 < erimar77> kept saying i was already connected, but anyways the route-method exe worked 20:40 < krzie> nice 20:40 < krzie> ya makes sense it killed your connection 20:41 < krzie> changed your default route 20:41 < krzie> !learn winroute as try route-method exe 20:41 < vpnHelper> krzie: The operation succeeded. 20:42 < krzie> thanx for the feedback erimar77 20:45 * ecrist notes that it shouldn't matter where it is in the config, as long as it's there. 20:47 -!- erimar77 [n=Administ@75-132-242-158.dhcp.stls.mo.charter.com] has quit [Read error: 104 (Connection reset by peer)] 20:51 < ecrist> 85 downloads of my ssl-admin freebsd port since jul 21. 
20:51 < ecrist> :) 20:53 < krzie> nice 20:54 < krzie> only reason i said early in the config is i had problems with route command not working low in config but working high in same config 20:54 < krzie> i need to checkout your ssl-admin still 20:54 < krzie> i like how it looks a lot 20:54 < krzie> you should add a !command for it 21:04 -!- near [n=near@83-155-184-101.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:04 -!- near [n=near@88-122-26-186.rev.libertysurf.net] has joined ##openvpn 21:14 < ecrist> rowr 21:14 < mooseman447> hi? 21:15 < ecrist> hi 21:17 < ecrist> my IMAP server doesn't want to answer logins. 21:18 < mooseman447> what imap server do you use? 21:19 < ecrist> dovecot 21:20 < mooseman447> oh 21:20 < ecrist> pop3 is working fine, but imap won't auth users 21:21 < mooseman447> what do the logs say? 21:22 < ecrist> nothing, that's the crappy thing. 21:22 < ecrist> auth_worker. just hangs. 21:23 -!- rmull is now known as rmull_ 21:23 < mooseman447> well thats just annoying 21:24 < ecrist> fortunately, I only use IMAP for webmail, and don't really have any users that depend on webmail, so it's not a huge deal. 21:25 < mooseman447> yea i once setup a little mail setup but never did anything with it 21:28 < ecrist> I've been running a little mail setup for over 10 years. :) 21:29 < mooseman447> everytime i sent an email to someone because i didnt have a regular static ip it would get filtered as spam... 21:30 < ecrist> yeah, it's pretty hard to run mail well without statics ips 21:41 < mooseman447> i just asked in the debian channel and apparently tap0 shouldnt have a device 21:42 < ecrist> didn't think it should... 21:42 < ecrist> it should only exist in kernel memory. 
21:43 < mooseman447> its kinda odd though because the openvpn log says it cant open /dev/tap0 22:00 < ecrist> ok, figured out my dovecot stuff - it's ssl related, but I don't care enough to actually remedy it tonight 22:00 < ecrist> g'night folks 22:01 < mooseman447> ok good night 22:03 -!- near [n=near@88-122-26-186.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 22:04 -!- near [n=near@88-122-26-215.rev.libertysurf.net] has joined ##openvpn 22:06 < mooseman447> haha #debian can't figure it out and send me here 22:12 < mooseman447> without the up /usr/sbin/bridge-start then the bridge wont come up right? 22:32 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 22:33 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 22:43 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 22:55 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] 23:39 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 23:45 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 23:46 < krzee> mooseman447, i think you're supposed to run bridge-start before openvpn 23:46 < mooseman447> doesnt it know that when i put in the config with up? 23:46 < krzee> i believe up gets run on successful connection 23:47 < mooseman447> ok ill try running manually 23:47 < mooseman447> did you hear about no tap0 in /dev? 23:47 < krzee> ya 23:47 < krzee> like i said i dunno bout linux much 23:47 < krzee> in fbsd it exists 23:48 < mooseman447> yea i thought it would exist though because there is /dev/net/tun which i guess is the tun device 23:49 -!- SirFunk [n=jeffutte@206-159-155-246.netsync.net] has joined ##openvpn 23:50 < SirFunk> i have a strange situation here... i have 3 boxes 2 windows 1 linux and a openvpn server (linux) ... 
the windows boxes can connect to the linux boxes or the server... however nothing (even the server) can connect to the windows boxes 23:50 < SirFunk> i can't figure it out 23:51 < krzee> windows firewall 23:51 < SirFunk> i can't even ping them 23:51 < SirFunk> nor connect to services that should be open 23:52 < mooseman447> krzee ok i just started openvpn and the error isnt in the log 23:52 < mooseman447> ill connect a client and see what happens 23:52 < krzee> go into security center, firewall, advanced, and uncheck your openvpn interface 23:55 < krzee> luckily i have a windows laptop i just fixed handy to know how to get there 23:55 < krzee> hehe 23:55 < SirFunk> hmm... one of them is server 2003 which claims the firewall is turned off 23:55 < SirFunk> i still can't ping it 23:55 < mooseman447> hmm so far i dont think its working i cant ping anything 23:55 < krzee> SirFunk, routed or bridged? 23:56 < SirFunk> routed 23:56 < krzee> mooseman447, looks like you have another problem as well then 23:56 < krzee> SirFunk, does the windows machine have the route? 23:56 < krzee> !winroute 23:56 < vpnHelper> krzee: "winroute" is try route-method exe 23:56 < krzee> !forget winroute 23:56 < vpnHelper> krzee: The operation succeeded. 23:56 < SirFunk> that machine can ping the server, so i'm assuming so 23:56 < mooseman447> well the openvpn client came up fine i dont see any errors in the log but then again it worked fine before too 23:57 < SirFunk> oh i lied! 23:57 < SirFunk> :-P 23:57 < SirFunk> too many boxes, i guess i hadn't tried pinging form that one 23:57 < krzee> !learn winroute as in windows if the route cannot be added, try route-method exe in your config file 23:57 < vpnHelper> krzee: The operation succeeded. 23:58 < krzee> mooseman447, you usiong verb 6? 23:58 < krzee> using 23:58 < mooseman447> verb 6? 
23:58 < mooseman447> im using this http://openvpn.se/ 23:58 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se) 23:58 < krzee> whats that pastebin to your config files? 23:59 < SirFunk> the logs say "routing gateway is not reachable on any adapter" --- Day changed Tue Aug 12 2008 00:00 < krzee> [22:21] what do the logs say? 00:00 < krzee> [22:22] nothing, that's the crappy thing. 00:00 < krzee> [22:22] auth_worker. just hangs. 00:00 < mooseman447> just to test im using a laptop on wifi which is on a different subnet 192.168.2.x vs 192.168.1.x for my regular lan 00:00 < mooseman447> http://pastebin.com/d128744e 00:01 < krzee> ecrist, try traceing the process and see what syscall it hangs on 00:01 < krzee> err 00:01 < krzee> same lan, no router in between just diff subnets? 00:02 < mooseman447> i have a firewall with different interfaces 00:02 < mooseman447> i can only connect to one machine on that lan and thats the vpn server with 1194 udp 00:03 < krzee> i have no idea whether that will be a problem 00:03 < krzee> but it may 00:03 < mooseman447> ok well i cant go anywhere to truley test from the internet 00:04 < mooseman447> i would think that if i defiently cant ping a machine without the vpn then once i get a working vpn i could right? 00:04 < krzee> ya, as long as routing isnt going to get confused 00:05 < krzee> what is your vpn subnet? 00:05 < mooseman447> what do you mean? 00:05 < krzee> oh right its tap 00:05 < mooseman447> i got 192.168.1.201 from the server 00:06 < mooseman447> haha all this damn effort was for that tap... 00:06 < SirFunk> imagine that.. 
internet connection settings trusted zone junk was blocking it 00:06 < krzee> its 1am and im not fully sober :-p 00:06 < krzee> SirFunk, yup 00:06 < mooseman447> fair enough 00:06 < krzee> windows is fun like that =/ 00:06 < krzee> haha 00:06 < krzee> ok, what do clients in the LAN have as their default router in 192.168.2.x lan 00:07 < mooseman447> 192.168.2.1 00:08 < mooseman447> and the regular lan uses 192.168.1.1 which is the same physical computer with just 3 nics 00:08 < krzee> so once we get the bridge up you will need to tell 192.168.2.1 to route 192.168.1.X to 192.168.2.vpn-endpoint 00:08 < krzee> which is where doing this one same LAN gets fucked up 00:09 < krzee> because 192.168.2.1 already has a route for 192.168.2.X 00:09 < krzee> err 1.X 00:09 < krzee> since its a LAN directly attached as well 00:09 < krzee> see what i mean? 00:09 < mooseman447> ok hang lets see if i can find some free wifi somewhere around my house 00:18 -!- mooseman557 [n=mooseman@pool-72-92-98-52.phlapa.east.verizon.net] has joined ##openvpn 00:18 < mooseman557> god its annoying to register a new nick 00:18 < mooseman557> ok im on a new network 00:20 < mooseman557> omg its working 00:24 < krzee> hehe 00:24 < mooseman557> i think you might just be a genius 00:25 < mooseman557> well i cant believe the solution was that tap was just fine but i was trying to run it when it was already started... 
00:25 < krzee> *shrug* thats how ya learn =] 00:25 < mooseman557> yea it was fascinating 00:25 < mooseman557> ok im going to bed now 00:26 < mooseman557> thanks a million man 00:26 < mooseman557> i really do appreciate it 00:27 -!- mooseman557 [n=mooseman@pool-72-92-98-52.phlapa.east.verizon.net] has quit ["it works!"] 00:28 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection] 00:36 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 00:57 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection] 01:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 02:14 < kraut> moin 02:14 < krzee> !learn kraut as moin 02:14 < vpnHelper> krzee: The operation succeeded. 02:15 < krzee> thats like clockwork 02:15 < krzee> lol 02:23 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 02:44 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 04:04 -!- mcp [n=hightowe@wolk-project.de] has quit ["changing servers"] 05:22 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 05:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:44 -!- edeca [n=david@emo.two-pebbles.com] has joined ##openvpn 05:44 < edeca> Is there any easy way for my users to change the passphrase on .key files I give them, in Windows? 05:45 < krzee> not sure if thats what it does, but openvpn GUI has a change password feature 05:46 < krzee> worth looking at and seeing if it uses .key files 05:46 < krzee> it might just be what you are talking about 05:46 < edeca> It does? Meh, idiot me! :) 05:46 < edeca> I'll look 05:46 < krzee> (im not a windows user) 05:46 * edeca boots Windows 05:46 < krzee> but pls do inform me 05:46 < edeca> Me neither :0 05:49 < edeca> That works fine, thanks! 
05:49 < krzee> nice, thank you 05:50 < krzee> !learn winpass as openvpnGUI for windows has a change password feature that will change the passphrase on your .key files 05:50 < vpnHelper> krzee: The operation succeeded. 06:16 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn 06:17 < thrope> does openvpn work for a lot of clients behind the same nat connecting to the same vpn? 06:18 < krzee> let the other clients connect through 1 06:18 < krzee> much easier! 06:18 < krzee> all you need to do is add the route on their gateway and done 06:19 < krzee> (and let openvpn know about it) 06:19 < hawk> thrope: That should work okay... It's plain UDP (or TCP if you configure it that way) 06:19 < thrope> can you forward dns through the gateway as well 06:20 < krzee> why not 06:20 < thrope> it wasn't working with another package (ipsec based) 06:20 < krzee> ahh 06:20 < krzee> well yup =] 06:20 < krzee> you can forward * through it if you like 06:20 < thrope> so could just do a static point to point openvpn 06:23 < krzee> thrope, what do you mean? 06:23 < thrope> sorry - just found the static key howto 06:23 < thrope> so thats the sort of config we would use 06:23 < krzee> less secure 06:23 < krzee> why would you need static key? 06:24 < krzee> you just need a standard setup from what you said so far 06:24 < krzee> just link 1 machine from lan to server 06:24 < krzee> and tunnel the lan through the vpn link 06:24 < krzee> !sample 06:24 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 06:24 < krzee> thats a good starting point 06:25 < krzee> !route 06:25 < vpnHelper> krzee: Error: "route" is not a valid command. 06:25 < krzee> you'll just need to add a route for the LAN 06:25 < krzee> to the server config 06:26 < krzee> well, is the lan behind server or client? 
06:26 < krzee> you might need iroute 06:26 < krzee> !iroute 06:26 < vpnHelper> krzee: "iroute" is does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 06:27 < krzee> but ya, its meant for that 06:27 < krzee> you dont need a bunch of vpn links, just 1 06:27 < krzee> then you route over it 06:47 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Remote closed the connection] 06:48 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn 06:56 < krzee> !menu 06:56 < vpnHelper> krzee: Error: "menu" is not a valid command. 06:58 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 06:59 < kexman> wtf is wrong with my tap adapter ? 06:59 < kexman> why wont it come online when i start openvpn ? 06:59 < krzee> not sure yet 06:59 < kexman> it was working before 06:59 < krzee> heh 06:59 < kexman> krzee: helloo 06:59 * krzee consults his magic 8-ball 06:59 < kexman> okay 06:59 < krzee> it said "not enough information" 07:00 < kexman> looking at logs 07:00 < kexman> :) 07:00 < kexman> yeah 07:00 < kexman> no log file :P 07:00 < kexman> nor status :) hehe 07:00 < krzee> pastebin the error logs at verb 6 07:00 < krzee> and the configs 07:00 < krzee> but first of all, are you sure you want bridge? 
07:01 < krzee> !bridge 07:01 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 07:01 < krzee> !more 07:01 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 07:01 < kexman> krzee: yep 07:01 < kexman> its all bridged 07:01 < kexman> vpn eth and wlan :) 07:01 < kexman> into openwrt :) 07:01 < kexman> its good 07:01 < kexman> yeah i know routing works too 07:01 < kexman> but its good like hits 07:01 < kexman> *this* 07:01 < kexman> better for me i think 07:01 < kexman> also i can use shares (windows) and play games (udp bcast) 07:01 < krzee> wait, your vpn is for inside the lan? 07:01 < kexman> naaa 07:02 < kexman> its just bridged to it 07:02 < krzee> oh ok 07:02 < kexman> its for me connecting from outside 07:02 < cpm> intra-lan vpn, , 07:02 < kexman> let me add a status and log an ill be back in a sec 07:02 * cpm shudders 07:02 < krzee> gotchya 07:02 < kexman> cpm: that's cool 07:02 < krzee> cpm, ya wouldnt work 07:02 < kexman> why not ? :) 07:02 < cpm> oh, it'll work. 07:02 < kexman> aaa 07:02 < kexman> yeah 07:02 < krzee> that was part 2 of moose's problem 07:02 < krzee> i got him on another network and boom it worked 07:02 < cpm> spend all that money on a lan, that will end up performing like 10base-2 over coax 07:03 < krzee> no, wont even work 07:03 < krzee> routing gets all confused 07:03 < kexman> i had to remove my logging since i installed openvpn on a router 07:03 < cpm> combined with managed vlans, it works. 
07:03 < krzee> well ya 07:03 < kexman> which would had died of all that logging :) 07:03 < kexman> well hmm now that i think of 07:03 < kexman> it could had logged to ramfs 07:03 < krzee> well now you wanna turn it on 07:03 < kexman> ehh never mind, thinking out loud :)) hehe 07:03 < krzee> can turn it off after :-p 07:03 < kexman> krzee: working on it 07:04 < kexman> but this the client :) so i can turn it on. not even sure why was turned off 07:04 < krzee> 07:58] * kexman (i=kexman@unaffiliated/kexman) has joined ##openvpn 07:04 < krzee> [07:59] wtf is wrong with my tap adapter ? 07:04 < krzee> [07:59] why wont it come online when i start openvpn ? 07:04 < krzee> chuckles at that before looking at logs 07:04 < krzee> ;] 07:04 < kexman> i was looking 07:04 < kexman> at /var/log/messages 07:05 < kexman> log openvpn.log 07:05 < kexman> i now have that 07:05 < kexman> but no openvpn.log 07:05 < kexman> should i add the full path ? 07:05 < krzee> give it a shot 07:05 < kexman> status openvpn-status.log 07:05 < kexman> log /etc/openvpn/openvpn.log 07:09 < kexman> http://rafb.net/p/FztRaS94.html 07:09 < vpnHelper> Title: Nopaste - No description (at rafb.net) 07:09 < kexman> not good 07:10 < krzee> thats verb 6? 
07:10 < kexman> nope :( 07:10 < kexman> verb 3 :) 07:10 < kexman> uff :) 07:10 < krzee> [08:00] pastebin the error logs at verb 6 07:11 < kexman> sorry 07:11 < krzee> np 07:11 < krzee> but im going to sleep soon 07:13 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 07:13 < kexman> ] pid=23 DATA len=100 07:13 < kexman> Tue Aug 12 15:13:07 2008 us=23649 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 07:14 < kexman> Tue Aug 12 15:13:07 2008 us=23762 TLS Error: TLS handshake failed 07:14 < kexman> Tue Aug 12 15:13:07 2008 us=24136 TCP/UDP: Closing socket 07:14 < kexman> Tue Aug 12 15:13:07 2008 us=24202 SIGUSR1[soft,tls-error] received, process restarting 07:14 < krzee> pastebin! 07:14 < kexman> Tue Aug 12 15:13:07 2008 us=24242 Restart pause, 2 second(s) 07:14 < kexman> before it i get alot of this : ] pid=23 DATA len=100 07:14 < kexman> this is the actual error 07:14 < krzee> dude 07:14 < krzee> paste 07:14 < krzee> bim 07:14 < krzee> bin 07:14 < kexman> im sorry 07:14 < krzee> its only 1 sentance 07:14 < krzee> [08:10] [08:00] pastebin the error logs at verb 6 07:14 < krzee> if you follow the manual that well how will you get openvpn working? 07:14 < krzee> :-p 07:14 < kexman> http://rafb.net/p/tgqT9O90.html getting lots of these then what i pasted here 07:15 < kexman> krzee: the only thing i change 07:15 < kexman> is mtu 07:15 < kexman> i told eth0 to work at 1500 07:15 < kexman> hmm 07:15 < krzee> you cant do that 07:15 < kexman> and restarted eth0 07:15 < krzee> not on tap 07:15 < kexman> no ? 07:15 < kexman> not on tap 07:15 < krzee> right 07:15 < kexman> on my eth0 locally 07:15 < krzee> maybe 07:15 < krzee> change it back and try 07:15 < kexman> ill try to set it back and see 07:15 < kexman> yeah 07:15 < kexman> that was i thinking 07:15 < kexman> but i wanted to see the verb 6 log before :) 07:16 < krzee> did you change both sides of the tunnel =? 
07:17 < kexman> krzee: it was working very well 07:17 < kexman> and i didnt used it for a bit couple hours 07:17 < kexman> changed that mtu 07:17 < kexman> and now it just wont work :) 07:17 < krzee> [08:16] did you change both sides of the tunnel =? 07:17 < kexman> krzee: i didnt changed anything on the server 07:17 < krzee> well 07:18 < krzee> i wouldnt expect that to work 07:18 < krzee> even if you can change a tap, ild expect both sides to need to be = 07:18 < krzee> with tun you adjust inside openvpn so it keeps both = 07:18 < kexman> and changin back the mtu and still nothing 07:18 < kexman> wait 07:18 < kexman> what are you talking about ? 07:18 < kexman> i didnt touched nothing on my openvpn settings 07:19 < kexman> and it was working okay 07:19 < kexman> my tap adapter wont come online 07:19 < krzee> i know, you changed the interface 07:19 < kexman> now 07:19 < kexman> noooo 07:19 < kexman> i changed the mtu of interface eth0 07:19 < kexman> which is my NIC on this laptop 07:19 < krzee> bridge-stop bridge-start 07:19 < kexman> nononono i didnt changed nothing in openvpn.conf 07:19 < kexman> hmmm 07:19 < krzee> dude i know 07:19 < kexman> maybe router bokred out ? 07:19 < krzee> to tune a TUN one you do that 07:19 < kexman> krzee: when would this happen ? 07:19 < kexman> powerfailure ? 07:20 < krzee> dude, what are you talking about? 07:20 < krzee> you're changing interfaces that are inside a bridge already 07:20 < kexman> bridge-stop bridge-start ? where ? 07:20 < krzee> kill the bridge 07:20 < krzee> change the interface back 07:20 < krzee> start the bridge 07:20 < kexman> krzee: i didnt changed no interface 07:20 < krzee> dude 07:20 < kexman> krzee: i did not change no interface nowhere 07:20 < kexman> didnt touched openvpn.conf 07:20 < krzee> you are changing the MTU on the interface 07:21 < kexman> yes i changed it back to normal 07:21 < kexman> and resarted it 07:21 < krzee> is english your first language? 
07:21 < kexman> no :) as you have just guessed :P 07:21 < krzee> k =] 07:21 < kexman> and its 30C here :) and im dying of hot 07:21 < krzee> did you kill your bridge and re-bridge it? 07:21 < kexman> krzee: so wait 07:21 < kexman> no 07:21 < kexman> how do i do that ? 07:21 < kexman> :) 07:21 < krzee> give that a shot 07:21 < kexman> on the client you mean ? 07:21 < krzee> i dont use bridges 07:22 < kexman> well 07:22 < kexman> so for a bridge to work 07:22 < krzee> on whatever you were tuning the MTU on 07:22 < kexman> i need it to bridge it on the client as well ? 07:22 < kexman> damn 07:22 < krzee> however you bridged it before, undo it and redo it 07:22 < kexman> krzee: the bridging is done on the server, no ? 07:22 < krzee> dude 07:22 < krzee> which did you tune MTU on? 07:22 < kexman> laptop 07:23 < kexman> from 576 to 1500 07:23 < krzee> is there a bridge on it? 07:23 < kexman> how can i know ? :) 07:23 < kexman> i didnt set up on here 07:23 < krzee> if you dont know how to see theres a bridge or not you might not want to use tap 07:23 < kexman> but when openvpn starts there is no tap0 that is what i see and its different then before 07:23 < kexman> hmm 07:23 < kexman> krzee: but on the router i know how to see if there is a bridge 07:24 < kexman> router = openvpn server 07:24 < kexman> laptop = openvpn client 07:24 < krzee> laptop OS? 07:24 < kexman> both will have bridges when using tap ? 
07:24 < kexman> linux 07:24 < krzee> ifconfig 07:24 < krzee> heh 07:24 < krzee> i dont use tap 07:24 < krzee> havnt in yrs 07:24 < kexman> :) 07:24 < krzee> so while i dont know, i think both get a bridge 07:24 < kexman> i didnt had no problem with it before 07:24 < kexman> aha 07:24 < kexman> well i didnt knew this before 07:25 < kexman> but all i know there is no tap here 07:25 < kexman> and it should be when i start openvpn 07:25 < krzee> !bridge 07:25 < krzee> doh 07:25 < kexman> looking it up 07:25 < kexman> krzee: thanx for the support 07:25 < kexman> ill get to it 07:25 < kexman> go to sleep :) 07:25 < kexman> dont bother with this bridge 07:25 < kexman> its not that important anyway 07:25 < kexman> ill fix it somehow 07:26 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 07:26 < rmull_> vpnHelper: Hello 07:26 < vpnHelper> rmull_: Error: "Hello" is not a valid command. 07:26 < rmull_> :( 07:26 < krzee> !bridge 07:26 -!- rmull_ is now known as rmull 07:26 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 07:26 < krzee> read those links 07:26 < krzee> they are filled with bridge info 07:27 < krzee> rmull, thats his way of saying good morning ;] 07:27 < kexman> :) 07:27 < kexman> krzee: maybe routing was better :) 07:27 < kexman> i had that working 07:27 < krzee> i cant sleep just yet 07:27 < krzee> gotta finish rebuilding my server 07:28 < krzee> well if you dont need games/ windows sharing with wins, then routing is def better 07:28 < krzee> but for the lan gaming and windows sharing with no WINS, you need bridge 07:29 < krzee> but #1 and #2 have tons of 
info 07:29 < kexman> krzee: im looking at the log on the server now 07:29 < krzee> besides my anti-brdige propaganda in #3 and #4 07:29 < krzee> hehe 07:29 < kexman> krzee: i know 07:29 < kexman> i read all inside out the openvpn doc :) 07:29 < kexman> i had routing working 07:30 < kexman> then worked alot to make bridgin working 07:30 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 07:30 < kexman> for starcraft to work :) 07:30 < kexman> Jan 1 03:27:43 OpenWrt daemon.err openvpn[882]: 82.79.113.68:31779 TLS Error: TLS object -> incoming plaintext read error 07:30 < kexman> Jan 1 03:27:43 OpenWrt daemon.err openvpn[882]: 82.79.113.68:31779 TLS Error: TLS handshake failed 07:30 < kexman> this is the problem 07:30 < kexman> on the server 07:30 < krzee> pastebin the whole log with verb 6 07:30 < kexman> VERIFY ERROR: depth=1, error=certificate is not yet valid 07:30 < kexman> omfg :) 07:30 < krzee> !learn log as please pastebin your logfile with verb set to 6 07:30 < krzee> ahhh 07:30 < krzee> ntpdate time.nist.gov 07:31 < krzee> on both 07:31 < kexman> yeah router didnt had date set right 07:31 < kexman> restarting and trying again 07:31 < kexman> grrr 07:31 < krzee> which machine made the certs? 07:31 < kexman> working :)))) 07:31 < kexman> krzee: 3rd one :) 07:31 < krzee> hehe right on 07:31 < kexman> but wtf ? 07:31 < krzee> if it had been router you woulda had to remake them 07:31 < kexman> openvpn started up before date was set and that borked everything ? 
07:32 < krzee> no idea 07:32 < kexman> hmm 07:32 < kexman> strange 07:32 < krzee> (no idea why it worked before i mean) 07:32 < kexman> rebooting router to test 07:32 < kexman> hmm 07:32 < kexman> wait 07:32 < kexman> krzee: i didnt had internet when the router rebooted 07:32 < kexman> cable modem syncronizes slower 07:32 < kexman> hmmm 07:32 < kexman> still strage 07:34 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 07:34 < krzee> there hes back now 07:34 < krzee> had to reboot into new system 07:34 < krzee> vpnHelper, krzee 07:34 < vpnHelper> krzee: "krzee" is http://www.ircpimps.org/pimpin.jpg 07:34 < krzee> hehe 07:35 < kexman> krzee: thanx for the support 07:35 < krzee> yw 07:35 < kexman> thinking now what to do to make certificates valid even if this happens ..... 07:36 < krzee> have a script start openvpn after it syncs the time 07:36 < kexman> krzee: and starts only after the sync ? 07:36 < kexman> good point 07:36 < krzee> right 07:36 < kexman> otherwise what would happen 07:36 < krzee> sync && openvpn 07:36 < kexman> lets say certificates are valid from 2008 07:36 -!- m0b [i=elusive@neighborhood.dopeslinger.com] has joined ##openvpn 07:36 < m0b> hello 07:36 < kexman> and openvpn starts with those certs in 2001 :) 07:37 < krzee> hey m0b 07:37 < kexman> doesnt loads the certificates ? 07:37 < ecrist> hi m0b 07:37 < kexman> anyone can connect ??? 07:37 < kexman> no one can connect ? 07:37 < kexman> good question ! 07:37 < m0b> im having troubl getting my network routed thru the vpn 07:37 < krzee> kex 07:37 < krzee> [08:30] VERIFY ERROR: depth=1, error=certificate is not yet valid 07:37 < m0b> i can ping it and all 07:37 < krzee> not a good question, you already had it happen and figured out the problem 07:37 < kexman> krzee: wait wait wait 07:37 < kexman> but what happens then ? 07:37 < ecrist> m0b: are you doing routed or bridged vpn? 
07:37 < m0b> routed 07:37 < krzee> mornin ecrist 07:37 < kexman> so it doesnt loads the server certificate ? 07:37 < m0b> linux 07:37 < kexman> who can connect then ? 07:38 < krzee> kexman, it checks it and says error=certificate is not yet valid 07:38 < krzee> nobody 07:38 < krzee> you just had tha problem! 07:38 < ecrist> m0b: can you show me your vpn server config, please? 07:38 < m0b> oh that is a date problem 07:38 < m0b> isnt it? 07:38 < m0b> server config ? 07:38 < kexman> krzee: okay :) 07:38 < ecrist> m0b: yes 07:38 < m0b> ok 07:38 < kexman> i mean but without using any certificates :) 07:38 < kexman> i was just thinking if openvpn would go into "failsafe" mode :)) 07:39 < kexman> stupid idea :) okay i know :) 07:39 < krzee> thank god it wont 07:39 < kexman> :) yeah 07:39 < krzee> haha 07:39 < kexman> openvpn was designed with that in mind 07:39 < kexman> stupid from me to ask such a question 07:39 < m0b> can i paste in here 07:39 < m0b> ? 07:39 < m0b> or in pm? 07:39 < krzee> m0b, pastebin please 07:39 < ecrist> no, use pastebin or something. 07:39 < krzee> !pastebin 07:39 < m0b> ok 07:39 < vpnHelper> krzee: Error: "pastebin" is not a valid command. 07:39 < kexman> krzee: look someone suggested adding date -s in the startup script :) 07:39 < kexman> good idea 07:39 < kexman> and set the date to the boundry of the cert 07:39 < ecrist> ick 07:39 < kexman> hmm ? :) well its a dirty hack :) 07:40 < krzee> !learn pastebin as please paste anything with more than 5 lines into pastebin or a similar website 07:40 < vpnHelper> krzee: The operation succeeded. 07:40 < m0b> http://pastebin.ca/1167921 07:40 < krzee> mob, also please do this: 07:40 < krzee> !logs 07:40 < vpnHelper> krzee: Error: "logs" is not a valid command. 07:40 < ecrist> why are you hacking the date? what did I miss? 07:40 < krzee> !log 07:40 < vpnHelper> krzee: (log ) -- Logs to the global Supybot log at critical priority. Useful for marking logfiles for later searching. 
07:40 < m0b> hehe i had the date problem 07:41 < m0b> i had to make both server and client in same timezone 07:41 < ecrist> m0b: why are you using ifconfig instead of server? 07:41 < krzee> !learn logs as please pastebin your logfile with verb set to 6 07:41 < vpnHelper> krzee: The operation succeeded. 07:41 < m0b> erm dunno i was having trouble and a friend gave me his configs 07:41 < krzee> server and client dont need to be in the same timezone 07:41 < krzee> they just need to be at same time 07:41 < krzee> based on UTC 07:41 < m0b> ah 07:42 < kexman> krzee: i could make a script that loops ntp-client && openvpn right ? 07:42 < m0b> well the server is bsd the client is linux 07:42 < krzee> ntpdate time.nist.gov will make that right regardless of timezone 07:42 < krzee> kexman, loops!? 07:42 < ecrist> kexman: run ntpd 07:42 < kexman> so it would look until ntp-client exits with okay :) 07:42 < ecrist> just keep your server's date set correctly - you can't account for poor administration of the remote users. 07:42 < ecrist> :) 07:42 < kexman> krzee: well it i do just ntp-client && openvpn and ntp-client failt then openvpn would not start ! 07:42 < kexman> but i need it to start 07:43 < kexman> so it should try try try and retry until end of days :) 07:43 < krzee> kexman, does your router keep time across power losses? 07:43 < kexman> ecrist: embedded router 07:43 < kexman> krzee: nope 07:43 < m0b> perhaps i mixed the server/client conf up ? 07:43 < m0b> heh 07:43 < m0b> i thought for sure that was right tho 07:43 < ecrist> m0b: looks like it 07:44 < m0b> so you say use the server line instead of the ifconfig ? 07:44 < krzee> until ntpdate 07:44 < ecrist> yes 07:44 < krzee> sleep 5 07:44 < krzee> done 07:44 < krzee> openvpn 07:44 < kexman> krzee: hmm :) 07:44 < ecrist> why're you using port 443, rather than 1194? 07:44 < kexman> have to look it up when its started 07:44 < kexman> and how :) 07:44 < kexman> krzee: or the openvpn script itself ? 
07:44 < krzee> ecrist, is it tcp? 07:45 < krzee> openvpn script i guess, however you start it now... 07:45 < kexman> yep 07:45 < m0b> hmmmmm 07:45 < m0b> but i thought the client connected to the server 07:46 < ecrist> krzee: is what tcp? 07:46 < krzee> nm, when you said port 443 i was thinking if it was tcp could be for firewall reasons 07:46 < m0b> =\ 07:46 < m0b> sigh 07:46 < krzee> m0b, heres some configs 07:46 < ecrist> m0b: do you have a firewall you're trying to pass through? 07:46 < krzee> !sample 07:46 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 07:46 < m0b> can you pastebin me some working configs that will go behind my router 07:46 < ecrist> why aren't you using 1194 udp? 07:47 < kexman> krzee: sleep 10 would be less drasticright ? :) 07:47 < m0b> udp is firewalled 07:47 < krzee> kexman, whatever 07:47 < krzee> m0b, you're using udp 07:47 < m0b> er 07:47 < krzee> oh wait no 07:47 < krzee> tcp-server 07:47 < krzee> my bad 07:47 < m0b> heh 07:48 < ecrist> m0b: remove the ifconfig line, add the server line 07:48 < krzee> im calling your work and telling the IT dept! 07:48 < ecrist> back in 07:48 < krzee> lol 07:48 < m0b> for the server ? 07:48 < ecrist> yes 07:48 < kexman> krzee: you really helped :) supported :) 07:48 < kexman> thank you very much 07:48 < krzee> you're welcome 07:49 < m0b> hm 07:49 < m0b> netmask invalid 07:49 < m0b> 255.255.255.0 ? 07:49 < kexman> krzee: is this good like this : http://rafb.net/p/2LjSnQ78.html 07:49 < vpnHelper> Title: Nopaste - No description (at rafb.net) 07:49 < ecrist> make it read 10.1.0.0 255.255.255.0 07:49 < ecrist> not 10.1.0.1 07:50 < kexman> i added it to /etc/init.d/openvpn 07:50 < m0b> k 07:50 < kexman> problem is i dont have ntpdate :P lol 07:50 < kexman> uff 07:50 < krzee> whatever you use to sync time 07:50 < kexman> can i add until /etc/init.d/ntpclient start ? 07:50 < kexman> until "/etc/init.d/ntpclient start" ? 
07:51 < kexman> config_load ntpclient& 07:51 < ecrist> kexman: wtf? no ntpdate? 07:51 < kexman> no ntpdate :) 07:51 < cpm> get one 07:51 < krzee> hes using embedded router 07:51 < kexman> ecrist: router has 4mb of storage :)) 07:51 < cpm> what os? 07:51 < ecrist> m0b: you also seem to be missing a few SSL arguments. 07:51 < krzee> kexman, play with it til it works 07:52 < cpm> what firmware? 07:52 < krzee> ecrist, one of those lame static key setups =/ 07:52 * krzee h8 07:52 < ecrist> kexman: my freebsd binary for ntpdate is 30K... 07:56 < m0b> ok 07:56 < m0b> i just used your sample configs 07:56 < m0b> and modded 'em 07:56 < m0b> i can ping 10.1.0.1 now 07:56 < m0b> but still no route thru 07:57 < m0b> sec 07:57 < krzee> what do you mean by route through 07:58 < m0b> http://pastebin.ca/1167939 07:59 < m0b> i want my traffic to go thru the vpn. 07:59 < kexman> ecrist: okay :) 07:59 < kexman> ill try to add that 07:59 < kexman> thanx for the help guys 07:59 < kexman> i got to go now 07:59 < m0b> like ... default gw 10.1.0.1 07:59 < kexman> see ya later 07:59 < m0b> heh 07:59 < ecrist> np 07:59 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn [] 08:00 < krzee> you will need NAT too 08:00 < ecrist> m0b: you need nat on the other end, now. 08:00 < krzee> !nat 08:00 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect 08:00 < krzee> =] 08:00 < krzee> <3 the bot 08:00 < m0b> other end = serveR? 08:00 < krzee> right 08:00 < krzee> click the link my bot gave you 08:01 < m0b> is there a freebsd cmd 08:01 < m0b> i did 08:01 < m0b> looks like linux 08:01 < m0b> iptables is for linux only right? 08:01 < ecrist> if you're on freebsd, you'll need to use ipfw or pf to nat outbound traffic. 08:01 < ecrist> I'd recommend pf. 
08:01 < krzee> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html 08:01 < vpnHelper> Title: Network Address Translation (at www.freebsd.org) 08:01 < m0b> server is freebsd 08:02 < m0b> client is linux 08:02 < ecrist> client doesn't matter 08:02 -!- tkbeat [n=tk@80.64.182.204] has joined ##openvpn 08:02 < ecrist> this is a server issue. 08:02 < tkbeat> hi there 08:02 < m0b> perfect 08:02 * krzee tags ecrist in 08:02 < m0b> that example image looks exactly as im tryin to configure it 08:02 < m0b> heh 08:02 < krzee> 9am i better think about sleep 08:02 < krzee> nite guys 08:02 < m0b> goodnite thanks 08:03 < krzee> !learn bsdnat as http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html 08:03 < vpnHelper> krzee: The operation succeeded. 08:04 < tkbeat> i have a little question - i have a client that have to authenticate with user and pass . now i wanna automate this . but in the configfile --auth-user-pass file.txt is not working . why ? 08:05 * ecrist looks 08:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 08:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:06 < m0b> guess i gotta rebuild kernel to add ipdevert 08:06 < m0b> heeh 08:06 < ecrist> m0b: use pf 08:06 < ecrist> no kernel rebuild required. 08:06 < m0b> how? 08:06 < krzee> yes, pf > * 08:06 < m0b> awesome 08:06 < ecrist> kldload pf 08:07 < ecrist> tkbeat: have you read the howto on dual-factor authentication? 08:07 < m0b> done.. 08:07 < krzee> tkbeat, tried /path/to/file.txt ? 08:07 < tkbeat> ahh no ?! 08:07 < tkbeat> file is in the same subdir 08:08 < m0b> ecrist: anything else? 08:08 < ecrist> tkbeat: you should always use full path. 08:08 < krzee> Note: OpenVPN will only 08:08 < krzee> read passwords from a file if it has been built with the --en- 08:08 < krzee> able-password-save configure option, or on Windows by defining 08:08 < krzee> ENABLE_PASSWORD_SAVE in config-win32.h). 
08:08 < ecrist> m0b: hang one. 08:08 < krzee> from man page 08:08 < m0b> np 08:08 < krzee> easily found by looking for --auth-user-pass [up] 08:08 < ecrist> mob, mv /etc/pf.conf /etc/pf.conf.default 08:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 08:09 < ecrist> then, create a new /etc/pf.conf with the following lines: 08:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:09 < tkbeat> but i can put theso what can i do in the windows version ? 08:09 < m0b> err /etc/pf.os ? 08:09 < ecrist> m0b: no, you should have a /etc/pf.conf 08:09 < krzee> in man pages you can search by typing /searchstring 08:09 < m0b> heh.. /etc/pf.os is all i have 08:10 < ecrist> what version of freebsd? 08:10 < m0b> 7.0 08:10 < krzee> tkbeat, 08:10 < ecrist> okie 08:10 < krzee> [09:08] able-password-save configure option, or on Windows by defining 08:10 < krzee> [09:08] ENABLE_PASSWORD_SAVE in config-win32.h). 08:10 < ecrist> so, create /etc/pf.conf 08:10 < ecrist> in the file, have the following lines: 08:10 < krzee> what i dont get is this: 08:11 < m0b> k 08:11 < krzee> why have passwords if you are gunna save them in a file? 08:11 < m0b> lol 08:11 < krzee> is that any better than your certificates? 08:11 < ecrist> ext_ip = 192.168.1.247 08:11 < m0b> worse probablly 08:11 < ecrist> set block-policy drop 08:11 < ecrist> scub in all 08:11 < krzee> m0b, doesnt take away from your certs, but sure doesnt add to them any 08:12 < krzee> scrub is why i love pf 08:12 < krzee> well its the first reason 08:12 < m0b> scrub or scub? 08:12 < krzee> scrub 08:12 < ecrist> scrub 08:12 < ecrist> sorry 08:12 < m0b> typo? 08:12 < m0b> k 08:12 < m0b> 3 lines so far. 08:12 < krzee> he is waking up im falling asleep, between us you have 1 fully awake person 08:12 < ecrist> oh, up above, under ext_ip, add vpn_net = 10.1.0.0/24 08:12 < ecrist> lol 08:12 < tkbeat> where can i found that file ? config-win32.h should i compile openvpn for windows by myself ? 
krzee there is no other solution in my case 08:13 < ecrist> then, under the scrub, 08:13 < krzee> how is there no other solution? 08:13 < m0b> ok. 08:13 < krzee> tkbeat, you run the client and server? 08:13 < m0b> man this chan is so much help. 08:13 < ecrist> nat on $ext_if from $vpn_net to any -> $ext_ip 08:14 < m0b> i just had a problem with booting and joined #fedora 08:14 < m0b> those people are morons! 08:14 < krzee> ecrist, can you save that stuff to a link for the bot to link to? 08:14 < m0b> i will post it in a pastbin 08:14 < m0b> when done 08:14 < ecrist> m0b: when you're done, copy that to pastebin for my review. 08:14 < tkbeat> no i am only run the client 08:14 < ecrist> krzee: one of these days, yeah. 08:14 < m0b> done now? 08:14 < tkbeat> the serverr is a linuxbox ...client is wondows 08:14 < ecrist> m0b: that's it so for. 08:14 < ecrist> far. 08:15 < m0b> k 08:15 < m0b> http://pastebin.ca/1167961 08:15 < krzee> then yes, you need to compile it in to win version 08:15 < krzee> if you want pw from file 08:16 < krzee> but if the admin finds out expect a backhand 08:16 < krzee> haha 08:16 < tkbeat> hrhr 08:16 < ecrist> m0b: add ext_if = eth0 to the top of the config 08:16 < krzee> for good security people chose 2 of the 3: something you have, something you know, something you are 08:17 < krzee> he chose something you have (certs) and something you know (pass) 08:17 < krzee> you're turning it into 2 something you haves 08:17 < m0b> eth0 is for server? 08:17 < krzee> he wouldnt approve :-p 08:17 < m0b> or client 08:17 < ecrist> then, add pf_load="YES" to /boot/loader.conf 08:17 < tkbeat> ok much thanx anyway 08:17 < ecrist> m0b: that should be the interface that's your external interface. 
08:17 < m0b> im useing rl0 on freebsd as default for ipv4 08:18 < ecrist> then use rl0 08:18 < m0b> linux has eth0 08:18 < m0b> k 08:18 < m0b> making sure :) 08:18 < krzee> tkbeat, but yes it can be done, requires compiling it yourself after changing what i pasted 08:18 < ecrist> I'm just going off your pastes. 08:18 < m0b> boot/loader or rc.conf ? 08:19 < ecrist> also, change ext_ip to match your internet ip address. 08:19 < ecrist> I took that IP from the same paste I got eth0 from. 08:19 < m0b> ok 08:19 < ecrist> put that line in /boot/loader.conf 08:19 < m0b> k 08:19 < ecrist> you need to add pf_enable="YES" to /etc/rc.conf 08:19 < ecrist> pf_load="YES" tells the kernel to load the pf module. 08:20 < krzee> your skill-level instantly goes up when you load that module 08:20 < krzee> and clouds part 08:20 < ecrist> pf_enable="YES" tells rc to actually load the ruleset. 08:21 < m0b> err 08:21 < m0b> ok 08:21 < ecrist> oh, crap 08:21 < ecrist> add pass all to the bottom of that ruleset. 08:21 < ecrist> or two lines: pass in all and pass out all, if you prefer. 08:23 < ecrist> are you local, or remote, to the box? 08:23 < m0b> remote 08:23 < ecrist> ok, next run crontab -e 08:24 < ecrist> enter this line: (press i for insert in vi) 08:24 < m0b> pf_enable="YES" >> /etc/rc.conf 08:24 < m0b> pf_load="YES" >> /boot/loader.conf 08:24 < m0b> i know how to use vi. :) 08:24 < ecrist> */20 * * * * /sbin/pfctl -d 08:24 < m0b> crontab -e as root right? 08:24 < ecrist> add that to root's crontab 08:24 < m0b> k 08:25 < m0b> done 08:25 < ecrist> that's a 'don't shoot yourself in the foot' line 08:25 < ecrist> worst case, if you accidentally lock yourself out with a misconfig of the firewall, it will disable pf every 20 minutes. 08:25 < ecrist> when we're done testing, make sure to remove that line. 
08:26 < m0b> nice 08:26 < krzee> dont remove it 08:26 < krzee> comment it out 08:26 < krzee> for later usage =] 08:26 < ecrist> now, try /etc/rc.d/pf start 08:26 < m0b> http://pastebin.ca/1167976 08:26 < m0b> good ? 08:27 < ecrist> yep 08:27 < m0b> k 08:27 < m0b> ... 08:27 < m0b> http://pastebin.ca/1167979 08:28 < m0b> tun0 is the interface the vpn is on.. 08:29 < m0b> does that matter any here? 08:35 < m0b> vpn_if = tun0 08:36 < m0b> ? 08:37 < ecrist> now try no 08:38 < ecrist> sorry, was cooking a hot pocket. 08:38 < m0b> ? 08:38 < ecrist> mmmmm 08:38 < m0b> heh 08:38 < ecrist> no, you don't need vpn_if 08:38 < m0b> np 08:38 < m0b> did you check the pastebin 08:38 < ecrist> looking 08:39 < m0b> vpn_nat perhaps rather than vpn_net ? 08:39 < ecrist> hang on 08:39 < m0b> k 08:39 < ecrist> re-paste your /etc/pf.conf for me. 08:39 < m0b> http://pastebin.ca/1167976 08:40 < ecrist> ok, change the two lines to read: 08:40 < ecrist> ext_ip="70.204.9.21" 08:41 < ecrist> vpn_net="10.1.0.0/24" 08:41 < ecrist> then, /etc/rc.d/pf reload 08:41 < m0b> ext_if="rl0" 08:41 < m0b> is good too? 08:42 < m0b> Reloading pf rules. 08:42 < m0b> No ALTQ support in kernel 08:42 < m0b> ALTQ related functions disabled 08:49 < ecrist> ok, that's all OK. 08:49 < m0b> ok 08:49 < m0b> dont i need a route cmd on my linux box 08:49 < m0b> ? 08:49 < ecrist> can you pass traffic from the VPN to the public now? 08:49 < ecrist> no extra commands on the linux box 08:49 < m0b> ehm 08:50 < m0b> must i restart the vpns ? 08:50 < ecrist> no, you shouldn't need to 08:50 < m0b> hm 08:51 < ecrist> can you ping 10.1.0.1? 08:51 < m0b> i dont really understand.. 08:51 < m0b> yes 08:51 < m0b> i can ping both from each other 08:51 < m0b> but 08:51 < ecrist> ok, that's good 08:51 < m0b> my linux(the client) doesnt go through 10.1.0.1 for inet 08:52 < m0b> it goes thru 192.168.1.1 ... 08:52 < ecrist> can you paste you server openvpn config again? 
08:52 < m0b> sure 08:53 < m0b> http://pastebin.ca/1168010 08:54 < ecrist> ah 08:54 < ecrist> you're missing the push "default-route" or whatever that is 08:54 < m0b> ok 08:55 < ecrist> you had it in your first config. 08:55 < m0b> push "redirect-gateway" 08:55 < m0b> ? 08:57 < ecrist> yes 09:00 < m0b> ok 09:00 < m0b> didnt work 09:00 < m0b> i seee bad source address 09:00 < m0b> in the servers status window 09:00 < ecrist> paste, pls 09:01 < m0b> MULTI: bad source address from client [192.168.1.247], packet dropped 09:01 -!- tkbeat [n=tk@80.64.182.204] has quit [Read error: 104 (Connection reset by peer)] 09:01 < ecrist> um, something's wrong 09:01 < ecrist> did you restart your VPN? 09:01 < m0b> yes 09:01 < ecrist> after adding the redirect-gateway, you need to restart the openvpn server and the clients. 09:02 < m0b> i did.. 09:02 < ecrist> ok, your VPN server shouldn't be seeing the 192.168.1.247 address at all 09:03 < m0b> what about some metric option 09:03 < m0b> i think i may have changed this before 09:03 < ecrist> ? 09:03 < m0b> tryin to get it to work 09:03 < m0b> some kinda metric -1 09:03 < m0b> ifconfig option 09:03 < m0b> i believe 09:05 < ecrist> not familiar with it, but afaik, you shouldn't need that. 09:06 < ecrist> what I've helped you set up is pretty much exactly what I've got setup here at the office. 09:07 < m0b> hm 09:09 -!- decoder [n=decoder@mordor.cs.uni-sb.de] has joined ##openvpn 09:10 < ecrist> what does /var/openvpn/openvpn-status.log show? 09:11 < m0b> doesnt exist 09:11 < ecrist> on the server. 09:11 < m0b> doesnt exist. 09:11 < ecrist> what does /var/log/openvpn.log sohw? 09:11 < m0b> doesnt exist either 09:11 < ecrist> :\ 09:12 < ecrist> did you install openvpn from the freebsd ports tree? 
09:12 < m0b> yea
09:12 < m0b> I think so
09:12 < ecrist> hrm
09:13 < ecrist> add these two lines to your vpn server config:
09:13 < ecrist> status /var/openvpn/openvpn-status.log
09:13 < ecrist> log-append /var/log/openvpn.log
09:13 < ecrist> you may need to create /var/openvpn directory
09:14 < m0b> ook
09:15 < m0b> ok
09:15 < m0b> I tried to restart it and it doesn't load now
09:15 < ecrist> what error are you getting?
09:15 < m0b> it created the logfile tho
09:16 < m0b> oh
09:16 < m0b> perhaps it just didn't spit anything into the window
09:16 < m0b> it's all in the logfile
09:16 < m0b> heh
09:16 < ecrist> :)
09:18 < m0b> ok
09:19 < m0b> restarted and it still did not work
09:19 < ecrist> what didn't work?
09:19 < m0b> I had to ssh into a box on local lan to get out without killing it or messing with route cmd
09:19 < m0b> well
09:19 < m0b> I reran the vpn on both sides
09:20 < m0b> I don't see what 10.1.0.5
09:20 < m0b> has to do with anything
09:20 < ecrist> what?
09:21 < m0b> what about the stuff in the ccd dir
09:21 < m0b> what should that look like
09:21 < m0b> and ipp.txt
09:21 < m0b> Tue Aug 12 09:16:55 2008 us=789465 /sbin/ip addr add dev tun0 local 10.1.0.6 peer 10.1.0.5
09:21 < ecrist> you don't need to worry about any of that.
09:21 < m0b> the client is 10.1.0.6 the server is 10.1.0.1
09:21 < m0b> according to my ping replies
09:22 < m0b> I do not see where 10.1.0.5 belongs
09:22 < ecrist> ignore that.
09:22 < ecrist> you're configuring for static IPs?
09:22 < m0b> yeah
09:22 < m0b> well
09:22 < ecrist> well, that's what those messages are all about
09:22 < m0b> I guess
09:23 < ecrist> OpenVPN 2.0.9 creates a /30 subnet for each IP.
09:23 < ecrist> although you're not seeing it attached to the interface, 10.1.0.5 is the server's side of the /30 for 10.1.0.6.
09:24 < m0b> ok
09:24 < ecrist> with OpenVPN 2.1.x, you can do away with the /30s.
09:24 < m0b> but it's unpingable
09:24 < m0b> hrm
09:24 < ecrist> can you ping 10.1.0.1?
09:24 < edeca> ecrist: And save yourself some private IP space? Wooh! heh
09:24 < m0b> yes
09:24 < m0b> I can ping it
09:24 < m0b> both sides are pingable
09:24 < m0b> from each other
09:25 < ecrist> edeca: it's a pain when you've got a ton of statics to configure. :)
09:25 < ecrist> m0b: ok, so the VPN is working.
09:25 < m0b> looking at the openvpn log
09:25 < ecrist> it's all routing and nat.
09:25 < m0b> it's still w/ source error
09:25 < m0b> bad source
09:25 < ecrist> paste the logs, please.
09:27 < edeca> ecrist: Hah, I hadn't thought of that ;)
09:28 < m0b> er.. I cannot access the internet hehe
09:28 < m0b> unless I kill it
09:28 < m0b> can I paste here?
09:28 < m0b> I'm connected thru another box on my LAN hehe
09:29 < m0b> Tue Aug 12 09:20:43 2008 us=413409 beware.evilgrin.org/70.204.9.21:43494 MULTI: bad source address from client [192.168.1.247], packet dropped
09:29 < m0b> but like x100
09:30 < m0b> well not 100 but at least 20 :)
09:33 < m0b> OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Aug 9 2008
09:33 < ecrist> oh, in your pf.conf, change the IP from the 70.x to 69.42.223.2
09:33 < ecrist> restart pf
09:34 < ecrist> oh, and remove that crontab line.
09:35 < m0b> so the pf ext_ip should be of the server itself
09:35 < m0b> ?
09:35 < ecrist> yes
09:35 < m0b> ah
09:35 < ecrist> it should be an IP that exists on the server running openvpn
09:35 < m0b> k
09:35 < m0b> restart 'em both?
09:37 < m0b> hm
09:37 < m0b> still no luck ;[
09:38 < m0b> perhaps I need to flush my route
09:39 < m0b> I'll reboot
09:39 < ecrist> no
09:39 < m0b> and see if that helps
09:39 < ecrist> you don't need to reboot
09:39 < ecrist> on the server, paste to me, pfctl -N
09:39 < m0b> heh I know that but I'm not sure how else to flush the routes
09:39 < ecrist> erm
09:39 < ecrist> pfctl -s
09:39 < m0b> No ALTQ support in kernel
09:39 < m0b> ALTQ related functions disabled
09:40 < ecrist> what is flushing the routes going to do for you?
09:40 < m0b> = pfctl -N
09:40 < m0b> on my linuxbox ..
09:41 < m0b> Tue Aug 12 09:37:26 2008 us=389555 ERROR: Linux route add command failed: shell command exited with error status: 2
09:41 < m0b> saw that in status
09:42 < ecrist> m0b: these commands are for the server, not the client
09:42 < ecrist> pfctl -s on the server, please.
09:42 < m0b> I know that
09:42 < m0b> ^ that was on the client
09:43 < m0b> $ pfctl -s
09:43 < m0b> pfctl: option requires an argument -- s
09:43 < m0b> usage: pfctl [-AdeghmNnOqRrvz] [-a anchor] [-D macro=value] [-F modifier]
09:43 < m0b> [-f file] [-i interface] [-K host | network] [-k host | network ]
09:43 < m0b> [-o [level]] [-p device] [-s modifier ]
09:43 < m0b> [-t table -T command [address ...]] [-x level]
09:43 < ecrist> pfctl -s nat
09:43 < ecrist> sorry
09:44 < m0b> nat on rl0 inet from 10.1.0.0/24 to any -> 69.42.223.2
09:45 < ecrist> ok, that looks good
09:45 < ecrist> now, on the client, netstat -r
09:45 < ecrist> what does default say
09:46 < m0b> 10.1.0.5
09:47 < ecrist> what does traceroute yahoo.com show
09:47 < m0b> can't ping 4.2.2.2 so I doubt a trace will work but I'm trying it
09:48 < m0b> hasn't done anything yet
09:48 < m0b> finally it resolved
09:48 < m0b> traceroute to yahoo.com (68.180.206.184), 30 hops max, 40 byte packets
09:48 < m0b> 1 * * *
09:49 < m0b> etc
09:50 < ecrist> oh, um
09:50 < ecrist> forgot
09:50 < ecrist> add gateway_enable="YES" to /etc/rc.conf
09:51 < ecrist> then sysctl net.inet.ip.forwarding 1
09:51 < m0b> ok
09:51 < m0b> ok
09:51 < m0b> done
09:52 < ecrist> now try the traceroute
09:52 < m0b> looks like it's gonna be the same
09:52 < m0b> taking forever to resolve
09:52 < ecrist> well, use the IP, rather than the dns name
09:53 < m0b> what should be in client /etc/resolv.conf ?
09:53 < m0b> anything special ?
09:53 < ecrist> nope
09:54 < ecrist> traceroute to an IP that's local to the vpn server.
09:54 < m0b> ok
09:54 < m0b> but
09:54 < m0b> the vpn server's DC blocks udp *
09:54 < m0b> blocks traceroute / ping
09:55 < m0b> * * * is all I get
09:55 < m0b> for anything
09:55 < ecrist> hard to test things, then.
09:55 < ecrist> the config you've got should work - I've got a similar thing working here with many users.
09:55 < ecrist> I don't know at this point, and can't give you any more of my time this morning.
09:55 < ecrist> sorry.
09:56 < m0b> ok
09:56 < m0b> hehe
09:56 < m0b> thanks
09:56 < m0b> appreciate your time :]
10:10 -!- m0b [i=elusive@neighborhood.dopeslinger.com] has quit [Read error: 104 (Connection reset by peer)]
10:14 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
10:14 < SilenceGold> UDP is blocked?
10:15 < SilenceGold> sounds like DNS is too
10:15 < SilenceGold> oh
10:15 < SilenceGold> he left
10:15 < SilenceGold> heh
10:16 -!- rickb|server [n=admin@cpe-24-29-248-203.neo.res.rr.com] has joined ##openvpn
10:17 < rickb|server> Hello, I was wondering, would it be possible to link IRC servers together with a vpn? Just create a vpn, get each server onto the VPN and have them link internally through the VPN, not just simply through the internet.
10:20 < cpm> ummm, sure.
10:20 < rickb|server> yay. :p
10:21 < rickb|server> I am trying to integrate servers and admins, making it easier for people to fix other people's things.. Also, it would be very secure. :p
10:21 < rickb|server> The best parts about linux and the best parts about VPNs converge. :)
10:22 < cpm> VPN is a poor servant and a brutal master. Only use where you need to use.
10:23 < rickb|server> Would it be fast enough for IRC servers? I mean the only thing between servers would be the linking, clients would still connect to the public access points.
10:33 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:45 < ecrist> rickb|server: it's going to be plenty fast.
10:45 < rickb|server> :p
10:45 < rickb|server> thanks.
10:45 < ecrist> however,
10:45 < ecrist> you're better off using SSL for server linking - VPN adds an unnecessary layer of complexity.
10:46 < ecrist> especially since the servers are public, anyways.
10:46 < rickb|server> True True.
10:47 < rickb|server> A little overkill..
10:57 -!- ke4qqq [n=ke4qqq@64.89.94.194.nw.nuvox.net] has joined ##openvpn
10:58 < ke4qqq> hey guys quick question - how do you control access to your VPNs - what I mean is that I work in a relatively tech savvy company. We maintain two vpn instances, one for our machines and one for end user machines. End user machines are far less trusted. However I'd like to have a way to keep people from being able to take the .conf/.ovpn file and the certs and move them around to another machine. thoughts?
10:59 < ke4qqq> I suppose there is no way to identify a specific machine
10:59 -!- araknozzo [i=lepta@89-97-184-210.ip18.fastwebnet.it] has joined ##openvpn
10:59 < araknozzo> hi pple
11:00 < araknozzo> I have a problem
11:00 < araknozzo> I am having a server-bridge configuration
11:00 < araknozzo> but I can't reach the client or the server side of my openvpn
11:01 < araknozzo> would you help me
11:01 < araknozzo> ?
11:10 -!- araknozzo [i=lepta@89-97-184-210.ip18.fastwebnet.it] has quit ["Leaving"]
11:18 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:23 -!- rickb|server [n=admin@cpe-24-29-248-203.neo.res.rr.com] has quit [Remote closed the connection]
11:33 < ecrist> ke4qqq: ther is
11:33 < ecrist> there*
11:33 < ecrist> use two different OpenVPN servers.
11:33 -!- decoder [n=decoder@mordor.cs.uni-sb.de] has quit [Read error: 54 (Connection reset by peer)]
11:34 < ecrist> use two different CAs to sign the certificates.
11:35 < ke4qqq> ecrist: I have done that, but what keeps someone from copying certs/configs from one machine to another?
11:35 < ecrist> you should password protect the CAcert.
11:35 < ecrist> erm, certificate
11:36 < ecrist> don't give those users access to the certificate files.
11:36 < ecrist> also, you could add in some scripting, comparing the certificate CN to the hostname of the system connecting
11:36 < ecrist> if they don't match, drop the connection.
11:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:38 < ke4qqq> how do you deny access to the cert files?
11:38 < ke4qqq> tell me about the scripting of comparing CN to hostname
11:38 < ecrist> do these *users* have root access to the system?
11:38 < ke4qqq> assume yes
11:39 < ecrist> well, then either, 1) the users are trusted, and should behave, or 2) the machines *can't* be trusted.
11:39 < ke4qqq> the machines can't
11:40 < ecrist> you said you have trusted machines.
11:40 < ke4qqq> I should have put that word in quotes.....they are company owned machines
11:40 < ke4qqq> but they let users run around as localadmin, so they are certainly not trustworthy
11:40 < ecrist> ok, and how would the users benefit from taking the certificates from the other machines?
11:41 < ecrist> do the VPNs on those non-user machines need to be restarted often?
11:41 < ke4qqq> constantly - they are laptops
11:42 < ke4qqq> moving around
11:42 < ecrist> well, there's not much you can do, then.
11:42 < ke4qqq> and the benefit is that there are less restrictive firewall rules on the 'trusted' machine vpn
11:43 < ecrist> ke4qqq: your logic is flawed
11:44 < ecrist> if you don't have full control of a machine, you can't trust it more than a user-owned machine, given the user has the same rights.
11:44 < ecrist> your setup sounds wonky, and wouldn't be easily supported under _any_ VPN config
11:45 < ke4qqq> I agree - just trying to work with what has been thrust upon me.....
11:46 < ecrist> there's nothing you can really do.
11:46 < ecrist> other than tell the users what they can and cannot do.
11:46 < ecrist> should and should not do, rather.
11:46 < ecrist> given they have admin privs, they *can* do anything they like
12:10 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
12:10 < weatherhead> hello there, I'm setting up a small vpn and getting a bit confused about routing
12:12 < weatherhead> I am trying to allow the client to connect to my LAN and access LAN services. All my local machines have IP addresses in 192.168.2.x
12:13 < weatherhead> the openVPN server is at IP address 192.168.2.102, and when someone connects they get an ip address of 10.8.0.1
12:13 < rob0> you need to look for a simple IP routing tutorial. The basic tidbit is that all routing has to be bidirectional. It's not enough for one side to know where to send to the other, if the other doesn't know how to send back.
12:14 < weatherhead> I have read through a couple of tutorials,
12:14 < rob0> Then openvpn is an excellent educational tool, it's how I learned routing.
12:14 < weatherhead> but I'm an audio geek, and have no clue about networks
12:14 < weatherhead> heh ok
12:14 < weatherhead> I've tried a few things but nothing seems to work
12:15 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection]
12:16 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
12:16 < weatherhead> sorry about that, xorg crash
12:18 < rob0> ok, anyway, reread and keep thinking about the "tidbit" I gave you.
12:18 < weatherhead> right
12:18 < rob0> "The basic tidbit is that all routing has to be bidirectional. It's not enough for one side to know where to send to the other, if the other doesn't know how to send back."
12:18 < weatherhead> so I think I have to configure it such that any traffic from anywhere on my LAN to 10.8.x.x gets routed to the openVPN server
12:18 < rob0> 99% of routing problems boil down to that
12:19 < rob0> yep
12:19 < weatherhead> which is where I hit a problem.... my router is just an off the shelf box thing
12:19 < weatherhead> which doesn't seem to do internal IP routing
12:23 < rob0> You can manually enter routes on just about any TCP/IP-enabled OS. Or, turn off DHCP on the router and manage DHCP from another box.
12:23 < pumkinhed> weatherhead: sorry to jump in late, I could scrollback, openvpn isn't running on your default gateway??
12:24 < weatherhead> it is not
12:24 < weatherhead> I have an embedded debian box
12:24 < weatherhead> used as a NAS
12:24 < pumkinhed> ok, what's your default gateway?
12:24 < pumkinhed> linksys box?
12:24 < weatherhead> openVPN is running on this. My gateway is forwarding the ports to it
12:24 < weatherhead> no, it's some crappy edimax thing
12:24 < weatherhead> I've looked for openwrt support, and it doesn't exist...
12:25 < pumkinhed> ahh, ok, you have two options: figure out how to add a route to that box, or add a route to each client
12:26 < weatherhead> do you mean client as in openVPN client, or client as in LAN client
12:26 < pumkinhed> client as in LAN client, the openvpn clients already know how to route back to your network
12:27 < pumkinhed> presumably you have an ifconfig "push options" in your openvpn config
12:27 < pumkinhed> err push "route 192.168.0.0 255.255.255.0" even
12:28 < pumkinhed> so openvpn clients are routing to you... nothing to worry about there
12:28 < pumkinhed> are you in a domain environment?
12:28 < pumkinhed> *windows domain
12:29 < weatherhead> I have "route 192.168.2.1 255.255.255.0"
12:29 < weatherhead> I am not. There are quite a few boxes here all running either opensuse or OSX
12:29 < pumkinhed> ok, that makes it a little more difficult... you could turn the debian comp into your default gateway, and have its default gateway pointed at your edimax box....
12:30 < pumkinhed> then the debian box will route all your network traffic appropriately
12:30 < pumkinhed> is that an option?
12:30 < weatherhead> the problem is the debian box isn't always on.
12:30 < pumkinhed> ah, are a large number of users on your LAN going to need to access the other side of the VPN?
12:31 < weatherhead> and it's pretty slow. We use the network to stream a lot of audio and video traffic, so it's not ideal if everything is going through the debian box
12:31 < weatherhead> pumkinhed: no
12:31 < pumkinhed> or are users from the VPN going to access a lot of boxes on the other side?
12:31 < weatherhead> basically, the VPN is needed so we can have just 1 or 2 remote clients on the LAN
12:31 < pumkinhed> because it would probably be easier just to add the static routes
12:31 < pumkinhed> to the servers
12:31 < weatherhead> yes that's probably easiest
12:32 < weatherhead> I can pretty quickly deploy a routing table to all the machines if I knew what worked
12:32 < pumkinhed> ie: on windows: route add 10.8.0.0 mask 255.255.255.0 192.168.1.
12:32 < weatherhead> do I need this "push" option in the openvpn conf?
12:32 < weatherhead> in front of the "route" parameter
12:33 < pumkinhed> yes
12:34 < pumkinhed> that is telling openvpn clients how to route back to your 192 network
12:34 < pumkinhed> but you need to correct it
12:34 < weatherhead> I think the first thing is, what routing table do I need on the debian box itself? it connects to the rest of the network via eth0, and the VPN is through tun0
12:36 < pumkinhed> the debian box should have the routes it needs
12:37 < pumkinhed> but it needs to be config'd to route traffic
12:37 < weatherhead> I have enabled IP forwarding
12:38 < pumkinhed> perfect
12:38 < weatherhead> its routing table only has one option at the moment
12:38 < pumkinhed> if you run netstat -nr on the debian box, you can see its routing table
12:39 < weatherhead> 0.0.0.0 gw: 192.168.2.1 mask: 0.0.0.0
12:39 < pumkinhed> what you are looking for is an entry like 10.8.0.0/24 10.8.0.2
12:39 < weatherhead> it doesn't have such an entry
12:39 < pumkinhed> if you run sysctl -a | grep forward, is forwarding 1?
12:39 < weatherhead> it is
12:40 < weatherhead> net.ipv4.ip_forward=1
12:42 < pumkinhed> ok then, manually add the route I suppose, route add -net 10.8.0.0 10.8.0.2
12:42 < pumkinhed> any experts disagree?
12:42 < weatherhead> oh hell sorry openvpn isn't actually running atm
12:43 < weatherhead> two seconds
12:43 < weatherhead> ah it has added the route
12:47 < weatherhead> ok, I guess that route in the openVPN config file is wrong, because it'll route all the traffic to my gateway, where they will just be lost? am I right?
12:50 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:27 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:28 -!- bandini [n=bandini@host161-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
13:30 -!- dmarkey_ [n=dmarkey@79.97.241.103] has joined ##openvpn
13:30 < dmarkey_> hi, this is probably a very common question
13:31 < dmarkey_> but which is faster, tun or tap
13:33 < ecrist> heh
13:34 < ecrist> depends on what you're doing.
13:34 < ecrist> theoretically, tap is faster, with less overhead for routing and subnetting.
13:38 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
13:38 < dmarkey_> but is there not more layers?
13:39 < ecrist> you could get into the coding of the drivers, etc, but the difference is going to be *very* minimal
13:39 < dmarkey_> oh ok
13:40 < dmarkey_> because I'm having trouble with tun
13:40 < ecrist> what problems?
13:40 < dmarkey_> well, the client gets an IP but can't reach the other side
13:41 < dmarkey_> doesn't matter anyway, works with tap
13:42 < ecrist> dmarkey_: most probably a routing issue.
13:42 < dmarkey_> hmm.. but all I changed in the config was tun/tap
13:42 < rob0> No, tun has less network overhead.
13:43 < dmarkey_> is there more configuration on the client side for tun?
13:43 < rob0> !bridging
13:43 < vpnHelper> rob0: Error: "bridging" is not a valid command.
13:43 < dmarkey_> I think it could be an issue with netbsd
13:43 < ecrist> dmarkey_: it's a routing issue
13:43 < ecrist> trust me.
13:44 < dmarkey_> rob0: I'm using routing and a different subnet, with tap
13:44 < dmarkey_> so I'm not using a bridge
13:45 < dmarkey_> oh... hmm.. if I use tun on the server, should I use tun on the clients too?
13:45 < ecrist> yes
13:45 < dmarkey_> it won't work mismatching?
13:45 < ecrist> your server and client configs need to match.
13:46 < ecrist> why do you think it would?
13:47 < ecrist> Si je parle francais, pouvez-vous me comprendre? [If I speak French, can you understand me?]
13:47 < ecrist> Je crois pas. [I don't think so.]
13:47 < ecrist> :)
13:48 < dmarkey_> ecrist: genius
13:49 < dmarkey_> now will I have less latency in general or will I even notice it
13:49 < ecrist> you won't notice a difference, save a misconfiguration, of course.
13:50 < dmarkey_> hmm
13:50 < dmarkey_> I think I notice some latency. or could I be imagining it?
14:09 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
14:12 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection]
14:17 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:22 < pumkinhed> dmarkey_: latency is probably being caused by transmission through the internet, the overhead openvpn will add during processing will be minimal by comparison
14:29 < ecrist> dmarkey_: you're not going to notice the difference between tun and tap
14:35 < pumkinhed> anyone w/ experience using openvpn to provide laptops connectivity back to domain?
14:35 < pumkinhed> ie, why is SMB so slow
14:36 < ecrist> pumkinhed: I'd guess it's slow remote link.
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:37 < pumkinhed> well, define `slow`, it's high latency (100ms-200ms), ~50KB/s either direction, is that not enough
14:37 < ecrist> 100 to 200ms is pretty slow, but not unbearable.
14:38 -!- ke4qqq [n=ke4qqq@64.89.94.194.nw.nuvox.net] has quit [Client Quit]
14:38 < ecrist> 50KB/s isn't exactly fast, though.
14:39 < pumkinhed> ok, I may have to force users to live with it (nice thing about openvpn is it's always on, bad thing about it is that you can't force windows to dial the connection for group policy sync)
14:41 < ecrist> sounds like a plan to me.
14:42 < pumkinhed> I guess maybe the right angle to try is to get offline files working appropriately...
14:42 < pumkinhed> when users are `online`, it's quite slow, when users are `offline` it's very quick
14:43 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
14:44 < aia> Is there a Privoxy channel?
14:45 < pumkinhed> maybe #tor, your guess is as good as mine
14:47 < aia> hmm
14:47 < aia> thx
15:00 * ecrist heads home
15:03 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:04 -!- dmarkey_ [n=dmarkey@79.97.241.103] has quit [Remote closed the connection]
16:10 -!- m0b [i=elusive@neighborhood.dopeslinger.com] has joined ##openvpn
16:18 < rmull> Emergency.
16:19 < rmull> I have a remote vpn client and I had to make some changes to the DNS
16:19 < rmull> I had the remote client connecting to a.com and I had to change it to b.com
16:20 < rmull> So I made sure b.com resolved to the correct IP (same IP as a.com) and made a second conf with the new DNS entry
16:20 < rmull> And to test it I ran "openvpn second.conf" while the original VPN connection was up
16:20 < rmull> Thinking that it would just tell me it would not work, and if it did work, it would still connect to the same server and get the same info and everything
16:21 < rmull> But that's not the case. I lost connectivity.
16:21 < rmull> OMG thank you
16:21 < rmull> It came back online
16:21 < rmull> WHEW
16:21 < rmull> Lol
16:28 < SirFunk> I have 2 windows hosts connected to my open vpn network.. both get different ips.. it seems like whichever one connects later can ping the other but not vice versa
16:30 -!- K| [n=K@stgt-5d834f2c.pool.einsundeins.de] has joined ##openvpn
16:31 < K|> hi, I was following the tutorial, and couldn't quite find out what to do with 0{n}.pem and am missing so far the dh1024.pem
16:37 < SirFunk> The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet
16:37 < SirFunk> isn't that impossible? don't .252 subnets only include 2 addresses
16:37 < SirFunk> thus they would both be first or last?
16:39 < ecrist> SirFunk: no
16:40 < ecrist> it's a /30, which gets you exactly 4 ips
16:40 < ecrist> one network, 2 host, 1 broadcast.
16:40 < SirFunk> hmm ok
16:40 < SirFunk> man openvpn on windows is frustrating
16:41 < ecrist> it shouldn't be that bad.
16:41 < ecrist> I've got 50+ year old women running it...
16:41 < SirFunk> I have 2 windows hosts... whichever one connects LATER is pingable by the other one... but it cannot ping the other one
16:41 * ecrist goes out for a beer.
16:42 -!- decoder [n=decoder@146-229-024-217.ip-addr.teresto.net] has joined ##openvpn
16:54 -!- decoder [n=decoder@146-229-024-217.ip-addr.teresto.net] has left ##openvpn ["*gone*"]
17:10 -!- K| [n=K@stgt-5d834f2c.pool.einsundeins.de] has quit [Remote closed the connection]
19:07 < ecrist> blah
19:10 < ecrist> evening, kids
19:26 < aia> hey folks
19:42 < ecrist> hola
21:12 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
21:40 -!- near [n=near@88-122-26-215.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:40 -!- near [n=near@88-122-27-106.rev.libertysurf.net] has joined ##openvpn
21:53 < aia> why am I not able to get web traffic through the vpn server?
21:54 < aia> or access the web
21:54 -!- djs [n=djs@unaffiliated/djs26] has quit ["leaving"]
21:54 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
21:56 -!- djs26 is now known as djs
21:57 -!- kaynine [i=5684dc5d@gravity.spherecarrier.org] has joined ##openvpn
22:08 < kaynine> Hi all. I'm setting up OpenVPN server on linux, with clients which include w2k; w2k seems to require dev tap which I'm comfortable with; but I don't think I need any bridging (though maybe I do). Clients can ping/smb each other, and server; but server can't ping/smb any clients.
22:10 < kaynine> Is it possible for this server to ping/smb the clients, as if it were a client itself?
22:11 < kaynine> I tried running client on the same host as server; without success.
22:13 < kaynine> While I think I'm understanding the lack of routing information from server to clients, my lan gateway easily "sees" other hosts on the same subnet, so I know I'm missing something fundamental here.
22:19 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
22:32 < mooseman447> hey
22:58 < ecrist> heya, folks
22:59 < ecrist> kaynine: with a bridging VPN, you should be able to see your VPN clients as though they are on the local LAN.
22:59 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
23:00 < krzee> I just realized bridging opens people up to MITM attack if 1 machine on one of the lans is compromised
23:00 < krzee> never thought of that
23:00 < krzee> although it should have been obvious
23:07 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
23:11 < kaynine> ecrist: do I need to bridge through eth* just in order to see other hosts on the tap* subnet?
23:11 < kaynine> or can I bridge to lo ? :)
23:12 < kaynine> I hadn't thought of bridging to the lo interface before; it might be the ticket.
23:17 < ecrist> kaynine: you need to bridge ethx
23:18 < ecrist> that's what the start-bridge scripts are supposed to help you with.
23:19 < krzee> haha
23:19 < krzee> bridging localhost
23:19 < krzee> so your localhost can talk to the tap... but the tap can't connect to the inet cause it's not bridged to it
23:20 < kaynine> well, the bridge isn't intended to serve the clients; I don't really need or want them to have access to the eth+ interface
23:20 < krzee> you need the tap to see the network interface if you want it to do ANYTHING over the inet
23:20 < krzee> for bridging this is done with a bridge
23:20 < krzee> for routing it is done with a route
23:21 < ecrist> kaynine: for your LAN to access the VPN, you need to bridge tap0 and your LAN ethernet interface.
23:21 < ecrist> or, give up.
23:21 < ecrist> :)
23:21 < kaynine> yes, for inet access; but I'm looking mostly for secure samba filespace
23:22 < ecrist> eth != inet
23:22 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
23:25 < kaynine> I don't need the lan to access the tap hosts; I only need the localhost to access the tap clients
23:25 < krzee> dude
23:25 < krzee> there are no tap clients without bridging in an inet interface
23:25 < krzee> how do you get tap clients with no inet?
23:26 < krzee> they come from... the internet
23:26 < kaynine> yes they do
23:26 < krzee> unless your clients are connecting from localhost, in which case wtf
23:26 < krzee> they connect from localhost to localhost?
23:26 < kaynine> they connect via the inet
23:27 < krzee> then you need an inet interface bridged to tap interface
23:27 < krzee> haha
23:27 < ecrist> kaynine: your samba server needs to listen to ::1 then.
23:27 < krzee> ok when I say inet interface
23:27 < krzee> I mean network interface
23:27 < krzee> sorry if that confused you
23:27 < kaynine> before samba, ..... server 10.8.0.1 cannot ping any of the tap clients
23:28 < krzee> !logs
23:28 < vpnHelper> krzee: "logs" is please pastebin your logfile with verb set to 6
23:28 < krzee> !forget logs
23:28 < vpnHelper> krzee: The operation succeeded.
23:28 < krzee> !learn logs as is please pastebin your logfiles from both client and server with verb set to 6
23:28 < vpnHelper> krzee: The operation succeeded.
23:38 < kaynine> I now provide on vpn server, without bridging, client access to outbound gateway, and a secure channel to samba shares on the vpn server; without bridging; using tap0
23:39 < kaynine> clients can access each other for netbios over tcp shares also
23:39 < krzee> may I see your configs?
23:39 < kaynine> but the vpn server cannot ping any of the clients on tap0
23:40 < krzee> they can't ping but they can access samba shares?
23:40 < kaynine> no
23:41 < kaynine> there's no routing information to them from the tap0 server
23:41 < krzee> no kidding
23:41 < krzee> cause if you want tap (aka bridged mode) you need a bridge
23:41 < krzee> if you want routed, you want to use tun
23:41 < krzee> if it's all within lan, you are using the wrong program
23:41 < krzee> this is for connecting lans
23:42 < krzee> it will not work all in the same lan
23:42 < kaynine> w2k doesn't seem to use tun
23:42 < krzee> oh windows
23:43 < krzee> please pastebin your configs
23:43 < kaynine> on some clients, yes
23:43 < kaynine> not on server
23:43 < krzee> so the server is using tun right...?
23:44 < kaynine> can I tun on server and tap on client?
23:44 < kaynine> (I think I tried that, without success)
23:46 < kaynine> you know, the traditional office ethernet lan is configured a la tap, not a la tun, with their ifconfigs
23:46 < mooseman447> hmm after a while my client disconnects and reconnects to the server and this is in the client log: Inactivity timeout (--ping-restart), restarting
23:47 < kaynine> krzee: I'll sleep on it ..... Thank you for caring.
23:47 < krzee> np 23:48 < krzee> maybe windows uses tap 23:48 < krzee> havnt read the windows docs in awhile 23:48 < krzee> didnt realize you meant win tap with routed when i was saying that 23:48 < kaynine> I was OK with tun until I introduced the windows clients 23:49 < kaynine> though static IP seleciton was a pain 23:52 < kaynine> as long as clients can reach each other, and the server, I probably don't need the server to connect back to the clients (i.e. for pulling backups); I'll just set up a client to do that :) 23:53 < kaynine> (it's easier for me to pull a backup from a windows client than it is for me to figure out how to get windows clients to push one/it :) 23:53 < kaynine> g'nite anyway. .... 23:53 * kaynine goes afk 23:54 < kaynine> (log on) --- Day changed Wed Aug 13 2008 00:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 00:28 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] 00:42 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 00:56 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 01:00 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 01:15 -!- bandini [n=bandini@host161-22-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 01:34 < kraut> moin 02:17 < krzee> !kraut 02:17 < vpnHelper> krzee: "kraut" is moin 02:17 < krzee> heh 02:18 < krzee> i should add a plugin just to respond to kraut every night =] 02:50 -!- dmarkey [n=dmarkey@nat/ibm/x-294c1f9d2daf96a9] has joined ##openvpn 02:50 < dmarkey> hello 02:52 < krzee> hey 02:55 < m0b> hello 02:55 < m0b> i still cant get this shit to work ;[ 02:55 < m0b> i even bought a swissvpn account and that wont work either 02:56 < dmarkey> so, what can i do to lower latency in openvpn 02:56 < krzee> m0b, nice hostname! 02:56 < krzee> dmarkey, tun or tap? 02:56 < m0b> hehe thx! 
:P
02:57 < m0b> how did you get yours to /unaffil
02:57 < m0b> ?
02:57 < krzee> an oper that trusts you has to add it to your registered nickserv account
02:57 < m0b> oh
02:57 < m0b> i see
02:57 < dmarkey> tun, altho i can switch to tap if its faster
02:57 < krzee> dmarkey, it is slower
02:57 < dmarkey> tun is slower?
02:58 < krzee> i woulda said tun is if you said tap
02:58 < krzee> nah tun is faster
02:58 < krzee> you use udp?
02:58 < dmarkey> yes
02:58 < krzee> good
02:58 < krzee> !mtu
02:58 < vpnHelper> krzee: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml
02:58 < dmarkey> its adding about 5ms latency to my connection as it is
02:58 < krzee> if you are fragmenting after the fragmentation your MTU is set to, you will be adding extra overhead
03:00 < dmarkey> hmm.. whats the linux eq to test this
03:00 < krzee> not sure, play with it
03:00 < dmarkey> is 5ms about the norm?
03:00 < krzee> dunno
03:00 < krzee> never been concerned with it
03:00 < krzee> btw do you notice 5ms?
03:00 < krzee> even on voip you shouldnt notice 5ms
03:02 < krzee> kaynine, I was OK with tun until I introduced the windows clients
03:03 < krzee> kaynine, you were ok tunneling over the LAN?
03:16 -!- Bushmills [n=Bushmill@ip-77-25-162-229.web.vodafone.de] has joined ##openvpn
03:17 < Bushmills> g'day
03:21 < Bushmills> it appears that, when client connects to server, server open a connection to the client in return. that's what googling for error "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" (from server log) seems to indicate - found answers saying "client process doesn't listen". and in fact, i can't connect client from server under its ip, no ping, and mtr stops at a hop halfway.
03:23 < Bushmills> it appears that my provider (i'm on a mobile phone connection) blocks attempts to connect to my machine. now, is there a way i can configure openvpn client and/or server around this?
03:26 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
03:27 < krzee> hrm
03:27 < krzee> can your mobile phone connect to arbitrary encrypted websites?
03:27 < Bushmills> doesn't seem to be related to inactivity timeout, but the "refused" message is followed by one, a minute later
03:28 < Bushmills> krzee, https? yes.
03:28 < krzee> try using tcp and port 443 on your server
03:28 < Bushmills> krzee, this is actually a linux computer with an umts modem
03:28 < krzee> i dont usually recommend tcp
03:28 < krzee> but sometimes you have no choice
03:28 < krzee> !tcp
03:28 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
03:29 < Bushmills> ok, will try
03:29 < krzee> this could be one of those sometimes
03:29 < krzee> also
03:29 < krzee> try udp 53
03:29 < krzee> assuming you can directly query an arbitrary NS
03:29 < Bushmills> there's a dns running on the openvpn server
03:29 < krzee> some admins are lazy in their blocking
03:29 < krzee> ahh
03:29 < Bushmills> and i'm the server admin
03:29 < krzee> not server admin
03:29 < krzee> firewall admin
03:29 < Bushmills> also firewall admin
03:29 < krzee> assuming thats whats stopping you
03:30 < Bushmills> no. server side is ok, works with other machines
03:30 < krzee> it appears that my provider (i'm on a mobile phone connection) blocks attempts to connect to my machine. now, is there a way i can configure openvpn client and/or server around this?
03:30 < krzee> that firewall admin
03:30 < krzee> the one you just said you suspect is blocking it
03:30 < krzee> hehe
03:30 < Bushmills> ah. provider router, not openvpn client/server, you mean?
03:30 < krzee> if hes lazy maybe udp 53 (which you cant use anyways)
03:31 < dmarkey> can i use tun on windows?
03:31 < Bushmills> because on provider router mtr stops
03:31 < krzee> if not, maybe tcp 443
03:31 < krzee> !windows
03:31 < Bushmills> yeah, i'll try 443, because the web server on openvpn machine has no https enabled
03:31 < vpnHelper> krzee: Error: "windows" is not a valid command.
03:31 < krzee> bleh i should add one for that
03:33 < dmarkey> yup
03:35 < dmarkey> ok, so you can use tun, but one still has to install the tap driver?
03:37 < krzee> from what im seeing
03:37 < krzee> seems windows does routed over tap
03:37 < krzee> im really outta the windows loop
03:38 < dmarkey> hmm.. it would have been handy to not have to install the tap driver
03:38 < krzee> why?
03:40 < krzee> !learn new as http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
03:40 < vpnHelper> krzee: The operation succeeded.
03:40 < krzee> err
03:40 < krzee> !forget new
03:40 < vpnHelper> krzee: The operation succeeded.
03:40 < krzee> !learn vpn as http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
03:40 < vpnHelper> krzee: The operation succeeded.
03:43 -!- kaushal [n=kaushal@bbs.webaroo.com] has joined ##openvpn
03:43 < kaushal> hi
03:43 < krzee> heh busy night
03:43 < kaushal> krzee, hi
03:43 < krzee> hey
03:44 < krzee> only here for a few min then back to the movie
03:44 < krzee> whats goin on
03:44 < kaushal> I am using Ubuntu 8.04 Linux
03:44 < kaushal> every time when i need to connect to Open VPN Server
03:44 < kaushal> I need to add the route command
03:45 < Bushmills> kaushal, server can push routes to client
03:45 < krzee> server and client both on ubuntu?
03:45 < kaushal> sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0
03:45 < krzee> you do that on client?
03:45 < kaushal> yeah
03:45 < krzee> look at push command
03:46 < krzee> you can push the route
03:46 < krzee> (like Bushmills said)
03:46 < kaushal> Bushmills, is it possible on the client side
03:46 < Bushmills> kaushal, on the client side is what you do now
03:46 < krzee> the server config pushes to client
03:47 < krzee> for automation
03:47 < krzee> that way server controls things
03:47 < Bushmills> kaushal, but instead, you can ask server to instruct client to do that instead
03:47 < kaushal> ok
03:47 < kaushal> Bushmills, what will be the command syntax
03:47 < kaushal> on the server side
03:48 < kaushal> based on sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0
03:48 < Bushmills> kaushal, i forgot. push-route .... or push ...
03:49 < Bushmills> kaushal, for example: push "route 78.47.17.170 255.255.255.255"
03:49 < Bushmills> that's for one single address, not a net
03:50 < kaushal> Bushmills, It works fine for windows client
03:51 < kaushal> only on Linux client I have the issue
03:51 < Bushmills> i never tried that on windows, but it works fine with linux here
03:51 < krzee> just like the route command, but you push it
03:51 < krzee> you can push a lot of commands
03:52 < krzee> man page has a few examples
03:52 < kaushal> is that possible from client side
03:52 < kaushal> that was my concern
03:52 < krzee> as Bushmills said
03:52 < krzee> you already do it on client side
03:52 < kaushal> since i dont have access to the server
03:52 < kaushal> on Client side
03:53 < krzee> put your command in a -up script then
03:53 < kaushal> ok
03:53 < krzee> or try the route command in client config
03:53 < krzee> ild expect it to work
03:53 < kaushal> krzee, please give me a moment
03:54 < krzee> seeing as pushed options make the command seem to be in the client config
03:54 < kaushal> krzee, i dont have up script under /etc/openvpn
03:54 < krzee> read docs
03:54 < krzee> they are your friend
03:54 < krzee> !howto
03:55 < vpnHelper> krzee: "howto" is OpenVPN comes
with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:55 < krzee> !google
03:55 < vpnHelper> krzee: (google [--{language,restrict} ] [--{notsafe,similar}]) -- Searches google.com for the given string. As many results as can fit are included. --language accepts a language abbreviation; --restrict restricts the results to certain classes of things; --similar tells Google not to filter similar results. --notsafe allows possibly work-unsafe results.
03:55 < kaushal> I have only update-resolv-conf
03:55 < krzee> heh, dog
03:55 < krzee> doh
03:55 < krzee> yes, you make your own up script
03:55 < krzee> read docs for info
03:55 < krzee> man page is good too
03:55 < kaushal> krzee, if you can give me an example that would be helpful
03:55 < krzee> ild rather point you in the right direction than do it for you
03:55 < kaushal> i have read all the docs
03:56 < krzee> obviously not the part on up scripts
03:57 < krzee> !learn man as http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
03:57 < vpnHelper> krzee: The operation succeeded.
03:58 < krzee> --up cmd
03:58 < krzee> Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel.
03:58 < krzee> Typically, cmd will run a script to add routes to the tunnel.
03:58 < krzee> i swear its not hard
03:58 < krzee> heh
03:59 < krzee> and command that can be passed via -- can be added to config
03:59 < krzee> up "sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0"
03:59 < krzee> fine you got me to do it
03:59 < krzee> =[
04:00 < kaushal> krzee, thanks for your patience
04:00 < krzee> all cause of missing rar files in my movie im redownloading =/
04:00 < kaushal> where do i add this
04:00 < krzee> you're welcome
04:00 < kaushal> I mean up "sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0"
04:00 < krzee> sorry im kinda short, havnt gotten much sleep last couple days
04:01 < krzee> in your client config
04:01 < kaushal> krzee, i completely agree with you
04:01 < kaushal> I dont have anything under /etc/openvpn/
04:01 < krzee> huh?
04:02 < krzee> open your client config file
04:02 < krzee> and add the line
04:02 < krzee> if you dont have a client config file, then you have some work to do!
04:03 < Bushmills> krzee, going through tcp 443 looks better, no more err 111. but a new one: server log says now "SIGUSR1[soft,connection-reset] received, client-instance restarting". no sign of any log or reason for sigusr1 on client.
04:03 < kaushal> krzee, is it update-resolv-conf
04:03 < krzee> Bushmills
04:03 < krzee> !logs
04:03 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
04:03 < krzee> kaushal, dude
04:04 < krzee> if you dont know where your client config is, i cant hel you
04:04 < krzee> help
04:04 < krzee> your openvpn configuration file
04:04 < krzee> yanno, the one you setup so you can run openvpn...
04:04 < krzee> haha
04:04 < krzee> looks something like this...
04:04 < krzee> !configs
04:04 < vpnHelper> krzee: Error: "configs" is not a valid command.
04:04 < krzee> !sample
04:04 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
04:05 < kaushal> krzee, i am using Network Manager under ubuntu
04:05 < krzee> oh dude
04:05 < krzee> good luck
04:05 < kaushal> to configure openvpn
04:05 < krzee> mail list is full of examples of that sucking
04:05 < krzee> i personally have not and will not try that or learn about it
04:05 < krzee> so ya, best of luck to ya there
04:06 < dmarkey> can i get a server to listen on both udp and tcp
04:06 < krzee> by running 2 instances of openvpn
04:06 < krzee> @ dmarkey
04:07 < dmarkey> can they use the same keys etc?
04:07 < krzee> sure
04:07 < dmarkey> and the same tun and subnet?
04:07 < krzee> just dont let them overlap ips they hand out
04:07 < krzee> and you're fine
04:08 < dmarkey> ok thanks
04:08 < krzee> np =]
04:08 < Bushmills> krzee, http://scarydevilmonastery.net/ovpn.log
04:09 < Bushmills> server log, after starting openvpn on client. both tcp/443
04:09 < krzee> Bushmills, and other log?
04:09 < krzee> "from both client and server"
04:09 < krzee> time is running out
04:09 < krzee> download finished
04:09 < krzee> unrar'ing
04:09 < Bushmills> i don't seem to have any client side log
04:10 < krzee> you should prolly fix that...
04:11 < Bushmills> prolly. new machine, a netbook. openvpn preinstalled, fedora. not done a lot on customizing yet
04:11 < Bushmills> just grepped for ovpn through logs
04:11 < krzee> well ya edit your client config file to your needs
04:11 < krzee> !sample
04:11 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
04:12 < krzee> lol i seem to not be specifying a logfile on my client either
04:12 < krzee> *shrug*
04:12 < krzee> does it output to /var/log/messages?
04:13 < krzee> i dont use fedora
04:13 < krzee> btw
04:13 < Bushmills> neither do I, usually
04:14 < krzee> trying to run something without configuring it really is asking for problems
04:14 < Bushmills> i took over a known good client config from another client, modded it
04:14 < krzee> ah werd
04:14 < krzee> well find logs
04:14 < krzee> they will lead you
04:14 < krzee> google will help
04:15 < krzee> assuming my movie works this time
04:15 < krzee> yay finally got past rar18
04:16 < krzee> but ya, specifying a log in config file will be the easy way
04:16 < krzee> as seen in my server config file
04:16 < krzee> adios, movie time
04:16 < krzee> (again)
04:36 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
04:39 < kaushal> krzee, hi again
04:40 < kaushal> krzee, yt ?
05:12 -!- edeca [n=david@emo.two-pebbles.com] has left ##openvpn []
05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:49 -!- onre [i=esp@static.fi] has joined ##openvpn
05:49 < onre> hiya. anyone ever set up openvpn on a solaris 10 box with multiple zones?
05:50 < onre> i sort of did just that but i can't access zones other than the global zone on the host running sol10.
05:51 < onre> the vpn addresses are in 10.0.1.0/24 space, whereas the zones live in 10.0.0.0/24. i can ping 10.0.0.1, which is the global zone, and login via ssh, but i can't do same for 10.0.0.2 which is another zone in the same host.
06:13 < krzee> never heard of it being done but if you get it working and dont mind making a little writeup of how ill add it to the bot for the next people
06:14 < cpm> what on earth do you mean by 'zones' ?
06:15 < cpm> what you describe is multiple subnets
06:15 < cpm> !iroute
06:15 < vpnHelper> cpm: "iroute" is does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about.
ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
06:16 < krzee> virtual machines kinda
06:16 < cpm> ah, okay.
06:16 < krzee> Zones
06:16 < krzee> Zones provide a new isolation primitive for the Solaris OS, which is secure, flexible, scalable and lightweight: virtualized OS services which look like different Solaris instances. Together with the existing Solaris Resource management framework, Solaris Zones forms the basis of Solaris Containers.
06:16 < cpm> right right.
06:16 < cpm> okay, I thought you were talking some kinda strange alien solaris speak for subnetting or something. yes, I remember zones.
06:17 < cpm> cool stuff
06:18 < cpm> I think you need to review the routing table for all your zones, can they see the vpn netblocks?
06:18 < cpm> if the vpn can see them, but they can't see the vpn, well,
06:19 < krzee> http://article.gmane.org/gmane.network.openvpn.user/23575
06:19 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
06:19 < krzee> that person seems to have gotten openvpn working in zones
06:19 < krzee> not sure if they can help
06:19 < krzee> (on the openvpn mail list the other day)
06:20 < cpm> solaris people are weird
06:20 < cpm> :)
06:20 < krzee> hey, they gave us ZFS
06:20 * krzee respects
06:21 < cpm> they are still weird
06:21 < krzee> haha
06:22 < krzee> ya and its mainly PJD that brought it to fbsd
06:22 < krzee> so most that respecting goes to him!
06:22 < cpm> yeah, I have a secret respect for them too, in their ivory towers, with their monolithic architectures, and no linux-creeps to annoy them, trying to NT-ise their clean environments,
06:22 < krzee> lol
06:23 < krzee> *cough*ubuntu*cough*
06:23 < cpm> Egg-zactly.
06:23 < cpm> although RH-esque stuff is pretty near as bad
06:23 < krzee> damn man its 7:30am again
06:23 < krzee> i need to adjust my sleep schedule hah
06:23 < cpm> When was the last time you saw a solaris environment?
06:23 < krzee> hah
06:23 < krzee> no time recent
06:24 < cpm> been a few years, and i was poking around as root, stunned, 'man, it's so /clean/ !'
06:24 < krzee> i think i had an irix box more recent than i seen solaris
06:24 < krzee> lol
06:25 < krzee> aight, shower/bed
06:25 < krzee> nite
06:28 < onre> cpm, zones are a solaris feature...
06:28 < onre> as someone already explained. :/
06:29 < onre> thanks for replies, though :) reading the gmane url...
06:30 < krzee> !google openvpn solaris zones
06:30 < vpnHelper> krzee: http://blog.pebcak.de/archives/697-BrandZ-Linux-inside-a-Solaris-Zone.html - BrandZ - Linux inside a Solaris Zone - Doomshammer's Weblog
06:30 < krzee> bleh it skipped the one i wanted
06:30 < krzee> Solaris 10 + OpenVPN (tun/tap)
06:30 < krzee> Looks like tun interface *must* be in a global zone, ... (comp.unix.solaris); Re: [SLE] openvpn ... On Thu, 16 Oct 2003 11:10, Paul Alfille wrote: . ...
06:31 < krzee> http://www.google.com/search?hl=en&q=openvpn+solaris+zones&btnG=Google+Search
06:31 < vpnHelper> Title: openvpn solaris zones - Google Search (at www.google.com)
06:31 < onre> yea, you can't do much anything with interfaces in zones other than the "global" zone
06:31 < onre> or routes
06:32 < krzee> then you prolly cant do it, but if you figure out a way pls do report
06:32 < onre> yup... when i set up routes in the global zone, those get inherited into other zones, though
06:32 < cpm> oh, it's got to be doable.
06:32 -!- Bushmills [n=Bushmill@ip-77-25-162-229.web.vodafone.de] has quit [Remote closed the connection]
06:32 < onre> yea, i'm sure someone has got this to work :)
06:33 < krzee> umm
06:33 < krzee> if routes must be made in global
06:33 < krzee> why not route the other zones through the vpn that is setup on global zone?
06:34 < krzee> seeing as they get inherited
06:35 < dmarkey> onre: are you on sparc or x86?
06:35 < onre> x86.
06:36 < onre> on the routing suggestion - what you mean by "through the vpn"?
06:49 < onre> also, is it normal for the endpoint ip of the link to be not pingable?
06:50 < onre> that is, when i connect from the laptop, i can ping this host using 10.0.1.1, but not 10.0.1.5 which is windows' idea of gateway to other 10.0.x networks
07:14 < ecrist> morning, kids
07:15 < rmull> morning ecrist
07:24 < ecrist> onre: that's normal
07:25 < cpm> morn'n ecrist
07:26 < onre> thanks. after some extensive use of snoop(1M), i'm almost certain now that i'm somehow failing with convincing the solaris box to actually forward the packets
07:28 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
08:20 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
08:25 < kaynine> krzee: I'm solved !
08:26 < kaynine> needed to remove the SNAT routing in the servers nat table /g
08:27 < kaynine> Postit: "90% of the time its a firewall issue" :)
08:48 < ecrist> kaynine: correction "90% of the time, it's a firewall or routing issue."
08:49 < kaynine> :)
08:49 < kaynine> So I have the foundation I sought, and from which to build one step at a time.
08:52 < kaynine> tap ... no bridging
08:53 < kaynine> options to deploy: bridging, and redirecting gateway
08:54 < kaynine> and tuning :)
08:54 < ecrist> tap is the bridging interface, properly configured, of course.
08:55 < kaynine> right; I won't try bridging with tun
08:55 < kaynine> but tap certainly doesn't require a bridge
09:14 -!- kaushal [n=kaushal@bbs.webaroo.com] has quit ["Leaving"]
09:21 < dmarkey> does anyone know where i could get support for racoon?
10:06 < ecrist> people still use that?
10:12 -!- decoder [n=decoder@mordor.cs.uni-sb.de] has joined ##openvpn
10:12 -!- decoder [n=decoder@mordor.cs.uni-sb.de] has left ##openvpn ["*gone*"]
10:44 -!- harpal [n=Harpal@122.169.108.195] has joined ##openvpn
10:45 -!- bandini [n=bandini@host161-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
10:45 < harpal> Hey when I start openvpn it shows me TUN/TAP support is not available in this kernel. whats meaning of that? I have TUN/TAP in kernel
10:47 < ecrist> can you pastebin the error?
11:11 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
11:11 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
11:13 -!- bandini [n=bandini@host161-22-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
11:14 < harpal> ecrist: sorry I was not at desk. complete error?
11:18 < ecrist> of course
11:22 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:23 < mooseman447> would it make sense to alter my /etc/init.d/openvpn to run bridge-start before openvpn starts?
11:29 < ecrist> follow the how to, and you'll be fine.
11:29 * ecrist is out for lunch.
11:36 < harpal> ecrist: ok
11:43 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
11:52 -!- bandini [n=bandini@79.31.110.236] has joined ##openvpn
11:59 -!- harpal [n=Harpal@122.169.108.195] has quit [Connection timed out]
12:06 -!- b3nj [n=legeek@ANancy-257-1-122-163.w90-40.abo.wanadoo.fr] has joined ##openvpn
12:20 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
12:31 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
12:32 * ecrist is back.
12:32 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
12:33 < weatherhead> hello
12:36 < weatherhead> I am still having routing problems :-$
12:38 < ecrist> what problems?
12:38 < weatherhead> I'm trying to set up openVPN on my LAN
12:39 < weatherhead> I have a router at 192.168.2.1, and the openVPN server is running on a debian box at 192.168.2.102
12:39 < weatherhead> I'm not able to set up routing tables on the gateway, so I'm setting routing tables individually on all the clients
12:40 < ecrist> that's not the most efficient
12:40 < ecrist> can you share your configs, via pastebin?
12:43 < weatherhead> ecrist: how would you suggest doing it?
12:44 < ecrist> can you share your configs, via pastebin?
12:44 < weatherhead> I have decided to start again from scratch with the routing and thought I'd ask on here
12:44 < weatherhead> so, ummm, no not really. I can post the openvpn config, but that doesn't seem to be the problem. Client can connect without issues
12:44 -!- b3nj [n=legeek@ANancy-257-1-122-163.w90-40.abo.wanadoo.fr] has quit ["Leaving"]
12:45 < ecrist> ok, I don't doubt they can connect, it will help me assist you with your routes.
12:46 < weatherhead> ok which config files would you like me to paste
12:47 < ecrist> server
12:47 < weatherhead> ok coming up
12:47 < ecrist> that's the only one I need to see.
12:47 < m0b> ecrist
12:47 < ecrist> m0b
12:47 < m0b> i got a swissvpn account and still have trouble but ive had it working before
12:47 < m0b> isnt there something like a route command for routing the gateway thru the vpn
12:48 < m0b> i must be missing something ;/
12:48 < ecrist> push 'redirect-gateway' on the server.
12:48 < m0b> i have that
12:48 < ecrist> that should be all you need.
12:49 < weatherhead> http://www.pastebin.ca/1170025
12:55 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection]
12:56 < ecrist> lol
12:57 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
12:58 < ecrist> weatherhead: is this for a single connection VPN?
12:58 < weatherhead> yes it is
12:58 < weatherhead> just wanting a single remote administrator to be able to connect
12:58 < ecrist> and, your client connects, and you get an IP, rights?
12:58 < ecrist> right*
12:58 < weatherhead> the client connects and is able to ping 10.8.0.1
12:59 < weatherhead> and 10.8.0.2
12:59 < ecrist> what's the client's IP address?
12:59 < ecrist> also, your push route is wrong, it should be 'push route 192.168.2.0 255.255.255.0'
13:00 < weatherhead> oh ok
13:00 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
13:01 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection]
13:01 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:02 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
13:02 < weatherhead> sorry, my damn X server keeps crashing
13:02 < weatherhead> could you repeat your last
13:03 < ecrist> also, your push route is wrong, it should be 'push route 192.168.2.0 255.255.255.0'
13:03 < weatherhead> ok I have changed that
13:03 < ecrist> what's the client's IP address?
13:03 < ecrist> VPN IP, that is.
13:03 < weatherhead> you mean internet IP address?
13:04 < weatherhead> isn't it 10.8.0.1? isn't that what the config says
13:04 < ecrist> I'm not asking what the config says, what is the IP address that the client gets.
13:04 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
13:04 < aia> oh hello there
13:04 < weatherhead> 10.8.0.1
13:05 < ecrist> ok, now, is that client able to ping the LAN?
13:05 < weatherhead> no, except 10.8.0.2
13:05 < ecrist> are you forwarding packets on the server?
13:05 < ecrist> what OS is the server?
13:06 < weatherhead> the server is running debian PPC
13:06 < weatherhead> IP forwarding is enabled
13:07 < ecrist> ok, is the VPN client able to ping the other IPs on the VPN server?
13:07 < weatherhead> I was told that nothing would work, because the machines the packets are being sent to have no idea where to respond
13:07 < weatherhead> I don't understand, sorry
13:07 < ecrist> what IPs are on the server?
13:07 < ecrist> aia - hi.
13:07 < aia> Just curious
13:07 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
13:08 < aia> I have my vpn network setup yet I'm not getting any web traffic through, why is that the case?
13:08 < aia> I can connect to rdp fine, etc, etc, but no web traffic
13:08 < weatherhead> the server is at IP 192.168.2.102
13:08 < ecrist> can the VPN ping that IP address?
13:09 < weatherhead> no
13:09 < ecrist> then you don't have IP forwarding setup correctly.
13:10 < weatherhead> ok
13:10 < ecrist> if you have that configured, the VPN will be able to ping all the IPs on the server.
13:10 < ecrist> unless there's a firewall you're not telling me about.
13:10 < weatherhead> there is no firewall except on the internet router
13:11 < weatherhead> if i do cat /proc/sys/net/ipv4/ip_forward I get 1
13:11 < ecrist> *shrug*
13:11 < ecrist> all I know.
13:12 < ecrist> ;) this isn't #debian
13:12 < weatherhead> ok I will try and get that working
13:13 < ecrist> aia: are you doing bridged, routed?
13:14 < aia> let me see
13:18 < aia> I have an ethernet tunnel it's not routed
13:19 < aia> dev tap is enabled not dev tun
13:20 < ecrist> ok, is your remote internet gateway allowing web traffic from the VPN, and NATting correctly?
13:20 < aia> There is no NAT
13:20 < aia> it should be...
13:21 < aia> it's on a dedicated server
13:25 < ecrist> aia, you're assigning your VPN users internet-routable IPs?
13:26 < aia> I do not have server-bridging enabled...
13:26 < aia> what do you mean I don't fully understand.
13:26 < ecrist> please pastebin your vpn config
13:27 < ecrist> the server config, that is.
13:31 < aia> okay
13:34 < aia> http://pastebin.com/d7e131e1f
13:34 < ecrist> looking...
13:34 < aia> thanks
13:35 < ecrist> ah
13:35 < ecrist> so, your VPN clients are being given 10.8.0.0/24 internet addresses, which doesn't route across the internet, you need to nat your VPN clients to your public internet address.
13:36 -!- mooseman447 [n=mooseman@pool-72-92-98-52.phlapa.east.verizon.net] has joined ##openvpn
13:36 < weatherhead> ecrist: I am pretty sure IP forwarding is working now, but my client still can't ping 192.168.2.102
13:36 < weatherhead> what should the routing table of the openVPN server look like?
13:37 < ecrist> weatherhead: can I see the client config, too, please?
13:37 < weatherhead> yes, two minutes, I will get him to send it to me
13:37 < aia> ecrist: I'm sorry but how would I do that?
13:37 < ecrist> what operating system is on the server?
13:38 < aia> Windows 2003 server
13:39 < ecrist> aia, you need to setup NAT on the Windows 2003 server.
13:39 < ecrist> however, you're not pushing a new gateway, so I don't know why you're having web browser problems.
13:44 < aia> hmm
13:44 < aia> I just would like to web traffic go through the vpn as well
13:46 * cpm believes in pushing all traffic through the vpn.
13:47 < ecrist> cpm, that's not always a good idea, or necessary.
13:48 < aia> cpm: I'm not saying all traffic per se but the web traffic and a few applications
13:48 < ecrist> aia, you need to add "push 'redirect-gateway'" to your config, and setup proper NAT for VPN outbound traffic on your Win2k3 box, then.
13:49 < ecrist> the latter topic is not generally supported here.
13:49 < ecrist> #windows can probably help you.
13:49 < aia> understood
13:49 < aia> Thank you for your help
14:11 < cpm> ecrist, not too sure I agree. If you have a vpn client that is multihomed, you've -de facto- compromised your lan.
14:11 < ecrist> cpm, sure, in some regards.
14:11 < ecrist> there is the bandwidth consideration to be considered, however.
14:11 < cpm> sure.
14:12 < ecrist> many homes have broadband >= that of the remote VPN server.
14:12 < ecrist> you get a p2p setup trying to operate over that, and you're in a pickle.
14:12 < ecrist> not worth the headache, imho.
14:12 < cpm> but this is a case of convenience of pr0n vs having a vpn in the first place. vpn > pr0n in priority.
14:12 < ecrist> and, really, as soon as you put an end-user on your LAN, you've -de facto- compromised your lan.
14:13 < ecrist> I'm not saying pr0n in the convenience, it's a problem for the remote LAN.
14:13 < cpm> agreed. Machines you don't have a high level of control over shouldn't have access to the nice soft chewy lan.
14:14 < cpm> now, if you are talking a vpn bridge, different considerations take place.
14:14 < ecrist> for example, my cable connection at home is 2Mb up, 10Mb down, with 5/50 available (comcast, mpls, ftw)
14:14 < weatherhead> ecrist: this is the client config
14:14 < weatherhead> http://pastebin.com/d98adb11
14:14 < ecrist> that's FAR greater than my 1.5Mb connection on the office pipe.
14:15 < ecrist> could I use pf/ALTQ to shape VPN traffic, sure. But then the remote LAN becomes unusable.
14:15 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:15 < cpm> ecrist, yes.
And when you are logged in to do work, work is what you should be doing. If you need pr0n, and it's not on your file server, well, you just have to wait until the vpn is down.
14:15 < cpm> ecrist, what is the internet for?
14:15 < ecrist> cpm - a lot of people maintain a semi-permanent connection to the VPN.
14:15 < weatherhead> to quoth a great broadway musical, the internet is for pr0n
14:16 < cpm> weatherhead ++
14:17 < cpm> ecrist, so in essence, you have a hole to the intarwebs outside your corporate edge firewall.
14:17 < ecrist> sure.
14:17 < cpm> this is less than optimal
14:17 < ecrist> *but* my VPN endpoint is behind its own firewall.
14:17 < ecrist> 99% of what we do via VPN is through ssh, so I'm not too concerned.
14:18 < ecrist> the other 1% is jabber/irc/intraweb
14:18 < cpm> so, your vpn endpoint is in a firewalled dmz?
14:18 < ecrist> yep
14:18 < cpm> with no internal lan bridging?
14:18 < ecrist> yep
14:18 < cpm> makes sense.
14:19 < ecrist> the VPN isn't a fool-proof be-all security solution.
14:19 < ecrist> it's designed to simply be _another_ layer of security.
14:20 < weatherhead> ecrist: does that client config look ok to you?
14:20 < ecrist> weatherhead: sorry, didn't look
14:20 < weatherhead> ok
14:20 < weatherhead> http://pastebin.com/d98adb11
14:20 < weatherhead> there it is
14:20 < ecrist> looking...
14:20 < weatherhead> ok
14:21 < ecrist> :\
14:21 < ecrist> weatherhead: you have mis-matched tun/tap devices.
14:21 < weatherhead> ??
14:21 < weatherhead> I have tun on both ends
14:21 < ecrist> http://pastebin.com/d7e131e1f <-- look to line 52
14:22 < weatherhead> that is not my config file
14:22 < ecrist> oh, that must be aia's
14:22 < weatherhead> yes
14:23 < weatherhead> http://www.pastebin.ca/1170025
14:23 < weatherhead> that is my server conf
14:23 < ecrist> ok, on the client, do you see a route for the 192.168.2.0/24 network?
14:23 < weatherhead> I will ask him :-)
14:26 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
14:26 < ecrist> Elvis is dead.
14:27 * ecrist sets mode +b ##openvpn *!?=Elvis@*
14:27 < ecrist> :]
14:29 < weatherhead> ecrist: the route is not there
14:29 < ecrist> weatherhead: that's why pings are failing.
14:29 < ecrist> route add 192.168.2.0/24 10.8.0.2
14:29 -!- Tex-Twil_ [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
14:29 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit [Client Quit]
14:29 < ecrist> pings should work fine.
14:30 < ecrist> Elvis is dead.
14:30 < weatherhead> ecrist: that is a command for windows isn't it?
14:30 < cpm> isn't!
14:30 < cpm> take it back!
14:30 < ecrist> Elvis is dead.
14:30 < ecrist> Elvis is dead.
14:30 < ecrist> Elvis is dead.
14:30 < ecrist> :P
14:30 -!- Tex-Twil_ is now known as Tex-Twil
14:30 < ecrist> weatherhead: I think that works on windows, yeah.
14:30 < weatherhead> well I'm on debian
14:30 * ecrist beats weatherhead
14:31 < weatherhead> hehehe sorry
14:31 < ecrist> that's a unix command too, doofus
14:31 < weatherhead> ok
14:31 < weatherhead> I know little to nothing of networks,
14:32 < weatherhead> I can configure NFS and that is about it
14:32 < ecrist> weatherhead: can I see a more current copy of your server config, please?
14:33 < weatherhead> ecrist: it's working now :-D since the client manually added the route
14:34 < weatherhead> oh, actually it isn't working, but he can now ping 192.168.2.102
14:34 < weatherhead> which is a start I guess. I'm pasting new server config file
14:36 < weatherhead> http://pastebin.com/d6f7f5a72
14:36 -!- harpal [n=Harpal@122.169.108.195] has joined ##openvpn
14:40 < ecrist> weatherhead: that's a start.
14:40 -!- kralor [n=kralor@hackincorp.net] has left ##openvpn []
14:40 < ecrist> now, you need to tell your remote default gateway to route 10.8.0.0/24 to 192.168.2.102
14:41 < ecrist> that way, machines on the LAN will work.
14:41 < weatherhead> ecrist: that's not doable
14:41 < ecrist> why not?
14:41 < weatherhead> the default gateway is a dumb router
14:41 < ecrist> weatherhead: most dumb routers can add static routes.
14:41 < weatherhead> hence why I was originally going to add routing tables to every LAN client
14:41 < ecrist> what kind of router is it?
14:41 < weatherhead> ecrist: by dumb router, I mean dumb consumer grade router
14:42 < weatherhead> it's some edimax thing
14:42 < ecrist> weatherhead: if you're doing that, why not setup bridged and give the VPN a LAN IP?
14:42 < weatherhead> oh...... only because the tutorial said routed was better :-p
14:42 < weatherhead> but yes that sounds an awful lot simpler
14:43 < weatherhead> does that mean using TAP instead of TUN
14:44 < ecrist> yes, tap instead of tun.
14:45 < weatherhead> ok
14:45 < ecrist> plus, you need to run the bridging scripts on the server.
14:45 < weatherhead> right
14:45 < weatherhead> is there a tutorial for me to look at?
14:45 < ecrist> !howto
14:45 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:46 < weatherhead> ok am looking
14:46 < weatherhead> ok
14:47 < weatherhead> so which way will be better for me, allowing my DHCP server to give out IPs or making the VPN server do IPs
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 < ecrist> I'd just allow your DHCP server do it.
14:47 < weatherhead> ok
14:55 -!- mooseman447 [n=mooseman@pool-72-92-98-52.phlapa.east.verizon.net] has quit ["Leaving"]
14:57 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
14:58 < harpal> ecrist: Hi, I have in log only TUN?TAP support is not available in this kernel
14:58 < ecrist> harpal, compile it in.
14:58 * ecrist goes home.
14:58 < ecrist> I
14:58 < ecrist> 'll be online from there.
14:58 < harpal> ecrist: but where can I find it in kernel
14:59 < harpal> I searched that but it shows one module and it's enabled
15:23 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection]
15:39 * ecrist is home
15:42 < ecrist> harpal: have you looked on google or the openvpn howto for that error?
16:00 -!- harpal [n=Harpal@122.169.108.195] has quit [Connection timed out]
16:36 -!- harpal [n=Harpal@121.246.75.165] has joined ##openvpn
16:36 < harpal> ecrist: hey have you reached home? are you around?
16:52 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
16:52 < weatherhead> ecrist: are you there?
16:57 < harpal> weatherhead: I don't think so. I am also searching for him
16:59 < weatherhead> ok
17:01 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Read error: 60 (Operation timed out)]
17:18 < ecrist> I'm here now.
17:20 < ecrist> going once...
17:23 < ecrist> going twice...
17:25 < harpal> ecrist: hey
17:25 < harpal> Can you tell me what should I do?
17:26 < ecrist> harpal: have you looked on google or the openvpn howto for that error?
17:26 < harpal> in openvpn howto there is no such error I found
17:27 < ecrist> and google?
17:28 < harpal> ecrist: tried google but not found solution of that
17:28 < ecrist> can you tell me the 'exact' error?
17:30 < harpal> ya its TUN/TAP support is not available in this kernel
17:30 < ecrist> that's verbatim?
17:31 < ecrist> and you're using debian?
17:31 < ecrist> what version
17:32 < harpal> ecrist: no I am using gentoo
17:33 < harpal> I have same error in my log also. nothing more
17:33 < ecrist> and you have tun/tap enabled in your kernel?
17:33 < ecrist> see if this helps you: http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
17:33 < vpnHelper> Title: Gentoo Linux Howtos: openvpn -> openvpn install (at gentoo.linuxhowtos.org)
17:33 < ecrist> I've got to go again for a while.
17:34 < ecrist> !learn gentoo http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
17:34 < vpnHelper> ecrist: Invalid arguments for learn.
17:34 < ecrist> !learn gentoo http://gentoo.linuxhowtos.org/openvpn/openvpn.htm foo
17:34 < vpnHelper> ecrist: Invalid arguments for learn.
17:34 < ecrist> fucking bot
17:34 * ecrist kicks vpnHelper
17:35 < harpal> hey thanks. I am just checking that.
17:46 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 145 (Connection timed out)]
17:55 -!- Pavel [n=pavel@207-180-185-17.c3-0.sbo-ubr1.sbo.ma.cable.rcn.com] has joined ##openvpn
18:04 < harpal> ecrist: Hey thanks its working fine. I solved error. I had enabled another module of TUN/TAP which is not required. now I rebuilt kernel and its working fine
18:19 < Pavel> Hello. Following the HowTo, I am "almost there" getting a VPN to work on a Debian server and client, with the client being behind a NAT firewall. The client connects to the server and everything initializes successfully. However, I cannot ping the server, and when I try to, the server gives repeated "MULTI: bad source address from client [NAT.public.address.here], packet dropped" messages, and there is no reply, alth
18:19 < Pavel> ough there is DNS resolution.
18:21 < Pavel> Never mind...
18:21 < Pavel> I think I understand.
18:35 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
18:51 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
18:53 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
19:06 -!- Pavel [n=pavel@207-180-185-17.c3-0.sbo-ubr1.sbo.ma.cable.rcn.com] has quit ["Client exiting"]
19:28 -!- SilenceGold [n=chris@70.232.50.35] has quit [Nick collision from services.]
19:28 -!- SilenceGold [n=chris@adsl-70-232-106-91.dsl.ltrkar.sbcglobal.net] has joined ##openvpn
19:41 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
19:42 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)]
20:18 < krzee> !learn gentoo as http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
20:18 < vpnHelper> krzee: The operation succeeded.
20:18 < krzee> haha
20:20 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
20:47 -!- qkit [n=ykkiew@219.93.198.237] has joined ##openvpn
20:47 < qkit> morning all, guys wonder can i do a vpn server to vpn server tunneling?
20:47 < qkit> if it can be done where can i get more resource / information about it?
20:48 < kaynine> unofficial response: OpenVPN is peer; not client/server (except in TLS negotiation)
20:49 < kaynine> more information at openvpn.net :)
20:49 < krzee> ymm
20:49 < krzee> umm
20:49 < krzee> its client/server
20:49 < krzee> BUT
20:49 < krzee> with the same app
20:49 < krzee> just slight change in config
20:49 < krzee> qkit, what is your real goal?
20:51 < kaynine> krzee: you haven't been reading your man page :)
20:51 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
20:52 < qkit> my goal is that i want the branch office vpn server always tunneling to hq vpn server, meaning connectivity on both sides. as i understand it, it can only be client and server right?
20:52 < krzee> kaynine, well then they chose very bad names for config options
20:52 < krzee> !sample
20:52 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
20:52 < krzee> client-config-dir /home/krzee/vpn/ccd
20:52 < krzee> server 10.8.1.0 255.255.255.0
20:53 < krzee> client
20:53 < krzee> dev tun
20:53 < kaynine> I did notice the confusion; and was glad to have it straightened out
20:53 < krzee> kaynine, however, there does exist the possibility of using static keys, in which case there are no client/server
20:53 < krzee> anyways
20:53 < kaynine> it turns out that 'client' and 'server' are just macros
20:54 < krzee> qkit, normal setup from what it sounds like
20:54 < kaynine> the manpage reads "Note that client or server designation only has meaning for the TLS subsystem. It has no bearing on OpenVPN's peer-to-peer, UDP-based communication model.
20:54 < kaynine> "
20:54 < krzee> server config listens, client config connects
20:54 < krzee> kaynine, any suggestions for calling it something other than client and server?
20:55 < kaynine> not yet, krzee; I'm brand new here
20:55 < krzee> cause listening peer and connecting peer just dont have the same ring
20:55 < krzee> hehe
20:55 < krzee> ahh, welcome =]
20:55 < krzee> and good job for reading the man, you may or may not be surprised how unread it is
20:55 < krzee> i havent read the whole thing in awhile
20:56 < krzee> (but then again my clients and servers are all working perfect)
20:56 < krzee> hehe
20:56 < kaynine> in spite of what the manpage says, in my first setup, there's one server and multiple clients.
20:56 < krzee> ya
20:56 < qkit> thanks kaynine, reading on it now.
20:57 < krzee> qkit, from what you describe thats a very normal setup
20:57 < krzee> my sample configs should work
20:57 < kaynine> I found the HOWTO to be extremely good; and the manpage to have very valuable additional information
20:57 < krzee> if you want the lans behind the client/server to work you will need routes, and iroutes
20:57 < krzee> may even need to push routes
20:57 < krzee> kaynine, agreed
20:58 < krzee> !howto
20:58 < krzee> !man
20:58 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:58 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
20:58 < krzee> there has only been one thing i had to dig into source code for, but thats when i was doing something that it seems nobody else ever cared to document (or possibly even use)
20:59 < kaynine> It's the best HOWTO tutorial I have ever seen. I'm really impressed with that. Kudos to whoever.
20:59 < krzee> totally
20:59 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
21:00 < qkit> hmm, sorry for asking a noob question, i'm still in the process of finishing the man and how to. hmm, if it's set to client and server, will only the client be able to access the server but not the server access the client? meaning a one way connection?
21:01 < krzee> no
21:01 < krzee> they communicate both ways
21:01 < krzee> only real diff is who initiates it
21:02 < krzee> and server issues clients VPN ips
21:03 < qkit> meaning the connection is not permanently established, only when there is traffic requesting the vpn will the client initiate the vpn connection to the server, which acts as a client?
21:04 < kaynine> yeah; that's more 'server' than 'peer' isn't it?
21:04 < krzee> no they stay connected
21:04 < krzee> kaynine, imo, yes
21:04 < krzee> but i guess as far as internal code maybe not
21:04 < krzee> *shrug*
21:04 < krzee> whoever wrote the manpage knows more than me about openvpn
21:04 < krzee> hehe
21:05 < kaynine> qkit: only root/administrator can start/stop the vpn
21:06 < kaynine> a,/,|,
21:06 < krzee> connection stays regardless of traffic flowing over the connection
21:06 < krzee> and if you look at my samples
21:06 < krzee> !sample
21:06 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:06 < krzee> keepalive 10 120
21:06 < krzee> that allows it to see when tunnel is down and restart it
21:07 < krzee> persist-key
21:07 < krzee> persist-tun
21:07 < krzee> that allows it to keep the keyfiles and tunnel it was using even after it has dropped its root privs
21:07 < krzee> so it can reconnect still
21:08 -!- harpal [n=Harpal@121.246.75.165] has quit [Read error: 104 (Connection reset by peer)]
21:12 < ecrist> evening, folks.
21:13 < qkit> hmm, thanks krzee, well i think i better head for the man and how to, to learn more before i ask again ..thanks for the tips and info :P
21:13 * qkit reading.....
21:14 < krzee> np
21:14 < krzee> evening ecrist
21:14 < krzee> i added gentoo for you
21:15 < ecrist> :)
21:15 < krzee> its learn key as info
21:15 < krzee> as
21:15 < ecrist> ah, missing that key word.
21:15 < krzee> aye
21:38 -!- near [n=near@88-122-27-106.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:38 -!- near [n=near@88-122-19-193.rev.libertysurf.net] has joined ##openvpn
21:44 -!- chesty [n=chesty@chesterton.id.au] has left ##openvpn []
23:14 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
23:32 -!- desrt [n=desrt@ubuntu/member/desrt] has joined ##openvpn
23:33 < desrt> Thu Aug 14 00:29:25 2008 us=542519 VERIFY X509NAME ERROR: /CN=openvpn-copacetic.desrt.ca, must be openvpn-copacetic.desrt.ca
23:33 < desrt> doesn't that seem a little bit harsh?
23:33 * desrt would have assumed that the name given in tls-remote was the certificate common name
23:34 < desrt> (giving the full x509 name works... it just seems a little bit ridiculous)
23:35 < desrt> and considering the manpage actually says that giving the common name is supported, this seems like a bug
23:38 < desrt> am i missing something very obvious, or where should i file a bug?
23:58 -!- qkit [n=ykkiew@219.93.198.237] has left ##openvpn []
23:59 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
--- Day changed Thu Aug 14 2008
00:03 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
00:20 -!- rmull is now known as rmull_
00:25 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
00:48 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
00:50 -!- desrt [n=desrt@ubuntu/member/desrt] has left ##openvpn []
01:01 -!- bandini [n=bandini@79.31.110.236] has quit [Remote closed the connection]
01:51 < kraut> moin
02:02 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:24 -!- mooseman447 [n=mooseman@24.229.203.41.res-cmts.sm.ptd.net] has joined ##openvpn
02:25 -!- mooseman089 [n=mooseman@24.229.203.41.res-cmts.sm.ptd.net] has joined ##openvpn
02:31 -!- mooseman447 [n=mooseman@24.229.203.41.res-cmts.sm.ptd.net] has quit [Read error: 60 (Operation timed out)]
02:33 -!- mooseman447 [n=mooseman@pool-70-20-169-3.phil.east.verizon.net] has joined ##openvpn
02:49 -!- mooseman089 [n=mooseman@24.229.203.41.res-cmts.sm.ptd.net] has quit [Read error: 110 (Connection timed out)]
03:03 -!- mooseman447 [n=mooseman@pool-70-20-169-3.phil.east.verizon.net] has quit [Read error: 110 (Connection timed out)]
03:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:25 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
03:50 -!- bandini [n=bandini@host236-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
03:57 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
04:17 -!- bandini [n=bandini@host236-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
04:18 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
06:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
07:42 -!- SirFunk [n=jeffutte@206-159-155-246.netsync.net] has quit [Read error: 110 (Connection timed out)]
07:49 < ecrist> good morning, kids.
08:29 < ecrist> you guys suck
08:30 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
08:45 < onre> yeah, we do.
09:03 -!- djs [n=djs@unaffiliated/djs26] has quit [No route to host]
09:42 -!- ITguru [n=Mr@82.108.189.20] has joined ##openvpn
09:43 < ITguru> network manager and openvpn, and really doing my head in!!
09:45 < ecrist> ?
09:45 < ecrist> you may have to be a bit more specific.
09:45 < ecrist> :)
09:59 < ITguru> oh, sorry!
09:59 < ITguru> Basically, I've got a .p12 file to use to connect, which is fine from the command line
10:00 < ITguru> network manager on the other hand, doesn't really like p12 files, and i've had to split the files into a CA file, a CRT file, and a key file
10:00 < ITguru> after about three weeks, I realised that the CA file required, is the one from the openvpn server
10:01 < ITguru> I can't find the damn CA file on the server :( - all my other openvpn servers, I have the CA file already, and this one is a plugin for smoothwall, so the files are in different locations
10:04 < krzee> then just rebuild your keys
10:04 < krzee> btw ive heard nothing but bad things about using network manager and openvpn together
10:15 < ITguru> krzee, same here - it does work, but they should implement p12 support
10:16 < ecrist> ITguru: if you look in the server config file, it should give you the path to the ca file.
10:17 * ecrist finally figures out mediawiki templates.
10:18 < ITguru> ecrist, I think I found it, it's a PEM file
10:25 -!- snowboarder04 [n=un@serv.bemail.co.uk] has joined ##openvpn
10:27 < snowboarder04> I'm writing an article on openvpn, does anyone know roughly when the "OpenVPN Tool Box Value Add Package" (as seen in the Coming Soon box top-right of the openvpn website) is due to be launched and if this package will be charged / subscription based?
10:28 * ecrist doesn't know.
10:28 -!- rmull_ is now known as rmull
10:53 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:55 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
11:09 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
11:09 < ^scott^> yay vista! I've got OpenVPN-gui configured to run at startup, and I've selected the check box to run it as administrator, but windows blocks the program from starting up
11:09 < ^scott^> Has anyone seen this before?
11:10 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:10 < ecrist> Vista is the devil.
11:10 < ^scott^> and so many other negative words which can't be spoken of in front of little children.
11:10 < xattack> jajajaja
11:11 < ^scott^> nonetheless, it's a total pain to buy a computer running anything other than Vista nowadays, so it's something I have no choice in supporting :-(
11:13 < ^scott^> Lemme try putting the checkbox on the openvpn executable instead, maybe Vista is not bright enough to watch forks()
11:14 < ecrist> ^scott^: for sure. you have to add an exception somewhere, don't know where, to allow it to run as an administrator.
11:14 < ^scott^> Ugh, no go.
11:15 < ^scott^> What's worse, is if you do add it to the openvpn-gui, Windows Defender catches this and disallows execution.
11:15 < ^scott^> If you look at the help file, it says that you should contact the vendor to see if there is a newer version
11:15 < ecrist> Windows Defender should be configurable to allow it, shouldn't it?
11:15 < ecrist> lol
11:15 < ^scott^> Of course, they don't say what magic back flip they expect the vendor to pull
11:17 < ^scott^> Yea, let's start down that pathway. I'd like to leave this feature on in general. In principle, it sounds great, but if only UAC could ask me once when I click that run as admin check box. Alas, it does not prompt me using UAC when I click that check box (logic in this one?)
11:18 < ^scott^> pffft
11:18 < ^scott^> Wikipedia states thusly:
11:19 < ^scott^> Windows Defender in Windows Vista automatically blocks all startup items that require administrator privileges to run (this is considered a bad behavior for a startup item). There is no known easy way to automatically unblock these items, the only suggestion given is to contact the software vendor for an updated version which is Windows Vista compatible (does not require administrator privileges to run). This automatic blocking is related to the UAC (User Acc
11:19 < ^scott^> functionality in Windows Vista, and requires the user to manually run each of these startup items each time they log in.
11:20 < ^scott^> Evidently OpenVPN-gui is supposed to be written such that I guess there's a service and a user-facing prog that doesn't require admin rights to interface with the service.
11:22 < ^scott^> Hmm . . . there is the openvpn service. If memory serves me right, there was a way to do this.
11:24 < ^scott^> Ah hah, I seek docs and I shall find.
11:27 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
11:33 -!- ITguru [n=Mr@82.108.189.20] has quit [Remote closed the connection]
11:38 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
11:50 < ^scott^> :-( Now I'm trying to figure out how to let a User start/stop services
11:51 < ecrist> ^scott^: would you do me a favor, and if you get it all figured out, document it for me?
11:51 < ecrist> I've got a wiki, https://www.secure-computing.net/wiki/index.php?OpenVPN
11:51 < vpnHelper> Title: Main Page - Secure Computing Wiki (at www.secure-computing.net)
11:52 < ecrist> create a page, let me know where it is.
11:52 < ecrist> help other users out. :)
11:52 < ^scott^> Sure, it's mostly going to be driven on http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html
11:52 < vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at openvpn.se)
11:53 < ^scott^> Directions are mostly helpful, the only thing I need now is vista-specific for letting a user interact with a service. I'm about to find that, I can feel it!
12:00 < ^scott^> I'm reaching the point where I'm considering giving up. The easy fix is to not start openvpn-gui at startup
12:00 < ^scott^> Leave the app with the magic checkbox to run as admin, and have the client run it interactively, so that the UAC prompt can occur.
12:07 < ^scott^> Yea, I hate to say it, letting the user start/stop the service isn't the best pathway to go down. The service really should start at system startup, but not connect VPN (unless configured to start at boot) until openvpn-gui starts talking to it, and then there ought to be a comm channel (mathias mentions a TCP socket in that doc page) that allows for the starting of the OpenVPN connection from anywhere.
12:07 < ^scott^> *le sigh* then anyone could connect to that TCP socket (albeit locally) to control that openvpn service, that's not ideal.
12:10 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
12:24 -!- Bushmills [n=Bushmill@verhau.de] has joined ##openvpn
12:24 < krzee> running vista is not ideal too :-p
12:25 < krzee> hehehe
12:27 < Bushmills> krzee: openvpn between the mobile phone client and server works now, i was here yesterday with the problem of err111, because server couldn't connect back to client.
12:28 < Bushmills> thanks for your help
12:42 < ^scott^> lol client just called. They said, in so many words "
12:42 < ^scott^> "vista wtfbbq, we didn't order no stinkin' vista!"
12:42 < ^scott^> Disaster averted!
12:56 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
13:28 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:36 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
13:57 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
14:01 -!- Axet [n=john@82.227.5.9] has joined ##openvpn
14:01 < Axet> hi all
14:03 < Axet> I've been playing around with openvpn's client-conf-dir for the first time and would like some help if possible. My openvpn server is running in a vserver, I've created the tun device for it but I don't understand how openvpn can cope with the multiple clients and how it is supposed to assign the tun devices to each client
14:04 < Axet> I'm interested in using the client-conf-dir to avoid opening a port per client (I use openvpn mainly for site to site vpns)
14:04 < ecrist> Axet: usually, ccd is for static IPs or custom authentication rules.
14:05 < Axet> ecrist: my idea is to use it to assign static ips for site to site vpns
14:06 < Axet> I've never used the pool option
14:06 < Axet> I've always used static ips
14:08 < ecrist> ok, so what's the problem, exactly?
14:09 < Axet> I think I'm getting mixed up because of how vserver handles devices, someone is explaining it to me on the official vserver chan
14:09 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:09 < Axet> thanks anyway :)
14:09 < ecrist> Axet: only one tun device gets created.
14:09 < ecrist> period.
14:10 < ecrist> with 2.0.x, anyways
14:14 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
14:14 -!- kala [i=kala@tux.linux.ee] has joined ##openvpn
14:21 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
14:28 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)]
14:54 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
15:22 -!- kala_ [i=kala@uba.linux.ee] has quit ["leaving"]
15:22 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
15:25 -!- am88b [i=siim@uba.linux.ee] has joined ##openvpn
15:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:27 -!- am88b [i=siim@uba.linux.ee] has left ##openvpn []
15:30 -!- kala_ [i=kala@uba.linux.ee] has quit ["leaving"]
15:30 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
15:57 -!- mcp [n=hightowe@wolk-project.de] has joined ##openvpn
16:30 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 54 (Connection reset by peer)]
16:38 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
16:46 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
16:57 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:16 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 113 (No route to host)]
17:17 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
17:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:01 -!- Cyllene [i=DMFxUxOv@unaffiliated/cyllene] has joined ##openvpn
18:01 < Cyllene> krzee: Hey
18:01 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
18:04 < Cyllene> You here?
18:14 < ecrist> how goes, Cyllene
18:15 < Cyllene> I heard a rumor that EFnet's servers have been broken into
18:15 < Cyllene> I want to call bullshit.
18:17 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 60 (Operation timed out)]
18:45 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
19:09 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
19:17 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
19:27 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
19:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
19:55 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
19:56 < Optic> hey, what was that nat-traversal technique called? I'm looking for the article on it again
19:56 * Optic pokes rmull
19:58 < Optic> hole punching! i remembered :)
20:13 -!- Axet [n=john@82.227.5.9] has quit []
20:31 -!- Cyllene [i=DMFxUxOv@unaffiliated/cyllene] has quit ["leaving"]
21:02 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
21:05 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
21:05 < Valect> ok i'm completely lost
21:05 < Valect> i have a subnet on 192.168.1.0/24, and openvpn is configured as such: server 192.168.10.0 255.255.255.0
21:05 < Valect> push "route 192.168.1.0"
21:06 < Valect> but i can't seem to reach the 192.168.1.0/24 subnet with clients
21:10 < SilenceGold> 192.168.1.0 is invalid gateway ip address
21:11 < SilenceGold> you give the clients the gateway ip that the openvpn is using unless you are using bridge ..
21:11 < Valect> so what should my config look like
21:11 < SilenceGold> hrm I said that wrong
21:11 < SilenceGold> Valect I don't know...I have no idea what you want to do.
21:11 < SilenceGold> I do not hold hands
21:11 < SilenceGold> there are plenty of documentations to get things working
21:12 < Valect> i want to be able to reach another subnet on the lan the openvpn server is on
21:12 < SilenceGold> if you are using the route engine of openvpn
21:12 < SilenceGold> openvpn will grab an ip address to use as the gateway ip address
21:12 < Valect> could the issue be that the client happens to be on a 192.168.1.0/24 subnet?
21:12 < SilenceGold> the client will need a route to the openvpn's server ip address...
21:12 < SilenceGold> then when the openvpn connection is, there will be a new route created that will redirect all traffic to go toward to the openvpn's created router ip address
21:13 < SilenceGold> *then when the openvpn connection is established, there
21:13 < Valect> i know, and my configuration isn't working, and i'm trying to figure out why
21:13 < SilenceGold> that's what "push route .." does
21:13 < SilenceGold> try reading some examples in some freely available documentations
21:14 < Valect> i've read every god damned page, 20 something odd configurations, and people telling me exactly what to do, and it still isn't working
21:14 < Valect> thanks for the philosophy
21:14 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has left ##openvpn []
21:37 -!- near [n=near@88-122-19-193.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:37 -!- near [n=near@83-155-185-247.rev.libertysurf.net] has joined ##openvpn
21:41 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
21:41 < Valect> sorry
21:41 < Valect> anyway, the issue was what i thought
21:41 < Valect> same subnet = no good
21:42 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has left ##openvpn []
22:08 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
22:09 -!- djs26 is now known as djs
22:43 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
--- Day changed Fri Aug 15 2008
00:25 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
00:26 < mooseman447> hey does anybody know if there is a way to configure a server to run a command whenever someone connects like send an email?
00:28 < krzee> --client-connect script ]
00:29 < krzee> or in config, client-connect script
00:29 < mooseman447> ok awesome
00:29 < mooseman447> pki is a pretty secure way of connecting right?
00:30 < krzee> lemme see your server config
00:30 < krzee> pastebin
00:30 < mooseman447> ok give me a sec
00:31 < mooseman447> http://pastebin.com/d4891a177
00:31 < mooseman447> i know running as a non-root user is a good security step but i'll do that later
00:32 < krzee> why later?
00:32 < krzee> its just 2 entries on the config
00:32 < mooseman447> im lazy?
00:32 < krzee> !sample
00:32 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
00:32 < krzee> user vpn
00:32 < krzee> group vpn
00:32 < mooseman447> oh i thought i had to do all this fancy stuff
00:32 < krzee> or nobody
00:32 < krzee> or whatever
00:32 < mooseman447> and it just works like that?
00:32 < krzee> only for windows
00:33 < krzee> err
00:33 < krzee> only for windows it needs fancy stuff
00:33 < mooseman447> oh well my server is linux
00:33 < krzee> then its simple
00:33 < krzee> just choose a sandbox user/group that nothing else is using
00:33 < krzee> *done*
00:33 < mooseman447> good deal
00:33 < krzee> it drops its privs after
00:34 < krzee> persist-key
00:34 < krzee> persist-tun
00:34 < krzee> add those too
00:34 < krzee> !user
00:34 < vpnHelper> krzee: (user [] ) -- Returns the last time was seen and what was last seen saying. This looks up in the user seen database, which means that it could be any nick recognized as user that was seen. is only necessary if the message isn't sent in the channel itself.
00:34 < mooseman447> the other thing i need to fix is it doesnt start automatically yet but i think thats because i need to run bridge-start before openvpn
00:34 < krzee> !privledges
00:34 < vpnHelper> krzee: Error: "privledges" is not a valid command.
00:36 < mooseman447> so how is my config that i showed you?
00:36 < krzee> !learn privledges as just choose a sandbox user/group that nothing else is using, then in config use: user vpnuser and group vpngroup , and if it is the server add: persist-key and persist-tun
00:36 < vpnHelper> krzee: The operation succeeded.
00:36 < krzee> looks good
00:36 < krzee> you're using hmac verification
00:36 < krzee> tls auth
00:36 < krzee> as well as standard certs
00:37 < krzee> client uses ns-cert-type server
00:37 < krzee> ?
00:38 < mooseman447> yes
00:38 < krzee> ya you did it right
00:38 < krzee> only way it could be beefed up is keysizes
00:38 < krzee> but yours is good
00:39 -!- xybr2 [n=xybre@bb4win/users/fluffy] has joined ##openvpn
00:39 < mooseman447> ok so with a non-root user and email notifications it will be pretty safe
00:39 < krzee> as good as it gets
00:39 < krzee> =]
00:40 < mooseman447> any advice on making sure bridge-start runs before openvpn on boot?
00:40 < krzee> start it via a script which runs both
00:41 < krzee> either via the OS's method or turn off the OS's method and add a @reboot crontab entry
00:41 < xybr2> I have a linux server running openvpn server, and I can see my incoming connections, but it wont actually connect
00:41 < mooseman447> ok and also can i fit in my script to add iptable rules too?
00:41 < krzee> xybr2
00:41 < krzee> !logs
00:41 < vpnHelper> krzee: "logs" is please pastebin your logfiles from both client and server with verb set to 6
00:42 < xybr2> right.
00:42 < krzee> mooseman447, you can put anything in it you feel like =]
00:42 < mooseman447> yay!
00:48 < xybr2> http://pastebin.com/d1e3bac5a
00:51 < xybr2> I killed the openvpn process after that, btw
00:53 < krzee> different internal lans?
00:53 < krzee> err, ip blocks on the lans are different?
00:54 < xybr2> Client side has 168, and there really isnt a lan on the server side
00:54 < krzee> cool
00:54 < krzee> what kind of link are they on?
00:55 < krzee> decent?
00:56 < xybr2> Client has an 8meg line, server side is data center, I forget the pipe
00:56 < krzee> paste your configs
00:56 < krzee> pls
00:59 < xybr2> Server is the default config, only differences are cert/key names, no compression, and verbosity.
01:00 < xybr2> Same for client
01:00 < krzee> well if you dont care to have your configs checked ild say you should regenerate your keys
01:01 < krzee> seemed to help other people with the same error
01:01 < xybr2> I did vimdiff to compare
01:02 < krzee> server config drops privs?
01:02 < krzee> if so, does it have persist-key
01:02 < krzee> persist-tun
01:02 < krzee> is there a keep-alive
01:02 < krzee> s/-//
01:04 < xybr2> http://pastebin.com/d4edeb68a
01:05 < krzee> fun to read with all the comments
01:05 < krzee> heh
01:05 < xybr2> Yeah
01:05 < xybr2> Default config >.<
01:17 < krzee> http://pastebin.com/m5393d486
01:19 < krzee> ya looks like you should regen certs
01:19 < krzee> you followed the howto while making them?
01:19 < krzee> !howto
01:19 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:50 < xybr2> Yeah I followed the howto
01:50 < xybr2> Maybe I did something wrong :/
01:54 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
01:57 < krzee> it never fully connects and works right?
02:02 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
02:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:06 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["moose is tired..."]
02:16 < xybr2> kraut, right
02:38 -!- kala_ [i=kala@uba.linux.ee] has quit ["leaving"]
02:41 -!- kala [i=kala@tux.linux.ee] has quit ["leaving"]
02:41 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
02:47 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
02:47 -!- kala_ [i=kala@uba.linux.ee] has quit [Client Quit]
02:48 -!- Axet [n=john@glou.nurvnet.org] has joined ##openvpn
02:48 < Axet> hi all
02:49 < Axet> quick question... does openvpn 2.0.9 support RFC3021 style addressing ?
02:56 -!- OpenTokix [i=peter@0x2a.se] has joined ##openvpn
02:56 < OpenTokix> morning, Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9): 1 Time(s) <-- what does that mean? The VPN is working, but the error seems.... not optimal =)
02:58 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
03:03 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
03:16 < kraut> morning
03:26 -!- Axet [n=john@glou.nurvnet.org] has quit [Read error: 113 (No route to host)]
03:30 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
03:46 -!- DGnome [i=mindre@mupp.fi] has joined ##openvpn
03:50 < DGnome> Hi! my routed roadwarrior setup works so far as that the client connects and can ping the vpn-server tun0 inet addr. But when I add 'push "route xxx.x...." for access to our internal network, no traffic goes through the tunnel. Any ideas?
03:56 < hawk> DGnome: You may want to examine the logs and the resulting local routing table
04:00 < DGnome> hawk: everything seems alright :/
04:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
04:45 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
04:46 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
04:49 -!- Bushmills [n=Bushmill@verhau.de] has left ##openvpn ["Leaving."]
04:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:05 -!- Axet [n=john@glou.nurvnet.org] has joined ##openvpn
06:05 < Axet> hi all
06:20 -!- manueld [n=manueld@unaffiliated/manueld] has joined ##openvpn
06:42 -!- Axet [n=john@glou.nurvnet.org] has quit [Read error: 104 (Connection reset by peer)]
06:42 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:05 -!- pornizzle [i=pornizzl@195.226.105.137] has joined ##openvpn
07:05 < pornizzle> hello, i have a problem
07:06 < pornizzle> i always become this error
07:06 < pornizzle> Fri Aug 15 13:48:50 2008 us=204368 There is a problem in your selection of
07:06 < pornizzle> --ifconfig endpoints [local=10.0.8.7, remote=10.0.8.8].
07:06 < pornizzle> The local and remote VPN end points must exist within the same
07:06 < pornizzle> 255.255.255.252 subnet.
07:06 < pornizzle> This is a limitation of --dev tun when used with the TAP-WIN32 driver.
07:06 < pornizzle> Try 'openvpn --show-valid-subnets' option for more info.
07:06 < pornizzle> Fri Aug 15 13:48:50 2008 us=204749 Exiting
07:06 < pornizzle> Press any key to continue...
07:06 < manueld> pornizzle: are you german?
07:06 < pornizzle> yeah
07:06 < manueld> you can tell ^^
07:07 < pornizzle> why? :x
07:07 < manueld> "become" is wrong
07:07 < manueld> "become" means "werden"
07:07 < manueld> "get" means "bekommen" ;)
07:07 < pornizzle> yeah yeah, right
07:07 < pornizzle> sorry
07:07 < pornizzle> :D
07:07 < pornizzle> i'm seriously pissed off right now
07:07 < pornizzle> 20 min ago the vpn was still working
07:07 < pornizzle> and now it isn't anymore
07:07 < pornizzle> can you help me with this?
07:08 < manueld> well, off the top of my head i'd say the subnet is being assigned wrong
07:08 < manueld> that's what the error message says too
07:08 < manueld> but i haven't had that error myself
07:08 < pornizzle> is that the server's fault then
07:08 < manueld> basically yes
07:08 < pornizzle> would it help you if you saw my conf?
07:08 < manueld> the client gets its ip via dhcp from the server, right?
07:08 < pornizzle> it should
07:08 < pornizzle> but i also want to do it static
07:08 < manueld> yes, paste your conf
07:09 < manueld> then you just have to enter the correct subnet mask if you do it static
07:09 < pornizzle> float
07:09 < pornizzle> port 1194
07:09 < pornizzle> dev tun
07:09 < pornizzle> dev-node ovpn
07:09 < pornizzle> proto tcp-client
07:09 < pornizzle> remote xxxxxx 1194
07:09 < pornizzle> ;ifconfig 192.168.2.3 192.168.2.1 # Tun0 ip-address
07:09 < pornizzle> ;route 192.168.5.0 255.255.255.0 # Route for corporate network
07:09 < pornizzle> ping 10
07:09 < manueld> NNNOOOOOOOO
07:09 < pornizzle> persist-tun
07:09 < manueld> stop
07:09 < pornizzle> persist-key
07:09 < pornizzle> tls-client
07:09 < pornizzle> ca ca.crt
07:09 < pornizzle> cert client1.crt
07:09 < pornizzle> key client1.key
07:09 < pornizzle> ns-cert-type server
07:09 < manueld> http://pastebin.com
07:09 < pornizzle> #comp-lzo ? to enable LZO remove the #
07:09 < pornizzle> pull
07:09 < manueld> not directly in here
07:09 < pornizzle> verb 4
07:09 < pornizzle> ?!
07:09 < manueld> here: http://pastebin.com
07:10 < manueld> and then paste the link in here
07:10 < pornizzle> http://pastebin.com/m7035ac31
07:10 < manueld> better already
07:10 < pornizzle> sorry =(
07:10 < kaynine> -->>> /topic <<<--
07:10 < manueld> hang on a sec, i'll quickly connect to my server and have a look at mine
07:11 < pornizzle> ahhh that was the wrong one
07:11 < pornizzle> one moment
07:11 < pornizzle> http://pastebin.com/m6eda45a6
07:12 < pornizzle> the one with static
07:15 < pornizzle> hmm
07:15 < manueld> right now i'm stuck too
07:15 < pornizzle> because on the firewall i have
07:15 < pornizzle> address pool
07:15 < pornizzle> 10.0.8.0/24
07:15 < pornizzle> which corresponds to 255.255.255.0
07:17 < pornizzle> manueld, if i take out the ifconfig etc. and enable dhcp it should work, right?
07:17 < manueld> basically yes
07:17 < pornizzle> so the conf looks fine
07:17 < manueld> yep, at first glance it does
07:17 < pornizzle> and i was already connected via vpn today
07:17 < manueld> i didn't find anything serious in there
07:17 < pornizzle> and now it doesn't work anymore
07:17 < pornizzle> i don't get it
07:18 < pornizzle> porkys set
07:18 < pornizzle> - t
07:19 < pornizzle> man, i'm about to lose it
07:21 < pornizzle> this can't be real
07:21 < pornizzle> i don't specify a subnet anywhere
07:33 -!- pornizzle [i=pornizzl@195.226.105.137] has quit [Client Quit]
07:42 < ecrist> wtf was that?
07:42 < rmull> ze germans!
08:05 < Optic> moooooo
08:31 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn
08:31 < plaerzen> harro
08:33 < rmull> harro plaerzen
08:34 < plaerzen> been a little while
08:34 < rmull> Yes indeed.
08:34 < plaerzen> I was hanging out in security and postfix for a bit there.
08:34 < rmull> I took a hiatus as well
08:35 < rmull> Taishi's stopped showing up a while ago
08:35 < plaerzen> Ah, too bad. He was good entertainment
08:35 < rmull> He was.
08:35 < Optic> moo
08:35 < rmull> :o
08:35 < ecrist> ==>
08:36 < plaerzen> my office is so freaking cold all day. It's like we have two settings for air conditioning: off and nuclear
08:36 < ecrist> plaerzen: my office is the same way.
08:36 < Optic> i'd rather have cold than hot
08:37 < plaerzen> Yeah, me too. At least I can put a hoodie on.
08:37 < Optic> unfortunately we have these... women... in our office
08:37 < ecrist> I think it's stupid to have to bring a hoodie to work when it's 93 outside, though.
08:37 < ecrist> :\
08:37 < plaerzen> ecrist: Totally agree.
08:37 < Optic> who need the temperature to be kept at above about 35C, or they "get cold"
08:37 < Optic> hehe
08:38 < plaerzen> 35C, wtf. that's insane
08:38 < cpm> yeah, we have a number of areas in the building, where the thermostat for the ac zone, is not actually inside the ac zone it controls.
08:38 < plaerzen> I would get heat stroke at 35C.
08:38 < Optic> well, i might be exaggerating
08:38 < Optic> a bit
08:38 < plaerzen> ah, I see.
08:38 < rmull> They turn the AC off in our building over the weekend
08:38 * plaerzen brb bio.
08:39 < rmull> And our servers overheat because there's no easy way to drain the condensation collector on our server room AC unit.
08:39 < rmull> Fail
08:39 < ecrist> our office is laid out as individual offices around the outside of the building, and cubes in the middle. There are two thermostats. one in the center of the cube area, and one in *one* of the offices that controls air to ALL offices.
08:39 < ecrist> my office *cold*
08:39 < Optic> rmull: you need a condensation pump that drains it over the boss's desk :)
08:39 < ecrist> the thermostat is on a wall, in direct sunlight.
08:40 < rmull> Optic: It's not the boss' fault - it's the building owners.
08:40 < rmull> It's us and a bunch of other small businesses in here
08:40 < Optic> just dump it into a wall somewhere then :)
08:40 < Optic> hehe
08:40 < rmull> The building owners charge $35 an hour to keep the AC on over the weekend, lol
08:40 < Optic> drill hole in drywall, insert hose, forget :)
08:40 < rmull> lol Optic
08:41 < rmull> not-so-drywall
08:43 < plaerzen> lol
08:43 < rmull> Is there a decent way to use an openvpn routed tunnel (as opposed to bridged) vpn and still let clients use windows netbios names?
08:44 < plaerzen> I like your bofh-esque attitude Optic.
08:44 -!- Haris1 [n=Haris@unaffiliated/haris] has joined ##openvpn
08:44 < Haris1> Hello people
08:44 < plaerzen> harro
08:44 < rmull> helo
08:44 < Haris1> Does openvpn support connecting to multiple vpn destinations at the same time?
08:44 < ecrist> rmull, yes
08:45 < rmull> Haris1: Yes, one for each client instance I'd imagine
08:45 < rmull> ecrist: Do I have to be running a WINS server?
08:45 < Haris1> rmull: I don't understand the part after yes,
08:45 < ecrist> iirc, you can build a VPN "routed" with a subnet equal to your LAN
08:46 < rmull> Haris1: You'd run one client for every vpn link you want to have.
08:46 < rmull> ecrist: But NetBIOS is broadcast and should not cross a routed tunnel
08:46 < rmull> Right?
08:46 < Haris1> rmull: curious, why? but its great. Would that cause any problems with routing?
08:46 < rmull> Haris1: Routing would be a problem if any of the subnets overlap
08:46 < ecrist> rmull, just a sec.
08:47 < rmull> ecrist: fosho
08:47 < plaerzen> I love how routing is about 95% of all problems in here.
08:47 < Haris1> rmull: Great, that means, it'll work
08:47 < Haris1> thanks guys
08:47 -!- Haris1 [n=Haris@unaffiliated/haris] has left ##openvpn ["Time to jet!"]
08:47 < rmull> plaerzen: Lol, yeah - I tend to have trouble with it myself
08:47 * plaerzen does too.
08:48 < rmull> Like - what if a road warrior connects from a subnet that is the same as mine, server side?
08:48 < plaerzen> editing configs, creating keys, etc is the easy part. I'm still trying to wrap my head around routing, OSI technicalities and all that stuff.
08:49 < rmull> I can't seem to figure a way to guarantee that clients coming from diverse networks will not overlap my network that they need to be routed into.
08:50 < plaerzen> I wonder if there's any way to script their route table.
08:50 < rmull> I think you can execute scripts on link-up and link-down
08:51 < plaerzen> But
08:51 * plaerzen ponders.
08:51 < plaerzen> is there even any way around client and server working on same physical local subnet ?
08:52 < rmull> I don't think you can do that, right?
08:52 < plaerzen> I don't think so either.
08:52 < rmull> Starting ovpn would fail
08:52 < plaerzen> although I'm no expert.
08:52 < rmull> likewise
08:55 < ecrist> sorry, rmull, was on the phone actually *working*
08:55 < ecrist> sheesh, having to work at work. what's the world coming to.
08:56 < ecrist> rmull, I think you can hack the subnets such that you can trick the openvpn clients into being on the same subnet as your lan, it would be a nasty hack, though.
08:56 < ecrist> I think that's what a PDC/WINS server would be best suited for.
08:56 < ecrist> if I were setting it up myself, I'd build a bridged VPN, or better yet, get rid of the windows boxes.
08:58 < rmull> The latter would be nice
08:58 < rmull> I suppose I'll just go bridged and send the mess of broadcasts out over the vpn
08:59 * rmull does not like windows
08:59 < Optic> windows is pooptastic
08:59 < rmull> My favorite part is that the boss is running windows dhcp and dns services
08:59 < ecrist> rmull: we had a similar issue here, we just made the decision to drop support for windows file sharing and require users to use sftp/scp now.
09:00 < ecrist> we never did a ton of windows stuff, though.
09:00 < rmull> And they do this thing where if a client fetches a dhcp lease, it'll automatically add the hostname of that machine to the dns
09:00 < rmull> So we have a ton of leftover laptop hostnames that resolve to random IPs that are handed out to new laptops with different hostnames
09:00 < rmull> I can't even log into my university's machine from this network because it uses strict reverse-lookup checking, which fails
09:00 < rmull> Lol at us.
09:01 < rmull> We were a 100% windows shop until they hired me.
09:01 < plaerzen> have you guys heard of ikat ?
09:01 < rmull> neg
09:02 < rmull> http://en.wikipedia.org/wiki/Ikat ?
09:02 < vpnHelper> Title: Ikat - Wikipedia, the free encyclopedia (at en.wikipedia.org)
09:02 < plaerzen> interactive kiosk attack tool. for public internet kiosks.
09:02 < rmull> Oh
09:02 < rmull> Lol
09:02 * ecrist thought apple was making german felines.
09:02 < Optic> OS 10.6: Drunk Cougar
09:02 < plaerzen> you go to the webpage while logged into one and it basically downloads some javascript / actionscript / whatever and lets you break the kiosk security software.
09:05 < rmull> http://ikat.ha.cked.net/
09:05 < vpnHelper> Title: iKAT - Interactive Kiosk Attack Tool (at ikat.ha.cked.net)
09:05 < rmull> Link for convenience.
09:05 < Optic> i like the photo
09:05 < plaerzen> also, they have a nice ass-banner on their webpage
09:06 < ecrist> now I've got to clean my desk, thanks.
09:06 < ecrist> :)
09:06 < plaerzen> :P
09:06 * rmull will visit during non-business hours
09:07 < ecrist> rmull: not that bad, it's SFW.
09:07 < ecrist> sorta
09:07 < plaerzen> meh, it's not that bad
09:07 < rmull> Lol
09:07 < rmull> Maybe after this meeting then.
09:07 < Optic> pretty cool hacks actually
09:08 < Optic> i've done some kiosk stuff, this page would have been handy
09:08 < plaerzen> Optic: nod. I listen to an it security podcast and the author was interviewed just now.
09:10 * Optic bookmarks to delicious
09:12 < rmull> plaerzen: Which podcast?
09:16 < plaerzen> rmull risky business
09:16 < plaerzen> http://itradio.com.au/security/
09:16 < vpnHelper> Title: Risky Business (at itradio.com.au)
09:16 < plaerzen> I'm not australian, but it's still a good podcast.
09:19 * Optic listens to ratatat
09:24 -!- manueld [n=manueld@unaffiliated/manueld] has quit ["Nettalk6 - www.ntalk.de"]
09:28 < plaerzen> what kind of music do you guys listen to when you're "in the zone"
09:28 < plaerzen> ?
09:28 < ecrist> barry white.
09:29 < ecrist> oh, not that zone, orgy
09:29 < ecrist> seriously, Orgy's dreaming in digital is pretty tight.
09:29 < plaerzen> yeah?
09:30 < ecrist> at least, back in the day, when I was much younger, and, um, testing other folks' security vulnerabilities for them.
09:30 < plaerzen> I like how you phrased that.
09:30 < plaerzen> Not so much these days ?
09:30 < ecrist> not so much of that these days.
09:31 < ecrist> I do some side work in LE, so it wouldn't be very conducive to my job there...
09:34 < ecrist>
09:35 < ecrist> that, and I don't have time for it anymore.
09:36 < ecrist> there's never enough time in the day. :(
09:41 < ecrist> any of you guys have an OpenVPN gui you recommend for linux?
09:43 < plaerzen> LE ?
09:44 < ecrist> law enforcement
09:45 < ecrist> just on the weekends, though.
09:45 < plaerzen> side work in law enforcement... I like that concept. I do some side work in law deforcement.
09:45 < ecrist> lol
09:45 < ecrist> I just work parks and waterways for a local county.
09:45 < plaerzen> Ah, I see.
09:46 < ecrist> when some kid gets lost and the news says '350 volunteers searched for...', I'm usually one of those volunteers.
09:47 < ecrist> gets me off my ass, out doing something.
09:47 < ecrist> :)
09:48 < plaerzen> I do things like rock climbing, camping, hiking, etc. on weekends
09:48 < plaerzen> this past weekend I camped out in B.C. near a town called Nelson for 5 days - for a music festival. T'was amazing.
09:52 < ecrist> that sounds like fun
09:55 < plaerzen> it was :) and tonight I'm driving up to the foothills to visit my parents for 4 days. Man, paid vacation is rough.
09:55 < ecrist> sounds like it.
09:55 * plaerzen stretches out luxuriously.
09:56 < ecrist> come write my perl jabber bot for me.
09:56 < plaerzen> what are you making a jabber bot for ?
09:56 < ecrist> work
09:57 < ecrist> we've been using IRC for some years, I'm migrating us to jabber now
09:57 < ecrist> I wrote a bot in perl for IRC to essentially read RSS feeds from our svn server, wiki, and nagios.
09:57 < ecrist> I've gotta re-write him for jabber.
09:58 -!- pornizzle [i=pornizzl@195.226.105.137] has joined ##openvpn
09:58 < ecrist> working on re-parsing the incoming text now, got it connecting, authenticating, etc.
09:58 < ecrist> hi proni
09:58 < ecrist> erm, pornizzle
09:58 < pornizzle> ?
09:58 < ecrist> hi
09:58 < pornizzle> hi
09:58 < pornizzle> whats up
09:58 < pornizzle> :D
09:58 < plaerzen> we're using google apps. Google talk, e-mail, sites, etc.
09:59 < plaerzen> it's not bad, and fully hosted and managed.
09:59 < pornizzle> my linux client can't open DEV TUN ) error=2)
09:59 < plaerzen> A bit insecure though
09:59 < ecrist> I've got a side business I use google's stuff for, don't like it, tbh.
09:59 < ecrist> I work for a medical claims clearing house - we *can't* use something like google.
09:59 * plaerzen coughs.
10:00 < ecrist> pornizzle: can you pastebin your logs?
10:00 < plaerzen> I work for a dental practice management software company.
10:00 < pornizzle> one moment
10:00 < pornizzle> http://pastebin.com/d2231f809
10:01 < pornizzle> i tried it with tun, tun0
10:01 < pornizzle> didn't work
10:01 < ecrist> ok, can you pastebin your server config file, and your client config file?
10:01 < pornizzle> ähhm server file i can't but client sure
10:02 < rob0> porn, either "modprobe -v tun" or you've got a permission problem on /dev/net/tun .
10:02 < plaerzen> ifup tun0
10:02 < pornizzle> i haven't modprobe :)
10:02 < ecrist> pornizzle: are you running the client as root?
10:02 < pornizzle> sure
10:02 < pornizzle> http://pastebin.com/d210f4bd6
10:02 < rob0> no modprobe? What OS?
10:03 < pornizzle> don't know exactly but its linux
10:03 < pornizzle> its on a very very very small machine
10:03 < rob0> Well you don't have tun support. You're out of luck.
10:03 < pornizzle> it worked yesterday
10:03 < pornizzle> but today doesn't
10:04 < pornizzle> didn't change anything
10:04 < rob0> Learn how to use your OS. You don't have the tun driver loaded.
10:04 < plaerzen> ifconfig tun0 up
10:04 < pornizzle> i knew where the driver is
10:04 < pornizzle> its tun.ko
10:04 < pornizzle> or ?
10:05 < pornizzle> No such device
10:05 < pornizzle> ...
10:05 < rob0> On any normal Linux "modprobe tun" does it. If you're not using a normal Linux, talk to your distributor about that.
10:05 < pornizzle> what is normal ? :P
10:05 < pornizzle> ;)
10:05 < pornizzle> but i knew what u mean
10:06 < pornizzle> don't knew how to handle this tun.ko file
10:07 < pornizzle> hmmpf
10:07 < plaerzen> pornizzle: normal is a word. the definition of normal (correct me if I'm wrong) is: "Most widely accepted standard"
10:07 < rob0> 15:05 < pornizzle> but i knew what u mean
10:08 < pornizzle> fact is i haven't modprobe
10:08 < pornizzle> of course u are right plaerzen
10:08 < pornizzle> this is a receiver
10:08 < pornizzle> satellite
10:09 < pornizzle> and i put linux on
10:10 < pornizzle> all works fine, but openvpn doesn't
10:12 < pornizzle> ok guys
10:12 < pornizzle> thanks for help
10:12 < pornizzle> bb
10:15 -!- pornizzle [i=pornizzl@195.226.105.137] has quit []
10:24 -!- rob0 [n=rob0@tuxaloosa.org] has quit [Read error: 113 (No route to host)]
10:49 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:52 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 113 (No route to host)]
11:09 < plaerzen> thank god it's friday. I'm a zombie right now.
11:14 < cpm> there are a lot of zombies around. That kinda friday I think
11:17 < plaerzen> I even had an extra long weekend last weekend and had monday off. Probably why I'm a zombie. Not used to working
11:18 < ecrist> I'm having fun.
11:18 < ecrist> my jabber bot is going to rule the work.
11:18 < ecrist> world.
11:18 < ecrist> apparently, my fingers have taken today off.
11:24 < rmull> BRAAAIIIINNNNSSSS
11:24 < ecrist> I know!
11:25 * ecrist sets mode ##openvpn +b zombie!death@*.*
11:25 < rmull> rofl
11:27 < cpm> danged zombies
11:28 -!- Alocado [n=matthias@dslb-088-068-049-222.pools.arcor-ip.net] has joined ##openvpn
11:28 < Alocado> hello
11:28 < Alocado> how can i define a banner text which my users see on connect?
11:32 < hawk> Can you?
11:40 < Alocado> no idea
11:41 < kala> connect to what?
11:45 < cpm> umm, unless your users are using the command line to drive their connections, they ain't gonna see much of a banner.
11:51 < pumkinhed_> lol, the beauty of openvpn is that it doesnt bother the user
11:53 * plaerzen forgets how to change which channel to talk to in irc.
11:53 < ecrist> Alocado: what protocol are they using to connect?
11:54 < Alocado> tcp?
11:55 < ecrist> have you read the howto?
11:55 < Alocado> yes
11:56 < Alocado> but i found no possibility for such messages
11:58 < kala> Alocado: which component should display the message? The OpenVPN GUI? Windows OS? Linux OS? TAP network driver?
11:58 < kala> browser?
12:00 < kala> you can perhaps redirect user browsers to a "message of the day" website, but other than that ... the functionality isn't really meant to be there.
12:04 < kala> oh. in case of Windows users, you can perhaps use the Windows builtin "net send" command to send a message to their desktop and in case of Linux users, you could perhaps use the "wall" or "talk" command. But these days everybody disables them, so I doubt they will work.
12:04 < plaerzen> net send comes disabled by default in windows I think
12:06 < kala> right
12:21 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)]
12:21 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
12:26 < ecrist> or, custom roll a vpn gui for you that requests a motd file from the vpn server...
12:28 -!- pUmkInhEd [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
12:36 < cpm> Alocado, describe how you imagine this magic would appear to your user?
12:37 * cpm wonders why the question mark.
12:37 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
12:44 -!- kaushal [n=kaushal@59.184.3.130] has joined ##openvpn
12:44 < kaushal> hi
12:45 < kaushal> I have configured openvpn client using Network Manager on Ubuntu 8.04 Linux Desktop, The issue is that I need to add sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 every time whenever i need to connect to openvpn server
12:46 < kaushal> For windows user, they dont have any issue
12:46 < kaushal> any clue
12:47 < kaushal> is there a way to push it on the client side
12:51 < kaushal> anybody awake here
12:53 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
12:53 -!- Alocado [n=matthias@dslb-088-068-049-222.pools.arcor-ip.net] has left ##openvpn ["Ex-Chat"]
12:58 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
12:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:00 < ecrist> kaushal: yes
13:01 < kaushal> ecrist, I have spoken to the Server Admin
13:01 < kaushal> regarding this issue
13:01 < kaushal> Windows users have no issues
13:01 < ecrist> ok
13:01 < ecrist> I don't remember your issue, sorry
13:01 < kaushal> Linux users have this issue
13:02 < kaushal> I have configured openvpn client using Network Manager on Ubuntu 8.04 Linux Desktop, The issue is that I need to add sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 every time whenever i need to connect to openvpn server
13:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:06 < kaushal> krzee, hi
13:07 < krzee> hey
13:08 < kaushal> krzee, how are you doing today
13:09 < krzee> good, just woke up
13:09 < krzee> gunna shower and go visit a girl
13:09 < krzee> just waiting for the water to heat up
13:10 < ecrist> krzee: I've already seen her this morning.
13:10 < ecrist> sorry man.
13:10 < ecrist> ;)
13:10 < krzee> haha
13:10 < krzee> riiight
13:10 < krzee> your spanish must be good :-p
13:10 < ecrist> there wasn't a lot of talking - a little moaning, but that's universal.
13:10 < kaushal> krzee, any clue
13:10 < krzee> hehe
13:11 < krzee> kaushal,
13:11 < krzee> [13:56] kaushal, the problem is none of us use network manager
13:11 < krzee> [13:56] oh wait, thats on client
13:11 < krzee> [13:56] just push it to the client from the server
13:12 < kaushal> krzee, I have issue only with the Linux Desktop
13:12 < kaushal> Windows users work fine
13:12 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
13:12 < ecrist> kaushal: don't use network manager, use cli
13:12 < krzee> aye
13:13 < krzee> the mail list is full of examples of network manager being the reason stuff dont work
13:13 < cpm> indeed
13:13 < kaushal> ecrist, ok
13:14 < kaushal> so can i be connected when my system boots up using cli
13:14 < krzee> !learn ubuntu as dont use network manager!
13:14 < vpnHelper> krzee: The operation succeeded.
13:14 < krzee> haha
13:15 < ecrist> kaushal: you can still boot in gui
13:15 < ecrist> just open a terminal and run openvpn from there.
13:15 < krzee> or
13:15 < krzee> just toss it in crontab with @reboot
13:15 < krzee> or use your OS's real method of starting scripts
13:15 < ecrist> or, press Ctl-Alt-F2, login, run openvpn, press Ctl-F8, and enjoy.
13:15 < krzee> in freebsd i know of 3 ways to start anything on boot...
13:16 < krzee> (i dont use ubuntu but i guarantee its not hard)
13:17 < ecrist> I'm using Kubuntu now, for my work desktop, with my MacBook Pro sitting next to that.
13:17 < ecrist> I have ~37 FreeBSD servers sitting in a datacenter 10 miles esat.
13:17 < ecrist> east*
13:17 < ecrist> damn my fingers
13:18 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
13:20 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:21 < cpm> http://www.inquisitr.com/2357/has-bigfoot-been-found/
13:21 < vpnHelper> Title: Has Bigfoot Been Found? (at www.inquisitr.com)
13:31 -!- kaushal [n=kaushal@59.184.3.130] has quit ["Leaving"]
13:43 < rmull> Any of the regulars want a free month of netflix?
13:45 < plaerzen> ohh
13:45 < plaerzen> do I count as a regular? :D
13:45 < krzee> i dont think i even CAN get netflix
13:45 < krzee> haha
13:46 < krzee> the mail system out here barely even works
13:46 < plaerzen> out where ?
13:46 < krzee> my bills are hand delivered to my house without envelope
13:46 < krzee> lol
13:46 < krzee> caribbean
13:46 < plaerzen> I have no sympathy.
13:46 < krzee> lol
13:46 < krzee> tru
13:47 < plaerzen> "Woe is me. I live in a tropical paradise"
13:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:47 < plaerzen> :P
13:47 < rmull> plaerzen: You want it?
13:47 < plaerzen> rmull: for sure :)
13:48 < rmull> Okay, I don't have the code on me now, but I'll /msg it to you tonight.
13:48 < rmull> Don't let me forget.
13:48 * plaerzen nods.
13:48 < plaerzen> I might not be around later. I'm heading out in about 3 hours.
13:48 < rmull> No rush
14:07 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
14:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:24 * ecrist cheers
14:24 < ecrist> my bot is working.
14:54 < rmull> Hmm, anybody ever seen this in their openvpn logs? http://pastebin.ca/raw/1173340
14:54 < rmull> When I try to connect I just keep getting I/O WAIT every 1 second with all that other noise
14:58 < rmull> Using bridging over udp
14:58 < rmull> Full logs and confs on request
15:03 < rmull> Same behavior for tun and tap. Hm!
15:05 < rmull> Actually, one sec
15:06 < plaerzen> clients in the office =/
15:06 < plaerzen> although 90% of the people in this industry are women. So it evens out.
15:10 < snowboarder04> i asked this yesterday but no-one was around who knew... thought I might as well ask it again...
15:10 < snowboarder04> I'm writing an article on openvpn, does anyone know roughly when the "Ope
15:10 < snowboarder04> be launched and if this package will be charged / subscription based?
15:10 < snowboarder04> nVPN Tool Box Value Add Package" (as seen in the Coming Soon box top-right of the openvpn website) is due to
15:22 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:27 < rmull> snowboarder04: We're around, but I think none of us know.
15:35 < plaerzen> snowboarder04: that was one dyslexic paste.
15:36 < plaerzen> and rmull is right in that none of us know. At least I don't anyway.
15:36 < plaerzen> But I don't know much.
15:41 < snowboarder04> dyslexic how?
15:45 < snowboarder04> cheers anyway guys :)
15:49 < rmull> Good luck, we're probably interested in reading the article when you're done with it
15:50 < plaerzen> we are
15:50 < snowboarder04> I'll try to drop by with a link when the editor's finished with it
16:53 -!- OpenTokix [i=peter@0x2a.se] has quit [Read error: 104 (Connection reset by peer)]
17:03 < ecrist> *yawn*
17:05 < ecrist> it was very backwards.
18:20 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:58 -!- m0b [i=elusive@neighborhood.dopeslinger.com] has quit ["changing servers"] 19:18 < rmull> plaerzen: Ping 19:23 -!- djs [n=djs@unaffiliated/djs26] has quit ["Lost terminal"] 19:23 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 20:39 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 21:05 -!- dgilmore [n=dgilmore@fedora/dgilmore] has joined ##openvpn 21:06 < dgilmore> hey all i have a quick question 21:06 < dgilmore> i have a CA that serves many pourposes 21:07 < dgilmore> id like to configure openvpn so it will only accept certs if its in the organisational Unit is OpenVPN ? 21:07 < dgilmore> is that possible 21:10 < rmull> Can't you just distribute the correct ca.crt and use the correct ca.key for your vpn and that's that? 21:10 < rmull> The org-unit doesn't matter if the crt and key must match up anyway 21:11 < dgilmore> rmull: they will have that 21:12 < dgilmore> rmull: but most of the certs signed by the ca will not be for vpn but for other purposes 21:12 < rmull> As long as the certs are signed by the ca.key that you're using for your vpn server, no other ca's certs will be allowed. 21:12 < dgilmore> rmull: i want a way to say this cert is good for vpn. but this other one is not 21:13 < dgilmore> rmull: all will be signed by the same ca 21:13 < dgilmore> some are for vpn others are not 21:13 < rmull> Oh, I see what you're saying now, sorry 21:13 < dgilmore> i dont want to run multiple CA's 21:13 < dgilmore> google is not being kind to me 21:13 < rmull> The path to the cert is specified explicitly in the conf - is that not good enough? 21:14 < dgilmore> or maybe its not possible 21:14 < rmull> You don't want people swapping certs in? 21:14 < dgilmore> most of the certs are for authentication on other apps. 
they dont have vpn access 21:15 < dgilmore> we dont want them to use the vpn 21:15 < rmull> Okay, let's see 21:16 < rmull> Yeah man, off the top of my head I'm not sure 21:16 < dgilmore> im trying to go from 3 CA's to 1 21:19 < dgilmore> --ns-cert-type client|server 21:19 < dgilmore> i think that will do what i want 21:19 < dgilmore> rmull: cheers 21:37 -!- near [n=near@83-155-185-247.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:38 -!- near [n=near@91-172-127-8.rev.libertysurf.net] has joined ##openvpn 21:43 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] --- Day changed Sat Aug 16 2008 01:37 -!- dgilmore [n=dgilmore@fedora/dgilmore] has left ##openvpn [] 01:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:51 < kala> uh, dgilmore left 02:52 < kala> I think there is a way ... to use --auth-user-pass-verify option and then cook up a specific script, which verifies the user's DN which is in the certificate 02:53 < kala> but then the client needs to give dummy --auth-user-pass file option 02:57 < kala> no, there is a better way. --tls-verify cmd 02:57 < kala> I'm planning this kind of setup as well, so I had to look it up :) 04:24 -!- Axet [n=john@glou.nurvnet.org] has joined ##openvpn 04:24 < Axet> Hi all, I've set up my openvpn with client-conf-dir but it doesn't push out the ip I specified in the ccd directory for my client 04:25 < Axet> any ideas ? 04:25 < Axet> what did I do wrong ? :) 04:33 < krzee> just let openvpn give the ip and use ipp.txt to always give the same one 04:41 < Axet> krzee: isn't it possible to use ccd for that ? 04:44 < krzee> dont believe so 04:44 < krzee> it also would be a much bigger pita 04:49 < Axet> krzee: currently openvpn isn't pushing any ip at all 04:49 < Axet> krzee: doesn't it use a default ip range if none is specified ? 04:49 < krzee> bridge or routed? 
04:49 < Axet> routed 04:49 < krzee> first ip is .6 04:49 < krzee> it uses /30 subnets 04:50 < Axet> I want it to use 10.0.1.0/30 04:50 < krzee> umm, thats the server 04:50 < Axet> I don't get it ... I'm not understanding something 04:50 < krzee> first client gets the next /30 04:51 < krzee> server keeps .1/30 for itself 04:51 < Axet> what for ? doesn't it use 10.0.1.1 for itself and 10.0.1.2 for the client ? 04:51 < krzee> no 04:51 < Axet> how come ? 04:51 < krzee> as i said, each client gets a /30 04:51 < krzee> that makes the next ip .6 04:52 < krzee> s/client/machine 04:52 < Axet> but the server has an ip in each /30 doesn't it ? 04:52 < Axet> so it's on the same network 04:53 < Axet> if I were to use the next /30 my client would get 10.0.1.6 and the server would use 10.0.1.5 right ? 04:53 < krzee> !/30 04:53 < vpnHelper> krzee: Error: "/30" is not a valid command. 04:53 < Axet> !prefix 30 04:53 < vpnHelper> Axet: Error: "prefix" is not a valid command. 04:53 < krzee> !learn /30 as http://openvpn.net/index.php/documentation/faq.html#slash30 04:53 < vpnHelper> krzee: The operation succeeded. 04:54 < krzee> there ya go 04:54 < krzee> !/30 04:54 < vpnHelper> krzee: "/30" is http://openvpn.net/index.php/documentation/faq.html#slash30 04:54 * Axet is reading 04:56 < Axet> well I was right about the server using an ip for itself in the /30 04:56 < krzee> yup, but it wont respond to that address 04:57 < krzee> If you know that only non-Windows clients will be connecting to your OpenVPN server, you can avoid this behavior by using the ifconfig-pool-linear directive. 
04:59 < Axet> I use openvpn for site to site vpns mainly 04:59 < Axet> between linux hosts 05:01 < Axet> but since I do occasionnaly connect from windows machines I'd like to keep a config that is multiplatform compatible 05:01 < krzee> then you should know what to do 05:01 < krzee> live with the /30 ;] 05:01 < Axet> =) 05:02 < krzee> could try using .6 in your ccd/ 05:02 < krzee> .10 as your next ip 05:07 < Axet> does this look correct to you ? : ifconfig-push 10.0.1.6 10.0.1.5 05:08 < Axet> ah looks as if it'ws working 05:08 < krzee> no idea, i never considered trying it 05:08 < krzee> i'ld just doctor up a ipp.txt based on the entry from the first client to connect 05:08 < krzee> 1 file = easier management 05:09 < Axet> !ipp.txt 05:09 < vpnHelper> Axet: Error: "ipp.txt" is not a valid command. 05:09 < Axet> !ipp 05:09 < vpnHelper> Axet: Error: "ipp" is not a valid command. 05:09 < Axet> :p 05:09 < krzee> its not there 05:09 < krzee> tried reading the docs? 05:09 < krzee> !howto 05:09 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 05:10 < krzee> man page is good too 05:10 < krzee> !man 05:10 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 05:10 < krzee> but the main explanation of ipp.txt ive seen is in the config file 05:11 < krzee> which you can see by searching for ipp.txt in the howto 05:12 < Axet> vpn works =) 05:12 < krzee> i take it back 05:12 < krzee> you were right on your method 05:12 < krzee> from man page: They do not guarantee that the given common name will always receive the given IP address. 
If you want guaranteed assignment, use --ifconfig-push 05:12 * krzee eats his words 05:12 < Axet> ok :) 05:12 < Axet> I prefered using ccd anyway 05:12 < Axet> that way I can add extra push options if needed 05:13 < Axet> and that way I only have 1 file to manage per client 05:13 < Axet> with all the options for each client in one files 05:14 < krzee> OpenVPN's internal client IP address selection algorithm works as follows: 05:14 < krzee> 1 -- Use --client-connect script generated file for static IP (first choice). 05:14 < krzee> 2 -- Use --client-config-dir file for static IP (next choice). 05:14 < krzee> 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice). 05:14 < Axet> ok great 05:15 < Axet> now I need to have a go with quagga =) 05:15 < krzee> --ifconfig-push local remote-netmask 05:15 < Axet> could I use that option to use different netmasks ? 05:15 < krzee> without the /30 netmask it's working with 2 clients 05:15 < Axet> I'm interested in using /31 netmasks 05:15 < krzee> there is no /31 05:15 < krzee> heh 05:15 < Axet> yes there is 05:16 < Axet> RFC3021 05:16 < Axet> people call me stupid everytime I talk about /31 netmasks ... :p 05:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:17 < Axet> but it exists 05:17 < krzee> This would be the host table if a /31, if it existed: 05:17 < krzee> Network part Subnet . Host part Host Address 05:17 < krzee> 192.168.1.32 0010000.0 UNUSABLE - HOST PART IS ALL 0's 05:17 < krzee> 192.168.1.33 0010000.1 UNUSABLE - HOST PART IS ALL 1's 05:17 < Axet> http://www.faqs.org/rfcs/rfc3021.html 05:17 < vpnHelper> Title: RFC 3021 (rfc3021) - Using 31-Bit Prefixes on IPv4 Point-to-Point Links (at www.faqs.org) 05:18 < krzee> 192.168.1.4/30 05:18 < krzee> 192.168.1.4 -- Network address 05:18 < krzee> 192.168.1.5 -- Virtual IP address in the OpenVPN Server 05:18 < krzee> 192.168.1.6 -- Assigned to the client 05:18 < krzee> 192.168.1.7 -- Broadcast address. 
05:18 < krzee> doesnt look very rfc3021 compliant, due to reasons you already read 05:19 < Axet> I'm not saying that it'll work with openvpn, I'm saying that /31 netmasks exist 05:19 < krzee> [06:01] but since I do occasionnaly connect from windows machines I'd like to keep a config that is multiplatform compatible 05:19 < krzee> [06:01] then you should know what to do 05:19 < krzee> [06:01] live with the /30 ;] 05:19 < krzee> [06:15] I'm interested in using /31 netmasks 05:19 < Axet> krzee: I can mix the 2 05:20 < Axet> use one ip range for site 2 site vpns and the other range for clients 05:20 < Axet> and use /30 for clients 05:20 < krzee> give it a shot if you wanna deal with keeping track of it 05:20 < krzee> ild think it would work 05:20 < krzee> but have no clue 05:21 < Axet> I'd rather trust your openvpn expertise on this one :) 05:21 < Axet> I need to finish moving all the services from my old box to this new one before the 20th 05:21 < Axet> =) 05:21 < krzee> is there a reason you dont want /30? 05:21 < Axet> I'm using vservers for the first time 05:21 < krzee> gunna run out of ips? 05:21 < Axet> krzee: no, I was just interested in trying it out 05:22 < krzee> ahh 05:22 < krzee> well if you end up testing it im interested in knowing how it went 05:22 < Axet> ok :) 05:22 < krzee> not cause i'll ever do it, but just curiosity since you posed the ? 05:23 < Axet> every played with vservers yourself ? 05:23 < Axet> -y 05:23 < krzee> virtualization? 05:23 < Axet> yes but specifically using vserver 05:24 < krzee> done it with xen on freebsd, parallels and vmware on osx, vmware in win 05:24 < Axet> it's not the same thing 05:24 < krzee> from a quick google vserver looks like its linux 05:24 < Axet> xen and vmware emulate hardware 05:24 < Axet> vserver shares the server's hardware and kernel 05:24 < Axet> it's based on chroot technology 05:24 < krzee> like freebsd jails? 
05:24 < Axet> yeah 05:24 < krzee> k 05:25 < krzee> nah never hearda it 05:25 < krzee> sounds cool tho 05:25 < Axet> It's sort of a pain in the butt dealing with devices 05:25 < krzee> i know jails for fbsd are very nice 05:25 < Axet> I have to create them manually for the vserver 05:25 < Axet> http://linux-vserver.org/Welcome_to_Linux-VServer.org 05:25 < vpnHelper> Title: Welcome to Linux-VServer.org - Linux-VServer (at linux-vserver.org) 05:25 < krzee> thats a good thing, only access to the devices you specify 05:25 < Axet> yep 05:26 < Axet> good for security but adds extra work to set it up ;) 05:26 < krzee> ahh 05:26 < krzee> good trade 05:26 < Axet> hehe 05:26 < Axet> well thanks for the help with the /30 issue 05:26 < Axet> and pointing out the help ^^ 05:27 < krzee> np man 05:27 < Axet> didn't know about the first /30 issue 05:37 < Axet> krzee: is it normal that my client gets a 255.255.255.255 netmask ? 05:37 < Axet> shouldn't it match the server's netmask ? 05:39 < krzee> cant check right now, is it working? 05:39 < krzee> ie: you can ping 05:40 < Axet> it works with either setting but I can't reach any of the server on the vserver host 05:40 < Axet> it might be something else 05:40 < krzee> vserver host = behind server or client? 05:40 < Axet> the vserver host is hosting the openvpn server 05:41 < Axet> the client is my lan's router 05:41 < Axet> th vserver host is a box I rent that I intend using among other things to interconnect sites 05:41 < krzee> the vservers have their own network? 05:42 < Axet> yes 05:42 < Axet> 10.1.0.0/24 05:42 < krzee> you pushed the route to it to clients? 
05:42 < Axet> my lan is 10.2.0.0/24 05:42 < Axet> i entered it manually 05:42 < krzee> do it through openvpn 05:42 < Axet> ok 05:43 < krzee> and if the lan behind the client needs to have access to the vpn 05:43 < krzee> !iroute 05:43 < vpnHelper> krzee: "iroute" is does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 05:44 < krzee> in fact iroute could be the solution for both of those, ild hafta play with the setup a lil to know 05:44 < Axet> it's either a routing or firewall issue, I'll figure it out thxs 05:44 < Axet> I can now ping the vserver from the router on my lan 05:44 < krzee> np 05:45 < krzee> just now when you send packets at openvpn and IT doesnt already know about the network (even tho kernel does) you'll need iroute 05:45 < krzee> cause otherwise you get "MULTI" errors 05:45 < Axet> I'll check the logs now 05:45 < krzee> MULTI: received packets but didnt know what to do with them 05:46 < krzee> or somethin like that 05:46 < Axet> MULTI: bad source address from client [10.2.0.185], packet dropped 05:46 < Axet> like that ? :) 05:46 < krzee> aye 05:46 < Axet> :D 05:46 < Axet> good thing you mentionned that :p 05:46 < krzee> hehe 05:46 < krzee> btw always check logs first 05:47 < krzee> and use verb6 when testing 05:47 < krzee> can lower it after 05:47 < krzee> just now when you send 05:47 < krzee> meant know 05:48 < Axet> iroute is to add routes for networks behind clients right ? 05:49 < krzee> !learn multi as the error MULTI: bad source address from client [IP], packet dropped means you sent packets at openvpn and it doesnt already know about the network (even tho kernel does) please see !iroute 05:49 < vpnHelper> krzee: Error: "IP" is not a valid command. 
05:49 * Axet reads vpnHelper's output and answer's his own question 05:49 < krzee> iroute lets openvpn know what to do with packets it gets but doesnt know what to do with 05:49 < krzee> since multiple clients go through 1 tunnel 05:49 < krzee> kernel sends packets at tunnel interface because kernel says to 05:49 < krzee> openvpn gets it and says WTF 05:49 < Axet> how rude ! ;) 05:50 < krzee> but after you add an iroute, openvpn says oh that goes to client X 05:50 < krzee> iroute = internal route i believe 05:50 < krzee> i havnt seen that said, but its my conclusion 05:50 < krzee> since its only for openvpn internals 05:50 < krzee> kernel route still has to get the packets to openvpn 05:51 < Axet> krzee: if I add an iroute entry to my ccd file will openvpn add the kernel route ? 05:51 < krzee> nope 05:51 < Axet> ok so it's just so openvpn accepts it 05:52 < krzee> !forget iroute 05:52 < vpnHelper> krzee: The operation succeeded. 05:52 < krzee> !learn iroute as does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 05:52 < vpnHelper> krzee: The operation succeeded. 05:52 < Axet> works ! 05:52 < Axet> I can reach the vservers from a client on my lan behind the router =) 05:52 < krzee> =] 05:53 < krzee> im loving my new bot 05:53 < Axet> lol 05:53 < Axet> eggbot ? 05:53 < krzee> makes this stuff so much easier! 05:53 < krzee> supybot 05:53 < krzee> eggdrops are more useful for efnet 05:55 < Axet> iroutes are great ! 
05:55 < Axet> I might stick to static routing a bit longer 07:35 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 07:37 < ecrist> morning, kids 07:37 < Axet> hi 07:52 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."] 07:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 09:00 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 10:13 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 10:24 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 10:28 -!- Irssi: ##openvpn: Total of 34 nicks [0 ops, 0 halfops, 0 voices, 34 normal] 10:53 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 10:53 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Client Quit] 11:14 -!- djs [n=djs@unaffiliated/djs26] has quit [Dead socket] 11:24 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 12:10 -!- cferthorney [n=cferthor@cpc5-papw1-0-0-cust957.cmbg.cable.ntl.com] has joined ##openvpn 12:10 -!- cferthorney [n=cferthor@cpc5-papw1-0-0-cust957.cmbg.cable.ntl.com] has left ##openvpn [] 12:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:16 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn 13:17 -!- djs [n=djs@unaffiliated/djs26] has quit [Nick collision from services.] 
13:17 -!- djs26 is now known as djs 14:17 -!- Alex [i=hauntedu@goatse.co.uk] has quit [Remote closed the connection] 16:04 -!- snowboarder04 [n=un@serv.bemail.co.uk] has left ##openvpn [] 16:29 -!- DGnome [i=mindre@mupp.fi] has quit [Read error: 60 (Operation timed out)] 17:44 -!- ^scott^ [n=scott@stthom.org] has quit ["My damn controlling terminal disappeared!"] 18:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 19:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 21:39 -!- near [n=near@91-172-127-8.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:39 -!- near [n=near@83-153-92-109.rev.libertysurf.net] has joined ##openvpn 23:54 -!- level1 [n=level1@c-24-130-211-171.hsd1.ca.comcast.net] has joined ##openvpn --- Day changed Sun Aug 17 2008 00:28 -!- erstazi [n=erstazi@unaffiliated/erstazi] has joined ##openvpn 00:28 -!- erstazi [n=erstazi@unaffiliated/erstazi] has left ##openvpn [] 00:30 -!- jthan [n=jthan@216-164-31-198.c3-0.smt-ubr2.atw-smt.pa.cable.rcn.com] has joined ##openvpn 00:49 < ecrist> hey kids 00:50 < jthan> Anyone familiar with OpenVPN Client setup on Vistax64 Ultimate? 00:52 < ecrist> meh 00:53 < jthan> Very nice. 00:58 < ecrist> there is some experience, what's your problem? 00:59 < jthan> Well It keeps saying that "All TAP-Win32 Connections are busy "when I try to start OpenVPN.. even if I add new ones. I tried running as an admin, restarting, reinstalling a few times. 00:59 -!- Mitchix [n=chatzill@pool-71-177-180-94.lsanca.fios.verizon.net] has joined ##openvpn 01:02 < Mitchix> good evening i'm hoping i've done all the hard part.. and now this will just be something easy... OpenVPN 2.0.9 (mipssel-linux) everything works, unless i use daemon mode... then none of the Virtual addressing works 01:04 < ecrist> jthan - are you *sure* you're running as admin? 01:04 < ecrist> Mitchix: what do you mean by Virtual addressing? 01:05 < jthan> ecrist: yes. 
But I think I might have just discovered my problem. I forgot AVG was running as *hidden* and therefore I forgot all about it. so let me try with that OFF. If that's the problem I'm shooting myself 01:05 < ecrist> ok 01:06 < jthan> Eh. Nvmd. No such luck 01:07 < Mitchix> sorry was afk.. for a min 01:07 < jthan> ecrist: anyway, def. admin 01:08 < Mitchix> ecrist if you have a openvpn.status file it shows routes plus the address class's.. in daemon mode only the base routes show up.. not the subnet behond the vpn 01:10 < krzee> how do you call openvpn manually? 01:10 < ecrist> jthan - weird. there have been other users here under 64bit Vista w/o problems. 01:10 < ecrist> they might have been using 2.1.x though. 01:10 < ecrist> Mitchix: what OSes, and can you pastebin your config, please? 01:10 < jthan> ecrist: sucks.. 01:11 < krzee> ya ecrist's request is better than my question 01:11 < krzee> !configs 01:11 < vpnHelper> krzee: Error: "configs" is not a valid command. 01:12 < krzee> !learn configs as please pastebin your client and server configs, also include which OS and version of openvpn. 01:12 < vpnHelper> krzee: The operation succeeded. 01:12 < ecrist> hurry, folks. wife's gonna want some nookie soon. 01:12 < Mitchix> krzee starting with just openvpn server.conf everthing works... if i start with openvpn --daemon --config server.conf then i can only ping the vpn servers/clients (1 server 5 clients right now) 01:12 < ecrist> and nookie > * 01:12 < krzee> haha 01:12 < krzee> Mitchix 01:12 < krzee> !configs 01:12 < krzee> and 01:12 < vpnHelper> krzee: "configs" is please pastebin your client and server configs, also include which OS and version of openvpn. 01:12 < krzee> !logs 01:12 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 01:13 < ecrist> !learn logs as please pastebin your logfiles from both client and server with verb set to 6 01:13 < vpnHelper> ecrist: The operation succeeded. 
01:13 < Mitchix> no logs.. this is all running on openwrt.. looking up pastbin usage 01:14 < ecrist> Mitchix: it's not hard - go to www.pastebin.com - copy text, click Paste/Save/whatever-button-says 01:14 < ecrist> copy link from address bar, paste url here. 01:14 < krzee> ecrist, whyd you remake logs? 01:14 < krzee> !logs 01:14 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) please pastebin your logfiles from both client and server with verb set to 6 01:14 < krzee> !forget logs 2 01:14 < vpnHelper> krzee: The operation succeeded. 01:17 < krzee> !learn pastebin as a site [ www.pastebin.com | www.pastebin.ca ] where you can paste stuff, and are given a link to give to people who can then help you 01:17 < ecrist> Mitchix: please post your configs 01:17 < vpnHelper> krzee: Error: "www.pastebin.com" is not a valid command. 01:17 < krzee> whoa 01:17 < krzee> !pastebin 01:17 < Mitchix> i'm getting them... 01:17 < vpnHelper> krzee: "pastebin" is please paste anything with more than 5 lines into pastebin or a similar website 01:18 < krzee> ahh thats already a definition too, ill leave it 01:19 < Mitchix> http://pastebin.com/d5ccccb31 server config and one client config 01:19 < Mitchix> i'm getting the screen's that i'm talking about.. take me about 1-2 min's 01:22 < krzee> ### (optional) make local network behind the VPN server accessible for the VPN clients 01:22 < krzee> #push "route 192.168.1.0 255.255.255.0" 01:22 < krzee> would that work? you can push from client? 01:22 < krzee> to server... 01:22 < krzee> ild assume not 01:23 < krzee> also, its not your problem but do you need tcp? 01:23 < krzee> !tcp 01:23 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 01:23 < Mitchix> krzee if i start with out the --daemon all routing works i can ping servers and i can ping clients on both sides of all networks 01:24 < ecrist> Mitchix: your routes are flawed, you could simplify them 01:25 < Mitchix> simplifty them how? don't understand the flaw... (i didn't include the ccd files but they are just the like all the documention says) 01:25 < ecrist> 192.168.0.0/21 01:25 < krzee> Mitchix, i think logs would be helpful 01:25 < krzee> ecrist, it needs to keep its normal route for .2.0/24 01:25 < ecrist> one route, 192.168.0.0 255.255.248.0 01:26 < krzee> (or lose communication in its lan) 01:26 -!- jthan [n=jthan@216-164-31-198.c3-0.smt-ubr2.atw-smt.pa.cable.rcn.com] has left ##openvpn [] 01:27 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 01:27 < ecrist> krzee: what're you talking about? 01:28 < krzee> push "route 192.168.2.0 255.255.255.0" 01:28 < ecrist> Mitchix: you're missing "push" before lines 27-32 01:28 < krzee> if hes pushing that route to clients, it is behind the vpn 01:29 < krzee> he is pushing the clients a route to his lan behind the server 01:29 < krzee> and telling his server to add routes to send other ip addresses through openvpn 01:29 < ecrist> krzee: he's pushing 8 subnets, actually. 01:29 < krzee> which he should have corresponding iroutes for 01:29 < ecrist> ahhh 01:29 < krzee> no, he isnt 01:30 < krzee> he only has 1 lan behind his server 01:30 < krzee> the rest belong to clients that should have iroutes in ccd entries 01:30 < ecrist> well, tbh, openvpn isn't really the place to put those routes, imho. 01:30 < krzee> thats how hes letting the kernel know about them 01:30 < krzee> i disagree 01:30 < krzee> its the perfect place! 01:30 < krzee> where would you put them? 
01:30 < Mitchix> yes i'm pushing multi nets one per connection 01:31 < krzee> erm 01:31 < ecrist> :P 01:31 < Mitchix> http://pastebin.com/d747eab1b this is the openvpn.status files.... 01:31 < krzee> Mitchix, are you doing what i explained? 01:31 < krzee> or is there more than 1 lan behind your server? 01:31 < Mitchix> the first one is with deamon.. the second is with out just from prompt 01:31 < ecrist> Mitchix: is there more than one lan subnet behind the VPN server? 01:31 < krzee> verb 6 Mitchix 01:32 < krzee> is that even a logfile 01:32 < krzee> !sample 01:32 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 01:32 < ecrist> krzee: he pasted a status file, not a log file. 01:32 < krzee> ahh 01:32 < Mitchix> vpn server is 192.168.2.0 each client connects and has one net behind it.. 192.168.1.0/24 another client 192.168.3.0/24 01:33 < krzee> right 01:33 < krzee> so you arent pushing multiple networks 01:33 < ecrist> Mitchix: push those routes. 01:33 < Mitchix> yes... status files show the routing working.. and it's all happy.. unless i start it as daemon.. then it does not add the /c and /24 routes 01:33 < krzee> the thing is, you gotta push them in ccd. 01:33 < krzee> ccd/ 01:34 < krzee> cause you dont wanna push the route to the lan that is behind the client 01:34 < ecrist> no, he can push them as I said. 01:34 < Mitchix> it's 7 offies... with one class C in each office 01:34 < krzee> ecrist, wont that mess up routing to the lan of the client? 01:34 < ecrist> no 01:34 < ecrist> well 01:34 < Mitchix> yes it does.. i did that all ready... 01:34 < krzee> why wouldnt it? 01:34 < ecrist> yes, you're right krzee 01:34 < ecrist> ccd is the right place 01:35 < Mitchix> it puts 2 entrys in the routing table and it doesn't know what one to use.. 
01:35 < ecrist> omitting the local LAN for each client 01:35 < krzee> it knows which one, but its the wrong one 01:35 < krzee> hehe 01:35 < ecrist> Mitchix: you need a ccd entry for each client, pushing all the LAN routes *other* than it's own LAN. 01:35 < Mitchix> yes i have that... 01:36 < krzee> and with the iroute for the lan you dont push 01:36 < Mitchix> using there Cname... 01:36 < ecrist> can you show me that? 01:36 < krzee> you can just show one ccd entry 01:36 < krzee> can just paste it in here too 01:36 < krzee> err not 1 entry, 1 file 01:36 < Mitchix> iroute 192.168.1.0 255.255.255.0 01:36 < Mitchix> that is Route1 01:36 < krzee> no pushes? 01:36 < Mitchix> the office that we're testing 01:37 < Mitchix> if i put push it doesn't work 01:37 < krzee> no no 01:37 < krzee> lets say 1.0 should talk to 3.0 lans 01:37 < krzee> it would need to know the route 01:37 < Mitchix> if i put the push in the ccd file it does not work.. i have to put it in the 01:37 < krzee> you gotta push the route to all other client lans 01:37 < krzee> or they wont be able to talk 01:38 < Mitchix> its a little confusing the Server is on net 2... 1 3 4 5 6 7 are the client networks 01:38 < krzee> right 01:38 < ecrist> we figured that out... 01:38 < krzee> so 1 needs a pushed route in its ccd entry for 3,4,5,6,7 01:38 < krzee> or 1 wont know how to route to 3,4,5,6,7 01:39 < krzee> your iroute is correct tho 01:39 < krzee> each ccd entry needs a pushed route to all other client lans 01:39 < Mitchix> they are in the main file with the Route and the Iroute tells vpn what to do when they get there 01:39 < krzee> and iroute for its own 01:39 < ecrist> krzee - you should write up some nice docs on my wiki for that sort of thing. 01:39 < krzee> joogot a wiki!? 01:39 < ecrist> I would, but I don't usually have time. 01:39 < krzee> yes, yes i should 01:39 < Mitchix> that is if i want the clents to be able to talk with each other... right now they only need to talk to the server... 
and the server needs to talk with all of them 01:40 < ecrist> krzee: https://www.secure-computing.net/wiki 01:40 < krzee> i can copy and paste some of these conversations 01:40 < vpnHelper> Title: Main Page - Secure Computing Wiki (at www.secure-computing.net) 01:40 < krzee> thats how i come up with the !commands 01:40 < ecrist> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 01:40 < vpnHelper> Title: OpenVPN Server - Secure Computing Wiki (at www.secure-computing.net) 01:41 < Mitchix> what i don't understand is why it works unless i start it as a daemon... 01:41 < krzee> we dont either, cause you havnt posted logs 01:42 < ecrist> Mitchix: if it's as you describe, could be a bug in wrt, or openvpn in priv dropping. 01:42 < Mitchix> you have any idea what a PITA getting logs from openwrt box is like 01:42 < krzee> nope 01:42 < ecrist> i.e. privs are getting dropped before routes are built in daemon 01:42 < krzee> thats why i dont mod my router 01:42 < Mitchix> esp at log level 6 01:42 < krzee> heheh 01:43 < ecrist> Mitchix: asking for logs is far from unreasonable. :\ 01:43 < krzee> ya without them we cant be much more help 01:43 < krzee> although we did solve a problem you had yet to notice 01:43 < krzee> which is always handy 01:43 < Mitchix> i'm not disagreeing with you.. it's how i fixed a number of issues.. but they just scrool by 01:44 < Mitchix> the multi push's.. i had them in.. removed them to simplify the config files 01:44 < krzee> turn up your buffer lines and copy / paste 01:44 < krzee> well you have client to client, which makes me think you want 1. to talk to 3. 01:44 < krzee> without them as i said you wont be able to 01:45 < Mitchix> no.. i'm setting up nagios and it lives on the .2 network... and needs to see everyone... anything else is just extra... 01:45 < krzee> ecrist, can you make an openvpn section to the wiki? 
01:45 < Mitchix> but in daemon mode it does not forward ANYTHING except from the routers
01:45 < krzee> ill add stuff to it as it comes up
01:46 < krzee> oh then you can remove client-to-client
01:46 < Mitchix> ok.. give me a min.. i have to figure out how to get it to write a file...
01:46 < ecrist> :( my wife is snoring.
01:46 < Mitchix> ya i just had not done it yet...
01:46 < krzee> ouch
01:46 < Mitchix> or put the push's back in...
01:46 < krzee> no nookie for youuuu
01:46 < ecrist> krzee: I allow anon edits - create an account and go to town.
01:46 < krzee> ecrist, just push a route to her ;]
01:47 < Mitchix> btw thank you so much for the help.. i've been able to answer all the other issues (related to openvpn) with google..
01:47 < krzee> np
01:47 < krzee> its always nicer to help people who bothered to read the docs
01:47 < krzee> (and google)
01:48 < krzee> ecrist, i can add to miscellaneous on the left?
01:49 < ecrist> oh, you want a menu option? hang on
01:49 < krzee> cool thx
01:50 < ecrist> done
01:50 < krzee> sweet
01:51 < krzee> !learn wiki as https://www.secure-computing.net/wiki/index.php/OpenVPN
01:51 < vpnHelper> krzee: The operation succeeded.
01:57 < Mitchix> ok have one log file... need the broken one....
02:02 < krzee> !iroute
02:02 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
02:06 < ecrist> g'night
02:06 < krzee> nite
02:09 -!- Zylogue [n=Zylogue@wsip-98-174-167-3.ok.ok.cox.net] has joined ##openvpn
02:10 < Mitchix> well at first glance.. it seems to be permission issue... in daemon mode it's not reading the ccd file
02:10 < Mitchix> Sat Aug 16 23:54:21 2008 us=562043 Router7/71.118.143.251:1858 OPTIONS IMPORT: reading client specific options from: ccd//Router7
02:10 < Mitchix> this is missing from the daemon version...
02:11 < Zylogue> greetings all! I'm having a bit of difficulty connecting a linux openvpn client to an openvpn service running on a dd-wrt router. as root I run 'openvpn static-home.conf' and the last line displayed is "UDPv4 link remote: 68.12.147.213:1194"
02:11 -!- level1 [n=level1@c-24-130-211-171.hsd1.ca.comcast.net] has quit [Remote closed the connection]
02:11 < krzee> !logs
02:11 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
02:11 < krzee> oh and greetings =]
02:11 < Zylogue> nothing else has displayed in the term for over 5 minutes
02:12 < krzee> verb is set to 6?
02:15 < Zylogue> OK, it looks as though I have a misconfigured .conf file. back to vim!
02:16 < Mitchix> thank you thank you thank you.. as i love to say.. "I'M NOT A COMPLETE IDIOT.... PARTS ARE MISSING"
02:16 < krzee> you figured it out?
02:16 < Mitchix> I had "Client-config-dir ccd/
02:17 < Mitchix> i needed to have FULL PATH /etc/openvpn/ccd
02:17 < krzee> ahhhhh right
02:17 < krzee> ya i always use full paths
02:17 < krzee> good catch
02:18 < Mitchix> so of course it worked right when i started it from command line (in /etc/openvpn/)... but what throws me is i started it with --daemon in the /etc/openvpn dir... and it still puked...
02:18 < Mitchix> and usually do ... that one just slipped right on in there...
02:19 < krzee> Mitchix, if you would stick around for a minute ild appreciate
02:19 < krzee> to checkout my writeup inspired from this
02:20 < Mitchix> sure.... holding breath;)
02:20 < krzee> and tell me if its understandable
02:20 < krzee> haha
02:20 < Mitchix> ok.. i can read.. just don't ask me to write anything...
02:20 < krzee> haha np
02:21 < Mitchix> i'm restarting all the openvpn's backup... so i won't be far
02:24 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."]
02:26 < Mitchix> they are all up and happy:D again thank you so much for the help
02:27 < krzee> you're welcome
02:29 < Zylogue> if i'm using a key file, why does the client require a ca?
02:30 < krzee> hah i need to figure out how to use the wiki
02:30 < krzee> never set one up before
02:30 < krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN
02:30 < vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
02:30 < krzee> but theres the writeup
02:32 < krzee> --cert file
02:32 < krzee> Local peer's signed certificate in .pem format -- must be signed
02:32 < krzee> by a certificate authority whose certificate is in --ca file.
02:33 < krzee> how do you know if a cert is signed by the right CA without something to compare to
02:33 < krzee> cant just guess, gotta have a trusted CA
02:34 < krzee> same goes for web browsing, but browsers ship with trusted CA's and give you the option of allowing untrusted after alerting you
02:35 < Mitchix> You will need client-config-dir ccd/ in your server config file i would change all references to ccd/ to full path the ccd default(normal) is /etc/openvpn/ccd
02:35 < Mitchix> that's how it got there.. i just copy/pasted it
02:36 < Mitchix> you're going to fix the wiki to have each route on its own line?
02:36 < krzee> yes
02:36 < krzee> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries.
02:37 < Mitchix> and i would reduce example to 3-4 routes not all 6-7
02:37 < Mitchix> yes.. much better.. example... /path/to/ccd/
02:39 < Mitchix> also suggest copy the client1 to client2 and put example there also and highlight the missing PUSH
02:39 < krzee> huh?
02:41 < Mitchix> make 2 sample ccd/client1 and ccd/client3 show the iroute's and push for each one and point out that you don't push that client's address block
02:41 < Mitchix> it really does mess up the router.. might not hurt if openvpn's not on the gateway...
02:42 < krzee> yes it would
02:42 < krzee> it would cut off all network access
02:42 < krzee> cause the router would be unreachable
02:42 < Mitchix> lol.. ya.. and it's a good thing i noticed before rebooting it... lol...
02:43 < krzee> (would be trying to reach router over vpn, but vpn would cease to exist because no communication with router)
02:45 < Mitchix> i broke dyndns updates on 7... so am dependent on the vpn to find it... till i get it fixed...
02:45 < Mitchix> next on my list....
02:48 < krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN
02:48 < vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
02:51 < krzee> there
02:51 < krzee> all better
02:51 < krzee> !lan
02:51 < vpnHelper> krzee: Error: "lan" is not a valid command.
02:51 < krzee> !lans
02:51 < vpnHelper> krzee: Error: "lans" is not a valid command.
02:52 < krzee> !learn lans as https://www.secure-computing.net/wiki/index.php/Multiple_Lans%3B_route%2C_push_route%2C_iroute
02:52 < vpnHelper> krzee: The operation succeeded.
02:52 < krzee> !learn lan as you can NOT run both endpoints of openvpn on the same LAN.
02:52 < vpnHelper> krzee: The operation succeeded.
02:53 < Mitchix> reading
02:56 < krzee> !forget lans
02:56 < vpnHelper> krzee: The operation succeeded.
02:57 < krzee> !learn lans as https://www.secure-computing.net/wiki/index.php/Multiple_Lans-route-push_route-iroute
02:57 < vpnHelper> krzee: The operation succeeded.
02:57 < Mitchix> network 1.0 has a common-name of client1. In ccd/client1
02:57 < Mitchix> 192.168.3.0 LAN would have the following entry for its ccd/ file:
02:57 < Mitchix> they should both be the same...
02:57 < krzee> huh?
02:58 < Mitchix> Full ip in both... and /ccd/filename
02:58 < Mitchix> network 192.168.1.0 has a common-name of client1. in the ccd/client1...
02:59 < Mitchix> network 192.168.3.0 has a common-name of client3. in ccd/client3....
02:59 < krzee> if i put client1 and client2 in both maybe some fool wont read more and try it, this way they get the point you name based on common-name
02:59 < krzee> but ill change the ip
02:59 < Mitchix> lol ok
02:59 < Mitchix> looks really good...
03:00 < Mitchix> in sep i have to redo all the routers (new version of openwrt) i'll convert to udp at that time
03:00 < krzee> k did that for other part too
03:00 < krzee> the route entries are telling his server to add a route for each of 192.168.1.0, 192.168.3.0, and 192.168.4.0 to its kernel's routing table
03:00 < krzee> easier on the eyes
03:01 < krzee> i strongly recommend it
03:01 < krzee> in fact ild do it sooner than later
03:01 < krzee> tcp-over-tcp really sucks that bad
03:01 < Mitchix> lol yes it is.. also for someone not fully understanding routing and ip's
03:01 < Mitchix> ya.. i'm seeing the packet loss already..
03:01 < krzee> i tried voip on it and my calls just went further and further downhill til i had to hangup and startover
03:02 < krzee> which did not take long at all
03:02 < Mitchix> right now only traffic over the vpn is nagios
03:02 < krzee> either way
03:02 < krzee> doing it right now is easy
03:02 < krzee> going back and fixing it later takes more effort
03:02 < krzee> including remembering to care
03:02 < Mitchix> ROFLMOL... says U....
03:03 < krzee> people setup stuff that works 1/2 right
03:03 < krzee> then they never fix it, cause it works "good enough"
03:03 < Mitchix> has to be changed in all the config files(ok easy) and the firewall scripts...
03:03 < krzee> when they shoulda just taken the time to do it right during setup
03:03 < krzee> yanno?
03:03 < Mitchix> this is true...
03:04 < krzee> also
03:04 < krzee> you should setup secret.key
03:04 < krzee> its very easy to generate
03:04 < krzee> and worth doing
03:04 < Mitchix> it'll bug me and i'll fix it... but right now i can't till i fix dyndns or i'll lose a router
03:04 < krzee> it gives you HMAC verification on every packet
03:04 < krzee> so packets not meant for openvpn wont even be processed
03:04 < Mitchix> ya it's done... i just commented it out to keep things simple
03:05 < krzee> well when you uncomment it (like now ;] ) switch to udp
03:05 < krzee> hahah
03:06 < Mitchix> and watch my router vanish on me... config files don't get changed anymore till i know i'm not going to have a router vanish on me...
03:06 < Mitchix> had to drive 15 miles and sit outside with laptop last time to reconnect it...
03:08 < Mitchix> well again thanks for all the help it's time for me to examine the back of my eyelids
03:11 < krzee> np
03:11 < krzee> have a good night
03:12 -!- Mitchix [n=chatzill@pool-71-177-180-94.lsanca.fios.verizon.net] has quit ["ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]"]
03:50 < krzee> Wiki
03:51 < krzee> !iki
03:51 < vpnHelper> krzee: Error: "iki" is not a valid command.
03:51 < krzee> !wiki
03:51 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
04:33 -!- Zylogue [n=Zylogue@wsip-98-174-167-3.ok.ok.cox.net] has quit ["Leaving"]
04:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:24 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
05:58 -!- axu [n=axu@91.208.91.2] has joined ##openvpn
05:58 < axu> hello
06:00 < axu> i am setting up a site 2 site openvpn tunnel with tun. everything works perfect except the push routes doesn't have an effect. im using 2 linux hosts. anyone a hint. also anyone a hint how i can set routes on the openvpnserver automatically when openvpn launches?
06:14 < krzee> which machine needs routes added to it?
06:15 < axu> krzee: first the client machine. i have 2 lines with push route in my servers config but the client ignores it it seems. then on the server at openvpn startup. i know i could do the second by hand but my guess is openvpn has some --script filename option of some kind
06:16 < krzee> !lans
06:16 < vpnHelper> krzee: "lans" is https://www.secure-computing.net/wiki/index.php/Multiple_Lans-route-push_route-iroute
06:16 < krzee> ya something like --up script
06:16 < krzee> but un-needed
06:16 < axu> a, thank you i have a look at it right away :)
06:17 < axu> krzee: why unneeded?
06:17 < krzee> i just wrote that up couple hours ago
06:17 < krzee> hope it helps
06:17 < krzee> script unneeded cause openvpn configs can do it
06:19 < axu> krzee: ok, i only have one client and one server, its site2site setup, so push "route 10.21.0.0 255.255.0.0" "route 10.22.0.0 255.255.0.0" should be set on the client.
06:20 < axu> on the serverside there should be 192.168.254.0 255.255.255.0 going to the clientip
06:20 < krzee> no
06:20 < krzee> client dont get anything
06:20 < krzee> server gets all
06:20 < krzee> route for local to server
06:20 < krzee> push route for it to happen to clients kernel config
06:22 < axu> krzee: i dont get it. the whole iroute concept doesnt compile with my brains
06:22 < krzee> its internal to openvpn
06:22 < krzee> !iroute
06:22 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
06:24 < axu> krzee: i have no clue what the kernel is pointing to or what openvpn knows about any networks, i dont get it
06:25 < krzee> i guess its pretty hard to learn networking and openvpn at the same time
06:25 < krzee> might wanna start with networking
06:25 < krzee> or maybe someone else can help later
06:25 < krzee> im watching efnet get owned, then to bed
06:25 < axu> krzee: i think i have a little of a clue on networking
06:25 < axu> krzee: ok, thank you for the help
06:26 < axu> anyone able to tell me how iroute could help me in any ways?
06:28 < axu> push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" .... in the servers config, should set a route at the client. i dont understand why this should not be the case. but, ok, it isnt :)
06:45 < axu> mhm, has the client to be somehow configured to accept push route ?
06:49 < axu> has anyone a hint besides the howto? or documentation. for i didnt find much about why my routes aren't pushed to the clients in there.
06:53 < krzee> !logs
06:53 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
06:53 < krzee> efnet is still getting owned, cant goto bed yet
06:54 < axu> krzee: ok, got it to 8, im lowering it, mom
06:54 < krzee> i wont be mad at 8
06:55 -!- djs [n=djs@unaffiliated/djs26] has quit [Remote closed the connection]
06:59 < krzee> omfg
06:59 < krzee> 8am
06:59 < krzee> nm i better sleep
06:59 < krzee> but you should pastebin logs and configs
06:59 < krzee> ecrist will prolly be up soon
06:59 < krzee> or someone else
07:01 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
07:02 -!- djs26 is now known as djs
07:09 < axu> krzee: ok, good night
07:09 < axu> http://pastebin.com/m74bf3254
07:09 < axu> here is my 2 configs + the logs from the 2 boxes
07:09 < axu> as i see it the server offers the routes, but the client simply ignores it
07:15 < axu> how about that push and pull thingy. but that needs tls says the logfile, so that shouldnt be the problem either. i tried with pull in client config.
07:20 < rmull> krzee: You there bud?
07:20 < krzee> yes, but i really wanna sleep
07:20 < krzee> hey just keep owning #efnet
07:20 < krzee> after owning the servers and website
07:20 < rmull> Just have a glance at http://openvpn.deconfused.org, then sleep
07:20 < krzee> and its hard to not stay up and watch
07:20 < rmull> You can feel free to pull the stuff out of that and fit it into your wiki if you'd like
07:21 < rmull> Saw your list post :D
07:22 < rmull> I'm not really sure what the format for quick FAQ-style stuff would be in a wiki, so I'm letting you handle the final formatting. That and I'm lazy.
07:23 < krzee> nice man
07:23 < krzee> its ecrist's wiki
07:23 < krzee> im just posting to it =]
07:23 < krzee> thanx, link bookmarked
07:24 < rmull> ecrist: Ping sir
07:24 < rmull> Okay, gonna go start my day. It's nice to see we finally got a real wiki going - that should be quite helpful.
07:25 -!- rmull is now known as rmull_
07:25 < krzee> agreed
07:25 < krzee> !wiki
07:25 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
07:25 < krzee> will complement the bot nicely
07:26 < axu> ok, i did the routing stuff via scripts and up, but its not that nice, the serverside does refuse to start if it gets killed because the route is already there
07:26 < axu> can i tell openvpn not to mind what exitstatus the script tells openvpn ?
07:31 < krzee> could make a script call a script
07:31 < krzee> and the outer script exits well no matter what
07:31 < krzee> cause hey... it ran and finished!
07:31 < krzee> at least in theory
07:32 < krzee> but i really need sleep so dont take my word for it
08:21 < kaynine> !wiki
08:21 < vpnHelper> kaynine: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
08:21 * kaynine is pleased
08:31 -!- axu [n=axu@91.208.91.2] has quit [Read error: 110 (Connection timed out)]
08:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:56 < ecrist> rmull_: pong
09:02 < rmull_> ecrist: Just wanted to let you know that the info at http://openvpn.deconfused.org could probably be incorporated into the wiki
09:03 < vpnHelper> Title: Storage for Freenode's #OpenVPN FAQ (at openvpn.deconfused.org)
09:09 < ecrist> ah, alright
09:09 < ecrist> I'm getting ready to go out for the day - will look at it when I get home.
10:08 -!- ProN00b [n=dot@pD9E3B7F0.dip.t-dialin.net] has joined ##openvpn
10:12 < ProN00b> does anyone have a howto for setting up openvpn to act as a proxy ?
10:26 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
10:34 -!- itchi [n=David@unaffiliated/itchi] has joined ##openvpn
10:58 -!- kala [i=kala@uba.linux.ee] has quit [Remote closed the connection]
11:00 -!- ProN00b [n=dot@pD9E3B7F0.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
11:01 -!- ProN00b [n=dot@pD9E3A9E8.dip.t-dialin.net] has joined ##openvpn
11:08 -!- shadowhywind [n=shadowhy@adsl-68-76-157-68.dsl.akrnoh.ameritech.net] has joined ##openvpn
11:08 < shadowhywind> anyone know of a way to manually set the ipaddress of a tap0 device?
11:08 < shadowhywind> or i should say set a static ip address for tap0
11:34 < itchi> Does anyone know where i can find info about openVPN and DDNS? Got some things working but with a static entry. I saw in the OpenVPN book heading content that there's the word "zones". Someone read that book and can tell me if it's worth to buy this for my missing info?
11:34 -!- shadowhywind [n=shadowhy@adsl-68-76-157-68.dsl.akrnoh.ameritech.net] has quit [Read error: 110 (Connection timed out)]
11:34 < itchi> I want to get bind9 zones updated when a openvpn client connects
11:40 < itchi> Ah, with zones, they mean a zone in a firewall i guess
11:41 < itchi> as this is in that chapter Linux and Firewall. Well, i won't buy the book then :-p
11:50 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
12:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:21 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
13:35 -!- onre [i=esp@static.fi] has quit [Read error: 110 (Connection timed out)]
14:02 -!- sega01 [n=sega01@2001:470:8:29:250:4ff:fe20:dbc4] has joined ##openvpn
14:02 < sega01> hey
14:03 < sega01> does 2.5 beta have the recent fixes in 2.1?
14:03 < sega01> or has it just been given a few patches and left unmaintained?
14:04 < sega01> brb
14:06 -!- daemon [n=daemon@mail.daemoncore.org] has quit [Read error: 104 (Connection reset by peer)]
14:07 < ProN00b> does anyone have a howto for setting up openvpn to act as a proxy ?
14:07 < kaynine> ?"act as proxy"? .... you refer to "redirect-gateway" ?
14:09 < ProN00b> i am not sure
14:09 < ProN00b> you know the service "relakks" by chance ?
14:10 < kaynine> then maybe read about 'gateway' in the man page; and note also that the openvpn.net HOWTO is extremely good.
14:10 < kaynine> I do not know of relakks
14:13 < itchi> ProN00b: Do you want to create a VPN tor client?
14:15 < ProN00b> vpn, where the "pn" i connect to is the same internet my connection is coming from
14:33 -!- Ferdinandd [i=c914d38a@gateway/web/ajax/mibbit.com/x-b59cf4af30f298b3] has joined ##openvpn
14:33 < Ferdinandd> Is it possible to use bridge with static keys (--secret) ?
14:34 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
14:40 < kaynine> Ferdinandd: I'd say "yes"
14:52 < Ferdinandd> kaynine: I'm getting this: Options error: --server-bridge and --secret cannot be used together (you must use SSL/TLS keys)
14:56 < kaynine> Well, since I haven't configured either bridge or static, I'm the wrong person to be authoritative, but I haven't seen anything in any of the documentation to suggest that the two are mutually exclusive; so I defer to others
14:58 < Ferdinandd> kaynine: that's why I'm very confused ... the documentation does not mention SSL/TLS as needed for bridging
15:13 -!- daemon [n=daemon@mail.daemoncore.org] has quit [Connection reset by peer]
15:20 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
15:21 -!- Ferdinandd [i=c914d38a@gateway/web/ajax/mibbit.com/x-b59cf4af30f298b3] has quit ["http://www.mibbit.com ajax IRC Client"]
15:34 -!- daemon [n=daemon@mail.daemoncore.org] has quit [Connection reset by peer]
15:45 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
15:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:19 -!- shadowhywind [n=shadowhy@user-0c93gf5.cable.mindspring.com] has joined ##openvpn
16:19 < shadowhywind> hay all i am getting a Cannot allocate TUN/TAP dev dynamically error anyone have any ideas?
16:36 -!- SirFunk [n=SirFunk@cpe-74-71-205-222.twcny.res.rr.com] has joined ##openvpn
16:36 < SirFunk> how can i tunnel all of my traffic on windows through my vpn?
16:38 -!- shadowhywind [n=shadowhy@user-0c93gf5.cable.mindspring.com] has quit [Remote closed the connection]
16:55 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has joined ##openvpn
16:57 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has quit [Client Quit]
17:56 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:15 -!- SirFunk [n=SirFunk@cpe-74-71-205-222.twcny.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
18:23 -!- SirFunk [n=SirFunk@cpe-74-71-205-222.twcny.res.rr.com] has joined ##openvpn
19:06 < kaynine> SirFunk: redirect-gateway
19:45 -!- SirFunk [n=SirFunk@cpe-74-71-205-222.twcny.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
20:32 < ecrist> evening, kids
20:53 < ecrist> krzee/rmull: updates to wiki.
20:54 -!- mode/##openvpn [+o ecrist] by ChanServ
20:55 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html | Current Release OpenVPN 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin.com for >5 lines | Don't feed the trolls.
20:55 -!- mode/##openvpn [-o ecrist] by ecrist
21:19 -!- mhiku [n=mhiku@203.177.57.170] has joined ##openvpn
21:30 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [SendQ exceeded]
21:35 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
21:36 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
21:38 -!- near [n=near@83-153-92-109.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)]
21:38 -!- near [n=near@83-155-190-107.rev.libertysurf.net] has joined ##openvpn
22:05 < ecrist> foo
22:10 < ecrist> rmull_: I've moved your FAQ into the wiki, https://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
22:10 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net)
22:11 < rmull_> ecrist: Cool, thanks, hope it helps
22:53 -!- mhiku [n=mhiku@203.177.57.170] has quit [Read error: 54 (Connection reset by peer)]
--- Day changed Mon Aug 18 2008
00:32 -!- mhiku [n=mhiku@203.177.57.170] has joined ##openvpn
00:32 < mhiku> how to use openvpn together with tor?
00:39 < krzee> mhiku, no idea, and this next command is not for you
00:39 < krzee> !wiki
00:39 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
01:05 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
01:13 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
01:50 -!- manueld [n=manueld@unaffiliated/manueld] has joined ##openvpn
01:51 -!- manueld [n=manueld@unaffiliated/manueld] has left ##openvpn []
02:19 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:49 < kraut> moin
03:47 -!- shai [n=Shai@l192-117-110-233.cable.actcom.net.il] has joined ##openvpn
04:02 < shai> hi :) I'm trying to revoke a key and getting "unable to load certificate"
04:03 < shai> why is that?
04:05 < hawk> It's really the certificate that you're trying to revoke, right?
04:05 < shai> yes...
04:06 < shai> using: ./revoke-full my_laptop
04:14 -!- shai [n=Shai@l192-117-110-233.cable.actcom.net.il] has quit ["Leaving"]
05:34 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
05:38 -!- kala [i=kala@uba.linux.ee] has quit [Client Quit]
05:41 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
05:52 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
05:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:01 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
06:01 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
06:48 -!- ProN00b [n=dot@pD9E3A9E8.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
06:52 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
07:13 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
07:26 < ecrist> morning, folks
07:33 -!- rmull_ is now known as rmull
07:33 < rmull> morning ecrist
07:42 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
07:53 * cpm yawns
07:54 -!- mhiku [n=mhiku@203.177.57.170] has quit [Read error: 110 (Connection timed out)]
08:08 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
08:09 -!- Irssi: ##openvpn: Total of 33 nicks [0 ops, 0 halfops, 0 voices, 33 normal]
08:23 < ecrist> you know what would be a fun experiment?
08:23 < ecrist> on a large room, give some random, non-regular user ops, see what they do.
08:30 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
08:37 < cpm> go for it.
08:38 < ecrist> next random person that comes in, I'll ask chanserv to help them out. :)
08:38 < Optic> haha
08:40 < cpm> won'
08:40 < cpm> t work, We only allow identified user
08:40 < cpm> s
08:41 -!- Bheam [i=Bheam@77.94.234.164] has joined ##openvpn
08:41 < Bheam> does relaying work through vpn? say me and a friend create a vpn tunnel, then my friend has another tunnel with someone else.. will that someone else be able to reach me without having a direct vpn?
08:41 -!- mode/##openvpn [+o Bheam] by ChanServ
08:41 <@Bheam> err
08:41 <@Bheam> wt.?
08:42 < ecrist> ?
08:42 <@Bheam> @ ?
08:42 < ecrist> ?
08:42 <@Bheam> *shrug*
08:42 < ecrist> Bheam: that will work as long as the routes exist, or are created.
08:42 <@Bheam> cool
08:43 <@Bheam> so * ChanServ sets mode: +o Bheam
08:43 <@Bheam> what gives?
08:43 < ecrist> *shrug*
08:44 <@Bheam> so if me and my friend want 100% transparent network, we need to use same subnet and setup a bridged vpn right?
08:44 < ecrist> not really
08:44 <@Bheam> first time i try vpn :)
08:45 < ecrist> you can use routed vpn, and push the proper routes.
08:45 <@Bheam> but ipx and broadcasts don't go over routed it says
08:45 < ecrist> right.
08:45 < ecrist> for those protocols, you'd need bridged.
08:45 <@Bheam> so well 100% transparent include windows networking and old games :p
08:45 <@Bheam> doom 2 for teh win ;)
08:45 < ecrist> sure, why not?
08:45 < cpm> doom 2 == ipx
08:46 <@Bheam> well right
08:46 < ecrist> iirc, you can play doom2 across routes.
08:46 <@Bheam> i remember playing doom 2 with a coax cable across the street to my friend
08:46 <@Bheam> incidentally he pushed cable tv back through the same cable :D
08:46 < ecrist> didn't you just need to know the IP for who was hosting the 'server'?
08:47 <@Bheam> i don't remember doom2 having tcpip but i might be wrong
08:47 < cpm> don't think so. In fact, I know it didn't. At least originally.
08:48 < ecrist> I must be thinking of something else.
08:48 < ecrist> oh, quake 2 I think.
08:48 < ecrist> sorry.
08:48 <@Bheam> probably quake
08:48 <@Bheam> hehe
08:48 <@Bheam> anyway back to my question; for broadcasts to work we also need to be on the same subnet right?
08:48 < ecrist> of course.
08:48 < krzee> !google broadcast domain
08:49 < vpnHelper> krzee: http://en.wikipedia.org/wiki/Broadcast_domain - Broadcast domain - Wikipedia, the free encyclopedia
08:49 <@Bheam> so we need to divide up the subnet between us.. and i'll use a set of ips for static, some for dhcp and some for vpn bridge right?
08:49 < rmull> Broadcasts won't work unless your VPN is bridged, not tunneled.
08:49 <@Bheam> yea that i read :)
08:49 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
08:52 <@Bheam> but there's one part i don't get.. the syntax of server-bridge is
08:52 < ecrist> yep
08:53 <@Bheam> well since we're both connecting to each other, does my ip need to be part of the pool?
08:54 <@Bheam> ie. should we have the same ip pool for vpn clients?
08:54 <@Bheam> or does each vpn connection need its own private ips?
08:55 <@Bheam> i'm probably confused and confusing :p
08:59 <@Bheam> why do i need to set a ip pool for connecting clients? i mean they have already set their own ip
08:59 < ecrist> Bheam: you're best off having one VPN hub and be part of the same pool.
08:59 < ecrist> with ccds, you can set static IPs.
09:00 <@Bheam> i mean why does the vpn have to manage ips at all? isn't that up to each of the networks by itself?
09:00 <@Bheam> especially when i'm setting bridge mode
09:00 < ecrist> it doesn't *have* to. It can.
09:00 <@Bheam> o.
09:00 <@Bheam> what's 'ccds'
09:00 < ecrist> in bridging, it's all one network.
09:00 < ecrist> !howto
09:00 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:01 <@Bheam> it sounded like i had to reserver extra ips for every vpn connection
09:01 <@Bheam> reserve*
09:04 < krzee> !ccd
09:04 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client
09:05 < krzee> hey ecrist i had that part of the wiki named route push route and iroute for google
09:05 < krzee> to get it a better index cause its helpful
09:06 < ecrist> krzee: put that at the head of the file, in a meta or something.
09:06 < ecrist> it was a really ugly URL.
09:06 < krzee> !route
09:06 < vpnHelper> krzee: Error: "route" is not a valid command.
09:06 < krzee> !iroute
09:06 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
09:06 < ecrist> I've not had problems with google indexing pages on the wiki yet, with sensible urls.
09:06 < krzee> bleh what command did i make that
09:08 < krzee> !lans
09:08 < vpnHelper> krzee: "lans" is https://www.secure-computing.net/wiki/index.php/Multiple_Lans-route-push_route-iroute
09:08 < krzee> !forget lans
09:08 < vpnHelper> krzee: The operation succeeded.
09:08 <@Bheam> can i be both a server and a client?
09:08 < ecrist> krzee: that URL will still work, I did a wiki move.
09:08 < krzee> oh
09:08 < ecrist> if you click on it, you will see (Redirected from Multiple Lans-route-push route-iroute)
09:10 < krzee> hey nice
09:10 < krzee> !learn freebsd as https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
09:10 < vpnHelper> krzee: The operation succeeded.
09:11 < krzee> !howto
09:11 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:11 -!- Irssi: ##openvpn: Total of 34 nicks [1 ops, 0 halfops, 0 voices, 33 normal]
09:14 < rmull> So I've got a question for you gents.
09:15 < rmull> http://pastebin.ca/raw/1177468
09:15 < rmull> What's going on here?
09:15 < rmull> This is the client log
09:15 < rmull> Server log shows nothing
09:15 < krzee> maybe it cant resolve my.ip.add.ress
09:15 < krzee> lol jk
09:15 < rmull> <_<
09:15 < krzee> verb 6?
09:15 < rmull> Lol
09:15 < rmull> Yeah
09:15 < rmull> You want more?
09:15 < krzee> 6 is fine
09:16 < krzee> let us get the whole log and server too
09:16 < rmull> Okay, let me do some collecting.
09:17 < rmull> It's basically the stock sample confs.
09:20 < rmull> server.conf: http://pastebin.ca/raw/1177479
09:20 < krzee> nah meant server logs
09:21 <@Bheam> if i want to run without certificates, can i just comment out the ca/cert/key/dh lines?
09:21 < krzee> and turn its verb up to 6
09:21 < krzee> Bheam, no
09:21 <@Bheam> i want to get everything up and running before i add certs :p
09:21 < krzee> and why in the world would you wanna do that?
09:22 <@Bheam> just to simplify the process. i got low brain capacity :p
09:22 < krzee> windows?
09:26 < krzee> rmull, from mail archives looks like either a cert issue or firewall issue
09:26 -!- negboy [i=hamid@unaffiliated/negboy] has joined ##openvpn
09:27 -!- mode/##openvpn [+o negboy] by ChanServ
09:27 < ecrist> ?
09:27 < ecrist> what's up negboy?
09:28 < rmull> krzee: iptables on the vpn server has been turned off for testing, external firewall is a cisco router with 1194/UDP open and identically configured as an existing, working openvpn install
09:28 < rmull> server log: http://pastebin.ca/raw/1177491
09:28 < rmull> krzee: Checking mailing list
09:28 <@negboy> ecrist: hi, i wanna connect with my connection , i was windows user but now im linux user . how do i connect to my connection ?
09:28 < ecrist> what?
09:30 <@negboy> ecrist: openvpn connction.opvn
09:30 <@negboy> ecrist: next what ?
09:30 < Optic> hi
09:30 <@Bheam> docs say: The addresses used for local and remote should not be part of the bridged subnet -- otherwise you will end up with a routing loop. but have no mention of the term 'remote' in that section, clues?
09:30 <@negboy> ecrist: why im op !?
09:30 <@Bheam> i was wondering that too :p
09:30 < Optic> op!
09:31 < rmull> :bow:
09:31 < Optic> hi rmull
09:31 < rmull> Salut, optic
09:31 <@Bheam> chanserv has eaten some buffer overflow i think
09:32 -!- hamid [i=hamid@unaffiliated/negboy] has joined ##openvpn
09:32 -!- hamid [i=hamid@unaffiliated/negboy] has left ##openvpn []
09:33 <@negboy> im op !
09:33 <@negboy> why ?
09:33 <@negboy> haha ! irc has broken :P
09:33 -!- mode/##openvpn [-o negboy] by negboy
09:34 < negboy> ecrist: don't you wanna help me ?
09:35 <@Bheam> bbl
09:35 < ecrist> negboy, have some patience, I'm a bit busy as I'm at work.
09:35 < ecrist> you need to also be more specific about what you need.
09:35 < ecrist> what do you have set up, what have you been trying, etc.
09:36 -!- rgsteele||work [n=rgsteele@75.147.74.137] has joined ##openvpn
09:36 < krzee> lol
09:36 < krzee> chanserv likes you Bheam
09:37 -!- mode/##openvpn [+o rgsteele||work] by ChanServ
09:38 < ecrist> my test isn't nearly as exciting as I hoped it would be, cpm. ;)
09:39 <@rgsteele||work> What, opping the next guy who joined the channel? :)
09:39 <@rgsteele||work> Sorry to disappoint ;)
09:39 < negboy> ecrist: so, take it easy. i like the RTFM :)
09:40 < rmull> krzee: Looks like it's a firewall issue - I can connect to the server across the LAN.
09:40 < rmull> hinteresting.
09:40 < krzee> try tcp just for testing
09:40 < krzee> easy to test tcp with telnet
09:42 < krzee> dude efnet is so hacked
09:44 < negboy> for openvpn in linux i should set firefox with it ?
09:46 < cpm> Intrusive firefox settings will vpn access wilting joy not gathered in storms.
09:47 < rmull> lol cpm
09:47 < cpm> Alas, the day.
09:48 <@rgsteele||work> Hey guys - I've got a Windows box that, when the link to the openvpn server drops out for whatever reason, won't reconnect unless manually restarted. It's got the ping-restart option specified, and I've also set persist-tun and persist-key, but it doesn't seem to help: http://pastie.org/254955
09:48 <@rgsteele||work> All the Linux boxes works just fine, and since reconnecting is the client's job, I'm pretty sure it's something local to that machine. Windows firewall is probably not the issue, since manually restarting works.
09:49 < krzee> it reads your cert files!?
09:49 < krzee> i thought windows had to be //
09:49 < cpm> so, it does work, the vpn comes up, connections, and functions correctly for a while, then drops and will not reconnect?
09:49 <@rgsteele||work> It's running in a cygwin environment.
09:49 * cpm runs away
09:50 * krzee follows cpm
09:50 <@rgsteele||work> Well, our ISP sucks and occasionally the link dies out, and when that happens, the Windows box attempts to reconnect to the VPN server at the colo but fails.
09:50 < cpm> I'm a pretty big fan of cygwin. But since the windows openvpn implementations are really quite good, I'd stick with them.
09:50 < krzee> im a pretty big fan of never using windows ;]
09:50 < cpm> well, there is that.
09:51 < krzee> lol
09:51 <@rgsteele||work> It's the only Windows box in the company.
09:51 < cpm> but 'when in hell',
09:51 < krzee> bahaha
09:51 <@rgsteele||work> But, I gotta make it work :)
09:51 < cpm> drop the cygwin openvpn implementation. Go with the windows native
09:51 < cpm> just a thought
09:51 < krzee> !learn windows as im a pretty big fan of never using windows ;] well, there is that. but 'when in hell',
09:51 < vpnHelper> krzee: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
09:52 < krzee> !learn windows as im a pretty big fan of never using windows well, there is that. but 'when in hell',
09:52 < vpnHelper> krzee: The operation succeeded.
09:52 < krzee> had to
09:52 <@rgsteele||work> Actually, just looking at it, it looks like it is the Windows native version.
09:53 <@rgsteele||work> Even though cygwin is on the box.
09:53 < krzee> !windows
09:53 < vpnHelper> krzee: "windows" is im a pretty big fan of never using windows well, there is that. but 'when in hell',
09:53 <@rgsteele||work> ...yeah, no openvpn in the ps output
09:53 < kala> rgsteele||work: do you have log file ?
09:53 <@rgsteele||work> Yep, it's in the paste: http://pastie.org/254955
09:54 < kala> process restarting and thats it?
09:54 <@rgsteele||work> It loops over and over on that until it's manually restarted.
09:54 < kala> umm
09:54 < kala> I think I saw something like that
09:55 < kala> my config doesn't use persist-tun
09:55 <@rgsteele||work> I've tried it without that too.
09:56 < krzee> !sample
09:56 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
09:56 < krzee> i dont have ping-restart in client
09:56 < krzee> but i have keepalive 10 120 in server
09:56 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
09:57 < krzee> also
09:57 < krzee> for debugging you need to put verb 6
09:58 < cpm> do not verb nouns!
09:58 <@rgsteele||work> krzee: The manpage says that's for server mode.
09:58 <@rgsteele||work> Can that directive be used on the client side?
09:59 -!- negboy [i=hamid@unaffiliated/negboy] has left ##openvpn []
09:59 <@rgsteele||work> And, it's it just equivalent to the ping and ping-restart options?
09:59 <@rgsteele||work> Theoretically, they should both be different means to the same end.
09:59 < krzee> rgsteele||work, if the manpage says its for server, whyd you put it in client?
10:00 <@rgsteele||work> The manpage says ping-restart can be used on the client.
10:00 < krzee> oh
10:00 < krzee> ok well put verb 6 if you want useful output in your logs
10:01 <@rgsteele||work> Alright, I'll give it a shot.
10:06 -!- mode/##openvpn [-o rgsteele||work] by ChanServ
10:07 -!- Irssi: ##openvpn: Total of 34 nicks [1 ops, 0 halfops, 0 voices, 33 normal]
10:07 -!- mode/##openvpn [-o Bheam] by ChanServ
10:38 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."]
10:56 < rmull> krzee: Rofl, boss told me to use an IP that we don't own for the VPN server <_<
10:56 < rmull> That's why it wasn't working.
10:56 < rmull> Solved!
10:56 < rmull> :P
10:56 < ecrist> lol
10:58 < rmull> So the websites tell me that to flush my dns cache i restart the nscd service, but I don't run the nscd services.
10:58 < rmull> Can I still clear my DNS cache?
11:00 < ecrist> rmull: on what OS?
11:00 < ecrist> dns cache is OS dependent.
11:01 < krzee> bahaha
11:01 < krzee> if windows ipconfig/flushdns
11:03 < rmull> krzee: That's what I'm trying to duplicate on Linux.
11:04 < krzee> ps auxw|grep nscd
11:04 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has joined ##openvpn
11:06 < krzee> and if theres no nscd service, your box isnt cacheing dns
11:06 < krzee> but your NS might be
11:06 < rmull> krzee: Ahh, that's probably what it is.
11:26 < Bheam> generic bridging question; when i have computer A (router) B (bridge) C (windows desktop) and D (computer on other side of bridge), what do i have to do to make ping from C -> D work ?
11:26 < Bheam> A being default gateway (it doesn't know about D)
11:28 < rmull> !windows
11:29 < vpnHelper> rmull: "windows" is im a pretty big fan of never using windows well, there is that. but 'when in hell',
11:29 < krzee> lol
11:29 < rmull> krzee: Can anyone issue !learn commands, or just you?
11:29 < krzee> all
11:30 < krzee> unless it becomes a problem
11:30 < rmull> Gotcha
11:30 < krzee> !forget windows
11:30 < vpnHelper> krzee: The operation succeeded.
11:30 < krzee> Bheam, could help you if it wasnt a bridge
11:30 < krzee> with tun, i made a writeup on that
11:30 < krzee> !bridge
11:30 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
11:31 < krzee> !more
11:31 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
11:31 < rmull> krzee: I read your writeup
11:31 < krzee> rmull, its !learn as
11:31 < krzee> rmull, did it make sense to ya?
11:31 < rmull> Mostly. Just wanted to simplify things though
11:32 < krzee> !lans
11:32 < vpnHelper> krzee: Error: "lans" is not a valid command.
11:32 < krzee> bleh
11:32 < krzee> !wiki
11:32 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
11:32 < rmull> So in your writeup your scenario is a small pool of clients that want to push routes to their LANs to the rest of the VPN
11:32 < krzee> !learn lans as https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:32 < vpnHelper> krzee: The operation succeeded.
11:32 < krzee> !learn routeing as https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:32 < vpnHelper> krzee: The operation succeeded.
11:33 < rmull> And you're using ccd to do this because you "know" the routes to those client lans ahead of time
11:33 < krzee> in my writeup, there is a lan behind the server, and behind the clients
11:33 < rmull> Right. Say you only care about making the server's lan accessible to the clients
11:33 < krzee> and all lans should communicate with eachother
11:33 < rmull> You'd need to push the route to the clients
11:33 < rmull> But is that enough?
11:33 < krzee> right, but then client lans cannot talk to server
11:34 < rmull> Okay. Which directive would be necessary then? A route from the VPN subnet to the server LAN's subnet?
11:34 < krzee> and server lan gateway needs to know about the route to vpn
11:34 < rmull> I mean, no wait
11:34 < rmull> I don't want to publish the client lans
11:34 < rmull> Just the server lan.
11:34 < krzee> shit i should add something bout that
11:35 < rmull> If I don't control the gateway's routing table, is allowing access to the server's subnet impossible?
11:35 < krzee> forgot to mention this assumes openvpn is on the default router for each lan
11:35 < krzee> yes and no
11:35 < krzee> you can manually add the route to each machine on the lan
11:35 < krzee> see the thing is this:
11:35 < krzee> lan machine gets a packet from vpn server who is on its lan
11:36 < krzee> packet came from client
11:36 < krzee> (vpn client)
11:36 < rmull> ohhh
11:36 < krzee> so it has vpn ip
11:36 < krzee> ?
11:36 < krzee> oops
11:36 < rmull> Yeah, that makes sense
11:36 < krzee> but how does it respond to vpn ip?
11:36 < krzee> if it dont have a route, it sends to default gateway
11:36 < krzee> if default gateway is vpn machine, all is well
11:37 < krzee> if not, it should have a route saying vpn network goes to vpn machine
11:37 < krzee> otherwise, no connection
11:37 < rmull> I guess I was just assuming that openvpn would "rewrite" or "spoof" the source IPs on the VPN packets or something.
11:37 < krzee> NAT
11:38 < krzee> no ovpn leaves NAT to the OS
11:38 < krzee> !nat
11:38 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect
11:38 < rmull> Sick, thanks
11:38 < krzee> np
11:39 < rmull> I don't know why I'm asking -- I have to set up ethernet bridging, but I'd much rather run routed tunnel
11:40 < krzee> samba?
11:40 < rmull> Yeah
11:40 < rmull> Well, not technically samba
11:40 < krzee> gotchya
11:40 < rmull> Basically all the servers and clients on this network are windows
11:41 < rmull> So everyone merrily uses netbios names and windows shares
11:41 < krzee> maybe after you get your bridge perfect you could make a writeup on that
11:41 < krzee> im only good with routed
11:41 < rmull> I wouldn't mind, just have to figure it out first.
11:41 < krzee> lol, yup
11:41 < krzee> step 1, figure it out
11:41 < krzee> step 2, write up
11:41 < krzee> step 3, ???
11:41 < krzee> step 4, profit!
11:42 < krzee> oh god, tequila hangover + cigarette = gag
11:43 < rmull> Busy Sunday night for ya?
11:43 < rmull> :D
11:43 < krzee> 2 for 1 everything at my fav bar
11:44 < krzee> for guys
11:44 < krzee> its mans night
11:44 < krzee> ladys night is sat, they get free drinks all night
11:44 < rmull> Man's Night? What is this, Germany?
11:44 < krzee> caribbean
11:44 < rmull> ahh
11:45 < krzee> they gave girls a night, but all us owners friends are men
11:45 < krzee> so we needed a night too
11:45 < krzee> lol
11:45 < ecrist> rmull: a properly setup WINS server and DHCP will allow it to work across subnets.
11:46 < krzee> that is tru
11:46 < rmull> ecrist: That's a probable long-term solution- I'm heading back to school at the end of this week, so I don't have time to replace all the windows trash on this net
11:47 < krzee> PITA, but tru
11:47 < krzee> ild prolly set it up as a bridge too tho
11:47 < krzee> just to not admin a wins server
11:47 < rmull> I have to get a semi-working openvpn in place, and a bacula network backup system in place before the end of the week
11:49 < krzee> if i was you ild make sure i guard against arp poisoning when connecting all your networks
11:50 < krzee> 1 compromised host in 1 lan would = all lans owned
11:50 < krzee> when connecting with bridge
11:50 < rmull> I thought arp-poisoning was a thing of the past, bleh
11:51 * rmull googs
11:51 < krzee> of the past!?
11:51 < krzee> noway!
11:51 < krzee> its the best coffee shop entertainment around
11:51 < krzee> well i guess that and cookie-theft
11:51 < rmull> Could have sworn that modern routers dealt with it invisibly
11:52 < krzee> some
11:52 < krzee> not many ive encountered in the wild
11:53 < rmull> bah.
11:53 < rmull> damn internets
11:53 < rmull> always getting me down
11:53 < rmull> Eventually we'd be fairly VLAN'd out
11:55 < rmull> Okay, gotta get back to my friend Bacula now.
11:55 -!- rmull is now known as rmull_
11:57 -!- mode/##openvpn [+o krzee] by ChanServ
11:57 -!- mode/##openvpn [-o krzee] by krzee
11:57 < krzee> coo
12:04 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
12:11 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kraut
12:17 < Bheam> i have a problem :/
12:17 < Bheam> how do i route traffic to a bridge?
:p
12:18 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has joined ##openvpn
12:18 < Bheam> my default gateway is of course my internet connection
12:18 < Bheam> but i have a bridge running on another computer
12:18 < Bheam> does traffic even need to be routed to a bridge or is a bridge listening to all ips?
12:20 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has quit [Client Quit]
12:21 < Bheam> and after i created the bridge, tcpdump won't stop by ctrl+c i have to kill it
12:29 -!- gallatin [n=gallatin@dslb-092-072-075-052.pools.arcor-ip.net] has joined ##OpenVPN
12:32 < ecrist> Bheam: you don't/can't route a bridge
12:33 < ecrist> you need to have ip forwarding enabled on your interfaces/kernel, though.
12:33 < ecrist> on freebsd, it's sysctl net.ip.forwarding, iirc
12:51 < prattfall> since routing v. bridging seems to be popular today - anyone know if bridging is necessary for SIP?
12:51 < prattfall> i'm routing now, but my SIP traffic is getting dumped, and it looks like it's happening at my local openvpn endpoint
12:52 < prattfall> nothing else appears to be affected
12:54 < prattfall> or am i just failing at firewalls? basically, my SIP server lives at 10.80.0.1, as does my openvpn server
12:55 < prattfall> on my client side, there's a Linksys running Freewrt that connects to the openvpn server and i'm using route/iroute to send traffic between 10.80 and the client lan at 10.60.0.0/24
12:56 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
12:56 < prattfall> when the vpn client comes up, it runs a script that says
12:56 < prattfall> iptables -A INPUT -i tun+ -j ACCEPT
12:56 < prattfall> iptables -A FORWARD -i tun+ -j ACCEPT
12:56 < prattfall> iptables -A FORWARD -i br0 -o tun+ -j ACCEPT
12:56 < prattfall> iptables -A FORWARD -i tun+ -o br0 -j ACCEPT
12:56 < prattfall> everything but SIP seems happy with that config
12:57 < krzee> no bridge needed for sip
12:57 < krzee> think of it this way
12:57 < krzee> if it can go over the inet, no need for bridge
12:57 < krzee> if it is lan only, bridge time!
12:58 < prattfall> yeah, that was my thought. SIP is notoriously pissy, but its because of NAT which doesn't apply here
12:59 < krzee> are you using nat traversal?
12:59 < krzee> STUN
12:59 < prattfall> no
12:59 < krzee> use STUN!
12:59 < prattfall> not on this side of the firewall anyway
12:59 < krzee> ohhhh i see
13:00 < prattfall> why would i need stun if i'm not going through a nat?
13:00 < krzee> sip is only going over vpn ips
13:00 < prattfall> right
13:00 < krzee> you are vpn'ed to the phone server
13:00 < krzee> secure comms
13:00 < prattfall> well, my linksys is
13:00 < krzee> nice man
13:00 < prattfall> yeah, till them men in black hijack my linksys :)
13:00 < prattfall> WPA2 FTL
13:00 < krzee> and your linksys gives your computer nat?
13:00 < prattfall> no
13:01 < prattfall> its my openvpn endpoint at the client location
13:01 < krzee> right
13:01 < prattfall> so it connects clients on 10.60 via openvpn to the server at .80
13:01 < krzee> but its not running voip software...
13:01 < krzee> so what runs the voip?
13:01 < prattfall> ht elinksys? no
13:01 < krzee> an ATA behind the linksys?
13:01 < prattfall> god, i suck at typing today
13:02 < Optic> hi
13:02 -!- rgsteele||work [n=rgsteele@75.147.74.137] has quit [Remote closed the connection]
13:02 < prattfall> there's a SIP softclient (zoiper) on 10.60
13:02 < prattfall> trying to talk to the SIP server on 10.80
13:02 < prattfall> the linksys handles VPN connection from 10.60 to 10.80
13:02 < krzee> i dont get your ip notation
13:02 < krzee> 10.60.x.x
13:03 < krzee> or 192.168.10.60
13:03 < prattfall> right
13:03 < krzee> ok
13:03 < prattfall> no, 19.60.x.x
13:03 < prattfall> 10
13:03 < krzee> so vpn is 10.80.x.x
13:03 < prattfall> yes
13:03 < krzee> and lan is 10.60.x.x
13:03 < prattfall> yeah
13:03 < krzee> linksys gives out 10.60.x.x ips
13:03 < prattfall> correct
13:03 < krzee> that is called NAT
13:03 < krzee> use stun
13:04 < prattfall> buh?
13:04 < krzee> :-p
13:04 < prattfall> but the server at 10.80.0.1 can ping my 10.60 hosts
13:05 < krzee> right
13:05 < ecrist> foo
13:05 < prattfall> i used iroute on the openvpn server to send stuff back to 10.60
13:05 < krzee> your linksys is doing nat right
13:05 < krzee> and your vpn is right
13:05 < krzee> setup a stun server for internal vpn ip usage
13:05 < krzee> on your voip box
13:06 < krzee> and life will be good
13:06 < prattfall> ok... i'm gonna need to do STUN eventually when I open SIP up to the public tubes...
13:06 < prattfall> but i'm confused where NAT comes into play
13:07 < prattfall> i thought with iroute i was just routing between the 2 subnets
13:08 < prattfall> like my hosts on 10.60.x.x and 10.80.x.x can talk back and forth over their regular IPs
13:16 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has joined ##openvpn
13:17 < mooseman447> hey
13:18 < mooseman447> why would i get a lot of waiting for tun/tap interface to come up in the client log when i know the vpn server works
13:18 < krzee> ok nat comes in to play with voip
13:18 < krzee> NOT with your vpn
13:18 < krzee> your vpn is fine prattfall
13:19 -!- mode/##openvpn [+o mooseman447] by ChanServ
13:19 < prattfall> ok
13:19 < krzee> lookup STUN
13:19 < krzee> it is NAT traversal
13:19 < krzee> for VOIP
13:19 < prattfall> but it sounds like you're saying there's a NAT between my 2 subnets
13:19 < krzee> dude, your linksys is a nat-box
13:19 < krzee> it does nat!
13:19 < krzee> your vpn doesnt mind at all
13:20 < krzee> but your SIP does!
13:20 <@mooseman447> if im on a wifi that uses the same ip subnet as my vpn servers network is that a problem?
13:20 < krzee> yes
13:20 < ecrist> mooseman447: yes
13:20 < ecrist> very much so
13:20 < krzee> big problem
13:20 < prattfall> my linksys does NAT out to the internet, but it should just be routing VPN traffic across the VPN
13:20 < krzee> like, not gunna work style
13:20 <@mooseman447> ok would could i do to remedy it
13:21 < krzee> change one of the LANs
13:21 < ecrist> mooseman447: change your VPN subnet
13:21 < ecrist> most LANs use 192.168.x or 10.x
13:21 < ecrist> try to use 172.30.x for your vpn
13:21 < krzee> hes saying both sides of the LAN use same subnet
13:21 <@mooseman447> my vpn is bridging mode though so i wouldnt i need to change my entire network?
13:21 < krzee> personally to avoid that stuff ild go to 10.99.x.x or somethin
13:22 < krzee> or 10.20.30.x
13:22 < ecrist> krzee: no, stay out of 10.x
13:22 <@mooseman447> yea my home uses 192.168.1.x and apparently this wifi im using is 192.168.1.x also
13:22 < krzee> ecrist, i just stay out of common 10.x
13:22 < krzee> its easier to remember
13:22 < ecrist> 10.x is a class A subnet.
13:22 < ecrist> often used as such.
13:22 < ecrist> correctly or not.
13:23 < krzee> i can never remember the 172 1918 ips
13:23 < krzee> i can remember the RFC but not the 172 ips
13:23 < krzee> haha
13:23 < ecrist> mooseman447: you could change your home LAN to 192.168.37.x, to avoid such problems.
13:23 < krzee> yup
13:23 < ecrist> krzee: 172.x/8 is 1918
13:23 < krzee> ahh
13:24 < krzee> err no
13:24 < krzee> 172.16.0.0/12
13:24 < ecrist> !learn 1918 as http://www.faqs.org/rfcs/rfc1918.html
13:24 < vpnHelper> ecrist: The operation succeeded.
13:24 <@mooseman447> hmm that would be pretty annoying because im very used to my current setup...
13:24 < ecrist> oh, yeah
13:24 < ecrist> mooseman447: annoying how?
13:24 < ecrist> setup local DNS and IPs don't matter.
13:24 < ecrist> :\
13:25 < krzee> !learn 1918 as http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
13:25 < vpnHelper> krzee: The operation succeeded.
13:25 < krzee> !forget 1918 1
13:25 < vpnHelper> krzee: The operation succeeded.
13:25 < krzee> !1918
13:25 < vpnHelper> krzee: "1918" is http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
13:25 <@mooseman447> hmm i guess thats true
13:25 < ecrist> you're foolish if you're going to dwell on IP assignments.
13:25 < krzee> [14:20] my linksys does NAT out to the internet, but it should just be routing VPN traffic across the VPN
13:26 < krzee> you need stun for your voip
13:26 < krzee> you are not having a vpn problem
13:26 < krzee> argue about it in a voip channel =]
13:26 < prattfall> i'm not arguing, i'm trying to understand why i'd need nat traversal on a network with no nat
13:26 < krzee> dude
13:26 < krzee> do you have a problem with your vpn?
13:27 -!- mode/##openvpn [+o prattfall] by ChanServ
13:27 < krzee> or just with your voip?
13:27 <@prattfall> i think there's a problem where traffic that's supposed to hit the vpn isn't
13:27 < krzee> its only 1 protocol not working?
13:27 <@prattfall> agreed, the only thing that seems to be affected is voip
13:27 < ecrist> prattfall: what do your routing tables look like?
13:28 < krzee> ecrist, its only SIP that is not working
13:28 < ecrist> oh
13:28 < krzee> i used to 1/2 run a voip company
13:28 < ecrist> what's the symptom?
13:28 < krzee> and he needs stun
13:28 < ecrist> krzee: come figure out my SIP problems, then.
13:28 < krzee> you need stun too!
13:28 < krzee> stun for all!!!
13:28 < krzee> lol
13:29 * prattfall is stunned
13:29 < krzee> bahaha
13:29 < krzee> nice one
13:29 < ecrist> naw, I've got a Polycom phone that, after firmware update to 3.0, won't connect to our SIP provider.
13:29 < krzee> ouch
13:29 < ecrist> but 7 other phones work fine.
13:29 < krzee> tried reloading the firmware again?
13:29 < ecrist> can't
13:30 < ecrist> I enter config, try to give it an FTP server address, and it ignores it.
13:30 < ecrist> as if it weren't there.
13:30 < ecrist> :\
13:31 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
13:31 < krzee> weaksauce
13:31 < krzee> tried sniffing to see whats going on?
13:32 < krzee> like is it even trying for the config / sip provider?
13:32 < ecrist> no
13:32 < ecrist> well, yes
13:32 < krzee> thats a good place to start
13:32 < krzee> get all sniffy
13:32 < ecrist> the phone keeps asking for BOOTP, but ignores responses.
13:32 < ecrist> I tried providing DHCP option 66, but didn't do any good.
13:34 < krzee> hrmz
13:34 < krzee> that sucks man
13:34 < krzee> ild hafta play with it to have a clu
13:34 < krzee> sounds like a brick but i wouldnt give up on it
13:35 < ecrist> waiting for a response back from our SIP provider.
13:35 < ecrist> it's still under warranty, so I'm not sweating it.
13:35 < krzee> oh sweet
13:35 < krzee> who you guys use for sip?
13:35 < ecrist> ironvoice
13:35 < ecrist> formerly heavylogic
13:35 < krzee> sounds beefy
13:35 < krzee> IRONVOICE
13:36 < krzee> like you hafta say it in a deep voice
13:36 < rmull_> Heavylogic? Ironvoice??
13:36 < rmull_> BEEFCAKE
13:36 < krzee> lol
13:36 * ecrist starts an SIP provider call 'Cheesy Poofs'
13:36 -!- mode/##openvpn [+o rmull_] by ChanServ
13:36 < krzee> ecrist, dude, thats actually a good idea
13:36 < krzee> except you'll never get the domain
13:37 < krzee> nevaaaahhhhhhhh
13:38 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:38 < ecrist> yeah, prolly.
13:39 < ecrist> well, I've gotta bail, head down to our data center.
13:39 < ecrist> heya, ompaul
13:39 -!- mode/##openvpn [-o rmull_] by ChanServ
13:39 -!- mode/##openvpn [-o mooseman447] by ChanServ
13:39 -!- mode/##openvpn [-o prattfall] by ChanServ
13:41 < ompaul> ecrist, evening
13:41 < Bheam> grrrr
13:41 < Bheam> i can't figure out how to make a client-client over bridge setup :(
13:44 < ecrist> Bheam: someone's gotta be a server.
13:50 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has quit [Read error: 110 (Connection timed out)]
13:51 < Bheam> yes but how can i setup bridge for the client?
13:51 < Bheam> as the bridge directive is server-bridge
13:52 < Bheam> and it doesn't go with the client directive
14:10 -!- gallatin [n=gallatin@dslb-092-072-075-052.pools.arcor-ip.net] has quit [Remote closed the connection]
14:25 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has quit ["leaving"]
14:25 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn
14:27 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
14:38 -!- Axet [n=john@glou.nurvnet.org] has quit [Read error: 104 (Connection reset by peer)]
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:00 < rmull_> lol chanserv
15:08 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:10 -!- sega01 [n=sega01@2001:470:8:29:250:4ff:fe20:dbc4] has quit ["leaving"]
15:40 -!- mooseman447 [n=mooseman@24.115.241.137.res-cmts.sm.ptd.net] has joined ##openvpn
15:43 -!- mooseman447 [n=mooseman@24.115.241.137.res-cmts.sm.ptd.net] has quit [Client Quit]
16:30 < Bheam> right
16:30 < Bheam> i got it working with the minimal commandline example now
16:30 < Bheam> now.. is there any way to add certs without having a server/client configuration?
16:30 < Bheam> or any kind of encryption
16:54 < Bheam> and i'm having trouble coexisting with the bridged network :(
17:15 -!- krzy [i=krzee@unaffiliated/krzee] has joined ##openvpn
17:21 < rmull_> plaerzen: You there?
17:44 < krzy> !learn router as is you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
17:44 < vpnHelper> krzy: The operation succeeded.
17:44 < krzy> !forget router
17:44 < vpnHelper> krzy: The operation succeeded.
17:44 < krzy> !learn router as if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
17:44 < vpnHelper> krzy: The operation succeeded.
17:48 -!- onre [i=esp@static.fi] has joined ##openvpn
18:04 < krzy> !learn netman as if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
18:04 < vpnHelper> krzy: The operation succeeded.
18:09 < Bheam> so i have a bridged vpn working.. but want to add traffic shaping, which interface should traffic shaping run on? eth0? br0? or tap0?
18:14 < krzy> good question
18:14 < krzy> my guess is br0
18:14 < krzy> when you get that figured out i would like to know too
18:21 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
18:32 < Bheam> hm tried something called htb-gen and set eth0 and local and tap0 as remote, but it doesn't seem to intercept any traffic.. i tried br0/br0 also
18:33 < krzy> no idea how that software works
18:34 < krzy> i just use the O'\s firewall for that stuff
18:34 < krzy> err OS's
18:34 < krzy> not really an openvpn question tho tbh
18:35 < krzy> you should prolly ask whoever makes or supports htb-gen
18:42 < krzy> !learn notopenvpn your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
18:42 < vpnHelper> krzy: Invalid arguments for learn.
18:42 < Bheam> well my problems might be bridge/vpn related
18:42 < krzy> !learn notopenvpn as your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
18:42 < vpnHelper> krzy: The operation succeeded.
18:42 < krzy> no, you are wondering if while using htb-gen on a bridge, which interfaces to choose as remote and local
18:43 < Bheam> well i've come down to that it doesn't matter.. i'm not getting any traffic regardless
18:43 < Bheam> so there's a different problem
18:44 < krzy> oh you were trying to setup traffic shaping on your bridge before you got your bridge working?
18:44 < Bheam> no..
18:44 < Bheam> the traffic shaper is supposed to be marking packets with iptables, but no packets get marked...
18:44 < Bheam> so obviously the common syntax doesn't apply for vpn bridges
18:44 < krzy> is your bridge working?
18:44 < Bheam> yes
18:44 < krzy> ok
18:45 < Bheam> i've tried tcpdump and all 3 bridge interfaces show data
18:45 < krzy> then its no longer a ovpn issue, but ill look on google for ya
18:46 < krzy> your real question is "how do i setup traffic shaping on a bridge?"
18:47 < Bheam> hmm there's something called 'ebtables'
18:47 < Bheam> that is the real question ;)
18:47 < krzy> and i bet asking in a linux channel would get you a fast answer
18:48 < krzy> however, im checking google anyways
18:48 < Bheam> trying thanks :p
18:48 < Bheam> :D
18:48 < krzy> although i only have about 10min left that im here
18:52 < krzy> http://mailman.ds9a.nl/pipermail/lartc/2003q2/008744.html
18:52 < vpnHelper> Title: [LARTC] Shaping traffic over a linux bridge (at mailman.ds9a.nl)
18:52 < krzy> 5th result from google: bridge traffic shaping
18:52 < krzy> looks like what you want
18:59 < krzy> funny too cause the guy posted, then he posted again with more info and a bribe, then he posted again answering his question
18:59 < krzy> he never got help but he did document stuff for you =]
19:53 -!- near [n=near@83-155-190-107.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)]
20:09 -!- near [n=near@88-122-24-90.rev.libertysurf.net] has joined ##openvpn
21:29 < krzee> !dev
21:29 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has joined ##openvpn
21:29 < vpnHelper> krzee: Error: "dev" is not a valid command.
21:29 -!- SilenceGold [n=chris@adsl-70-232-106-91.dsl.ltrkar.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 21:29 < Optic> moo 21:38 -!- near [n=near@88-122-24-90.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:38 -!- near [n=near@88-122-20-14.rev.libertysurf.net] has joined ##openvpn 21:43 < krzee> werd 22:02 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has quit [] 23:36 < ecrist> Bheam: did you get everything fixed up? --- Day changed Tue Aug 19 2008 01:25 -!- negboy [i=hamid@unaffiliated/negboy] has joined ##openvpn 01:26 < negboy> hi guys, anybody can help me . 01:28 < negboy> i have this config for windows on openvpn but now i want start openvpn on linux ==> http://freevpn.987mb.com/config.zip 01:29 < negboy> Please tell me, how do i use this connection on linux ? 01:38 < krzee> have you tried? 01:38 < krzee> you shouldnt hafta change much at all 01:39 < krzee> its platform independent 01:39 < krzee> also, unzip and pastebin 01:40 -!- mode/##openvpn [+o negboy] by ChanServ 01:40 <@negboy> ! 01:40 <@negboy> krzee: i unzipped it 01:40 -!- mode/##openvpn [-o negboy] by ChanServ 01:40 < negboy> krzee: and cd to its folder 01:41 < krzee> pastebin the config 01:41 < krzee> !pastebin 01:41 < vpnHelper> krzee: "pastebin" is please paste anything with more than 5 lines into pastebin or a similar website 01:41 < krzee> !learn pastebin as ie: www.pastebin.ca 01:41 < vpnHelper> krzee: The operation succeeded. 01:42 < krzee> !pastebin 01:42 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 01:42 < negboy> krzee: ow ! 01:42 < krzee> ? 01:43 < negboy> krzee: http://www.pastebin.ca/1178416 01:45 < krzee> you need tcp for a reason? 01:45 < krzee> !tcp 01:45 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 01:45 < krzee> that should work 01:45 < krzee> you might want to give it full paths 01:45 < krzee> !path 01:45 < vpnHelper> krzee: Error: "path" is not a valid command. 01:46 < negboy> !paths 01:46 < vpnHelper> negboy: Error: "paths" is not a valid command. 01:46 < krzee> !learn path as always use full paths in your config file, it makes things easier 01:46 < vpnHelper> krzee: The operation succeeded. 01:46 < krzee> !learn paths as always use full paths in your config file, it makes things easier 01:46 < vpnHelper> krzee: The operation succeeded. 01:46 < krzee> you should also consider dropping privileges 01:47 < negboy> krzee: where is the config file of openvpn on debian ? 01:48 < negboy> krzee: how to set openvpn as default for sending and receiving from it ? 01:48 < krzee> !nat 01:48 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect 01:48 < krzee> i dont know where debian puts anything 01:49 < krzee> you installed from package or source? 01:49 < negboy> krzee: package 01:50 < krzee> /etc/openvpn/ 01:50 < krzee> user nobody 01:50 < krzee> group users 01:50 < krzee> or something like that 01:50 < krzee> some user and group that isnt root/wheel 01:51 < krzee> http://www.annoying.dk/2007/10/14/quick-simple-tutorialhowto-on-openvpn-with-debian/ 01:51 < vpnHelper> Title: Quick simple tutorial/howto on OpenVPN with Debian | www.annoying.dk (at www.annoying.dk) 01:51 < krzee> that has debian specific stuff 01:51 < negboy> krzee: thx.
01:51 < krzee> you dont need to follow the whole thing, just skim it to catch anything debian specific 01:51 < krzee> np 02:04 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: negboy 02:06 -!- Netsplit over, joins: negboy 02:12 < kraut> moin 02:13 -!- negboy [i=hamid@unaffiliated/negboy] has left ##openvpn [] 02:21 < krzee> !kraut 02:21 < vpnHelper> krzee: "kraut" is moin 02:50 -!- gallatin [n=gallatin@dslb-092-072-072-132.pools.arcor-ip.net] has joined ##OpenVPN 03:14 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has joined ##openvpn 03:15 < tcccp> hmmm 03:15 < tcccp> I know I forgot one channel... 03:34 < krzee> hehe 03:34 < krzee> wassssup 03:35 < tcccp> nothing right now 03:35 < tcccp> I'm suffering 03:35 < tcccp> needz sleep 03:35 < krzee> ? 03:35 < krzee> ahh 03:35 < krzee> gnite =] 03:35 < tcccp> hrhr 03:35 < tcccp> 1035am here 03:35 < tcccp> no sleepz for ceiling cat 03:36 < krzee> haha 03:36 * tcccp is watching his rodents having a nap ;) 04:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 04:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 04:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 05:03 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 05:24 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)] 05:30 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 05:35 < Bheam> oi 05:35 < Bheam> can i talk to a running openvpn and make it output like verb9? 05:35 < kala> via management interface 05:36 < Bheam> i'm trying to copy a file over windows networks, and i'm getting the data in chunks of about 1MB and ping is skyrocketing 05:36 < Bheam> is there any way to monitor udp packet loss? 05:37 < Bheam> and is tcp-queue-limit and/or txqueuelen gonna help me? 
05:44 < krzee> !mtu 05:44 < vpnHelper> krzee: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 05:44 < krzee> sorry thats not directed @ you 05:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:19 < Bheam> is there any way to reduce the amount of 'pathcost' packets? 06:20 < Bheam> also is there any way to view the tunneled data? --verb 9 gives some info, but nothing with regards to what is actually passing through 06:25 < rmull_> Bheam: Tcpdump could probably help in that regard. 06:26 < Bheam> i'm running a bridge 06:28 < Bheam> nm found it 06:28 < Bheam> was on wrong interface :p 06:29 < Bheam> 13:26:56.682026 IP 192.168.0.33.ssdp > 239.255.255.250.ssdp: UDP, length 319 06:29 < Bheam> will this traverse the vpn bridge? 06:29 < Bheam> .33 is my router and it keeps spamming that stuff like 15 times every second 06:42 -!- gallatin [n=gallatin@dslb-092-072-072-132.pools.arcor-ip.net] has quit [Remote closed the connection] 07:08 < Bheam> so i learn it's upnp.. i don't want that over the vpn 07:09 < cpm> iptables 07:15 < Bheam> i don't understand this bridge shit :p what interface do i iptables it on? eth0 - br0 - tap0 ? :p 07:19 < kala> maybe you should build a routed vpn? 07:47 < Bheam> lol no i'm gonna play doom2! 07:48 < ecrist> morning, kids 07:49 < kala> Bheam: you know, there's P2P VPN software available? works on L2 level. Very cool... 08:00 < rmull_> ecrist: mornin 08:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 08:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:23 < Bheam> l2 level? 08:23 -!- rmull_ is now known as rmull 08:23 < Bheam> p2p vpn? i do that with openvpn :p 08:23 < ecrist> Bheam: you still having problems? 08:23 < Bheam> well everything works, i'm just on the tweaking phase 08:24 < Bheam> preventing certain traffic from being tunneled 08:25 < Bheam> and i have a problem..
if i stop a packet at the bridge(br0) the box itself won't get it (right?) 08:25 < Bheam> or does bridges also use the FORWARD rule? 08:25 < Bheam> do* 08:26 < ecrist> I wouldn't recommend blocking at the bridge. 08:26 < Bheam> so do i block at tap0 then? 08:26 < ecrist> either block on the physical interface, or block on the tap device 08:27 < Bheam> but the physical interface doesn't have an ip anymore, can i still use iptables on it? 08:28 < ecrist> I'm not familiar with iptables. 08:28 < ecrist> most firewall software I've worked with doesn't need an IP on the interface to filter traffic, though. 08:28 < cpm> it's a linux specific kludge. And no, they don't need IP. Just the interface. 08:29 < Bheam> ok probably doesn't then 08:29 < Bheam> but again, i can't block it on the physical since i want the box to receive it 08:29 < Bheam> so tap0 it is 08:32 < Bheam> arg 08:32 < Bheam> iptables -A FORWARD -p udp -o tap0 --dport ssdp -j DROP 08:33 < Bheam> does nothing at all 09:01 -!- near [n=near@88-122-20-14.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 09:02 -!- near [n=near@83-155-187-61.rev.libertysurf.net] has joined ##openvpn 09:04 -!- Irssi: ##openvpn: Total of 32 nicks [0 ops, 0 halfops, 0 voices, 32 normal] 09:16 < rmull> !nat 09:17 < vpnHelper> rmull: "nat" is http://openvpn.net/howto.html#redirect 09:17 < rmull> thanks vpnHelper 09:42 -!- Pici [n=Pici@ubuntu/member/pici] has joined ##openvpn 09:42 -!- Pici [n=Pici@ubuntu/member/pici] has left ##openvpn [] 09:45 -!- pred2k5 [n=Torsten@dslb-088-069-199-156.pools.arcor-ip.net] has joined ##openvpn 09:45 < pred2k5> hi 09:46 < ecrist> howdy 09:46 < pred2k5> I push redirect-gateway for every client, how to skip this, without creating a client-config-file, where I have to put in every route by hand? 09:46 -!- pornizzle [n=pornizzl@yamuk.erdem-online.net] has joined ##openvpn 09:46 < ecrist> push the routes in your main server config. 09:48 * cpm pushes ecrist 09:48 < cpm> hey, sorry.
09:49 < pornizzle> hi guys, i always get a p-t-p connection ... but i use tun with ifconfig 09:49 < pornizzle> http://pastebin.com/d44c42e6 09:50 < pornizzle> here my config 09:50 < pornizzle> http://pastebin.com/d79686149 09:50 < pred2k5> ecrist I do 09:50 < pred2k5> I meant I push redirect-gateway in the main server conf :D 09:53 < pred2k5> do I get routes pushed by iroute, when I use client config dir? 09:55 * pornizzle slaps ecrist around a bit with a large trout 09:55 * pornizzle slaps cpm around a bit with a large trout 09:55 < pornizzle> hi :) 09:56 < cpm> no fish-slapping allowed 09:56 < pornizzle> :o 09:56 < cpm> python_violation=1 09:58 * ecrist slaps pornizzle around a bit with a large penis. 09:59 < cpm> onoes! 09:59 < ecrist> pred2k5: what're you trying to do? 09:59 < cpm> penis_violation=1 09:59 < pornizzle> oO 09:59 < ecrist> the question is, who got violated? /me thinks pornizzle. 10:00 < ecrist> ok, I'm sorry. I'm done now. 10:01 < pornizzle> pff 10:05 < pred2k5> I just want one client not to redirect-gateway 10:07 < ecrist> why only one? 10:10 < pred2k5> cause its "the" one 10:10 < pred2k5> the chosen one 10:13 < ecrist> don't think you can do what you want, save having ccs for each client you *want* redirect-gateway 10:15 < pred2k5> yes, thats what I wanted to avoid 10:16 < ecrist> well, for super-special dude, give them their own instance of openvpn, say, another port, that doesn't push that option. 10:18 -!- pornizzle [n=pornizzl@yamuk.erdem-online.net] has quit [] 10:30 < rmull> Man, ethernet bridging and me don't get along. 10:30 * rmull is insufficient 10:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:47 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 10:48 < mooseman447> hey would using redirect-gateway def1 on the client allow me to use a vpn even though the servers subnet and the client one are the same? 10:51 < ecrist> no 10:51 < ecrist> that's a broken setup, fix it. 
10:51 < mooseman447> darn ok 11:30 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] 12:11 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 54 (Connection reset by peer)] 12:12 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 12:12 -!- pred2k5 [n=Torsten@dslb-088-069-199-156.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 12:37 -!- SilenceGold [n=chris@adsl-70-232-106-91.dsl.ltrkar.sbcglobal.net] has joined ##openvpn 12:42 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:49 -!- bandini [n=bandini@host169-105-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 13:18 -!- sega01 [n=sega01@2001:470:8:29:250:4ff:fe20:dbc4] has joined ##openvpn 13:19 < sega01> is openvpn's 2.5 beta branch maintained with the patches that go into 2.1? 13:21 < ecrist> depends. 13:22 < ecrist> something specific you're after? 13:27 < sega01> i'm just wondering if 2.5 is an old version with the udp6 patch or if it has been maintained 13:30 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 13:33 < ecrist> you'd have to talk to a developer or look to the source tree. 13:33 < ecrist> iirc, you can see it in svn. 13:37 < ecrist> Chuck Norris has two speeds, walk and kill. 13:37 < rmull> -_- 13:49 < cpm> Chuck Norris's tears can cure cancer 13:49 < cpm> Chuck Norris never cries 13:58 < ecrist> Chuck Norris doesn't take showers, he takes blood baths. 14:02 < rmull> Hey, I've got a question 14:02 < rmull> So you know how you can set openvpn to try a list of vpn servers in order in the client.conf 14:03 < rmull> And if it fails to connect to the first one it tries the second one? 14:04 < ecrist> yep 14:08 < rmull> What if one server is TCP and one is UDP? 14:08 < rmull> Can I still use a single client.conf for that? 14:09 < rmull> Actually, never mind. 
14:09 < rmull> I'm looking to have a backup vpn server that clients will fail back on if they're behind HTTP proxies 14:10 < rmull> But I may need an extra directive in the conf specifying the location of the proxy anyhow 14:11 < rmull> So I doubt I can use a single client.conf for this. 14:14 < ecrist> no 14:14 < ecrist> you cannot do what you're seeking. 14:15 < ecrist> you could wrap it in a script that would determine whether the user is behind a proxy, and dynamically build a config based on that. 14:17 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 14:18 < rmull> Okay, I'll check it out, thanks bud 14:21 < ecrist> np, that's what I'd do if it were an issue here. 14:23 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit [Remote closed the connection] 14:26 < kala> ecrist: but then you would need to have your own daemon code and proxy detection and things? 14:27 < kala> it would seem to me that it would make sense to have both UDP and TCP and PROXY servers to the same OpenVPN config file. I know, we would need to write a patch for that :) 14:34 < rmull> Something like that might require logic in the config 14:35 < kala> well, there's logic for TCP servers currently? 14:36 < kala> "single type of servers" 14:36 < kala> to choose another, if first one doesn't respond 14:36 < kala> and to shoose randomly 14:36 < kala> choose 14:37 < rmull> That's true 14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:00 < ecrist> kala: it would be stupid easy to write a script as I mentioned. 15:06 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:48 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has quit [Read error: 110 (Connection timed out)] 15:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:34 < ecrist> evening, kids 17:34 < ecrist> I think I'm going to paint my cupboards today. 
17:34 < ecrist> well, the last set of them. 17:38 -!- joyrom [n=mirama@87.19.114.220] has joined ##openvpn 17:39 -!- joyrom [n=mirama@87.19.114.220] has left ##openvpn [] 18:43 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 19:30 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn 19:31 -!- rmull is now known as rmull_ 20:41 < Optic> hi 20:44 -!- preaction [n=doug@68-185-172-125.dhcp.mdsn.wi.charter.com] has joined ##openvpn 20:55 < ecrist> hi 21:20 -!- preaction [n=doug@68-185-172-125.dhcp.mdsn.wi.charter.com] has quit [Read error: 110 (Connection timed out)] 21:22 -!- near [n=near@83-155-187-61.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)] 22:11 -!- JohnMahowald [n=john@fedora/fedorared] has joined ##openvpn 22:41 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: epsilon, rsc, kala, Bheam, sega01, kraut, rmull_ 22:42 -!- Netsplit over, joins: rmull_, sega01, kraut, rsc, Bheam, kala, epsilon 23:53 -!- rickb|server [n=admin@cpe-24-29-248-203.neo.res.rr.com] has joined ##openvpn 23:54 < rickb|server> Hello.. This may seem stupid.. But I have openvpn on my server, I didn't set it up and I know practically nothing about it.. To get the certs and keys needed to add a client, how do I do that? Is it on the man page? --- Day changed Wed Aug 20 2008 00:00 < krzee> make new keys and certs 00:00 < krzee> !new 00:00 < vpnHelper> krzee: Error: "new" is not a valid command. 00:00 < krzee> !openvpn 00:00 < vpnHelper> krzee: Error: "openvpn" is not a valid command. 00:01 < krzee> bleh 00:01 < krzee> !howto 00:01 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 00:01 < krzee> !keys 00:01 < vpnHelper> krzee: Error: "keys" is not a valid command. 00:01 < krzee> !learn keys as http://openvpn.net/howto#pki 00:01 < vpnHelper> krzee: The operation succeeded. 00:01 < rickb|server> I found a good help thing. 
:p I don't expect people to run me through every step, it's not linux then.. :p 00:02 < krzee> well we'll help ya when you get stuck 00:02 < krzee> but ya you gotta do the reading and trying 00:02 < krzee> just read that 00:02 < krzee> http://openvpn.net/howto#pki 00:02 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 00:02 < krzee> the howto and man page are EXTREMELY good 00:03 < krzee> if you were to read both youd understand a lot about openvpn 00:03 < krzee> and it would not be hard to help you with anything you got stuck at most likely 00:03 < krzee> =] 00:04 < rickb|server> :) 00:04 < rickb|server> Thx 00:05 < krzee> np 00:05 < krzee> ohhh 00:05 < krzee> and if you use freebsd 00:05 < krzee> !sslserver 00:05 < vpnHelper> krzee: Error: "sslserver" is not a valid command. 00:06 < krzee> !ssl-server 00:06 < vpnHelper> krzee: Error: "ssl-server" is not a valid command. 00:06 < krzee> !ssl_server 00:06 < vpnHelper> krzee: Error: "ssl_server" is not a valid command. 00:06 < krzee> bleh what's he call it 00:07 < krzee> !ssl-admin 00:07 < vpnHelper> krzee: Error: "ssl-admin" is not a valid command. 00:07 < rickb|server> Well.. I am trying to create the public key.. I just added the user, chowned and chmod'd all of the appropriate directories.. What next? lol 00:07 < krzee> you in fbsd? 00:07 < rickb|server> I'm actually on Linux. 00:08 < rickb|server> FC6 00:08 < krzee> !learn ssl-admin as https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 00:08 < vpnHelper> krzee: The operation succeeded. 00:09 < rickb|server> Does the ssl-admin give you any control over the clients?
00:09 < krzee> its for keeping track of certs 00:09 < krzee> server.conf and ccd entries give you control over the client 00:09 < krzee> go read the howto 00:09 < rickb|server> kk 00:09 < krzee> DO NOT think you will get openvpn up right without it 00:10 < krzee> you may get it working with some website, but you wont understand openvpn and therefore will have problems 00:10 < krzee> read the howto, and you will be at a point where people can help you 00:11 < krzee> if you want it done for you i always accept cash for setting things up ;] 00:11 < krzee> otherwise help is free, but you must read docs 00:12 < rickb|server> krzee: Yeah, you are right, it is worth it for the security though.. 00:12 < rickb|server> I mean, it's a little bit of a hassle at first, but.. Security comes with a price, or a couple cups of coffee. 00:12 < krzee> hah 00:13 < krzee> if you want to know how to do anything, expect to read its docs 00:13 < krzee> its not just about security, its about knowing wtf you're doing 00:16 < rickb|server> lol 00:16 < rickb|server> True. 00:16 < rickb|server> I have it setup nicely, works great, I have my server only showing like 3 public services running with a little help from my firewall, it's pretty sweet. 00:16 < rickb|server> (Not me, my friend) :) 00:41 -!- bandini [n=bandini@host169-105-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 00:48 < rickb|server> Ok, I got that.. The client I need to be able to connect to me is running in a non-gui environment, how would I get him online through command line? :) 00:49 < krzee> so you read the howto? 00:49 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 00:50 < krzee> (no, you did not) 00:50 < rickb|server> yeah 00:50 < krzee> no 00:50 < krzee> read the whole howto 00:50 < rickb|server> I may have skimmed, brb.
:p 00:50 < krzee> dude 00:50 < krzee> dont bother asking stuff till you read the howto 00:50 < rickb|server> k 00:54 < rickb|server> I see said the blind man as he pee'd into the wind.. 00:55 < aia> Anyone familiar with getting auth tls server running on windows? 01:24 < krzee> no different than in *nix 01:27 -!- rickb|server [n=admin@cpe-24-29-248-203.neo.res.rr.com] has quit [Remote closed the connection] 02:00 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 02:02 < aia> How do I do it? 02:02 < aia> any channels talk about it here? 02:05 < BoomSie> =) 02:10 < krzee> !howto 02:10 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:10 < krzee> is this nobody reads the docs day? 02:11 < krzee> http://openvpn.net/index.php/documentation/howto.html#security 02:11 < vpnHelper> Title: HOWTO (at openvpn.net) 03:00 -!- xybr3 [n=xybre@bb4win/users/fluffy] has joined ##openvpn 03:07 < Bheam> help.. 'shaper' doesn't work as expected :p 03:07 < Bheam> i put "shaper 50000" in config and now i get 10 sec lag :p 03:08 < krzee> tcp or udp? 03:08 < Bheam> udp 03:08 < krzee> adjusted mtu accordingly? 03:09 < Bheam> didn't think i have to with that big a shape 03:09 < krzee> big? 03:09 < Bheam> 50000 bytes?
03:09 < krzee> thats under 50kb/s 03:09 < Bheam> mtu is like 1400, so that should be like 40 packets/sec 03:10 < Bheam> i don't get it :p 03:10 < Bheam> besides why does mtu even matter, it's a byte-measure 03:10 < Bheam> i see why mtu matters if i choose values low as 1000 03:11 < Bheam> but for 50kb it shouldn't 03:12 < krzee> didnt really analyze it, but its easy to check if its an issue or not 03:12 < krzee> !mtu 03:12 < vpnHelper> krzee: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 03:12 < krzee> and you're right 03:12 < krzee> manual does say if its 1000 / s 03:12 < Bheam> yes 03:15 < krzee> i wonder if making it base2 would help any 03:17 < krzee> like 65536 03:17 -!- xybr2 [n=xybre@bb4win/users/fluffy] has quit [Read error: 110 (Connection timed out)] 03:27 -!- Araknozzo [n=asdfcdf@poisson.phc.unipi.it] has joined ##openvpn 03:28 < Araknozzo> hallo. i want to migrate my openvpn server 03:28 < Araknozzo> can i just copy my server ssl keys to the new machines? 04:00 < kala> ecrist: I still disagree that its stupid easy to write a script for fallback from TCP servers to UDP servers. Script in what language? working on Windows, Linux, Mac? 04:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 05:06 -!- Araknozzo [n=asdfcdf@poisson.phc.unipi.it] has quit ["Lost terminal"] 05:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:20 < ecrist> kala, Mac/BSD/Linux 07:34 -!- rmull_ is now known as rmull 07:46 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has quit ["—I-n-v-i-s-i-o-n— 2.0 Build 3515"] 07:51 < ecrist> the script could be in almost any language. I'd probably use sh, but perl, python, etc, would work. 08:05 < Optic> good morning 08:05 -!- ke4qqq [n=ke4qqq@64.89.94.194.nw.nuvox.net] has joined ##openvpn 08:08 < ke4qqq> hey guys - I have a user using openvpn-gui on winxp. 
(along with about 40 other users) This particular user has the systray icon disappear on her and of course it causes her to lose vpn control. If she tries to restart openvpn gui she gets an error saying that it is already running. She can close openvpn-gui via taskmgr and restart openvpn-gui and successfully connect, and often stay connected for hours. 08:08 < ecrist> ok 08:09 < ke4qqq> any suggestions on how to make that 'disappearing icon' behavior stop? 08:11 < ecrist> sounds like a bug in openvpn-gui, or windows xp 08:13 < ecrist> what version are you using? 08:14 < ke4qqq> 1.03 08:14 < ke4qqq> I see some list traffic from back in 2005 08:14 < ke4qqq> where matthias was going to have it retry to register up to 10x. 08:16 < ke4qqq> but that was in Sept 2005 08:16 * ke4qqq goes to read recent changelogs 08:16 < ecrist> wow, you know there are much newer versions of openvpn-gui, right? 08:16 < ecrist> erm, was looking at wrong version 08:16 < ke4qqq> that 1.0.3? don't think so. 08:17 < ke4qqq> latest stable is listed as 1.0.3 on the website - this is of the gui not openvpn proper 08:19 < ke4qqq> actually when I download the source of this it doesn't appear that it's been fixed per the changes.txt. 08:20 < ke4qqq> I'll post to the mailing list and ask matthias 08:22 < ecrist> let us know here if you find anything out. 08:23 < ke4qqq> k 08:29 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn 08:31 < Whoopie> Hi, I tried to compile OpenVPN 2.1-rc9 for my mipsel-based embedded system. I got a compile error. I made a patch (http://en.pastebin.ca/1179628), but I'm not sure if it's correct. 08:31 < Whoopie> Any hints? 08:33 < ecrist> you'd have to talk to the developers on the mailing list for that one. 08:35 < ke4qqq> openvpn-devel Whoopie 08:36 < Whoopie> ok, thanks. I just saw that a fix was added to the SVN. I'll have a look. 
08:40 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has left ##openvpn ["Bye"] 09:39 -!- chadeldridge [n=celdridg@12.109.108.18] has joined ##openvpn 09:41 < chadeldridge> Hello everyone, I am running openvpn on windows 2003 server with microsoft DNS server. I am unable to get my clients to register in dns even though secure updates are turned off in dns and both the server and suffix are pushed to the clients. can anyone help me please? 09:41 -!- araknozzo [n=asdfcdf@poisson.phc.unipi.it] has joined ##openvpn 09:41 < araknozzo> hallo 09:41 < araknozzo> i need to make a vlan on tap0 09:41 < araknozzo> is it possible? 09:41 < araknozzo> i need to reach a different ip 09:41 < araknozzo> my tap0 is bridged on 192.168.0.1 09:42 < araknozzo> i need from clients to reach an unmodifiable ip 09:42 < araknozzo> 10.0.0.1 09:42 < araknozzo> so on tap0 i have to reach 192.168.0.1 .. and that i do perfectly 09:43 < araknozzo> but i have to reach through a "virtual" 10.0.0.1 which still doesnt exist 09:43 < araknozzo> any idea plz? 09:43 < araknozzo> through tap0* 09:43 < araknozzo> maybe tap0:0 09:44 < araknozzo> a vlan interface with assigned ip? 09:44 < araknozzo> routed with tap0 09:47 < ecrist> araknozzo: sounds like a routing issue 09:47 < ecrist> not a VLAN issue, per se 09:49 < araknozzo> but i need those clients to reach an ip which doesnt exist 09:49 < ecrist> that doesn't even make sense. 09:49 < chadeldridge> not in the least 09:50 < araknozzo> these clients were programmed to make an update on 10.0.0.1 09:50 < chadeldridge> Is there a command for the server config or client config that tells it to register itself in DNS ?
09:50 < araknozzo> nothing works in dns 09:50 < araknozzo> everything on static ips 09:50 < araknozzo> client and server work great 09:51 < araknozzo> and external application on client needs to connect on 10.0.0.1 09:51 < araknozzo> i need to simulate this ip through 192.168.0.1 09:51 < chadeldridge> that cant be true ,..there are options to push dns and wins .. registration to wins works fine .. but not dns 09:51 -!- preaction [n=doug@static-72-1-4-143.ntd.net] has joined ##openvpn 09:51 < araknozzo> what am i supposed to do with wins? 09:51 < araknozzo> i got none 09:52 < chadeldridge> 2 separate issues ... sorry .. read above your wall o text 09:52 < chadeldridge> nevermind .. you came in after 09:53 < araknozzo> kkk 09:53 < ecrist> chadeldridge: didn't see your post, sorry. 09:53 < chadeldridge> Hello everyone, I am running openvpn on windows 2003 server with microsoft DNS server. I am unable to get my clients to register in dns even though secure updates are turned off in dns and both the server and suffix are pushed to the clients. can anyone help me please? 09:53 < chadeldridge> there ya go :-D 09:53 < ecrist> your issue isn't an OpenVPN issue, it's a DNS issue. 09:53 < chadeldridge> not really ... its openvpn failing to send the registration to dns 09:54 < chadeldridge> packet sniffer shows no port 53 traffic is actually occurring when the client connects 09:54 < chadeldridge> although wins works 09:54 < ecrist> you using bridge or routed vpn? 09:54 < chadeldridge> routed 09:55 < chadeldridge> server 10.29.0.0 255.255.255.0 09:55 < chadeldridge> push "dhcp-option DNS 10.29.0.1" 09:55 < chadeldridge> push "dhcp-option DOMAIN commandassist.local" 09:55 < chadeldridge> those look right ? 09:55 < ecrist> yep 09:55 < chadeldridge> server being .1 and dns running on .1 09:56 < ecrist> the client should be sending the update to DNS, not the DHCP server. 09:56 < ecrist> which means it's not an openvpn issue, directly.
You may be blocking traffic for the updates, or your clients aren't properly configured. 09:57 < chadeldridge> is there something that should be in the client config ? 09:57 < ecrist> no, it's a function of the client machine's network stack. 09:57 < chadeldridge> so windows then .. /sigh 09:57 < chadeldridge> let me try my unix machine have yet to test on it 09:57 < chadeldridge> 1 sec 09:58 < ecrist> fwiw, I have windows machines here that seem to work that way just fine. 09:58 < ecrist> my guess is a firewall problem. 09:58 < chadeldridge> i have that machine on DMZ 09:58 < chadeldridge> well wait ... i have that machine's real ip on DMZ 09:59 < chadeldridge> i wonder if i need to do the internal 10.29.x.x net as well 10:02 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 10:03 < ecrist> somebody buy me these LG monitors. 10:03 < ecrist> I'll be your friend *forever* 10:03 < chadeldridge> lol 10:03 < chadeldridge> still no go for me ... added both the 10.29.0.0/24 and the external IP on DMZ and same result 10:03 < chadeldridge> /sadface 10:04 -!- araknozzo [n=asdfcdf@poisson.phc.unipi.it] has quit ["leaving"] 10:05 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 104 (Connection reset by peer)] 10:12 < chadeldridge> just a question ... if a machine was a member of an AD would it register its DNS with a machine that is not in that AD or in a different domain suffix ? 10:13 < ecrist> not sure on that one. sounds like a #windows question 10:14 * ecrist doesn't use windows anymore 10:14 < ecrist> nothing against it, just a skill that's slowly slipping away. 10:14 < chadeldridge> yeah .. i agree .. i use linux all day, but have to support some of these stupid windows apps written 100 years ago it seems 10:15 < ke4qqq> neither do I - that's part of the problem 10:16 < ke4qqq> it just works for me in Linux..... 10:16 < chadeldridge> yeah .. my linux box registered just fine ..
its windows ip stack being non-standard and horribly written 10:16 < chadeldridge> *standards ... wtf are standards .. lol 10:16 < ke4qqq> but chadeldridge - it will try to report it's location to DNS server - but it's up to the DNS server for if it will accept forward that on 10:17 < chadeldridge> yeah .. i have actually tried a few dns servers on this box .. but its something in the 2k3 ip stack that seems to say no to the traffic 10:17 < chadeldridge> no idea what is causing it .. but still looking 10:17 < ecrist> try tcpdump, see if there's something obvious 10:18 < chadeldridge> am now 10:18 < chadeldridge> along with wireshark 10:18 -!- preaction [n=doug@static-72-1-4-143.ntd.net] has quit ["Leaving"] 10:19 < chadeldridge> bbl .. thanks all 10:24 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 11:35 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:45 < plaerzen> Hello channel 11:45 * plaerzen is back from vacation. 11:49 -!- mto [n=richard@CPE000129fda0dd-CM0016b5312c66.cpe.net.cable.rogers.com] has joined ##openvpn 11:50 < mto> Hey guys! I am having trouble with openvpn. I can get an authenticated connection, but I am not getting a local IP on the tun0 device. ideas? 11:50 < mto> Connections from windows with the same config work fine, so its something at the ubuntu client end... 11:52 < chadeldridge> when you say the same config do you mean the exact same config .. because the formatting for inside unix and the formatting for windows is different 11:52 < chadeldridge> on the config file level that is 11:55 < mto> Well... ubuntu's network manager didn't seem to actually be loading in the file, so I manually entered in all the data. If I used the commandline, I used the same file. 11:55 < mto> You mean lines ending with carriage-returns and line feeds, right? 11:56 < chadeldridge> well for example in the windows version of the config.ovpn you have to \\ directory location as where in unix you dont ...
other differences like that 11:56 < chadeldridge> are you starting the config file manually from the shell ? 11:58 < ecrist> mto: have you tried manually running openvpn as root, instead of going through connection manager? 11:59 < chadeldridge> yeah .. may want to try to sudo the openvpn command and see what happens 11:59 < mto> Yeah. I have a file gloplug.ovpn. I run "sudo openvpn gloplug.ovpn". It connects, asks for a username/password, does a bunch o' stuff, and tries to add some routes (which fail) and then says "initialization sequence completed" but if I now look at ifconfig or route -n, there is no IP on tun0, and I cannot reach anything in the office. 12:00 < mto> I just removed all the ^M's from the file, that made no difference. 12:02 < chadeldridge> so the issue is the route addition failing ? 12:03 < ecrist> the route additions fail because the IP isn't assigned. 12:03 < ecrist> mto: sounds like you've got a conflict of some sort between the client and server. 12:03 < mto> I think that's secondary. "ifconfig tun0" does not show an ip address. Therefore, I have no route to 10.10.4.1, and therefore any route I add with "... gw 10.10.4.1" is guaranteed to fail. 12:03 < ecrist> can you paste your client config for us? 12:04 < chadeldridge> yeah i would like to see your config 12:04 < mto> sure. hold on. 12:05 < mto> http://pastebin.com/m4c126d87 12:09 < chadeldridge> dont you need to specify dev tun or dev tap in the config file ? 12:10 < mto> there's a line in there, 8th from the bottom "dev tap". Is that not right? I assumed it was because it worked with windows. 12:10 < chadeldridge> sorry missed it .. 12:10 < chadeldridge> but you are using tun and not tap .. correct ? 12:10 < chadeldridge> not sure if it makes a diff 12:11 < chadeldridge> my client config is massively less complex than yours so im shootin in the dark here. we do everything via CCD on the server 12:12 < mto> I think I confused myself with tap vs tun. 
I *thought* I saw a tun device earlier, but right now, I see a /dev/tap0... But it still doesn't have an IP, so the symptoms haven't changed... 12:13 < ecrist> mto: what kind of vpn do you have? 12:13 < ecrist> tun or tap? 12:13 < ecrist> the server and client need to match. 12:13 -!- near [n=near@88-122-30-103.rev.libertysurf.net] has joined ##openvpn 12:15 < mto> the server is running zeroshell. which is a sort of bundled opensource firewall thingy. It created the .ovpn file. AFAIK, its using a tap device, and I see a tap device on my machine. I misspoke earlier when I called it a tun device. 12:26 -!- SilenceGold [n=chris@adsl-70-232-106-91.dsl.ltrkar.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 12:26 -!- SilenceGold [n=chris@70.232.106.91] has joined ##openvpn 12:28 < mto> hmmm. If I do an "ifconfig tap0 10.10.4.200 netmask 255.255.255.0" and then manually add routes, it works fine. Unfortunately, .200 is a randomly chosen IP, so its not a solution I can share across the corporation. 12:34 < ecrist> mto - as I said, your routes are failing because there's no IP being assigned. are you using statically assigned IPs? 12:36 < mto> I'm trying to figure out what the server is doing. It should be dynamic, because I'm not supposed to need to go to the server every time another user wants to set up a vpn from a new laptop. 12:37 < ecrist> you said linux clients work OK? 12:38 < mto> Windows clients work OK, linux clients do not. 12:38 < ecrist> hrm, there should be no difference. 12:39 < ecrist> our network here has Mac, Linux, FreeBSD, and Windows 98/XP working fine with dynamic IPs. 
12:40 < mto> I'm seeing these 2 lines in the openvpn server log: 13:20:58 99.234.87.233:63626 [admin] No Virtual IP automatically assigned" and "13:20:58 admin/99.234.87.233:63626 MULTI: no dynamic or static remote --ifconfig address is available for admin/99.234.87.233:63626" 12:40 -!- fzzzt [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has joined ##openvpn 12:40 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 12:52 < chadeldridge> why wont dns just work .. its making me crazy 12:54 < ecrist> can you paste your server config and your logs, please? 12:54 < chadeldridge> sure let me pastebin them both 12:55 < chadeldridge> !pastebin 12:55 < vpnHelper> chadeldridge: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 12:55 < mto> I think I fixed it. It looks like the server didn't have a properly configured dynamic IP range set. 12:55 < ecrist> :) 12:57 < chadeldridge> www.pastebin.ca/1179859 12:57 < chadeldridge> is the server config 12:58 < chadeldridge> what else would you like to see / 12:58 < ecrist> logs 12:59 < chadeldridge> not much to see in the logs .. but posting 12:59 < chadeldridge> http://www.pastebin.ca/1179863 13:00 < chadeldridge> you want the ccd for a client as well / 13:01 < chadeldridge> i have 2 types of clients .. local and admin ... local gets 10.29 and admin gets 10.30 via ccd 13:01 < chadeldridge> local cant see local .. but admin can see all 13:02 < ecrist> sure, more info I have, the better I can help you out. 13:02 < chadeldridge> ok 13:03 < chadeldridge> the ccd is nothing more than the static ip being pushed .. and the route to the other network 13:03 < chadeldridge> and all of that works fine .. just dns doesnt ... although wins does just fine 13:05 < chadeldridge> i am using ms dns server and allow non-secure updates is checked 13:05 < ecrist> so, only admins have a ccd entry, right? 
13:05 < chadeldridge> yes 13:05 < chadeldridge> correct 13:05 < chadeldridge> local users just get a dynamic 13:05 < chadeldridge> in the 10.29 range 13:06 < ecrist> and the DNS server is 10.29.0.1? 13:06 < chadeldridge> both those ips 10.29 and the 12.109 address are the same machine and yes that is the dns server 13:07 < ecrist> iirc, windows won't send DNS updates to a DNS server off it's own subnet 13:07 < chadeldridge> ahh 13:07 < ecrist> so 13:07 < chadeldridge> well that could be a problem 13:07 < fzzzt> Hi guys, wonder if you can help me figure something out. I need to move a machine between locations, but still access it securely from both locations, so I would like to use OpenVPN. It's currently on 10.0.1.2/29 and will be moving to 10.0.1.65/29 at the new place. Is it possible to connect two networks like that with OpenVPN in such a way that the current clients can still talk to 10.0.1.2/29 and it gets routed through to 10.0.1.64/29, 13:07 < fzzzt> transparent to the client? 13:07 < chadeldridge> although once connected to openvpn they are kinda on the same 13:08 < fzzzt> eek 13:08 < chadeldridge> although 'ras' connections may just not be able to register 13:08 < chadeldridge> do you think that may be the case / 13:09 < ecrist> fzzzt: you'd have to do some IP redirect stuff. 13:09 < ecrist> I know pf can handle that for you. 13:09 -!- patok [n=patok@r9ay214.net.upc.cz] has joined ##openvpn 13:10 < ecrist> is it the end of the world for them to not register? 13:10 < fzzzt> hmm 13:10 < ecrist> if you really need them to, add an IP for the DNS server on the 10.30 subnet and push proper DNS server via dhcp-option 13:11 < chadeldridge> yeah basically it breaks the entire system 13:12 < chadeldridge> if i was using linux server for this and bind would i have the same issue 13:13 < chadeldridge> so you mean maybe running a client machine that is connected to openvpn that is running the dns server / 13:13 < ecrist> you confused me there.
13:13 < chadeldridge> lol sorry 13:14 < chadeldridge> basically they will not register if they are not on the same subnet through windows .. correct 13:14 < ecrist> yes, i believe so. 13:14 -!- mto [n=richard@CPE000129fda0dd-CM0016b5312c66.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 13:14 < chadeldridge> what if i setup a machine that connected via openvpn and ran the dns server and i pointed the clients to that machine for their dns 13:14 < patok> hi, need help, please... when I have freebsd router with LAN after it and on the router I'm running OpenVPN... when I connect VPN from linux, everything works OK, but when I connect from windows, there is problem with netbios names resolving... so question is - can windows OpenVPN clients resolve netbios names? thx 13:15 < chadeldridge> i dont think you can resolve netbios through openvpn without wins or dns .... 13:16 < chadeldridge> maybe wrong though 13:17 < ecrist> chadeldridge: why aren't you just using bridging? 13:17 < ecrist> you would do away with all these problems. 13:17 -!- Pride [i=platyna@platinum.edu.pl] has joined ##openvpn 13:17 < Pride> Hello. 13:17 < ecrist> hello 13:17 < Pride> It seems that you have broken configure. 13:18 < Pride> 'gcc: `-V' option must have argument' 13:18 < Pride> And configure fails. 13:18 < ecrist> I have broken nothing. 13:18 < chadeldridge> i'm not sure we can with the config we have to maintain. here is our situation. we use this for a client connection into our building. clients cant have the ability of seeing other clients and internal admins have to be able to see all them. i thought routing was the only way to accomplish this 13:18 < Pride> I have looked in the configure code. 13:19 < patok> chadeldridge: ok, so when I install samba wins server on router, it should work? 13:19 < chadeldridge> push the wins address to your clients and that should resolve your names fine yes 13:19 < Pride> ecrist: You are a developer of OpenVPN?
13:19 < ecrist> chadeldridge: that's what firewalls are for. 13:19 < ecrist> Pride: no. 13:20 < ecrist> I don't think anyone here is. 13:20 < Pride> Mhm. OK. See you then. 13:20 -!- Pride [i=platyna@platinum.edu.pl] has left ##openvpn ["Live Free Or Die!"] 13:20 < patok> chadeldridge: ok, so it's not so painful :) 13:20 < patok> thx :) 13:20 < ecrist> lol 13:20 < chadeldridge> nah 13:21 < chadeldridge> ecrist ... thanks for your help .. its at least keeping me thinking 13:21 < chadeldridge> been working on this for days now 13:21 < ecrist> np 13:21 < chadeldridge> just not sure why dns is being such a pita 13:21 < ecrist> it's a subnetting issue. 13:22 < chadeldridge> yeah i think so too 13:22 < chadeldridge> do you think the client connected dns server would work / 13:22 < ecrist> you *may* be able to config the network stack to update, regardless of subnet, somewhere. 13:22 < ecrist> chadeldridge: shouldn't even be that hard. 13:22 < chadeldridge> network stack of the server or the clients / 13:22 < ecrist> just give the DNS/VPN server an IP on the 10.30 subnet. 13:22 < chadeldridge> well that subnet doesnt really exist .. its created by openvpn 13:23 < ecrist> so? 13:23 < ecrist> you can still assign an IP to the server, or tell DNS to listen to 10.30.0.1 13:24 < chadeldridge> well i could i guess hardcode a 10.30 address to the network card.... but how would that be any different than the 10.29 address already used on the tap adapter / 13:25 < ecrist> because the clients on 10.30 would be on the same subnet 13:25 < ecrist> better yet, why not give the admins their own vpn instance? 13:25 < ecrist> with a different config? 13:25 < chadeldridge> well no one can register dns .. not 10.29 or 10.30 clients 13:26 < ecrist> hrm, you implied above that only the 10.30.x clients had problems. 13:26 < chadeldridge> ohh no sorry .. both subnets are dead for dns 13:26 < chadeldridge> my fault .. bad explanation 13:28 < ecrist> I don't know, then.
I don't think it's a VPN thing, as OpenVPN doesn't do filtering at all. 13:29 < chadeldridge> k 13:30 -!- plik [i=gorph@phalse.2600.COM] has joined ##openvpn 13:30 < plik> hi 13:30 < ecrist> howdy 13:34 < plik> I'm trying to set up openvpn 2.0.6 on FreeBSD 7.0 (from Ports), following the howto, to build-ca but I get a permission denied error... 13:34 < plik> [root@brian /usr/local/etc/openvpn/easy-rsa]# . ./build-ca 13:34 < plik> bash: /usr/local/etc/openvpn/easy-rsa/pkitool: Permission denied 13:34 < plik> any suggestions please? 13:34 < ecrist> update your ports tree, first 13:34 < ecrist> current version is 2.0.9 13:34 < ecrist> actually 13:35 < ecrist> !freebsd 13:35 < vpnHelper> ecrist: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:35 < plik> ok, that'll be a good start thanks 13:35 < ecrist> if you have questions, let me know 13:35 < ecrist> I wrote that. 13:35 < plik> cheers :) 13:35 * plik goes to upgrade & read 13:52 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has joined ##openvpn 13:52 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has left ##openvpn [] 13:53 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has joined ##OpenVPN 13:54 -!- chadeldridge [n=celdridg@12.109.108.18] has left ##openvpn [] 14:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:08 < ecrist> afternoon, krzee 14:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:09 < ecrist> well, fuck you then. 14:09 < ecrist> :\ 14:09 < tcccp> lol 14:09 < ecrist> sure, 'Connection reset by peer.' That's what my last girlfriend said when I asked why she broke up with me. 14:09 < tcccp> odd 14:09 * ecrist runs away, flailing his arms, sobbing. 14:10 < patok> can be dhcp server pushed explicitly in configuration file please? now I see I have 192.168.x.0 instead 192.168.x.1 as an DHCP server.... its strange. 14:10 < ecrist> patok: I don't follow. 
14:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:16 < krzee> !tcp 14:16 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 14:17 * ecrist wishes his last name was Titz 14:19 < krzee> hah 14:21 < cpm> ecrist, you'll pay for that in the afterlife. 14:22 < ecrist> cpm, it's a long list, one more thing won't hurt any. 14:23 < cpm> very well. 14:23 < cpm> your punishment begins now. 14:23 < cpm> http://www.badgerbadgerbadger.com/ 14:23 < vpnHelper> Title: Badger Badger Badger.com! The Original Dancing Badgers! (at www.badgerbadgerbadger.com) 14:23 < cpm> view it, and keep viewing it. 14:25 < ecrist> is there an end? 14:25 < ecrist> loops after snake? 14:25 * ecrist gouges out his eyes.. 14:26 < ecrist> I think the snake part is the worst. 14:28 * ecrist can't believe he's still watching it. 14:28 < cpm> are you sorry now! 14:29 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Connection timed out] 14:29 < ecrist> ew: http://www.badgerbadgerbadger.com/footy.html 14:29 < vpnHelper> Title: Footy and the Football Badgers England England England (at www.badgerbadgerbadger.com) 14:31 < ecrist> that one keeps track of the number of loops with the 'score' 14:41 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 14:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:53 < patok> I've realised that my OpenVPN client gets every time the same address - it is the first in the range in DHCP pool, so I would say it gets lease from DHCP server properly, but on the DHCP server is not an information about it at all and it causes IP address assign conflicts then... Have anyone ever see something like that? :-O 14:56 < ecrist> patok: are you using OpenVPN as your DHCP server for VPN clients, or do you have a different server you're using? 14:58 < patok> I use dnsmasq on the same server as OpenVPN runs on.
14:59 < ecrist> sounds like OpenVPN is acting as the DHCP server and your VPN subnet and local subnet overlap 15:01 < rmull> I'd agree with that. 15:01 < rmull> patok: Bridged or tunneled? 15:04 < patok> bridged 15:06 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: krzee 15:06 -!- Netsplit over, joins: krzee 15:07 < patok> maybe you're right, yeah... I use pfSense on the router... there is "Dynamic IP (Assume dynamic IPs, so that DHCP clients can connect.)" checked - maybe I could try to uncheck it... 15:07 < patok> now I'm not sure if I've understood pfSense documentation well... 15:13 < rmull> patok: Do you have the "server-bridge ... " directive in your server.conf? 15:13 < rmull> If so, that defines the pool of IPs openvpn assigns. 15:13 < rmull> Either change that to a pool outside of the DHCP range, or comment that directive out so that DHCP leases go out to the clients. 15:14 < rmull> However, if you use a DHCP server to assign addresses to bridged clients, you have to configure it so that MAC addresses starting with 00:FF:... don't get their default gateway reassigned. 15:14 < rmull> It's in the HOWTO 15:17 < patok> aha, maybe it will be better to define one pool for LAN and second for VPN clients, how I see.... and now I've finished unfortunately :)) unchecking options I'd been talking about lead to the cutting off the vpn... :) 15:19 < patok> but thanks a lot... I'll try it tomorrow - it sounds like really good hint, and I'm quite sure it will work then. 15:26 -!- ke4qqq [n=ke4qqq@64.89.94.194.nw.nuvox.net] has quit ["Konversation terminated!"] 15:26 < rmull> patok: Good luck. Make sure you read the DHCP caveat in the HOWTO. 15:28 < plaerzen> hey guys; what do you all use for password management in the organization? 15:28 < plaerzen> just curious 15:36 < rmull> plaerzen: Did you ever get that netflix code I sent you? 15:42 * plaerzen shakes his head.
15:42 < rmull> okay, one sec 15:42 < plaerzen> I was away all weekend, monday and tuesday 15:42 < plaerzen> thanks 15:43 < rmull> Enjoy 15:44 < plaerzen> rmull: ..... hrm, does netflix work in canada? 15:46 < plaerzen> ah shit, it seems like it doesn't 15:49 < plaerzen> rmull: might as well give it to someone else 15:49 < rmull> plaerzen: :( 15:49 < rmull> Hokay 15:49 < rmull> Free netflix for sale 15:51 * plaerzen is a sad panda. 15:59 -!- fzzzt [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)] 15:59 -!- fzzzt` [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has joined ##openvpn 16:09 < patok> rmull: ok, thx again... I'm going :) bye 16:09 -!- patok [n=patok@r9ay214.net.upc.cz] has left ##openvpn [] 16:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 16:37 < plaerzen> I'm going to hang out in security for a little while. Need to talk about some security related subjects. 16:37 < plaerzen> bbl 16:37 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has quit ["[BX] I wonder what this button marked "EOF" does..."] 16:54 -!- fzzzt` [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has quit ["Leaving"] 17:02 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn 17:02 < plaerzen> #security sucks 17:11 < rmull> lol plaerzen 17:56 < plaerzen> ldap, kerberos oh my. I wish credential management was easy. 18:09 < onre> i've actually thought of running ldap with cleartext auth in environment where no data gets moved across non-vpn connections 18:09 < onre> because setting up ldap authentication etc in diverse environments can be a royal PITA 18:16 < plaerzen> yeah. We have alot of diversity I want to try and integrate into one system. 18:16 < plaerzen> But... I don't know if it's realistic 18:31 < onre> well, it's supposedly feasible... depending on what are the exact features you'll need. 
18:32 -!- adie [n=adie@tapeworm.5sh.net] has joined ##openvpn 18:34 < adie> I've just been caught by the "--script-security" option in debian lenny.. my working vpn config has broken, failing on executing the script. 18:35 < adie> /usr/sbin/openvpn --script-security 2 --writepid /var/run/openvpn.TrLe-UDPTun.pid --daemon ovpn-TrLe-UDPTun --status /var/run/openvpn.TrLe-UDPTun.status 10 --cd /etc/openvpn --config /etc/openvpn/TrLe-UDPTun.conf 18:36 < adie> fails with: ovpn-TrLe-UDPTun[6873]: script failed: could not execute external program 18:36 < adie> removing the reference to the "up" script in my config fixes the problem... any suggestion/ideas? 18:37 < adie>  18:41 < plaerzen> onre: well, I want to integrate with salesforce, google apps, ssh, vpn... and have employees all see and manage their own credentials 18:42 < plaerzen> using a web form of some kind 18:46 * adie spots his problem with a quick strace.. 18:46 < onre> that might get quite hairy and scary 18:46 < onre> adie, right on :) 18:46 < adie> version 2.1_rc9 seems to have changed the way it calls scripts significantly.. you can't do: 18:47 < adie> up "/path/script.sh myarg" 18:47 < plaerzen> onre: yes. I won't develop any system myself. I will see if we can get a shrink wrapped solution (most likely not) or just do some basic ldap stuff 18:48 < adie> anymore.. it'll try to execve the whole string, rather than just the script with the arg. 18:50 * plaerzen waves. 18:51 < plaerzen> ok, home time. peace out. 18:51 < plaerzen> until tomorrow. 19:41 < ecrist> evening, kids 19:43 < ecrist> onre: what're your needs in an authentication system? 
20:54 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: dogmeat, onre 21:38 -!- near [n=near@88-122-30-103.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:39 -!- near [n=near@88-122-21-114.rev.libertysurf.net] has joined ##openvpn 21:52 -!- Whoopie_ [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn 22:04 -!- SilenceGold [n=chris@70.232.106.91] has quit [Read error: 110 (Connection timed out)] 23:20 < Optic> moo 23:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Thu Aug 21 2008 01:34 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 02:00 < kraut> moin 02:04 < krzee> !kraut 02:04 < vpnHelper> krzee: "kraut" is moin 02:31 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 02:31 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 02:47 -!- SilenceGold [n=chris@adsl-70-232-78-19.dsl.ltrkar.sbcglobal.net] has joined ##openvpn 04:22 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 145 (Connection timed out)] 04:34 -!- djs [n=djs@unaffiliated/djs26] has quit [Remote closed the connection] 05:07 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 05:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:03 < krzee> http://digg.com/security/EFNet_IRC_net_and_Website_get_hacked 06:03 < vpnHelper> Title: Digg - EFNet IRC net and Website get hacked (at digg.com) 06:33 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has quit [Remote closed the connection] 06:40 < ecrist> good morning kids 06:55 -!- steve [i=steve@bouncer.stephen.marsh.name] has joined ##openvpn 06:55 < steve> hi all 06:55 < ecrist> morning 06:56 < steve> I was wondering whether it's possible to direct all routing via a VPN, so I can connect to internet destinations via the VPN rather than just on the local subnet? 
06:56 < steve> so effectively my default route would be the VPN 06:56 < steve> but obviously i'd need a route for the VPN over the real connection 06:56 < steve> this is on a windows client btw 06:56 < ecrist> yes, have you read the documentation? 06:57 < steve> I couldn't find anything which explained that particular question 06:57 < ecrist> !howto 06:57 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:57 < steve> could you direct me to the relevant section? :) 06:58 < ecrist> seriously. go to the link above, read the bulleted topics at the top. You'll find the exact topic you're looking for about half way down. 06:58 < ecrist> :\ 06:59 < steve> got it.. sorry :) 07:30 < rmull> mornin doods 07:35 < adie> has anyone tried openvpn with a via nano cpu/system yet? if so what throughput do you get? 07:41 < cpm> I get 1 dollar 07:50 < rmull> adie: I'd imagine pretty good throughput if you have the Padlock stuff configured correctly. 08:03 < adie> rmull: well the old stuff had trouble pushing 40mbit over the wire due to choking on bus bandwidth.. 08:04 < adie> the padlock specs are pretty good... I'm wanting to do gbit crypto, and there's nothing software/oss available that works. 08:07 < rmull> adie: Oy, 40Mbit is a lot, yeah, I'm not sure about that 08:07 < rmull> I ran some benches on my VIA C7 (not nano) with padlock enabled 08:08 < rmull> But they were just openssl speed tests 08:10 < plaerzen> morning irc 08:22 < sega01> is there a useful way to see svn changes?
08:22 < sega01> http://svn.openvpn.net/projects/openvpn/branches/BETA25/openvpn/ is not helpful 08:22 < vpnHelper> Title: Revision 3259: /branches/BETA25/openvpn (at svn.openvpn.net) 08:26 < sega01> nevermind 08:27 < sega01> 2.5 hasn't been changed since december 2005 :-( 08:31 -!- Bushmills [n=nnBushmi@verhau.de] has joined ##openvpn 08:39 < adie> rmull: I'm currently getting around 300mbit/s on a xeon, and connection roundrobining across multiple openvpn tunnels to get best speed.. but I want 1gbit. :-/ 08:43 < cpm> do you get 1gbit against raw ftp? 08:44 < cpm> raw ftp it my favorite benchmark of actual net performance. 08:44 < cpm> s/it/is 08:46 -!- Bushmills [n=nnBushmi@verhau.de] has left ##openvpn ["Leaving."] 08:47 < sega01> netcat would work well 08:47 < sega01> but ftp is more realistic for "real world" throughput 08:47 < sega01> then again, ftp has very little overhead at all 08:50 * ecrist roars. 08:50 < rmull> ftp pisses me off. 08:51 < ecrist> lol, why's that? 08:52 * ecrist is working on renumbering his network today. 08:53 < cpm> Ewwww! 08:53 < cpm> why are you renumbering? 08:55 < ecrist> more just moving hosts around. 08:56 < ecrist> there's a lot of legacy numbers in there that don't need to be. 08:56 < ecrist> for example, my web server has like 8 IPs right now. 08:56 < ecrist> doesn't need that many any more. 08:57 < ecrist> and, I want to open a few up for DHCP from VoIP phones and such, since the apple airport extreme base station doesn't want to play nice with my voip phone. 08:57 < ecrist> :( 08:57 < plaerzen> nerd 09:02 < cpm> yeah, nerd! 09:03 * cpm give ecrist a wedgie 09:03 -!- abien [n=abien@watergate.tradehaven.de] has joined ##openvpn 09:05 < abien> My opinion is that i should be able to bundle/channel multiple DSL lines (from different providers) with a semi-advanced openvpn setup involving bonding of tap devices.. Anyone disagree or can kindly point me to a howto about this or similar topics?
09:06 < abien> or tell me im wrong and it will never work :x 09:06 < cpm> I radically disagree. Good luck. 09:07 < cpm> doing something akin to ad-hoc bgp with dsl is certainly doable. 09:07 < cpm> folks do it. 09:07 < cpm> There are 'black box' approaches to this, and that is definitely the most painless approach 09:08 < abien> yeah but its 3k a pop and i really think that inside they're just using the same technique 09:08 < cpm> now, doing a vpn over it will encounter issues. As you are not going to be able to propagate and publish a route as you would if you were running bgp, you will not necessarily achieve full duplex speed. 09:08 < cpm> naw, you can get them much cheaper than that. 09:09 < cpm> more like $1K to $1.5K or thereabouts. 09:09 < cpm> still cheaper than a decent router. 09:09 < abien> Hmm.. ok im gonna read up. i still think it can be done though. as long as you control both endpoints you should be able to do pretty much anything 09:09 < ecrist> anyone here a dhcpd guru? 09:09 < abien> i didnt mention i control both endpoints though.. 09:10 < abien> the idea is to make the VPN go from the dsl lines to a server in a colocation 09:10 < abien> and goto the www from there.. 09:10 < cpm> true, you didn't. Might be easier then, but again, since you don't control the entire route, it's still sketchy. 09:11 < ecrist> abien: you'd have to setup BGP on either side and build a vpn tunnel across each link 09:11 < cpm> if both of your providers otoh, will do ebgp for you, and publish your route, should be just like doing a regular multihomed subnet. 09:11 < cpm> ah, that's an interesting approach. 09:11 < abien> In my head i shouldnt have to use bgp 09:11 < cpm> do ibgp, across multiple vpns, 09:11 < cpm> hmm, that's interesting 09:12 < cpm> abien, what, you mean like doing mlppp ? 09:12 < ecrist> ick, that would be nasty 09:12 < cpm> truly. 09:13 < abien> one vpn across each link, results in 3 vpn tunnels.
take those 3 tunnel interfaces (tap1 - tap3) and bond them resulting in bond0 distributing incoming packets via the attached devices (tap 0 - tap3) 09:13 < abien> since it's a layer2 tunnel, it shouldnt need any routing protocol 09:13 < abien> maybe i cant explain it too well, but in my head it looks really good ! :P 09:13 < cpm> I think you will drop packets like water out of a noodle strainer. 09:14 < cpm> but you could lab it up, and give it a try. 09:14 < cpm> that wouldn't be *that* hard to mock up. 09:17 < abien> yeah 09:18 < abien> i was just gonna check, if theres a obvious reason why it shouldnt work. 09:18 < abien> so i dont spend the day for nothing :P 09:18 < plaerzen> ugh. At least you have something interesting to work on. 09:18 < plaerzen> I have to go visit a client and troubleshoot our new data backup solution. 09:18 * plaerzen sighs. 09:19 < abien> yeah well.. i made the mistake to publicly announce to my coworkers that my setup would solve our problems 09:19 < abien> so now it better work 09:19 < cpm> plaerzen, is that it that different from your old data back up solution? 09:19 < cpm> abien, yeah, that was a mistake. 09:19 < cpm> but that's how you learn. 09:19 < plaerzen> cpm: yeah, our old one was rsync over ovpn. This new 3rd version is a 3rd party software 09:20 < cpm> plaerzen, yer doing off site? 09:20 < plaerzen> cpm: yeah 09:20 < cpm> which 3rd party? 09:20 < plaerzen> storagepipe 09:20 < cpm> interesting to learn what you find out. 09:20 < plaerzen> so far I have mixed emotions. It's got a nice interface, seems pain free, etc. However I can't see a list of all files each client has backed up..... 09:21 < plaerzen> And that's fairly important 09:21 < cpm> umm, well, the restore dialogues should give you a clue, eh? 09:21 < plaerzen> But, they say they can backup read-locked files....
so if they can do that, it will solve much of our problems 09:22 < plaerzen> cpm: yeah I'm going to the client (beta) site today to check it out - see what information I can glean from the client interface. 09:22 < cpm> abien, it's an interesting problem. What is it predicated on? I'm guessing it's a remote office issue? 09:24 -!- hulatang [n=hulatang@216.129.199.133] has joined ##openvpn 09:24 < hulatang> is there any hardware device that act as openvpn server that's easy to configure? 09:25 < hulatang> I used openvpn server with smoothwall firewall, the configuration is difficult imo 09:25 < cpm> there isn't anything simple about vpns 09:25 < cpm> it's not a simple task. 09:25 * plaerzen nods. 09:26 < plaerzen> I'm actually surprised it's not called sovpn (in the same vein as smtp, sasl, soap, etc) 09:27 * plaerzen laughs at his own joke. Haaaa..... 09:30 < ecrist> hulatang: install freebsd on a box and configure openvpn. 09:31 < ecrist> !freebsd 09:31 < vpnHelper> ecrist: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 09:31 < hulatang> thx 09:33 < plaerzen> !lag 09:33 < vpnHelper> plaerzen: Error: "lag" is not a valid command. 09:33 * plaerzen is feeling silly. 09:33 < plaerzen> afk, smoke break 09:33 < cpm> at the core of the issue, is that folks don't really get what a vpn is. The massive confusion betwixt routing and bridging speaks to this, , loudly. 09:34 < plaerzen> routing confuses me daily 09:34 < plaerzen> rcmd 09:35 < cpm> routing is yet still another classic, if you don't get it, you really don't get it. once you get it, while it's easy to miscalculate stuff, it's simple to understand. 09:39 < ecrist> most people in here with questions have routing questions. 09:40 * ecrist changes channel to #routing 09:42 < adie> isn't #lartc for that? 09:42 < abien> a tap device will automaticly get an ip adress, but it doesnt have to have one correct? after the tap-tunnel is established, i could ifconfig tap0 0.0.0.0 without impact ? 
09:43 < abien> i just want layer2 tunneling
09:43 < adie> cpm as I said, I only get around 300mbit/s... I want gbit.
09:44 < cpm> do you get 1gbit against raw ftp?
09:47 < adie> erm you mean over raw ether?
09:47 < adie> well I get 2gbit with two tcp streams across the line.
09:47 < adie> (duplex of course).
09:47 < cpm> I mean over the same path as you wish to get yer 1gbit over vpn
09:49 < adie> aye
09:49 < adie> the problem is my vpn processes are cpu bound
09:49 < adie> I can only crypt at 300ish mbit/s per stream
09:50 < cpm> umm, well, yeah.
09:50 < adie> as that's 100% cputime.
09:50 < cpm> ya need more power capt'n!
09:51 < adie> so I'm wondering if the via nano cpu systems have enough bus bandwidth combined with the padlock stuff to push 1gbit of aes256
09:51 < rmull> adie: Here's that benchmark I mentioned a bit ago: http://deconfused.org/etc/crypto.txt
09:52 * cpm yawns
09:53 < rmull> So I'd be inclined to say no, that the VIA systems can't push a gigabit of crypto traffic through padlock, and so you won't get the gig across your bus
09:53 < rmull> Actually, I take that back
09:53 < cpm> ya want huge bandwidth on a cryptographic link, there are hardware solutions. They've fallen out of favor due to the low cost of cpu power.
09:53 < rmull> Those numbers are in bytes
09:53 < cpm> so, now folks want huge bandwidth, without dedicating the hardware to the problem?
09:53 * cpm goes back to sleep.
09:54 < rmull> lol cpm
09:54 < hulatang> the DHCP push option, for DNS what should I use?
09:55 < adie> rmull: aye, the c7 systems don't have the bus bandwidth though.. http://www.via.com.tw/en/products/processors/nano/ has very shiny specs
09:55 < vpnHelper> Title: VIA NanoTM Processor - VIA Technologies, Inc. (at www.via.com.tw)
09:55 < hulatang> the vpn server ip or internal dns ip?
09:55 < adie> if they can do a quarter of that I'd be very happy
09:58 < cpm> since you can buy a quad core box + available ram + 2 gigE nics for < $1K, , , well, , , dunno where to go with that.
09:58 < rmull> ovpn doesn't effectively multithread though, no?
09:58 < rmull> so the quad wouldn't help?
10:00 < cpm> http://openvpn.net/archive/openvpn-users/2004-08/msg00186.html
10:00 < vpnHelper> Title: Re: [Openvpn-users] 2.0 pthread support? (at openvpn.net)
10:00 < rmull> What I read about that said it didn't do much to improve stuff
10:01 < cpm> did you read the posting?
10:01 < cpm> Answer: Run multiple server mode daemons, , , ,
10:01 < adie> cpm: because openvpn isn't threaded and it's on a quad core box atm
10:02 * cpm sighs
10:02 < adie> cpm: it's currently load balancing connections across openvpn processes.
10:02 < adie> so it's limited at that 300mbit/s I keep talking about.
10:02 < cpm> sorry, I'm still not seeing this 300mbit boundary
10:03 < adie> well you get a xeon, you throw as much data down an openvpn process as possible, and you reach 300mbit/s.
10:03 < cpm> where is this boundary defined?
10:03 < ecrist> adie: can you show your math on that?
10:04 < adie> if you try to spread a single tcp/udp stream across multiple processes with roundrobin packets, the packets get out of order and choke the connection.
10:04 < adie> ecrist: no maths, it's all practical real world benchmarking
10:05 < hawk> adie: Well, the multiple processes suggestion looked more like a way to handle lots of connections, not to achieve crazy speeds for a single connection.
10:06 < adie> hawk: yes, and that's what I'm currently doing:- roundrobining connections on the link.
10:06 < cpm> hawk, true, iow, achieve what's needed to get the job done. I personally get very bored when folks talk about needing crazy bandwidth across long distances.
10:06 < adie> I've got 100 engineers at my location, and a gig link to another location with lots of hardware down there.
10:07 < cpm> adie, I think that when you add up the overhead traffic inherent in a vpn, even if you could shove the packets down, you'd still not hit 1gig data throughput.
10:08 < adie> cpm: it's 40KM [24 miles] of fibre to a location around 2 miles away. latency isn't the issue.. it's all about computation.
10:08 < cpm> fair enough.
10:09 < cpm> but why are you dicking around with mickey mouse hardware to solve a significant infrastructure challenge?
10:09 < adie> cpm: I'm aware of all the issues, I've got other issues with a link from manchester/uk to california/us...
10:09 < adie> that's all latency related..
10:10 < ecrist> adie: if you're running fibre like that, be a man and use commercial hardware for it.
10:10 < ecrist> if it's that big a deal, use the professional stuff.
10:10 * cpm concurs. Purchase what you need from your bandwidth vendor. Done.
10:10 < ecrist> put two cisco PIXs in place, and run IPSec.
10:11 < adie> aye, I keep talking about that..
10:11 < ecrist> and actually, if it's private fibre, you should be able to trust it.
10:11 < cpm> Ipsec been velly velly good to me.
10:11 * cpm is iffy on that one. even for private fibre, encapsulating it in ipsec doesn't create many problems, and removes a lot of variables. Worth doing I think.
10:11 < adie> I'm trying to battle not-so-clueful management to convince them to let me remove the crypto. they don't want to shell out for proper kit.
10:12 < ecrist> well, then tell them to deal with 300Mbit
10:12 < cpm> they don't want to shell out for proper kit for 100 developers? fuck'em.
10:12 < ecrist> you sure you're not losing packets on the glass?
10:12 < adie> nope it's all fine.
10:12 < cpm> adie, you *could* run openswan ya know.
10:12 < ecrist> can you run non-encrypted traffic at 1Gbps?
10:13 < cpm> probably.
10:13 < adie> cpm: I know.. but unfortunately it really doesn't provide that much performance improvement, and you also can't split multiple processes over your cores, so achieve more than 300mbit total.
10:13 < adie> ecrist: yes. as I said.. it's all cpu bound
10:14 < cpm> adie, dunno, the asa's from this side of the pond have no inherent 300mbit boundary limit.
10:15 < adie> cpm: asa?
10:15 < cpm> those new all-in-one PIXes
10:15 < cpm> new-ish
10:15 < adie> ah
10:16 < adie> I'm talking about crappy x68 boxen running openvpn/other vpn software.
10:16 < adie> s/868/86/
10:16 < ecrist> adie, use real hardware.
10:16 < ecrist> that's our official response.
10:16 < adie> :)
10:17 * plaerzen seconds that motion.
10:17 * adie would vote to ditch the crypto.
10:18 < plaerzen> Those are your options: live with 300 mbit, ditch crypto or use real hardware. (sometimes I like to summarize things)
10:18 < cpm> errr, , , , I'd have doubts.
10:18 * cpm likes crypto
10:18 < plaerzen> yeah, I do too.
10:19 < ecrist> cpm, leased glass doesn't need crypto unless you're doing certain things.
10:20 < adie> think ours is contractual
10:20 < cpm> ecrist, if it leaves my building, it leaves my control. due diligence suggests wrapping it with crypto.
10:20 < ecrist> now, if they're simply tapping into an IP network running on that glass, that's different.
10:21 < adie> we light up the glass ourselves.
10:21 * adie yawns
10:21 < plaerzen> cpm: I like that philosophy
10:22 < adie> I'm just interested whether the new nano's have the bus bandwidth to push 1gbit.
10:22 < ecrist> I agree with the sentiment, but disagree in practice.
10:22 < adie> aye, crypting gbit is kinda expensive still :-/
10:22 -!- bandini [n=bandini@host169-105-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
10:23 < ecrist> cpm: do you wear a tinfoil hat?
10:23 < ecrist> :P
10:23 < hawk> Are tinfoil hats out of fashion?
10:23 < adie> nah
10:23 < adie> I've got 3
10:24 < adie> and I'm wiv teh kool kids and run vister... ;)
10:28 < cpm> adie, well fortunately for me, in my shop, we can't buy any decent bandwidth. So, it's a non issue for me.
10:31 < ecrist> I still find it comical that your company will spend the money on a fibre lease, the termination hardware for 1Gbps, but demands crypto and won't pay for it.
10:31 < ecrist> fwiw, Cisco PIX 501s on ebay for a couple hundred bucks...
10:31 < adie> ecrist: you're not the only one who finds it comical.
10:31 < cpm> more sad than comical really. Sounds like a classic 'go look for a different shop' case.
10:32 < hawk> ecrist: Can those do Gbit vpn, then?
10:32 < adie> I'd doubt it for a 501
10:32 < cpm> bespeaks a certain prioritizing algorithm that may not be acceptable over the long run.
10:32 < hawk> "Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput."
10:32 < adie> the management prefer to spend the cash directly on toys for the code monkeys
10:32 < hawk> :>
10:33 * ecrist is bored with this.
10:34 * cpm is just boring
10:35 * plaerzen is excite.
10:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
10:39 < ecrist> apparently you're borat, too.
10:40 * ecrist throws voip phone against wall.
10:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
10:41 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
10:42 < cpm> heh
10:42 < cpm> great stuff, that voip, ain't it?
10:43 < ecrist> voip isn't the problem today, it's the retarded dhcpclient they use on this phone.
10:43 < cpm> which phone?
10:44 < cpm> don't say grandstream. You lose points if you do.
10:48 < cpm> Anyway, you could do a gig vpn with a pair of cisco 2821s.
10:48 < cpm> if all you needed was ipsec vpn
10:48 < ecrist> cpm, I'm using Polycom SoundPoint IP 330s
10:49 < cpm> http://www.cisco.com/en/US/products/ps5880/index.html
10:49 < vpnHelper> Title: Cisco 2821 Integrated Services Router - Cisco Systems (at www.cisco.com)
10:49 < cpm> SP330s should work okay.
10:49 < cpm> unplug it.
10:49 < ecrist> they do, but the 3.0.0.0258 firmware sucks balls.
10:49 < ecrist> tried that.
10:49 < cpm> dang
10:49 < ecrist> for 5 minutes.
10:49 < ecrist> still comes up wanting its old address.
10:49 < ecrist> :\
10:49 < cpm> that would piss me off really fast :)
10:50 < cpm> I hate truculent dhcp clients.
10:50 < cpm> one reason I hate windows
10:50 < cpm> can haz 192.168.0.100?
10:50 < cpm> FUCK NO!
10:50 < cpm> can haz 192.168.0.100?
10:50 < cpm> DAMNIT! NO!
10:50 < cpm> can haz 192.168.0.100?
10:50 < cpm> take 10.10.232.18
10:51 < cpm> can haz 192.168.0.100?
10:51 < ecrist> cpm http://pastebin.com/m60c1a87e
10:51 < cpm> and so forth
10:51 < cpm> grrrr,
10:51 < cpm> that really makes me angry, I'm getting angry just reading it.
10:51 < ecrist> it's been requesting it for an hour now.
10:52 < ecrist> with a pause every 10 minutes while it gives up and reboots, only to start over again.
10:52 < ecrist> even tried a factory reboot.
10:52 < ecrist> s/reboot/default/
10:52 < cpm> sounds like some flash discipline is required.
10:52 < plaerzen> cpm, you just made my day.
10:52 < cpm> grab another one from the closet, toss that one off the roof.
10:53 < ecrist> what pisses me off is I just RMAd one phone for an issue which may be related.
10:53 < cpm> polycom have a newer firmware?
10:53 < ecrist> no, that's the latest.
10:53 < ecrist> this issue has been quickly escalated to 'engineering'
10:54 < cpm> can you downgrade it?
10:54 < ecrist> nope
10:54 < cpm> crap
10:54 < ecrist> very specifically the 2.x to 3.x firmware is not undoable.
10:54 < ecrist> if that's a word.
10:54 < cpm> what switch software?
10:55 < ecrist> our VOIP provider is IronVoice, using asterisk.
10:55 < cpm> how U pushing your configs?
10:55 < ecrist> our provider does that for us.
10:55 < cpm> one of them outsourced deals eh?
10:56 < cpm> hows that work for you generally?
10:56 < plaerzen> that tcpdump on pastebin. laughter.
10:56 < plaerzen> or logs, w/e
10:58 < cpm> plaerzen, yeah, i can't look at it.
10:58 < cpm> really, I get seriously pissed off (angry) when that happens. I really don't like computers some times. Most of the time, yes.
11:02 < plaerzen> Soon I will have to deal with that.
11:03 -!- abien [n=abien@watergate.tradehaven.de] has quit ["ircN 8.00 for mIRC (20080313) - www.ircN.org"]
11:04 < plaerzen> what do you guys use for gateways in your shops? ( adie can ignore this one - we have like 30 employees)
11:06 < adie> lol
11:10 < cpm> gateway?
11:10 < cpm> adie, you get my push on the cisco 2821 router?
11:10 < adie> cpm: ??
11:11 < plaerzen> cpm: yeah, like what would be a good appliance for a smaller shop that can do routing, vlan administration, etc. crisco pix ?
11:11 < adie> erm, aye that should be fine.
11:11 < cpm> err, krisko asa, or maybe astaro
11:12 < adie> I find our linux and freebsd boxen good enough for that.
11:12 < cpm> asa is an all-in-one, a pix, is basically a vpn 'server'.
11:12 < plaerzen> adie: I want something purpose-made with some redundancy
11:12 < adie> cpm: a pix is a horrible firewall which is cisco supported and has hardware crypto
11:13 < adie> we're running vrrp between boxen
11:13 < cpm> krizko asa, or astaro. the astaro is a linux kludge box w/support contracts, 'simple boss friendly UI' (which is a lie of course, you still need clues)
11:13 < cpm> adie, as a firewall, the pix is a fail.
11:13 < cpm> :)
11:13 < adie> but aye, I'd prolly go for a pix personally.
11:13 < cpm> as a vpn endpoint, it ain't bad.
11:13 * adie has had too many smtpfuckup issues with pixes
11:13 < cpm> but like so many other things, depends a lot on who set it up.
11:14 < adie> we virtually never have issues with our pixes
11:14 < cpm> yup, the smtpfuk on the pix is a bad one.
11:14 < cpm> 1) adie has had too many smtpfuckup issues with pixes
11:14 < cpm> 2) we virtually never have issues with our pixes
11:14 < cpm> which is true?
11:15 < adie> mainly other peoples pixes running smtpfuckup
11:15 < adie> but that was when I used a lot of them in the isp world
11:15 < adie> we have pixes running ipsec to other locations which are fine.. just leave them be :)
11:16 < cpm> http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8048dba8.html
11:16 < vpnHelper> Title: Cisco ASA 5500 Series Firewall Edition for the Enterprise Solution Overview [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems (at www.cisco.com)
11:16 < cpm> ipsec as vpn endpoints, what did I say?
11:16 < cpm> I can't remember.
11:16 < adie> for gbit gets expensive :-/
11:16 < cpm> or rather pix as ipsec vpn endpoints,
11:17 < cpm> quite so.
11:17 < cpm> but, the 2821 with the security module, appears to do what you need.
11:19 < cpm> but for plaerzen, , , well, if I was going to buy such a product, I'd get either an ASA or an Astaro, with the weight on the ASA, as that experience translates well into the future. Not many folks making their bread and butter on managing Astaro (similar) firewalls.
11:19 < cpm> whereas I've never 'learned' something on a piece of cisco gear, that didn't come in handy later.
11:21 < cpm> http://www.astaro.com/our_products/astaro_security_gateway/hardware_appliances
11:21 < vpnHelper> Title: Astaro Security Gateway Hardware Appliances - All-in-One Unified Threat Management Solutions for Complete Network Security, Web Security and Mail Security (at www.astaro.com)
11:30 < plaerzen> ah sweet, I go for a coffee and come back to some reading material.
11:34 < cpm> things about astaro that really piss me off. When they first started to act like they were going to get into the game, and invited the 'community', I -idiot that I am- got involved.
11:34 < cpm> they did a pretty fair job of packaging openswan
11:34 < cpm> I pushed for openvpn, then in the 1.x days
11:35 < cpm> one of their chief developers sent me a really snarky email stating that ssl web vpns aren't true vpns and they would not support them as such.
11:35 < cpm> I got a big case of 'wtf?'
11:36 < cpm> now, of course, they've wrapped openvpn in their secret sauce, calling it 'Astaro SSL VPN'.
11:36 < cpm> doing their level best to hide the openvpn core.
11:36 < cpm> that -imho- sucks.
11:38 < plaerzen> yeah
11:39 < plaerzen> I would be slightly upset
11:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
11:40 -!- plaerzen is now known as AstaroSpy
11:41 -!- AstaroSpy is now known as plaerzen
11:41 < cpm> it's quite cost competitive to the ASA, and it does work as advertised. I've worked on 'em before.
11:41 < cpm> I don't really hate the actual product. The company irritates me.
11:46 < plaerzen> I'm definitely going to look into it
11:54 < ecrist> I'm a little disappointed, guys.
11:55 < ecrist> ever since I went on a rampage a month ago because of all the fuck-heads in here, none of them have shown back up, worth of the banhammer.
11:55 * ecrist sobs.
11:56 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:57 < ecrist> worthy*
12:05 < cpm> If I had the energy, I'd try to get banned, but I just don't have it in me.
12:05 < cpm> maybe I'll try later.
12:28 * plaerzen sighs
12:28 < plaerzen> time to go to the client site... be back later, if I don't suicide.
12:54 < ecrist> lol
12:55 < cpm> n'joy
12:55 < ecrist> cpm: I don't know why, but that phone finally pulled its handset out of its data port and started working with DHCP again.
12:56 < cpm> good
13:02 -!- hulatang [n=hulatang@216.129.199.133] has left ##openvpn []
13:02 < ecrist> and, fwiw, I got the dhcp options stuff setup so that it gets a specific IP address based on manufacturer
13:11 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
13:12 -!- fer_luck [n=fer_luck@201-88-32-138.cbace700.e.brasiltelecom.net.br] has joined ##openvpn
13:12 < fer_luck> hi guys! :-)
13:13 < ecrist> just fer_luck.
13:13 < ecrist> lol
13:13 < ecrist> how goes?
13:13 < fer_luck> ecrist: fine, what about you?
13:13 < ecrist> peachy
13:13 < ecrist> as soon as my boss' wife falls off the planet.
13:13 < ecrist> :\
13:14 < fer_luck> hehe.. that's good I guess. :-D
13:14 < fer_luck> well.. I need some help.. I'm stuck. :-)
13:14 < fer_luck> I have a vpn running already, over pfsense
13:14 < fer_luck> I have three pfsense boxes connecting two branch offices to the hq...
13:14 < ecrist> ok.
13:15 < fer_luck> I did one vpn to connect the hq to branch 1.. and another to connect branch 1 to branch 2 (as I couldn't route between the two branches only using the hq vpn.. forgive me if I'm mistaken with this)
13:15 < ecrist> continue
13:16 < fer_luck> now the problem is.. when I try to access a windows share by using either unc or the ip address, I can access it from branch 1 to hq.. also I can do that from branch 2 to branch 1.. but from branch 1 to branch 2 it's not working.. :-/ the weird thing is that if I try to access the machine through the httpd server contained in there, it works, so it's resolving the machine from 1 to 2.. just accessin the share doesn't wo
13:17 < ecrist> can you draw it out and post it somewhere?
13:18 < fer_luck> I can. hold on.
13:20 < fer_luck> ecrist: you mind if I just post one ascii schematic?
13:21 < ecrist> sure, that's fine
13:22 < fer_luck> ecrist: http://pastebin.com/d171fdb4a
13:22 < fer_luck> I think it should work with only one vpn connection between the branches and the hq.. but I couldn't get it to work by the time, so I decided to do it the way it worked. :-(
13:23 -!- mode/##openvpn [+o ecrist] by ChanServ
13:24 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release: 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copies over 5 lines. | Don't feed the trolls.
13:24 -!- mode/##openvpn [-o ecrist] by ecrist
13:25 < ecrist> fer_luck: there's a couple ways to tackle your problem.
13:25 < ecrist> 1) have one VPN server at the HQ, route everything there.
13:25 < fer_luck> Hmm.. good.. :-) How can I begin?
13:26 < fer_luck> That's what I intended to do at first.. but won't it be kinda slow to route from branch 1 to branch 2?
13:26 < fer_luck> and cause overhead on hq?
13:26 < ecrist> 2) have a VPN server at each location, with each location connecting to each other for direct routes (saves bandwidth at HQ for connections between two remote sites)
13:27 < ecrist> right, so, you install an OpenVPN server at each location, then each other location has a VPN connection to it.
13:27 < ecrist> well, you'd actually only need two servers for three locations.
13:27 < fer_luck> ok.. so you think it might be the structure I did that makes it slow?
13:27 < fer_luck> sorry
13:27 < fer_luck> not work
13:32 < ecrist> http://skitch.com/ecrist/u76w/untitled
13:32 < vpnHelper> Title: Skitch.com > ecrist > Untitled (at skitch.com)
13:33 < fer_luck> ecrist: I guess that's how it is already
13:33 < ecrist> ok, so what's wrong with that?
13:33 < ecrist> set it up so that each site gets a static IP, set routing table so that the subnet at each site is routed to the static VPN IP address.
13:34 < ecrist> in that diagram, HQ and Site 1 have a VPN server.
13:34 < ecrist> HQ serves for site 1 and site 2, site 1 serves for site 2.
13:35 < fer_luck> that's how it is.. I can access branch 1 from branch 2 using other protocols.. but when on (argh) windows I do a \\192.168.3.250 it gives me a "no network provider accepted the given network path"
13:36 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
13:37 < ecrist> sounds like a routing issue.
13:39 < fer_luck> hmmm.. if I traceroute from one location to the other it works
13:39 < ecrist> ok, so what's broken?
13:40 < fer_luck> it just doesn't open the share on windows.. I don't know what's going wrong with this.. as it's neither a dns nor a routing issue
13:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
13:41 < ecrist> fer_luck: windows sharing doesn't work very well across subnets.
13:41 < ecrist> however, if it's not routing, could be firewall
13:41 < fer_luck> hmmm.. I guess I figured what's going on...
13:42 < fer_luck> let me just check if it is really that.. hold on. :-)
13:44 < fer_luck> ecrist: figured what's wrong
13:44 < fer_luck> :-)
13:45 < ecrist> what was it?
13:45 < fer_luck> the problem is.. I was trying to print using the dlink print servers this customer has...
13:45 < fer_luck> one print server module acts as a smb host, the other just has http printing capabilities.. :-O
13:45 < fer_luck> dumb me.. :-S
13:49 < fer_luck> that's very strange..
13:52 < fer_luck> well. thanks guys.. :-)
14:17 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
14:34 -!- near [n=near@88-122-21-114.rev.libertysurf.net] has quit []
14:35 < cpm> This must be thursday
14:35 < cpm> I never could get the hang of thursdays
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 < plaerzen> back from lunch
14:52 < plaerzen> had several beers.
14:55 < plaerzen> now I'm happy
15:16 < plaerzen> harro?
15:19 -!- Whoopie_ is now known as Whoopie
15:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:02 < Optic> mooo
16:19 -!- fer_luck [n=fer_luck@201-88-32-138.cbace700.e.brasiltelecom.net.br] has left ##openvpn []
16:40 -!- SilenceGold [n=chris@adsl-70-232-78-19.dsl.ltrkar.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
16:49 -!- SilenceGold [n=chris@adsl-70-232-78-19.dsl.ltrkar.sbcglobal.net] has joined ##openvpn
16:54 < plaerzen> moo
16:56 < plaerzen> ok, see ya folks monday
16:56 * plaerzen waves.
17:12 -!- sega01 [n=sega01@2001:470:8:29:250:4ff:fe20:dbc4] has quit ["leaving"]
17:22 -!- bandini [n=bandini@host169-105-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
18:01 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"]
18:19 -!- ggeller [n=sdlinuxg@dsl017-112-098.lax1.dsl.speakeasy.net] has joined ##openvpn
18:22 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: epsilon, kala, Bheam, plik, steve, djs
18:22 -!- Netsplit over, joins: steve, djs, plik, Bheam, kala, epsilon
18:59 -!- ggeller [n=sdlinuxg@dsl017-112-098.lax1.dsl.speakeasy.net] has quit ["Ex-Chat"]
19:21 < ecrist> evening, folks
19:39 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
21:02 * ecrist waves back.
21:50 -!- Whoopie_ [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn
21:51 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has quit [Read error: 60 (Operation timed out)]
21:51 -!- Whoopie_ is now known as Whoopie
23:41 -!- dmz [n=dmz@12.149.3.162] has joined ##openvpn
--- Day changed Fri Aug 22 2008
00:42 -!- dmz [n=dmz@12.149.3.162] has left ##openvpn ["Leaving"]
01:57 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
02:04 < kraut> moin
02:54 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
04:11 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
05:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:20 -!- gallatin [n=gallatin@dslb-092-072-075-163.pools.arcor-ip.net] has joined ##OpenVPN
06:41 -!- gallatin [n=gallatin@dslb-092-072-075-163.pools.arcor-ip.net] has quit ["Client exiting"]
07:07 < ecrist> howdy, folks.
07:18 < cpm> lo
07:27 < kala> which of the X.509 EKU Extensions makes more sense for OpenVPN servers and clients, id-kp-ipsecEndSystem or id-kp-serverAuth and id-kp-clientAuth ?
07:27 < kala> I'm trying to design the certificate templates for these
07:28 < kala> and it seems that I can verify those EKU's in the OpenVPN config file
07:30 < kala> because OpenVPN is not really IPSEC ... SSL server and client certificates seem more appropriate
07:32 < cpm> OpenVPN isn't IPSec at all.
07:32 < kala> oh, RFC4945 declares that id-kp-ipsecEndSystem is obsolete anyway
07:36 < kala> ok. but another thing. How do I verify that a server's or client's certificate is given out from a specific OU?
07:37 < kala> --tls-remote verifies the CN value or the whole Subject value
07:38 < kala> so, the only way is to write a custom script and use --tls-verify ?
08:35 -!- svenx [n=sveniu@pat-tdc.opera.com] has joined ##openvpn
08:36 < svenx> nice. www.secure-computing.net uses a self-signed cert? :)
08:38 < svenx> anyway, i'm thinking about split dns, or dns hijacking. the infamous cisco client has a feature where you can specify for which domains dns requests are to be forwarded to the DNS server through the tunnel
08:39 < svenx> so, i can configure the client to forward all DNS queries for the example.net domain to a separate DNS server, provided by the VPN server. the rest will go to the client's own/local DNS
08:40 < svenx> are there any facilities for this in openvpn? it seems there are not, so either all queries go through the tunnel, or none of them do (and you'll have to resort to using ip addresses)
08:41 < cpm> svenx, I fiddled about with pushing resolver to the vpn clients, to a bind server that was specific to the vpn lan, which was a dmz. That worked okay. Not too sure what you're needing to do.
08:42 < ecrist> serverauth/clientauth
08:43 < ecrist> svenx: if you want to buy me a certificate, you're welcome to do so.
08:44 < svenx> cpm: i was just thinking it's a good idea to keep the relevant tunnel traffic in the tunnel, so i won't get the client's other data into my net. just for the sake of cleanness
08:44 < svenx> i.e. i don't want to resolve all his requests for slashdot.org and localnewspaper.net
08:44 < ecrist> svenx: imho, DNS isn't that big an issue.
08:44 < svenx> but it seems that's the simplest way anyway. right
08:45 < svenx> ecrist: sorry, self signed is fine :)
08:45 < ecrist> where I work, we actually make all our DNS public, so we don't have to push DNS server.
08:45 < ecrist> we're a pretty small network, though.
08:47 < ecrist> conversely, I wouldn't see DNS requests as such a big deal, if you do caching and such. Not exactly a high-bandwidth service.
08:47 < svenx> agreed
09:32 < pUmkInhEd> hrm, so i ask your dns server for exchange.yourdomain.com and your dns server spits back 192.168.100.100 ?
09:33 < pUmkInhEd> even better, ask it for exchange.yourdomain.local lol
09:33 < pUmkInhEd> svenx: i think what you want to do is push the connection-specific-suffix
09:34 < pUmkInhEd> push "dhcp-option DOMAIN mydomain.local"
09:34 < pUmkInhEd> and also push a dns server, push "dhcp-option DNS 10.0.0.x"
09:35 < pUmkInhEd> then when clients try to resolve comp.mydomain.local it will use that dns server...
09:35 < pUmkInhEd> or does that redirect ALL dns requests.... not sure, but i know it works
09:37 < svenx> that's the search domain, so when clients enter unqualified hostnames, like 'webserver', it will first append 'mydomain.local' before querying the dns server
09:39 * cpm *really* wishes folks would NEVER EVER use the .local suffix for anything outside of 127/8
09:40 < ecrist> will someone debug my kernel, please?
09:41 < ecrist> pUmkInhEd: no, we have real IPs for most things.
09:42 < ecrist> the vast majority are firewalled, however.
09:44 < cpm> what's wrong with yer kernel?
09:44 < ecrist> http://pastebin.com/m4788a979
09:46 < cpm> ick.
09:46 * cpm runs away
09:48 < cpm> how old is this kernel?
09:48 < cpm> what source tree?
09:50 < ecrist> freebsd 7.0-RELEASE
09:50 < ecrist> patch 3, too.
09:50 < ecrist> FreeBSD leopard.claimlynx.com 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #1: Tue Jul 15 13:53:28 CDT 2008 root@leopard.claimlynx.com:/usr/obj/usr/src/sys/GENERIC i386
09:50 < ecrist> not very old.
09:51 < cpm> No, not very.
09:51 < cpm> Might take it to the freebsd list.
09:51 < cpm> or, swap that ram out :)
09:52 < ecrist> cpm, it's not ram
09:52 < kala> a proposal for a patch. currently tls-remote checks strictly, if (strcmp (opt->verify_x509name, subject)) and so, you cannot check just the first part of the Subject Name and you are forced to write a custom script. It would be nice to use a strncmp (opt->verify_x509name, subject, strlen (opt->verify_x509name)) == 0 check, this way you could specify part of the Subject Name and still get a match :)
09:52 < cpm> probably not. But that's always my default when you have some uptime and the kernel just decides to vomit.
09:53 < cpm> and more than once, I've made panics go away by replacing the ram.
09:53 < cpm> heck, I've made 'em go away by reseating the ram and cpu.
09:53 < cpm> I think folks take hardware for granted. and expect that if it works, it is without flaw.
09:54 < cpm> which is not true.
09:54 < ecrist> cpm, here's the back story. that's our backup server. we off-load to a usb drive, which gets rotated weekly (two drives).
09:55 < ecrist> one drive has no problems, when I use the other drive, it gets all crashy.
09:55 < cpm> replace the drive.
09:55 < ecrist> I don't see any major problems with the drive, though.
09:55 < cpm> you don't see a problem when you connect it, it crashes your server?
09:55 < ecrist> I can format it, and I can do a dd if=/dev/random of=/dev/usbdrive all day without problems.
09:55 < cpm> but when you connect it, it crashes your box
09:56 < ecrist> no, it doesn't immediately crash, only during heavy writes (I think)
09:56 < cpm> hrmmm, but not with the other drive?
09:56 < cpm> are these in drive enclosures? or are you swapping the drive out of the same enclosure?
09:57 < ecrist> different drive enclosures.
09:58 < ecrist> durr, don't know why I didn't try changing the enclosure.
09:58 < cpm> swap the drives around in the enclosures, see if the crash follows the drive, or the enclosure. SOLVE.
10:20 < ecrist> I want to kick half of the slashdot user base's ass right now.
10:28 < ecrist> lol, startssl.com crashes safari
10:33 < kala> OpenVPN cannot download the CRL file by itself and cannot use OCSP, right?
10:37 < ecrist> it needs to have a current CRL available on the filesystem.
10:38 < kala> right 10:43 < kala> perhaps can I do the download in the --ipchange or --route-up script? 10:55 < kala> no, the correct place should be tls-verify script 10:58 -!- dmarkey [n=dmarkey@nat/ibm/x-294c1f9d2daf96a9] has quit [Remote closed the connection] 11:00 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 11:25 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:45 < ecrist> kala: the CRL is only useful to the server, not the clients. 12:07 < kala> certainly more useful to the server, than clients :) 12:08 < kala> it seems that one could perhaps hack a OCSP verifier with an OpenSSL "ocsp" command 12:09 < ecrist> what are you trying to do, exactly? 12:09 < kala> work out a large-scale OpenVPN installation 12:09 < kala> 500-2000 clients, many servers 12:09 < kala> with corporate CA and stuff :) 12:09 < ecrist> oh, cron that 12:10 < ecrist> fetch "URI://to-our-crl" 12:10 < ecrist> once an hour or something. 12:10 < kala> yep, it makes sense to cache the file on the server side. 12:10 < ecrist> and, to top that, in your CA signing scripts, have a routine which pushed the new CRL to the OpenVPN servers. 12:10 < ecrist> or, NFS mount a small directory which contains the CRL. 12:10 < ecrist> to each OpenVPN server. 12:11 < kala> yep, that might be possible too 12:11 < kala> the CA is Microsoft CA though :) 12:13 < ecrist> so waht? 12:13 < ecrist> what* 12:13 < ecrist> Windows can still be scripted. 12:15 < ecrist> why is it so damn quiet in here today? 12:23 < Optic> cause i'm busy at work :) 12:23 < Optic> hehe 12:28 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Read error: 101 (Network is unreachable)] 12:53 -!- near [n=near@88-122-16-182.rev.libertysurf.net] has joined ##openvpn 12:53 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has joined ##openvpn 13:00 < j_nwb> hi guys, is it possible to bridge the openvpn connection at the client end ? 
i.e. multiple machines on the client n/w can get openvpn address ? (In particular I am looking for making virtual machines running on client machine to obtain ip address from the openvpn interface not the local (client) network.) 13:01 < ecrist> sort of 13:01 < j_nwb> so on the client I want to create vpn-bridge and add the tun0 interface to it. After that I can direct the VMs to use the bridge and hence get ip address via tun0. 13:02 < ecrist> don't have openvpn do the IP assignment - do that with a DHCP server separate from OpenVPN 13:02 -!- thomas [i=tm@tm.muc.de] has joined ##openvpn 13:02 < thomas> hello! 13:02 < thomas> peoples here? :-( 13:03 < j_nwb> but I am allowing client-client on the openvpn.. so.. what I am trying to do is to allow VMs at all client location to be on "openvpn network" 13:03 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 13:04 < thomas> have a openvpnserver and a client, works both perfect. now i would like if i go to myexternip (example 111.111.111.111)eth0 and port 5500 then redirect to 10.55.0.2 port 80 tap0 13:04 < thomas> is it possible? 13:05 * cpm falls over 13:05 < thomas> cpm: hm? 13:06 < j_nwb> ecrist: where do u suggest the dhcp should live ? openvpn server n/w, I guess.. but I do not know how does this help ? 13:06 < thomas> have tried this: iptables -t nat -A PREROUTING -p tcp --dport 5500 -j DNAT --to 10.55.0.2:80 13:06 < thomas> but doesn't work 13:07 < thomas> from local (10.55.0.1 (the vpnserver)) i have access to 10.55.0.2:80 13:07 < thomas> ideas? 13:08 -!- near [n=near@88-122-16-182.rev.libertysurf.net] has quit [] 13:15 * ecrist figures out what categories are in mediawiki and feels like a genius. 13:16 < thomas> ecrist: can you help me please? 13:16 < ecrist> j_nwb: what you need then, is an openvpn client installed on each machine connecting. 13:16 < ecrist> otherwise, you need to fix your routing. 
13:17 < ecrist> thomas: it is possible, I don't know iptables, though, as linux sucks balls, so try pf. 13:17 < ecrist> :P 13:17 < thomas> ecrist: I would like forward a port to the openvpn client. 13:17 < ecrist> thomas: you can do that, but it's not really in the scope of this chan. 13:18 < thomas> hm ok 13:18 < thomas> thx 13:18 < ecrist> we can try to help you, but I don't think anyone here's an expert at iptables. 13:33 < j_nwb> ecrist : Thanks I will think it that way... can I use bridge on the client side and tap inerface and not have to think about routing ? 13:53 -!- near [n=near@88-122-16-182.rev.libertysurf.net] has joined ##openvpn 13:56 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 13:58 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 13:58 < Dougy> Hi there 13:59 < Dougy> I have OpenVPN set up on my server and I have 2 clients, and I'm using 172.16.0.0/29 13:59 < Dougy> Both the clients when connecting, I see this: 13:59 < Dougy> Fri Aug 22 14:55:03 2008 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.255.0,route 172.16.0.0 255.255.255.248,ping 10,ping-restart 120,ifconfig 172.16.0.6 172.16.0.5' 13:59 < ecrist> j_nwb: yes 13:59 < Dougy> They both get the same IP. 13:59 < Dougy> Why is it doing that? 13:59 < ecrist> Dougy: are they both using the same client certificate? 14:00 < ecrist> also, it would help if you could paste your client and server configs 14:00 < Dougy> client configs are identical except for the name of the cert they are using 14:00 < Dougy> ecrist: client 1 uses client1.crt and client2 client2.crt 14:01 < ecrist> Dougy: the filename doesn't matter. 14:01 < ecrist> are they actually different certificates? 14:02 < Dougy> yes 14:02 < Dougy> I did ./build-key client1 and ./build-key client2 14:02 < Dougy> can I PM you a link to the config, I'd prefer not to share my site + IP with the world 14:03 < Dougy> ? 
14:04 < rmull> ecrist cannot be trusted 14:04 < Dougy> :< 14:04 < ecrist> :P 14:05 < Dougy> http://thrian.douglashaber.com/server.conf 14:05 * ecrist looks 14:06 < ecrist> that link isn't working. 14:06 < ecrist> :\ 14:06 < Dougy> it works for me 14:06 < Dougy> :S 14:06 < Dougy> what error do you get 14:06 < ecrist> Safari can't open the page "http://thrian.douglashaber.com/server.conf" because it can't find the server "thrian.douglashaber.com". 14:06 < rmull> Does not work for me either, address not found 14:06 < Dougy> strange 14:06 < rmull> ffox3 14:06 < ecrist> it's not a browser problem, isn't a firewall/DNS issue. 14:06 < ecrist> pastebin ftw 14:07 < Dougy> its something i did with the dns server 14:07 < Dougy> hold on 14:07 < Dougy> chances are it may work now 14:07 < Dougy> either way 14:07 < rmull> Dougy: Just pastebin.ca and replace your IPs/names with fake ones if you want 14:07 < Dougy> paste binning 14:07 < ecrist> still no worky 14:07 < Dougy> meh 14:07 < Dougy> ill fix soon 14:07 < Dougy> http://rafb.net/p/rhl8qs53.html 14:07 < vpnHelper> Title: Nopaste - No description (at rafb.net) 14:09 < ecrist> ooh, itunes found my "Team America" sound track. 14:09 < Dougy> lol 14:09 * ecrist listens to "The End of an Act" 14:10 < Dougy> I probably did something wrong with the config 14:11 < ecrist> I miss you more than Michael Bay missed the mark, 14:11 < ecrist> When he made Pearl Harbor. 14:11 < ecrist> I miss you more than that movie missed the point, 14:11 < ecrist> And that's an awful lot . 14:12 < ecrist> hrm, the routing is your issue, I think. 14:12 < ecrist> You're assigning the server 172.16.0.0/29, but pushing 172.16.0.0/24 14:14 < Dougy> er 14:15 < Dougy> let me try fixing 14:15 < ecrist> :) 14:15 < Dougy> i doubt that'll fix it but he 14:15 < Dougy> y 14:15 < Dougy> I need to edit the push line then ecrist 14:16 < ecrist> yes 14:16 < ecrist> why are you pushing the class c? 14:16 < ecrist> is that the address space your LAN uses? 
14:16 < Dougy> I felt like it 14:16 < Dougy> I only really need a /29 14:16 < ecrist> oh, then remove the whole line 14:17 < ecrist> no push 14:17 < ecrist> and, tbh, that /29 doesn't give you a lot of breathing room. 14:17 < ecrist> actually, it doesn't give you any breathing room. 14:18 < Dougy> What od you suggest 14:18 < Dougy> do* 14:18 < Dougy> And, still both get .6 14:18 < Dougy> they get .6 and PTP of .5 14:19 < ecrist> open that subnet up to a /28 14:19 < ecrist> try again. 14:19 < ecrist> a /29 doesn't have enough room for 2 clients 14:20 < Dougy> done 14:20 < Dougy> well 14:20 < Dougy> set to a /28 14:20 < Dougy> connecting clients now 14:20 < Dougy> still both get .6 14:20 < ecrist> I should've noticed the subnet issue earlier, sorry. 14:20 < ecrist> did you restart the openvpn server? 14:20 < Dougy> yes 14:21 < ecrist> can I see new config, please? 14:21 < Dougy> just before i do that 14:21 < Dougy> each client reports tihs: 14:21 < Dougy> Fri Aug 22 15:20:18 2008 route add -net 172.16.0.0 netmask 255.255.255.240 gw 172.16.0.5 14:21 < Dougy> Fri Aug 22 15:20:18 2008 Initialization Sequence Completed 14:21 < Dougy> Fri Aug 22 15:20:18 2008 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.255.240,ping 10,ping-restart 120,ifconfig 172.16.0.6 172.16.0.5' 14:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:22 < Dougy> ecrist: http://rafb.net/p/bJeHTX19.html 14:22 < vpnHelper> Title: Nopaste - No description (at rafb.net) 14:25 < ecrist> running openvpn on ns2.douglashaber.com, eh? 14:25 < Dougy> yep, same box as ns2 14:25 < Dougy> (till i get it working) 14:25 < Dougy> o.O 14:26 < ecrist> remove your ipp.txt line (line 103) 14:26 < ecrist> restart, bake at 350 for 1/2 hour 14:26 < Dougy> haha 14:26 < Dougy> anything else ecrist 14:26 < ecrist> nope, try that. 14:26 < ecrist> you do webhosting out of your home? 14:27 < Dougy> same thing 14:27 < Dougy> no, why? 14:27 < ecrist> just curious. you got a /29? 
14:27 < ecrist> or is that a colo? 14:27 < Dougy> Er maybe I'm not getting hte whole vpn thing o.O 14:28 < Dougy> I thought it was a private network 14:28 < Dougy> like I don't need the actual /29 14:28 < Dougy> o.O 14:28 < Dougy> just one ip 14:28 < ecrist> did you restart? 14:28 < ecrist> the Openvpn server daemon? 14:28 < Dougy> yes 14:29 < Dougy> every time i get the .6 on both, i kill all 3 (2 clients + server) 14:29 < Dougy> until you give me something new to d 14:29 < Dougy> do* 14:29 < ecrist> can I see the server logs? 14:29 < Dougy> er 14:29 < Dougy> if i can find them 14:29 < ecrist> what OS? 14:29 < Dougy> or do you mean when i run openvpn server.conf 14:29 < Dougy> Cent5 14:29 < Dougy> (for the server) 14:29 < ecrist> yes, when you run openvpn server.conf 14:30 < Dougy> I am definitely pm'ing oyu this 14:31 < ecrist> ok 14:31 < ecrist> I already know your IPs. :D 14:32 < Dougy> yeah i know 14:32 < Dougy> lol 14:33 < ecrist> rolf: http://www.theonion.com/content/news/michael_phelps_returns_to_his_tank 14:33 < vpnHelper> Title: Michael Phelps Returns To His Tank At Sea World | The Onion - America's Finest News Source (at www.theonion.com) 14:33 < Dougy> hah 14:33 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 14:34 < ecrist> Dougy: the problem is that both client certificates are the same. 14:34 < Dougy> wtf 14:34 < Dougy> I told you what I did :S 14:35 < Dougy> -bash-3.2# history | grep build-key 14:35 < Dougy> 224 ./build-key-server server 14:35 < Dougy> 225 ./build-key client1 14:35 < Dougy> 226 ./build-key client2 14:35 < Dougy> 272 history | grep build-key 14:35 < Dougy> -bash-3.2# 14:35 < ecrist> hrm 14:35 < Dougy> client1 is my server, client2 is my laptop 14:35 < ecrist> do yo have logs where both clients connect? 14:35 < Dougy> i can try to get them again 14:35 < ecrist> wait 14:36 < ecrist> is your server trying to connect to itself? 
14:37 < Dougy> no 14:39 < Dougy> okay 14:39 < Dougy> so that's got to be it 14:39 < Dougy> so i can make it like 14:39 < Dougy> vpn1.domain.com 14:39 < Dougy> and vpn2.domain.com 14:39 < Dougy> ? 14:39 < ecrist> if you add duplicate-cn to your config, it will work OK. 14:39 < Dougy> i'll resign them since i already rm -rf'd it 14:39 < ecrist> with the same certificate 14:39 < Dougy> haha 14:40 < Dougy> can i do vpn1. and vpn2.domain.com for the common name 14:40 < Dougy> like will that work 14:40 < ecrist> sure 14:40 < ecrist> as long as they're different. 14:40 < Dougy> what about common name for servre and the ca cert 14:40 < Dougy> can they be the same? 14:40 < ecrist> yes, that doesn't really matter 14:40 < ecrist> in these regards, that is 14:40 < Dougy> just the clients? 14:41 < Dougy> for common name, can it be like "John Doe" and "Jane Doe" 14:41 < Dougy> or is it one word 14:42 < ecrist> you can have spaces. 14:42 < ecrist> like I said, you can just hand out one certificate, if you add duplicate-cn to your config. 14:42 < ecrist> the downside is you can't remove a single client, then, you have to revoke them all. 14:42 < ecrist> unless you're using a secondary authenticate token. 14:43 < Dougy> yeah 14:43 < Dougy> im already resigning them 14:46 * ecrist <3 The Onion 14:46 < ecrist> Due to a deadline, The Onion had to make an educated guess on how the runoff election for Rockwell County supervisor ended last night. The guess turned out to be wrong, but the article was in on time. 14:47 -!- pred2k5 [n=Torsten@dslb-088-069-220-255.pools.arcor-ip.net] has joined ##openvpn 14:47 < pred2k5> hi, how to create certificates, when I only have ca.crt ca.key? 14:48 < pred2k5> he complais about index.txt 14:48 < pred2k5> and serials 14:48 < ecrist> http://openvpn.net/howto.html#pki 14:48 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 14:49 < ecrist> *or* download my ssl-admin script, and your world will be a happier place. 14:49 < pred2k5> ssl-admin script? 
14:49 < pred2k5> I do it with easy-rs 14:49 < pred2k5> a 14:50 < pred2k5> I also have dh1024 14:50 < ecrist> pred2k5: read the link i gave above. 14:50 < pred2k5> doing so 14:50 < ecrist> easy-rsa sucks balls, fwiw. 14:51 * ecrist should've called ssl-admin easier-rsa 14:51 < Dougy> im trying it now ecrist 14:51 < ecrist> trying what? 14:52 < Dougy> yay 14:52 < Dougy> one client got .6 one got .10 14:52 < Dougy> o.O 14:52 < Dougy> Why is there a .4 difference 14:52 < ecrist> grats 14:53 < ecrist> Dougy: OpenVPN <2.1 creates a series of /30 subnets for each client, and one for the server. 14:53 < pred2k5> cant find the solution 14:53 < ecrist> so, a /29 doesn't have room for more than 1 client (/30 for server, /30 for one client = 8 ips) 14:53 < ecrist> pred2k5: look harder, or read the help in easyrsa. 14:53 < ecrist> or use ssl-admin 14:53 < ecrist> !ssl-admin 14:53 < vpnHelper> ecrist: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:54 < pred2k5> I thout ssl admin is the same as easyrsa 14:54 < Dougy> oh. 14:54 < ecrist> pred2k5: no, it does some of the same, but it's in perl, and better. 14:54 < Dougy> So if I want 5 clients 14:54 < Dougy> I basically need a /27 14:54 < ecrist> Dougy: just do a /24 and call it good. 14:54 < pred2k5> so 2.1 doesnt create one for server and one for client? 14:55 < ecrist> no, it's got a way to do /32 subnetting. 14:55 < ecrist> or is it /31 14:55 < ecrist> but, it doesn't need to do a series of /30s. 14:58 < ecrist> l8r, kids, I go to work on my truck. 14:58 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"] 15:00 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn 15:01 < Optic> moo 15:02 < pred2k5> should be one command, or why do you give me a link? 15:10 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has joined ##openvpn 15:13 < Dougy> Btw, thanks ecrist (when you get back you'll see) 15:24 < pred2k5> where to get ssl-admin.pl ? 
15:26 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)] 15:28 -!- pred2k5 [n=Torsten@dslb-088-069-220-255.pools.arcor-ip.net] has quit [] 15:29 < Dougy> google it 16:25 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 16:32 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"] 16:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:58 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 17:22 < krzee> !iroute 17:22 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 17:53 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 18:06 < Dougy> goin home 18:19 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has joined ##openvpn 18:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 18:35 < undertakingyou> Question for any who will answer: I am using OpenVPN on a pfsense firewall. When Client1 connects it is given ip address 10.0.4.6, which makes sense. When Client2 connects it is given the address of 10.0.4.6, and then will not stay connected. Is there a trick around this? 
18:49 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: pa, krzy, plaerzen, adie, kaynine, mcp 18:52 < ecrist> yes 18:52 < ecrist> either 1) use different client certificates 18:53 < ecrist> or 2) add duplicate-cn yes to your config and restart openvpn 18:53 -!- Netsplit over, joins: pa, adie, plaerzen, krzy, mcp, kaynine 18:56 < undertakingyou> This link the guy has the same problem: http://openvpn.net/archive/openvpn-users/2004-10/msg00156.html But there is no answer because of PHP errors. 18:56 < vpnHelper> Title: [Openvpn-users] Multiple clients with the same ip address (at openvpn.net) 18:56 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: pa, krzy, plaerzen, adie, kaynine, mcp 18:56 < ecrist> I just answered you. 18:56 -!- Netsplit over, joins: pa, adie, plaerzen, krzy, mcp, kaynine 18:59 < ecrist> undertakingyou: you'll notice that the message you're referring to is from October, 2004. I'm sure this isn't an *issue* and more likely a PEBKAC error. 19:31 -!- masquerade [n=robert@c-71-200-21-140.hsd1.de.comcast.net] has joined ##openvpn 19:31 < krzee> also, are you allowing openvpn to hand out whatever ips it chooses? 19:31 < krzee> !sample 19:31 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:32 < krzee> like 19:32 < krzee> server 10.8.1.0 255.255.255.0 19:33 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 19:41 -!- Mattz0r [n=user@cpc1-linc5-0-0-cust861.nott.cable.ntl.com] has joined ##openvpn 19:42 < Mattz0r> hey there, im trying to do "./build-dh" on my freebsd host box, but.. it doesnt seem to be doing anything :/ - any advice? 19:51 -!- masquerade [n=robert@c-71-200-21-140.hsd1.de.comcast.net] has quit [] 19:59 < ecrist> Mattz0r: ick 19:59 < Mattz0r> ? 20:00 < ecrist> you got a recent version of ports tree? 
20:00 < Mattz0r> yep 20:00 < ecrist> cd /usr/ports/security/ssl-admin && make all install clean && party 20:00 < ecrist> the last command is optional, but it *is* friday 20:00 < Mattz0r> ok 20:00 < Mattz0r> lol 20:00 < ecrist> rehash and run ssl-admin 20:01 < ecrist> oh, you have to edit the config, first. 20:01 < ecrist> if you have problems, let me know. I wrote it. 20:01 < Mattz0r> hmmm 20:01 < Mattz0r> ssl-admin doesnt seem to exist :| 20:01 < Mattz0r> let me do a fetch and extract real quick 20:01 < ecrist> recent copy of ports tree? 20:02 < ecrist> I committed it about 3 weeks ago. 20:02 < Mattz0r> i use portsnap fetch, portsnap extract, portupgrade -au 20:02 < ecrist> rather, asked to have it committed. 20:02 < Mattz0r> ? 20:02 < ecrist> ah, not a user of those tools, myself. 20:02 < ecrist> good ol' csup for me. 20:03 < Mattz0r> its just the way i learnt 20:08 < ecrist> hrm, looks like I've bugs in the ports version of the script. 20:09 < Mattz0r> ah 20:10 < ecrist> and, to my embarrassment, it doesn't, yet, create a dh key. 20:10 < Mattz0r> lolz 20:11 * ecrist adds it to his to-do list. 20:11 < Mattz0r> so this wont help me? lol 20:11 < ecrist> well, it will, managing certificates. 20:11 < ecrist> easy-rsa sucks balls 20:12 < Mattz0r> hehe 20:12 < Mattz0r> i've had no probs 20:12 < Mattz0r> upto "build-dh" 20:12 < ecrist> it's ticket #3 in my trac. 20:12 < ecrist> congrats. 20:13 < Mattz0r> lol 20:13 < ecrist> ok, lemme lookup the code to do it. 20:13 < ecrist> well, see, i've had the perl script for a couple years in various forms I've handed out to folks. Finally, enough people have convinced me to port it to the FreeBSD tree and actually make a project out of it. 20:14 < ecrist> it's still in it's infancy, but relatively full-featured. 
20:14 < ecrist> minus this caveat 20:14 < Mattz0r> ah 20:16 < ecrist> openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} 20:16 < Mattz0r> oki doki 20:16 < ecrist> so, I think, "openssl dhparam -out ./dh1024.pem 1024 would work. 20:16 < Mattz0r> ok 20:17 < Mattz0r> that works 20:17 < Mattz0r> just have to wait for it to create now =] 20:18 < Mattz0r> Oh yea... while im here, and someone with more than half a brain cell is about - If my host has a block of 64 ip addresses - can i push the external IP's out to clients, or at least, hide clients behind different IP addresses? 20:18 < ecrist> not sure I completely follow. 20:18 < Mattz0r> ok 20:18 < ecrist> the answer is going to be yes, but I need a bit more info. 20:18 < Mattz0r> ok 20:19 < Mattz0r> ill try :) 20:19 < Mattz0r> vpn host (64 IP block) 20:19 < Mattz0r> client one - behind ip1, client 2 behind ip2, etc etc 20:19 < Mattz0r> rather than all the clients being behind the same ip addess 20:19 < Mattz0r> address* 20:21 < ecrist> sure. 20:21 < Mattz0r> i've just never figured out how lol 20:21 < ecrist> you're going to be best off doing a bridged VPN in your case. 20:21 < Mattz0r> ok.. 20:21 < Mattz0r> lol 20:22 < ecrist> OpenVPN, the way it doles out static IPs chunks them in /30 subnets, so you essentially lose 3/4 of your IP space. Ick. 20:22 < ecrist> 2.1 is going to do away with that, but it's still in beta. 20:22 < Mattz0r> i see 20:23 < Mattz0r> but wouldnt it be like a hide nat? 20:23 < Mattz0r> rather than assigning the ip's to the clients 20:25 < ecrist> hrm, not really, depending on your network structure. 20:25 < Mattz0r> well, its just a rented dedicated box, 20:25 < Mattz0r> in the USA 20:26 < Mattz0r> and im based in the UK 20:26 < ecrist> so, you want to be able to VPN in and have a US IP address? 20:26 < ecrist> essentially. 
20:26 < Mattz0r> well, i mean i got a bunch of people that i need to have access, but i went each person, to be behind a different IP 20:27 < Mattz0r> want* 20:27 < Mattz0r> not sure how effective that is though, 20:29 < ecrist> do you need them to have static IPs or can they be dynamic? 20:29 < Mattz0r> they can be dynamic, but static would help. 20:29 < Mattz0r> as each ip would have a diff reverse address 20:29 < ecrist> how many clients? 20:29 < ecrist> ok, static it is. 20:30 < ecrist> you *may* want to consider running 2.1 for it's better IP assignement features. 20:30 < Mattz0r> ahh 20:31 < ecrist> how many clients? 20:31 < Mattz0r> 5 atm 20:32 < ecrist> you'll need a client config for each client you add, to assign them the static IP. 20:32 < Mattz0r> ok 20:32 < Mattz0r> dont they have that anyway? 20:32 < ecrist> I'm guessing one of the /26 you've got is the VPN server address? 20:32 < krzee> its just natting each ip with diff ip 20:32 < krzee> each vpn ip with diff external ip 20:33 < Mattz0r> yea... 20:33 < ecrist> krzee: you could do that, or assign the public IP to the client. 20:33 < krzee> oh whoa 20:33 < Mattz0r> either way works for me. 20:33 < krzee> never knew you could do that 20:33 < krzee> thats coolness 20:33 < Mattz0r> neither did i lol 20:33 < ecrist> krzee: why not? 20:33 < ecrist> an IP is an IP. 20:33 < Mattz0r> yea.. 20:33 < Mattz0r> the connectino still goes via the host 20:33 < krzee> umm, i guess it never occurred to me 20:34 < Mattz0r> makes sence. 20:34 < ecrist> is one of the /26 ips your server IP? 20:34 < Mattz0r> well, not atm, but it can be :p 20:34 < ecrist> no, if it's not, that better. 
20:34 < krzee> oh right with routing that will be IP wasteful 20:34 < Mattz0r> oh 20:34 < Mattz0r> then no its not :P 20:35 < krzee> sorry, i will scroll up before any more comments 20:35 < krzee> lol 20:35 < Mattz0r> lol 20:35 < Mattz0r> XD 20:35 < ecrist> so, just setup your server config so that you're giving the entire /26 to your VPN daemon. 20:35 < ecrist> then, for each client you have, in ./ccd/ create a file with the same name as the CN for each client 20:35 < Mattz0r> oh wait 20:35 < Mattz0r> no 20:36 < Mattz0r> /26 = 64 block? 20:36 < Mattz0r> then yes.. my host is one of them ips 20:36 < ecrist> yes 20:36 < ecrist> ah 20:36 < ecrist> ok, we'll do this a different way. 20:36 < Mattz0r> ok 20:36 < ecrist> you know how to use pf? 20:37 < Mattz0r> no ¬_¬ 20:37 < krzee> just make a smaller block 20:37 < Mattz0r> but the guide im going through, includes that 20:37 < krzee> a /27 will be more than enough 20:37 < Mattz0r> could i not assign a /28? 20:37 < ecrist> to not be so wasteful, setup pf to nat each IP individually. 20:37 < ecrist> you could, but that limits you to 3 clients. 20:38 < krzee> a /28 is only 14 ips 20:38 < krzee> not enough for 5 20:38 < ecrist> OpenVPN's static IP setup is very wasteful 20:38 < krzee> but /27 is 20:38 < Mattz0r> ah 20:38 < Mattz0r> well either way works for me lol 20:38 < krzee> sorry 16 ips in this case 20:38 < krzee> 14 in normal subnetting cases 20:38 < Mattz0r> yea 20:38 < ecrist> do this, for your VPN subnet, assign 172.30.0.0 255.255.255.0 20:39 < ecrist> then, setup pf to do 1-1 nat, for each IP you want to make public. 20:39 < Mattz0r> ok, 20:39 < ecrist> it's a bit of work, but you'll be happy, I think, with the end result, and you're not wasting nearly as many public IPs 20:39 < Mattz0r> ironically, i work with firewalls for a living, just not freebsd based ¬_¬ 20:40 < krzee> Mattz0r, any of those windows? 20:40 < Mattz0r> all the clients are windows. 
20:40 < krzee> oh ok 20:40 < ecrist> Mattz0r: pf should make a lot of sense to you, then. 20:40 < krzee> otherwise you coulda gotten rid of the waste 20:40 < Mattz0r> ok 20:40 < Mattz0r> push "route 172.30.0.0 255.255.255.0" 20:40 < Mattz0r> ? 20:40 < ecrist> no 20:40 < Mattz0r> oh 20:40 < Mattz0r> ¬_¬ 20:40 < krzee> the wasteful method is a way to make windows work 20:40 < ecrist> you don't have to push, since it's 'local' to the vppn. 20:40 < ecrist> vpn* 20:41 < Mattz0r> ahhhh 20:41 * Mattz0r removes that part 20:41 < krzee> !push 20:41 < vpnHelper> krzee: Error: "push" is not a valid command. 20:41 < Mattz0r> !pull 20:41 < vpnHelper> Mattz0r: Error: "pull" is not a valid command. 20:41 < Mattz0r> xD 20:41 < krzee> !learn push as goes in the server config and makes the commands act as if they were in the client config, can be used in ccd entries 20:41 < vpnHelper> krzee: The operation succeeded. 20:42 < krzee> !forget push 20:42 < vpnHelper> krzee: The operation succeeded. 20:42 < Mattz0r> ¬_¬ 20:42 < ecrist> Mattz0r: start with getting OpenVPN running and assigning your addresses. 20:43 < krzee> !learn push as usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 20:43 < vpnHelper> krzee: The operation succeeded. 20:43 < Mattz0r> so the server will assign a dynamic local ip? 20:43 < ecrist> for now, yes 20:43 < Mattz0r> ok 20:43 < krzee> you will set the ip in a ccd entry when ecrist gets you there 20:43 < krzee> !ccd 20:43 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 20:43 < ecrist> just make sure you can connect and get an IP. 20:44 < Mattz0r> ok 20:44 < ecrist> !freebsd 20:44 < vpnHelper> ecrist: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 20:44 < Mattz0r> sec 20:44 < ecrist> Mattz0r: ^^^ check that out. 
20:44 < krzee> ecrist, i think the bot and wiki were cool ideas =] 20:44 < ecrist> ditto 20:44 < Mattz0r> connection failed 20:45 < Mattz0r> page load error 20:45 < krzee> accept the cert 20:45 < ecrist> Mattz0r: accept my self-signed certificate. 20:45 < krzee> jinx 20:45 < Mattz0r> nothing came up 20:45 < Mattz0r> ok 20:45 < Mattz0r> nvm i got it 20:45 -!- ChanServ changed the topic of ##openvpn to: Donate $$ to ecrist for a *real* ssl cert! | | Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release: 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copies over 5 lines. | Don't feed the trolls. 20:46 < ecrist> $69 to go! 20:46 < Mattz0r> cool :) 20:47 < Mattz0r> well for all your help your giving, ill donate some $$ when i get paid ;) 20:48 < ecrist> I gotta go play Halo with the kid. Read up on that, get your VPN configured and handing out static IPs. 20:49 * krzee brings ecrist a briefcase of small unmarked bills 20:49 < Mattz0r> ok 20:49 < Mattz0r> halo 3? 20:49 < ecrist> I may be around early tomorrow morning, if not, I'm here M-F 7am-3pm Central, in and outish, depending on my work day. 20:49 < ecrist> yeah 20:49 < Mattz0r> :D 20:49 < Mattz0r> sweet 20:49 < Mattz0r> xbox live? :D 20:49 < ecrist> eyp 20:49 < Mattz0r> Mattz0rPwnz0r <-- 20:49 < krzee> heh 20:50 < Mattz0r> =P 20:50 < ecrist> I'll look you up. MnSlinky for me. kinda gay 20:50 < Mattz0r> lol 20:50 < Mattz0r> vanquish# /usr/local/etc/rc.d/openvpn start 20:50 < Mattz0r> Starting openvpn. 20:50 < Mattz0r> vanquish# 20:50 < Mattz0r> woot 20:50 < ecrist> been my moniker for ~20 years now, though, so I'm stuck with it 20:50 < Mattz0r> :p 20:50 < ecrist> bbl 20:50 < Mattz0r> tun0: flags=8010 mtu 1500 20:50 < Mattz0r> vanquish# 20:50 < Mattz0r> :| 20:50 < Mattz0r> lol 20:51 < ecrist> beer + halo 3 + kid = good family fun. 
20:51 < Mattz0r> lol 20:51 < ecrist> =d 20:51 < Mattz0r> i wouldnt know about that ;) 20:51 < Mattz0r> i'm prolly a "kid" in your eyes lol 20:51 < krzee> k now im curious 20:51 < krzee> age? 20:52 < Mattz0r> 20 20:52 < krzee> nah not kid to me 20:52 < Mattz0r> lol ok :P 20:52 < krzee> dunno bout ecrist tho ;] 20:52 < Mattz0r> ;] 20:53 < Mattz0r> yeah.. been doing firewalling for a year now :| 20:53 < Mattz0r> working with an in-house firewall system 20:53 < krzee> im bout to go work with an in-belly burger system 20:54 < krzee> ill bbl =] 20:54 < Mattz0r> lol 20:54 < Mattz0r> later 21:05 < Mattz0r> hmmm 21:16 < Mattz0r> bleh 21:17 < Mattz0r> its not assigning an ip :( 21:36 -!- near [n=near@88-122-16-182.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:37 -!- near [n=near@88-122-17-249.rev.libertysurf.net] has joined ##openvpn 21:44 < ecrist> ecrist: 3, ecrist_mini: 0 21:44 < ecrist> muahahaha! 21:44 < ecrist> Mattz0r: did you set it up as I listed in the wiki? 21:45 < Mattz0r> yea 21:45 < Mattz0r> i did 21:45 < ecrist> and the vpn clients aren't getting IPs? 21:45 < ecrist> you using tun or tap? 21:46 < Mattz0r> err 21:46 < Mattz0r> tap? 21:46 < Mattz0r> the server is tun0 21:46 < ecrist> and the client? 21:46 < Mattz0r> but my client is using tap? 21:46 < Mattz0r> i dont know :S 21:46 < ecrist> no, wrong 21:46 < ecrist> client and server need to match. 21:47 < Mattz0r> ok 21:48 < Mattz0r> well when i use tap... on the server 21:48 < Mattz0r> it doesnt show in ifconfig 21:48 < Mattz0r> =/ 21:50 -!- Whoopie_ [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn 21:51 < ecrist> Mattz0r: my wiki example uses tun. 21:52 < ecrist> tap is a bridging mode driver, you need to actually build a bridge. i.e. no IPs are assigned. 21:52 < ecrist> follow the wiki, verbatim 21:52 < Mattz0r> oh 21:52 < Mattz0r> screw that then lol 21:52 < Mattz0r> but if my client's device is tap 21:52 < Mattz0r> how can it use tun? 
21:54 < Mattz0r> im maybe doing something wrong with the client.conf 21:54 < Mattz0r> :/ 21:56 < Mattz0r> tun0: flags=8051 mtu 1500 21:56 < Mattz0r> inet 172.30.0.1 --> 172.30.0.2 netmask 0xffffffff 21:56 < Mattz0r> Opened by PID 57616 21:56 < Mattz0r> but my client fails to connect ¬_¬ 21:56 < Mattz0r> it just sits there 21:58 < ecrist> where is that from, server I'm guessing? 21:58 < Mattz0r> yea 21:59 < Mattz0r> last line of the client connecting is.. 21:59 < Mattz0r> Sat Aug 23 03:59:00 2008 UDPv4 link remote: 64.18.129.130:1194 21:59 < Mattz0r> then theres nothing else 21:59 < Mattz0r> ¬_¬ 22:00 < ecrist> ifconfig shows? 22:00 < Mattz0r> ahhh 22:00 < Mattz0r> pm one sec? saves spamming ¬_¬ 22:00 < SilenceGold> Mattz0r did you really read the openvpn docs? 22:00 < Mattz0r> ive had it working before quite some time ago ¬_¬ 22:01 < Mattz0r> but it was under a debian host... and it worked first time :| 22:02 < Mattz0r> its telling me the TLS handshake failed, even tho i didnt set the tunnel to even have TLS 22:02 < SilenceGold> you didn't follow the documentation properly this time. 22:03 < Mattz0r> -.- 22:03 < ecrist> Mattz0r: OpenVPN is an SSL vpn suite. 22:05 * ecrist goes away for the night. 22:07 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has quit [Read error: 110 (Connection timed out)] 23:02 -!- Mattz0r [n=user@cpc1-linc5-0-0-cust861.nott.cable.ntl.com] has quit [] 23:16 < undertakingyou> ecrist: I am using different certificates. It is not a PEBKAC error, I am watching it hand out the same address to two different clients using two different certificates. 23:16 < undertakingyou> krzee: I am allowing OpenVPN to hand whatever address it wants to out of the range I have given it. 23:26 < ecrist> undertakingyou: what range did you give it? 23:34 < undertakingyou> 10.0.4.0/24. I gave the vpn its own subnet. 
--- Day changed Sat Aug 23 2008 01:13 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 01:48 < krzee> werent you supposed to give it the ips you wanted to dish out? 01:48 < krzee> ... 01:49 < krzee> oh sorry that was someone else 01:53 < krzee> !configs 01:53 < vpnHelper> krzee: "configs" is please pastebin your client and server configs, also include which OS and version of openvpn. 01:54 < krzee> @ undertakingyou 02:54 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 03:35 < Bheam> oi 03:37 < Bheam> if 2 people have conflicting ip's between their local lan, is it still possible to setup openvpn bridge somehow? but with a different ip? 04:11 < Bheam> scratch that :p 04:21 -!- Whoopie_ is now known as Whoopie 04:32 < Bheam> right so bridges are to allow windows networks name resolution etc, and it says bridges are required for this 04:32 < Bheam> wouldn't a virtual network adapter alone allow this? 04:32 < kala> bridges is for L2 broadcasts to work 04:33 < kala> windows name resolution can work over broadcasts and WINS and DNS 04:33 < Bheam> L2 broadcasts? is that a particular kind of broadcast ? :p 04:34 < kala> ethernet broadcasts vs IP broadcasts 04:34 < kala> umm ... 
I think 04:34 < kala> now I'm not so sure anymore :) 04:35 < Bheam> well anyway 05:12 -!- Mattz0r [n=user@cpc1-linc5-0-0-cust861.nott.cable.ntl.com] has joined ##openvpn 05:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 05:42 -!- gallatin [n=gallatin@dslb-092-073-112-213.pools.arcor-ip.net] has joined ##OpenVPN 07:27 -!- gallatin [n=gallatin@dslb-092-073-112-213.pools.arcor-ip.net] has quit ["Client exiting"] 07:32 -!- hkais [n=dpalic@p4FEBEE0D.dip.t-dialin.net] has joined ##openvpn 07:34 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 07:38 -!- hkais [n=dpalic@p4FEBEE0D.dip.t-dialin.net] has left ##openvpn [] 07:39 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 08:13 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: pa, krzy, adie, plaerzen 08:14 -!- Netsplit over, joins: pa, adie, plaerzen, krzy 08:16 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit [Read error: 104 (Connection reset by peer)] 09:08 < ecrist> Bheam: no, you cannot. 09:09 < Mattz0r> hey ecrist 09:10 < Mattz0r> i think my issue is something to do with my host machine. lol 09:10 < Mattz0r> cause i tested a vpn between both PCs on my LAN, and it worked first time. 09:11 < ecrist> ok 09:11 < Mattz0r> so i might just give it up as a bad job :p 09:36 -!- near [n=near@88-122-17-249.rev.libertysurf.net] has quit [] 09:40 -!- near [n=near@88-122-17-249.rev.libertysurf.net] has joined ##openvpn 09:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:48 < ecrist> have a good day, kids. I'm off to 'The Great Minnesota Get-Together' 09:48 < ecrist> mauaahahahahahah! 10:42 -!- pred2k5 [n=Torsten@dslb-088-069-222-177.pools.arcor-ip.net] has joined ##openvpn 10:43 < pred2k5> hi, I have the following net configuration in my server config: "server 10.8.0.0 255.255.255.0", but a client with "ifconfig 10.8.0.24 10.8.0.23" (pushed) is not allowed? 
10:43 < pred2k5> should be from 10.8.0.1 to 10.8.0.254 10:44 < pred2k5> "ifconfig endpoints [local=10.8.0.24, remote=10.8.0.23]. The local and remote VPN endpoints must exist within the same 255.255.255.25" 10:44 < pred2k5> 252 10:47 < pred2k5> 26/25 works again 10:48 < pred2k5> ah ok wrong subnet 10:48 < pred2k5> but why doest 20/19 work? 10:48 < pred2k5> does 10:52 -!- Dougy [n=doug@64.18.159.247] has quit [Read error: 110 (Connection timed out)] 11:02 -!- Optic [n=dfraser@miso.capybara.org] has left ##openvpn [] 11:16 -!- gongoputch [n=kseel@74.95.184.161] has joined ##openvpn 11:17 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 11:17 < Dougy> Hi there 11:18 < Dougy> If my server only has one public IP, and I set openvpn to route all traffic through it, when browsing the internet does my IP show as the server's IP? 11:23 < gongoputch> by 'route all traffic through' = set your default route as the tunnel? 11:24 < gongoputch> if yes, think about what the effect of that would be 11:24 < Dougy> gongoputch: what effect? 11:24 < Dougy> you're making it sound like its nightmarish 11:24 < Dougy> gongoputch: so if my server's ip is 4.2.2.2, then when you connect to the vpn and surf the net, your ip would show as 4.2.2.2 11:24 < Dougy> is that possible? 11:25 < gongoputch> routing must the unequivocal. 11:25 < gongoputch> s/the/be/ 11:25 < Dougy> that confused me 11:25 < Dougy> o.o 11:25 < gongoputch> ok ... 11:26 < gongoputch> ovpn will need to have tcp/udp connectivity to maintain the tunnel 11:26 < gongoputch> then you set routes thru it 11:26 < Dougy> its run as root on my linux laptop + it runs as root on my server obv 11:26 < gongoputch> if you set the default route AS the internal endpoint of the tunnel ...... 11:27 < Dougy> i'm new to this, so can you stupidify that for me 11:27 < gongoputch> You are wanting to have all internet traffic proxied through your remote VPN machine? 
11:27 < Dougy> yes 11:28 < Dougy> so when they surf or IRC, it shows as corp.domain.com 11:28 < gongoputch> I am new to OVPN too but not new to tunnelling 11:28 < Dougy> i got it to designate 172.16.0.0/27 just fine 11:28 < Dougy> but i want to make it look like you're browsing from the server 11:29 < gongoputch> from a routing point of view, I guess you could add a route to your remote OVPN box as a single IP 11:29 < gongoputch> then make your default route the remote endpoint of the tunnel 11:29 < Dougy> push "redirect-gateway" 11:29 < Dougy> I uncommented that 11:29 < Dougy> now i gotta figure out the rest 11:29 < gongoputch> in theory that would maintain the link 11:30 < gongoputch> of course, IP forwarding would have to be enabled on the remote 11:30 < Dougy> because on my laptop is executing "route add -net serverip netmask 255.255.255.255 gw gatewayip" 11:31 < gongoputch> it is an interesting 'problem' 11:35 < Dougy> ecrist show up 11:35 < Dougy> and i'll donate to your SSL cert 11:36 < gongoputch> do you have the tunnel up? 11:37 < gongoputch> just pick an IP somewhere on the net ... e.g. www.abc.com, set the route to it as the far side of the tunnel and ping it 11:38 < gongoputch> running tcpdump icmp on both your 'real' interface and the tunnel interface 11:38 < Dougy> eh man i'm out of it today 11:38 < Dougy> i guess maybe i should save it for a rainy day 11:38 < Dougy> or when someone will really baby me through it 11:38 < gongoputch> why? 11:38 < gongoputch> this is a 'baby step' 11:38 < gongoputch> you know how to add a route? 
11:39 < Dougy> not done it in a while 11:39 * Dougy man's route 11:39 < Dougy> or do you mean with openVPN 11:39 < gongoputch> on FBSD it is "route add whereto wherethru" 11:39 < gongoputch> no, just with your OS 11:39 < Dougy> route add -net serverip netmask 255.255.255.255 gw gatewayip 11:39 < gongoputch> ok 11:39 < gongoputch> you are on Linux then 11:39 < Dougy> yes 11:39 < Dougy> laptop is debian 11:40 < gongoputch> by adding one IP like that you are telling the OS "if you want host A, send the packets thru gateway B" 11:40 < Dougy> i see 11:41 < Dougy> so in theory that sends the route to make it pass thru if openvpn sends that 11:41 < Dougy> right? 11:41 < gongoputch> the remote side must be told to forward packets, and probably to NAT them (you are likely using rfc 1918 addresses) 11:41 < Dougy> probably 11:41 < gongoputch> in theory this should work 11:42 < gongoputch> there are usually significant details 11:42 < Dougy> so do i need to edit sysctl.conf 11:42 < Dougy> and enable fwding 11:42 < gongoputch> sysctl.conf .... the server is fbsd? 11:42 < Dougy> linux has it as well 11:42 < gongoputch> ah 11:43 < Dougy> server is cent 11:43 < Dougy> 5 11:43 < gongoputch> I tried Linux seriously back in 1993 11:43 < gongoputch> I didn't like it 11:43 < gongoputch> FBSD from about 94 11:43 < gongoputch> :) 11:44 * Dougy shrugs 11:44 < Dougy> I was still in diapers then 11:44 < gongoputch> I should really dick around with ovpn some more before I give advice 11:44 < Dougy> lol 11:45 < gongoputch> ecrist has some really good articles on it in his wiki 11:46 < Dougy> ecrist is awesome. 11:49 < gongoputch> I know him from ##freebsd 11:50 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has left ##openvpn ["bye"] 11:53 < Dougy> well 11:53 < Dougy> i enabled packet forwarding in sysctl.conf and rebooted 11:53 < Dougy> it added the route 11:53 < Dougy> still not workin 12:40 < gongoputch> do you have NAT on the opposite side? 12:40 < gongoputch> and what route did you add? 
13:06 < krzee> !wiki 13:06 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN 13:06 < krzee> thats his wiki btw 13:07 < krzee> !route 13:07 < vpnHelper> krzee: Error: "route" is not a valid command. 13:07 < krzee> !routes 13:07 < vpnHelper> krzee: Error: "routes" is not a valid command. 13:07 < krzee> bleh 13:07 < krzee> !learn route as https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:07 < vpnHelper> krzee: The operation succeeded. 13:07 < krzee> !learn routes as https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:07 < vpnHelper> krzee: The operation succeeded. 13:23 < krzee> !learn tls-cipher as http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users 13:23 < vpnHelper> krzee: The operation succeeded. 13:23 < krzee> !tls-cipher 13:23 < vpnHelper> krzee: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users 13:23 < krzee> heh 13:32 < krzee> !ubuntu 13:32 < vpnHelper> krzee: "ubuntu" is dont use network manager! 
13:34 < krzee> !privledges 13:34 < vpnHelper> krzee: "privledges" is just choose a sandbox user/group that nothing else is using, then in config use: user vpnuser and group vpngroup , and if it is the server add: persist-key and persist-tun 13:34 < krzee> !freebsd 13:34 < vpnHelper> krzee: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:34 < krzee> !gentoo 13:34 < vpnHelper> krzee: "gentoo" is http://gentoo.linuxhowtos.org/openvpn/openvpn.htm 13:35 < krzee> !secure 13:35 < vpnHelper> krzee: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html 13:36 < krzee> !ask 13:36 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/ 13:36 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 13:40 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask 13:40 < vpnHelper> krzee: The operation succeeded. 13:40 < krzee> !freebsd 13:40 < vpnHelper> krzee: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:41 < krzee> !winpass 13:41 < vpnHelper> krzee: "winpass" is openvpnGUI for windows has a change password feature that will change the passphrase on your .key files 13:41 < krzee> !forget menu 13:41 < vpnHelper> krzee: The operation succeeded. 13:41 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass 13:41 < vpnHelper> krzee: The operation succeeded. 13:42 < gongoputch> ah, a bot! 
13:42 < gongoputch> vpnHelper: help 13:42 < vpnHelper> gongoputch: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 13:42 < krzee> basically im trying to give you !menu 13:42 < krzee> !forget menu 13:42 < vpnHelper> krzee: The operation succeeded. 13:42 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev 13:42 < vpnHelper> krzee: The operation succeeded. 13:42 < krzee> !menu 13:42 < vpnHelper> krzee: "menu" is !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev 13:43 < krzee> with all the learned commands 13:43 < krzee> unfortunately that gets upkeep by hand 13:43 < krzee> which is kinda lame 13:43 < gongoputch> what is vpnhelper? An eggdrop? 13:44 < krzee> no 13:44 < krzee> !/30 13:44 < vpnHelper> krzee: "/30" is http://openvpn.net/index.php/documentation/faq.html#slash30 13:44 < krzee> !forget menu 13:44 < vpnHelper> krzee: The operation succeeded. 13:45 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30 13:45 < vpnHelper> krzee: The operation succeeded. 
13:45 < krzee> a supybot 13:45 < krzee> i think eggdrops are overkill for freenode 13:45 < krzee> they're more coded for efnet 13:46 < gongoputch> I like TCL better than python 13:46 < krzee> cool 13:46 < gongoputch> but I am a fogey 13:47 < krzee> supybot comes with everything we use for the channel anyways 13:47 < krzee> so the lang doesnt come into play 13:47 < gongoputch> it looks good 13:47 < gongoputch> I like bots 13:47 < gongoputch> some chans ban them 13:47 < krzee> ya its pretty handy for helpin people 13:48 < krzee> that and the wiki has made it easier to just point people to the answers for commonly asked stuff 13:48 < krzee> of course we still need to add more content to both (especially the wiki) 13:49 < krzee> but it'll get done as topics come up 13:50 < gongoputch> it is a different world today, the way info systems are more and more integrated 13:50 < krzee> !learn multi as please see !iroute 13:50 < vpnHelper> krzee: The operation succeeded. 13:50 < krzee> !forget menu 13:50 < vpnHelper> krzee: The operation succeeded. 13:50 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi 13:50 < vpnHelper> krzee: The operation succeeded. 13:50 < krzee> would be nice if Factoids updated !menu on its own 13:51 < krzee> and ya what you said is very true 13:51 < krzee> voip as a prime example 13:51 < krzee> we're moving closer and closer to unified messaging 13:51 < krzee> which is pretty cool 13:51 < gongoputch> yet corporate america fails to avail itself of it, by and large 13:52 < gongoputch> except in isolation, like using VOIP instead of PBXs 13:52 < gongoputch> but it uses VOIP LIKE IT WAS a PBX 13:52 < gongoputch> duh. 
13:52 < krzee> hahah 13:52 < krzee> yup 13:53 < krzee> they still use PBX's for voip 13:53 < krzee> just not analog ones ;] 13:53 < gongoputch> sigh 13:54 < gongoputch> I think if management can't understand it, no one will use it 13:54 < krzee> just makes more room for the little guy 13:54 < gongoputch> yes 13:54 < gongoputch> it does 14:01 < krzee> !router 14:01 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 14:01 < krzee> !forget menu 14:01 < vpnHelper> krzee: The operation succeeded. 14:01 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router 14:01 < vpnHelper> krzee: The operation succeeded. 14:01 < krzee> !notopenvpn 14:01 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 14:01 < krzee> !forget menu 14:01 < vpnHelper> krzee: The operation succeeded. 14:01 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn 14:01 < vpnHelper> krzee: The operation succeeded. 14:01 < krzee> !path 14:01 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier 14:02 < krzee> !forget menu 14:02 < vpnHelper> krzee: The operation succeeded. 
14:02 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path 14:02 < vpnHelper> krzee: The operation succeeded. 14:02 < krzee> !netman 14:02 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list 14:02 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman 14:02 < vpnHelper> krzee: The operation succeeded. 14:02 < krzee> !forget menu 1 14:02 < vpnHelper> krzee: The operation succeeded. 15:11 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:13 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 15:14 -!- Concept-P [n=concept@twimp.se] has joined ##openvpn 15:17 < Concept-P> Hello all! I have a question that I cant seem to find an answer to. Im trying to connect to my vpn server, but it fails with the tls auth. I have changed the ta.key on both the server and the client. But it still does not work. Does the ta.key need to be signed with the ca or something like that? 15:20 < Concept-P> tips or a url to a howto would be helpful. =) the one on openvpn.net seems to be lacking some info. =P 15:22 < undertakingyou> krzee and ecrist: Thanks for your pointers, I figured out why everyone was getting the same IP and I now have it resolved. 15:27 < krzy> no problem, what was it? 
15:28 < krzy> Concept-P: 15:28 < krzy> !logs 15:28 < vpnHelper> krzy: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:28 < krzy> !configs 15:28 < vpnHelper> krzy: "configs" is please pastebin your client and server configs, also include which OS and version of openvpn. 15:28 < Concept-P> undertakingyou: did you make the certificates with the same servername? I made that error yesterday =D 15:29 < krzy> Concept-P, they wouldnt be able to connect in that case without duplicate-cn 15:29 < undertakingyou> krzy, even though I had different cert/key pairs they were all built with the same common name. So, rebuild the crt's with different common name and then away we go. 15:29 < krzy> (which should not be enabled) 15:29 < undertakingyou> yeah Concept-P, looks like I had the same thing going. 15:29 < krzy> hahah, concept-p was right 15:29 < krzy> werd 15:29 < Concept-P> heh. =D 15:29 < krzy> undertakingyou, i take it you were using duplicate-ncn? 15:29 < krzy> s/ncn/cn/ 15:30 < Concept-P> krzy: the error in the logs is a TLS error. I could paste the 3 lines, but I dont think its needed. 15:30 < undertakingyou> I don't want duplicate-cn so it is off. I want one connection per crt/key pair. I thought the common name would be what I started with, so ./build-key client1 would make client1 the common name. 15:30 < krzy> i would like to see the logs and configs 15:30 < krzy> if you want help from me, i need to see them 15:30 < Concept-P> krzy: oki. w8. 15:31 < krzy> undertakingyou, good... 
i was going to tell you to remove it 15:31 < Dougy> ecrist: when you're here, send me a PM 15:31 < krzy> Dougy, hes most often here on weekdays 15:32 < krzy> depending on hos busy he is at work 15:32 < krzy> s/hos/how/ 15:32 < Dougy> he was here yesterday night 15:32 < krzy> yup, he does stop through other times too, but if you dont hear from him before monday try him again 15:34 < Concept-P> krzy: http://plu.nu/~concept/temp/ server config, client config, and log from client. =) 15:34 < vpnHelper> Title: Index of /~concept/temp (at plu.nu) 15:35 < krzy> thx, reading 15:35 < Concept-P> krzy: thank you for the help =) 15:35 < krzy> np 15:35 < krzy> you have a reason for tcp? firewall allows 1195 tcp but not udp? 15:35 < krzy> !tcp 15:35 < vpnHelper> krzy: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 15:36 < Concept-P> krzy: no real reason actually. just started out that way.. 15:36 < krzy> k, make sure you switch back to udp 15:37 < Concept-P> krzy: oki. I never understood why udp would be better. =) 15:37 < krzy> werd, the link vpnHelper gave will explain why 15:37 < krzy> but while that COULD be your problem, odds are it isnt 15:37 < krzy> may as well test if it works with udp, but likely its the same 15:38 < krzy> !man 15:38 < vpnHelper> krzy: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 15:38 < krzy> (thats for me) 15:38 < krzy> looking up what your mssfix 15:38 < krzy> does 15:39 < Concept-P> krzy: I dont think it is. Everything was working fine yesterday, until I realised that I had put the same commonname on all certs (the commonname of the vpnserver, not the client) and then I used the easy-rsa clean-all script, and regenerated everything from scratch. replaced all the certs and key files, and then it didnt work anymore. 
15:40 < krzy> ohh 15:40 < krzy> ok then you likely kept 1 file somewhere from the old setup 15:40 < krzy> remove everything related to certs and start over 15:40 < Concept-P> krzy: Ok, now I understand why tcp is not a good option. 15:41 < krzy> ya 15:41 < krzy> its good openvpn supports it cause sometimes its the only way 15:41 < krzy> but if you can avoid it, do 15:42 < krzy> also 15:42 < krzy> Sat Aug 23 21:29:41 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 15:42 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 15:42 < Concept-P> krzy: hmm, I did remove all the files. from the server with the clean-all script. then I copied all certs and stuff over a secure channel to an ironkey, then copied the files from the ironkey to the clients. 15:42 < krzy> see that link 15:43 < Concept-P> krzy: yeah, I noticed that too yesterday, I have another client config (on an another machine) where I fixed that issue. =) 15:43 < krzy> cool 15:43 < krzy> it looks like there was a problem when copying the files 15:44 < Concept-P> krzy: But atm, I thought it was more important to get the thing going than worrying about mitm =D 15:44 < krzy> oh wait 15:44 < krzy> Sat Aug 23 21:29:46 2008 Authenticate/Decrypt packet error: packet HMAC authentication failed 15:44 < krzy> thats your tls.key 15:44 < krzy> your static key 15:44 < krzy> for now you can comment out tls-auth and see if it works 15:44 < Concept-P> hmm. w8. 15:44 < krzy> (on client and server) 15:45 < krzy> !sample 15:45 < vpnHelper> krzy: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:45 < krzy> (thats for me too) 15:46 < Concept-P> krzy: Now I feel like a jackass. =D 15:46 < krzy> didnt copy over the new tls static key? 15:46 < Concept-P> krzy: when I recreated all the keys.. 
I didnt make a tls.key =D 15:46 < krzy> ya 15:46 < krzy> it happens ;] 15:46 < Concept-P> =D 15:47 < krzy> btw, good looking configs 15:47 < krzy> can tell you read the docs 15:47 < Concept-P> krzy: thats the openvpn --genkey --secret command right? 15:47 < krzy> if you have lans behind clients, see !iroute 15:48 < krzy> !secure 15:48 < vpnHelper> krzy: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html 15:48 < krzy> 1sec 15:48 -!- hawk [n=hawk@pdpc/supporter/active/hawk] has quit [Read error: 104 (Connection reset by peer)] 15:48 < krzy> yup, that is it 15:48 < krzy> can see man page (!man) for making the key bigger than default 15:48 < krzy> personally i use 4096 for everything 15:49 < krzy> default is 1024 15:49 < Concept-P> krzy: then I did make it. I just named it ta.key instead. =/ 15:49 < krzy> well they arent identical on both sides 15:50 < Concept-P> krzy: Im using 2048 for everything.. but maybe I should change it to 4096 before starting everything. 15:50 < krzy> 2048 is good too, what strength you use is up to you 15:50 < krzy> i just go overboard 15:50 < krzy> im krzy like that ;) 15:51 < Concept-P> krzy: well. it is a medical office. so it should be secure. =P 15:51 < krzy> ahh, yes it should be 15:51 < krzy> may as well pump it up to 4096 everywhere 15:51 < Concept-P> krzy: since I guess I missed a step somewhere, Ill remake all keys with 4096 =) 15:52 < krzy> i use 4096 in certs, TLS key, DH key 15:52 < krzy> you use fbsd? 15:53 < Concept-P> krzy: No, linux. 15:53 < Concept-P> krzy: krzy for the server anyway. all the clients are winxp 15:54 < krzy> werd 15:54 < krzy> ecrist made a perl script to manage keys and all that with 15:54 < krzy> you may find it helpful 15:55 < krzy> it is included in FBSD ports, but would work on linux too 15:55 < Concept-P> krzy: Im not used to fbsd, or any bsd. 
So I feel that its better to use something familiar (where I know where the potholes are) rather than use a system that might have one or two potholes, but you dont know where they are. =D 15:55 < Concept-P> krzy: I can give it a try, where can I find it? 15:56 < krzy> i totally agree 15:56 < krzy> use the OS you know 15:56 < krzy> 1sec lemme find it 15:56 < krzy> !wiki 15:56 < vpnHelper> krzy: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN 15:57 < krzy> i would recommend doing it by hand, but you have done that a couple times now and using a tool like this wont hurt you from learning (cause you already know how to by hand) 15:58 < krzy> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 15:58 < vpnHelper> Title: OpenVPN Server - Secure Computing Wiki (at www.secure-computing.net) 15:58 < krzy> skip to Setup SSL Certificates/Keys 15:58 < Concept-P> learn how to do something by hand first. then you can cheat =D 15:59 < krzy> yup =] 16:00 < krzy> https://www.secure-computing.net/wiki/images/c/c3/Ssl-admin.tar 16:01 < krzy> Extract the tgz in your home directory (for now). You should see two files, ssl-admin.pl, and openssl.cnf. 16:01 < krzy> [edit] Tuning ssl-admin.pl 16:01 < krzy> You must edit the perl script to work correctly on your network. When initially downloaded, the script will exit, reminding you to setup all the variables at the top of the file. By default, the top of the file looks like this: 16:01 < Concept-P> even this vpn is a bit overkill. Im using a vpn on a local network. but the servers cannot be accessed without being on the vpn =D 16:01 < krzy> etc etc 16:01 < krzy> local network... 16:01 < krzy> umm, its connecting and routing right? 
16:02 < Concept-P> krzy: well, I dont run any scripts before I read them =D 16:02 < krzy> good 16:02 < krzy> if you have comments or suggestions on that script im sure ecrist is open to them 16:02 < Concept-P> krzy: it worked just fine yesterday (besides the fact that all the clients got the same ip) 16:03 < krzy> hrm very odd 16:03 < krzy> it shouldnt really work on the same lan 16:03 < krzy> routing should get confused 16:03 < Concept-P> krzy: the reason is because there are two remote laptops that will be connecting to the vpn as well. 16:04 < krzy> and thats a perfect reason to use openvpn ;] 16:04 < Concept-P> krzy: well, its only the local network that need access to the servers. the computers can access the internet without the vpn. 16:04 < Concept-P> krzy: I didnt have any problems with the routing anyway =) 16:04 < krzy> i think im just misunderstanding you 16:05 < krzy> and it dont sound broken, so we dont need to fix it ;] 16:05 < Concept-P> hehe right. =) 16:06 < Concept-P> krzy: let me put it this way, there is a samba server on the network that only listens to the vpn interface. so if you are not part of the vpn, you cant access the sambaserver =) 16:06 < krzy> oh ok cool 16:06 < krzy> thought you meant client and server were on same lan 16:06 < krzy> which should not work 16:07 < krzy> what you are saying is good 16:07 < krzy> i think im just misunderstanding you 16:07 < krzy> ^that was the case 16:08 < Concept-P> =) 16:08 < Concept-P> krzy: where are you from, I feel like I recognize your nick =) 16:08 < krzy> been krzee on efnet for many years 16:08 -!- Mattz0r [n=user@cpc1-linc5-0-0-cust861.nott.cable.ntl.com] has quit [] 16:08 < krzy> and was krzy for awhile too 16:09 < Concept-P> krzy: where you in channels on efnet that where with a key? 
16:09 < krzy> been here on freenode for awhile too, but not nearly as long 16:09 < krzy> ive been in a shitton of channels with and without keys 16:09 < krzy> i been on efnet since early - mid 90's 16:09 < krzy> like 93 or so i think 16:10 < Concept-P> oki =) 16:10 < krzy> ohhh 16:10 < krzy> i was RNS council for a couple yrs 16:10 < krzy> had 2 council spots 16:10 < Concept-P> oki. 16:10 < Concept-P> maybe thats it. =) 16:10 < krzy> and ran a few groups 16:11 < krzy> abuse ,CDA, sFx, NoD, then went to RNS til i quit all scenes 16:11 < Concept-P> krzy: what did RNS release? 16:11 < krzy> mp3 16:12 < krzy> was the #1 mp3 group 16:12 < Concept-P> electronic music? 16:12 < krzy> everything 16:12 < Dougy> I need someone to answer a question and then baby me through something 16:12 < krzy> Dougy, the question? 16:12 < Dougy> typing it 16:12 < Dougy> sec 16:12 < krzy> Dougy, my babying will be more of pointing you to the right docs 16:12 < Dougy> If I have a server with 1 ip, is it possible to route all traffic thru it? Like, when you VPN in (say 6 diff clients), when you browse the web / IRC, it shows the server's IP 16:13 < Dougy> krzy: as long as I get it done, that's fine by me 16:13 < krzy> dougy, absolutely 16:13 < krzy> !nat 16:13 < vpnHelper> krzy: "nat" is http://openvpn.net/howto.html#redirect 16:13 < krzy> its not an openvpn thing, you want NAT 16:13 * Dougy reads 16:13 < krzy> dougy, server OS? 16:13 < Dougy> Cent5 16:13 < krzy> cool, that link gives example of how to NAT on linux 16:14 < Dougy> so just do what it says there? 16:14 < Dougy> what's "def1" 16:14 < Dougy> is that an interface? 16:14 < krzy> !man 16:14 < vpnHelper> krzy: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 
16:14 < Dougy> you could just have answered it too :p that doesnt take much
16:15 < krzy> i am
16:15 < krzy> had to goto man and CNTRL F
16:15 < krzy> well apple F, i use mac
16:15 < krzy> Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
16:15 < krzy> Using the def1 flag is highly recommended, and is currently planned to become the default by OpenVPN 2.1.
16:16 < krzy> i THINK ive heard of issues with def1 and windows, but you use linux so shouldnt have a problem
16:16 < Dougy> one more question krzy
16:16 < Dougy> push "dhcp-option DNS 10.8.0.1" <--
16:16 < Dougy> can i put like
16:17 < Dougy> push "dhcp-option DNS 204.8.216.67 204.8.216.102"
16:17 < Dougy> ?
16:18 < krzy> changing them to another external IP only while on the VPN?
16:18 < Dougy> yeah
16:18 < Dougy> soon as they are off vpn, they resume using ISP's ip
16:18 < Dougy> unless im not understand
16:18 < Dougy> unless im not understanding*
16:19 < krzy> well ya but if its not going over the vpn why not always use that ip?
16:19 < Dougy> Im slow today
16:19 < Dougy> idk what you mean
16:22 < Concept-P> krzy: oh, right. While Im waiting for the cert generation (damn 4096 dh gen =D) Ive been trying to find out how to give the clients static ips, but cant seem to find any info about that. openvpn stores ip mapping in the ippool.txt file. can I manually edit that for static ips?
16:23 < Dougy> krzy: :(
16:23 < krzy> dougy, i will check, dunno if you can supply 2 NS or not
16:24 < krzy> but for windows what you said will def work for 1 NS
16:24 < krzy> Concept-P, kinda
16:24 < krzy> that *would* work, but doesnt guarantee they stay the same
16:24 < Concept-P> krzy: is there a better way?
16:24 < krzy> you give it an ifconfig in a ccd entry
16:24 < krzy> !ccd
16:24 < vpnHelper> krzy: "ccd" is entries that are basically included into server.conf, but only for the specified client
16:24 < Concept-P> ahh
16:25 < Concept-P> ok, Ill look into that.
16:25 < Dougy> well krzy
16:25 < Dougy> i can just use my priv one then
16:25 < Dougy> heh
16:25 -!- mucimon [n=mucimon@lugbari/people/mucimon] has joined ##openvpn
16:27 < Dougy> krzy: i did the thing (masquerade) etc, and enabled packet fwding in sysctl.conf on my linux laptop
16:27 < Dougy> its not routing traffic thru it :(
16:28 < krzy> Dougy, can the client still access the inet at all?
16:33 < Dougy> negative
16:33 < Dougy> i cant nslookup anything etc
16:33 < Dougy> i can ping other clients on he vpn
16:33 < Dougy> the*
16:33 < Dougy> that's it
16:34 < Dougy> eg 172.16.0.4
16:34 < krzy> dougy, to push 2 DNS servers to win client try using push "dhcp-option DNS 204.8.216.67" and push "dhcp-option DNS 204.8.216.102"
16:34 < krzy> ok cool, then your openvpn stuff is working right
16:34 < krzy> its your iptables NAT that is not
16:34 < Dougy> that wasn't it krzee
16:34 < Dougy> er krzy
16:34 < krzy> im krzee too
16:34 < Dougy> i just changed it to my private ns (its only 1 ip, and neither of those)
16:35 < krzy> werd
16:35 < Dougy> should that modify the resolv.conf locally?
16:35 < Dougy> like on the client
16:35 < Dougy> because they're not the one in my server.conf
16:36 < krzy> echo 1 > /proc/sys/net/ipv4/ip_forward
16:36 < krzy> sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
16:36 < krzy> You can verify the rule was written correctly with:
16:36 < krzy> sudo iptables -L -t nat
16:36 < Dougy> that file is already set to 1
16:36 < krzy> (i dont really use linux, going from a google search)
16:37 < Dougy> I have it as /26 not /24, and i ran that
16:37 < Dougy> but the iptables thing i didnt do (last thing)
16:37 < Dougy> er its returning nothing
16:37 < krzy> that just lists the table
16:37 < Dougy> yeah
16:37 < Dougy> which is empty
16:37 < krzy> hrmz
16:37 < krzy> you have iptables loaded?
16:37 < Dougy> yes
16:38 < Dougy> er oops
16:38 < Dougy> hmm
16:38 < Dougy> Chain POSTROUTING (policy ACCEPT)
16:38 < Dougy> target prot opt source destination
16:38 < Dougy> MASQUERADE all -- 172.16.0.0/26 anywhere
16:38 < Dougy> MASQUERADE all -- 172.16.0.0/26 anywhere
16:38 < Dougy> double :S
16:38 < Dougy> now its only there once
16:38 < Dougy> do i need to enable forwarding on the server as well, krzy?
16:39 < krzy> you mean you only set that file to 1 on the client?
16:39 < Dougy> :<
16:40 < krzy> yes, you want it on the server and prolly not on the client
16:40 < krzy> note, setting that file to 1 does not go across reboots
16:40 < krzy> its just for turning on forwarding without a reboot
16:40 < Dougy> lets try that
16:40 < Dougy> yup
16:40 < Dougy> i know
16:40 < Dougy> okay
16:40 < Dougy> i added fwding on the server
16:41 < Dougy> hmm
16:41 < krzy> now it works?
16:41 < Dougy> testing
16:41 < Dougy> YES!
16:41 < Dougy> :D:D:D
16:41 < Dougy> Thank youuuuu
16:41 < krzy> yw =]
16:41 < Dougy> haha :D
16:42 < krzy> see i didnt hafta baby you, you read the docs that you were pointed to =]
16:42 < krzy> and got it workin
16:42 < Concept-P> =D
16:43 < krzy> and because you did that, you learned a lil more bout networking ;]
16:43 < Concept-P> that damn learning part. =D
16:44 < Dougy> you babied me some krzy
16:44 < Dougy> one more question krzy though
16:44 < Dougy> is it possible to log everything done on the vpn
16:44 < Dougy> like all sites browsed, etc
16:44 < Concept-P> sniff all the traffic that goes over the tap?
16:44 < krzy> should be able to monitor traffic on the VPN interface
16:45 < krzy> or by logging through iptables
16:45 < Dougy> I want it to log if client 3 goes to google.com
16:45 < Dougy> for eg
16:45 < krzy> but thats definitely not openvpn related
16:45 < krzy> !notopenvpn
16:45 < vpnHelper> krzy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
16:45 < Dougy> well, where would i need to ask
16:45 < krzy> you are really asking how to monitor traffic of clients on a NAT
16:46 < Dougy> and krzy i have a openvpn question :p
16:46 < krzy> a linux channel
16:46 < Dougy> using the default howto
16:46 < Dougy> to generate the certs
16:46 < Dougy> is there any encryption on that
16:46 < Dougy> o.O
16:46 < krzy> absolutely!
16:46 < Dougy> what level is it o.O
16:46 < Dougy> Probably crappy
16:46 < krzy> post your configs please
16:46 < Dougy> er
16:46 < Dougy> what one o.O
16:46 < krzy> server and 1 client
16:47 < krzy> ill toss you any tips i see on how to make it better
16:47 < krzy> as far as that goes
16:48 < Dougy> can i pm you
16:48 < krzy> pm me the pastebin to the configs?
16:48 < Dougy> yesh
16:48 < Dougy> yeah*
16:48 < krzy> sure, but that will stop anyone else from giving input
16:49 < krzy> ouch
16:49 < krzy> please remove the comments
16:49 < krzy> like this:
16:49 < krzy> !sample
16:49 < vpnHelper> krzy: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:49 < krzy> (thats my configs)
16:49 < Dougy> oh
16:49 < Dougy> lol
16:49 < Dougy> comments take forever to remove
16:50 < krzy> with a few things removed which would require explanation, my setup is very diff than most
16:50 < krzy> its a serious PITA to dig through a huge config which is 80% comments
16:50 < krzy> !configs
16:50 < vpnHelper> krzy: "configs" is please pastebin your client and server configs, also include which OS and version of openvpn.
16:50 < krzy> !forget configs
16:50 < vpnHelper> krzy: The operation succeeded.
16:51 < Dougy> no prob
16:51 < Dougy> ill work on it
16:51 < krzy> !learn configs as please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
16:51 < vpnHelper> krzy: The operation succeeded.
16:52 < krzy> whoa!
16:52 < krzy> ovpn.pastebin.com
16:52 < krzy> thats awesome
16:52 < krzy> didnt know that existed
16:53 < krzy> ok you want HMAC verification using tls-auth
16:53 < krzy> !tls-auth
16:53 < vpnHelper> krzy: Error: "tls-auth" is not a valid command.
16:53 < krzy> !secure
16:53 < vpnHelper> krzy: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html
16:53 < krzy> see http://openvpn.net/howto.html#security
16:53 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
16:54 < Dougy> krzy: anything exists
16:54 < Dougy> http://rooi5j28ow890t098t90898s.pastebin.com exists
16:54 < krzy> !learn tls-auth as The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
16:54 < vpnHelper> krzy: The operation succeeded.
16:55 < krzy> !menu
16:55 < vpnHelper> krzy: "menu" is !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman
16:55 < krzy> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo,
16:55 < vpnHelper> krzy: The operation succeeded.
16:55 < krzy> !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30,
16:55 < krzy> grr
16:55 < krzy> !forget menu
16:55 < vpnHelper> krzy: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
16:55 < krzy> !forget menu *
16:55 < vpnHelper> krzy: The operation succeeded.
16:56 < Concept-P> heh. !insanity =D
16:56 < krzy> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth
16:56 < vpnHelper> krzy: The operation succeeded.
16:56 < krzy> !insanity
16:56 < vpnHelper> krzy: "insanity" is doing the same thing over and over expecting different results
16:56 < krzy> ;]
16:56 < Dougy> Well krzy what d'ya say
16:57 < Concept-P> haha =)
16:57 < Concept-P> so true =)
16:57 < krzy> Dougy, you also want ns-cert-type server in client config
16:58 < krzy> you can change tls-cipher to use whatever encryption both sides support (each sides openssl needs to support it)
16:58 < krzy> !tls-cipher
16:58 < vpnHelper> krzy: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
16:59 < Dougy> erk krzy
17:00 < Dougy> It says i need to rebuild server key
17:00 < Dougy> thats just the one server key line rihgt
17:00 < Dougy> right
17:00 < Dougy> not the whole redo clients and then redo the dh
17:01 < krzy> well
17:01 < krzy> i guess so as long as you're using the same CA and all
17:01 < krzy> just make sure its signed as a server
17:01 < Dougy> i assume for the sake of security i should redo them all?
17:01 < Concept-P> krzy: what use is the password challenge line in openvpn?
17:03 < krzy> 1sec
17:03 < krzy> !man
17:03 < vpnHelper> krzy: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
17:04 < krzy> err wait
17:04 < krzy> Concept-P, you said all your clients are on win right?
17:04 < krzy> if so, see !winpass
17:04 < Concept-P> krzy: almost. there are two that are not
17:04 < Concept-P> !winpass
17:05 < vpnHelper> Concept-P: "winpass" is openvpnGUI for windows has a change password feature that will change the passphrase on your .key files
17:05 < krzy> otherwise, you can change that manually at commandline
17:05 < Concept-P> krzy: but what is the use for them? I dont need to use them when connecting to the openvpn server?
17:05 < Dougy> krzy: im confused with this ns-cert thing
17:06 < Dougy> any good docs on how to do it
17:06 < krzy> http://openvpn.net/index.php/documentation/howto.html#mitm
17:06 < vpnHelper> Title: HOWTO (at openvpn.net)
17:06 < Dougy> wait
17:06 < Dougy> so all i have to do is ./build-key-server server
17:06 < Dougy> ?
17:07 < krzy> aye
17:07 < Dougy> god damn it
17:07 < krzy> then the client wont connect to anything with a cert signed by your CN unless it was built as a server cert
17:07 < Dougy> i did that before
17:07 < Dougy> :(
17:08 < Concept-P> Dougy: remember to set the commonname to the computer that will be using the cert =P (I made that error yesterday) =D
17:08 < krzy> hrm that seems to be more of a problem for people than i thought
17:08 < Dougy> Concept-P: what do you mean
17:08 < Dougy> when i do common names
17:08 < krzy> Concept-P maybe you could make a lil writeup about it on the wiki?
17:08 < Dougy> i do the name of the people going to be using the crt
17:08 < Dougy> cert
17:08 < Dougy> eg in my case "Douglas Haber"
17:08 < Dougy> o.O
17:09 < krzy> about cert generating for new people
17:09 < krzy> can common name be multiple words? never tried that
17:09 < Dougy> btw is ecrist one of the major openvpn coders or something
17:09 < Dougy> or expert w/e
17:09 < krzy> would make ccd/ weird
17:09 < Concept-P> krzy: well with the build-key scripts it asks for "Common Name (eg, your name or your server's hostname) []:" Its easy to think that it means the vpn servername
17:10 < krzy> i dont think hes a coder, but he helps a ton in this channel, knows what hes doing, and made a perl script (which is in fbsd ports) for admin'ing certs
17:10 < krzy> Concept-P, adding to the wiki is open to the public
17:10 < krzy> !wiki
17:10 < vpnHelper> krzy: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
17:11 < krzy> you dont have to, but are welcome to add a writeup if you think it will help people
17:11 < krzy> i made the one shown in !route
17:11 < krzy> !route
17:11 < vpnHelper> krzy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
17:11 < Concept-P> krzy: Ill do that. when I got mine going. =P
17:11 < krzy> Concept-P, still having problems??
17:11 < krzy> your setup looks good to me
17:12 < krzy> the writeup i made helps people understand route, push route, iroute, and ccd
17:12 < Concept-P> krzy: not really, Im regenerating all the certs with 4096 encryption. =P
17:12 < Dougy> er
17:12 < krzy> which is an extremely often asked ?
17:13 < Concept-P> krzy: so I haven't tried yet =)
17:13 < krzy> ohh right =]
17:13 < Dougy> how do you do it with 256 bit
17:13 < Dougy> i'm sure 256 is more than I have now
17:13 < krzy> dougy, by using tls-cipher
17:13 < Dougy> !tls-cipher
17:13 < vpnHelper> Dougy: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
17:13 < krzy> yay someone else using the bot!
17:13 < Dougy> that doesnt help
17:13 < Dougy> I need step by step
17:13 < Dougy> like something to baby me
17:17 < krzy> openvpn --show-ciphers
17:17 < krzy> on both sides
17:18 < krzy> see what both sides support
17:18 < krzy> choose one thats in both sides and is what you want
17:19 < krzy> The --show-ciphers option (see below) shows all available OpenSSL ciphers, their default key sizes, and whether the key size can be changed. Use care in changing a cipher's default key size. Many ciphers have not been extensively cryptanalyzed with non-standard key lengths, and a larger key may offer no real guarantee of greater security, or may even reduce security.
17:20 < krzy> --tls-cipher l
17:20 < krzy> A list l of allowable TLS ciphers delimited by a colon (":"). If you require a high level of security, you may want to set this parameter manually, to prevent a version rollback attack where a man-in-the-middle attacker tries to force two peers to negotiate to the lowest level of security they both support. Use --show-tls to see a list of supported TLS ciphers.
17:22 < krzy> dougy, so like Concept-P used: cipher AES-256-CBC
17:23 < krzy> in both client and server configs
17:23 < krzy> so hes using 256 bit AES
17:23 < krzy> by default openvpn uses blowfish
17:24 < krzy> which is pretty damn good
17:25 < krzy> http://openmaniak.com/openvpn_tutorial.php seems to expand on this a little
17:25 < krzy> rumor has it that AES is crackable by some governments, but that cannot be confirmed or denied
17:26 < krzy> i stick to blowfish personally, but see nothing wrong with going to 256 AES
17:26 < Dougy> ah
17:26 < Dougy> AES-256-CBC 256 bit default key (fixed)
17:26 < Dougy> that means its supported?
17:26 < krzy> sure does
17:27 < Dougy> cool
17:27 < Dougy> now i need to figure out how to use it
17:27 < Dougy> ;p
17:27 < krzy> so you would add cipher AES-256-CBC to both configs
17:28 < Dougy> that's it?
17:28 < Dougy> there's no ssl cert signing or anything o.O
17:28 < Dougy> ?
17:28 < krzy> that was done when you made your certs
17:28 < Dougy> it supports all those types?
17:28 < krzy> cipher just changes the communication channel's encryption
17:28 < krzy> theres a few levels of encryption in openvpn
17:29 < krzy> both me and Concept-P choose to build our certs, tls static keys, and dh keys with 4096 keysizes
17:29 < krzy> and that doesnt affect what the communication channel uses
17:29 < krzy> certs are for auth
17:30 < krzy> dh key goes into that too
17:30 < Dougy> im not looking for extreme security
17:30 < Dougy> just something more than basic for now
17:30 < krzy> tls static key adds a signature to every packet
17:30 < krzy> cipher is for the stream of data
17:30 < krzy> well basic on openvpn is good
17:30 < krzy> openvpn is made with security in mind
17:31 < krzy> i use the default cipher personally, cause i trust blowfish encryption
17:31 < Dougy> k
17:31 < Dougy> I heard the windows client(s) are exploitable for windows
17:31 < Dougy> o.O
17:32 < krzy> i know nothing about that, got any links for evidence?
17:32 < Dougy> negative
17:32 < Dougy> my boss just told me it
17:32 < krzy> (i also dont use windows)
17:32 < Dougy> he made me uninstall the client from openvpn.se because there are exploits
17:32 < Dougy> o.O
17:32 < krzy> can you ask your boss for evidence?
17:32 < Dougy> i don't want to piss him off
17:32 < Dougy> :<
17:33 < Dougy> I value my job as being 15 it's the only change I have to work at a DC
17:33 < krzy> did he find the exploits or make them?
17:33 < Dougy> chance^
17:33 * Dougy has no idea
17:33 < krzy> well, i cant comment on it then
17:34 < krzy> but with HMAC verification, no packets will be processed unless signed with your TLS static key
17:35 < Dougy> heh
17:35 < Dougy> honestly
17:35 < krzy> so unless the assumed exploit takes advantage of the HMAC verification process, or passes the HMAC verification process, it wont run
17:35 < Dougy> I will pay you $35 to write up a nice doc/wiki page/something about security
17:35 < Dougy> on openvpn
17:35 < Dougy> er i meant 25 but 35 will work o.O
17:35 < Dougy> so I can revisit in future
17:36 < krzy> ok, it'll take me a lil time tho, security in openvpn is not a small thing to write up
17:36 < krzy> they take it very serious
17:36 < Dougy> Well
17:36 < krzy> and much of it will be copy and pasting parts from howto and manpage
17:36 < Dougy> well
17:36 < Dougy> I mean like
17:36 < Dougy> Compile all the diff types into a big doc
17:37 < Dougy> and throw links to more info on it
17:37 * Dougy thinks that could actually be sold as an eBook if detailed enough
17:38 < krzy> i wouldnt sell it, i would put it on our wiki for the world to see / freely use
17:38 < Dougy> I guess
17:38 < Dougy> I could do that too
17:38 < krzy> tis the nature of the community =]
17:39 < Dougy> http://www.amazon.com/s/ref=nb_ss_gw?url=search-alias%3Daps&field-keywords=openvpn&x=0&y=0
17:39 < vpnHelper> Title: Amazon.com: openvpn (at www.amazon.com)
17:39 < Dougy> lots of openvpn books
17:39 < krzy> werd
17:40 < Dougy> but yeah
17:41 < Dougy> I really dont wanna pay for it, but it is time you'd have to spend doing it
17:42 < krzy> well, we'll see if ecrist wants to help me
17:42 < krzy> if i dont hafta spend a lot of effort on it i wont accept any $
17:42 < krzy> it just doesnt sound like a fun doc to write, so im not closing the possibility of accepting a couple $
17:43 < krzy> ie: i wouldnt be thinking bout writing it if you didnt bring that up
17:43 < krzy> lol
17:43 < Dougy> well
17:43 < krzy> but you're right that it would be a good doc for the wiki
17:43 < Dougy> I think that's a big thing that needs a lot of documentation
17:43 < krzy> theres a few levels of encryption that can each be configured differently
17:44 < Dougy> I personally would definitely bookmark + read it
17:44 < krzy> so first would come an overview, then a brief explanation of each, then how to configure each
17:45 < Dougy> yes
17:45 < Dougy> that's a great wiki page
17:45 < Dougy> heh
17:48 < krzy> lemme see somethin
17:49 < krzy> !secure
17:49 < vpnHelper> krzy: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html
17:49 < krzy> http://openvpn.net/index.php/documentation/security-overview.html
17:49 < vpnHelper> Title: Security Overview (at openvpn.net)
17:49 < krzy> is that enough right there?
17:50 < krzy> thats the official ovpn security overview
17:50 < Dougy> reading
17:50 < Dougy> It kinda explains parts of it
17:50 < Dougy> I guess
17:50 < Dougy> I was referring to more of an explanation of each, and a step by setp on how to do it
17:50 < Dougy> ste
17:50 < krzy> right, you're looking for that as the overview
17:50 < Dougy> p
17:50 < Dougy> Kind of like
17:50 < krzy> then more in depth on each part
17:51 < Dougy> "security for complete idiots"
17:51 < Dougy> like me
17:51 < krzy> right, like my routing writeup as compared to the howto's
17:51 < krzy> read my routing writeup and tell me if you understand it?
17:51 < krzy> !route
17:51 < vpnHelper> krzy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
17:52 < Dougy> yep
17:52 < Dougy> like that but for security
17:52 < krzy> cool, so that was fully understandable?
17:53 < Dougy> i think so
17:53 < Dougy> let me skim more
17:53 < krzy> if you would as a favor, please fully read instead of skim
17:53 < Dougy> sure
17:53 < krzy> i know you dont need it for your setup, but would help me
17:53 < Dougy> give me five minutes and i'm on it
17:53 < Dougy> actually
17:53 < krzy> sure, whenever you can
17:53 < Dougy> on it right now
17:55 < Dougy> looks good
17:55 < krzy> cool
17:56 < krzy> tried to break it down as well as possible for the uninitiated cause it can be a source of confusion
17:56 < Concept-P> krzy: does the tls.key need to be signed by the ca?
17:56 < krzy> it took a bit of reading to get the understanding to write that up
17:56 < krzy> no tls.key is just a standalone static key
17:56 < krzy> has nothing to do with certs
17:57 < krzy> it adds HMAC verification to ALL packets
17:57 < krzy> so if packet going to vpn doesnt pass the HMAC verification, it doesnt get processed
17:58 < krzy> after the first packets pass hmac verification, the certs can be compared
17:58 < krzy> if the packets to compare certs dont pass hmac verification, no access
17:58 < Concept-P> krzy: right.. I remade all the certs and the tls.key. but its still bit*hing about tls error. so I was going to try to remove the tls part and see if it works then. fine. but then I get an error saying I cant use the ca option if Im not using the tls mode.
17:58 < krzy> (which was one of your problems, forget whose)
17:59 < krzy> umm
17:59 < krzy> show me the logs
18:00 < krzy> this wasnt the important part of the error before:
18:00 < krzy> Sat Aug 23 21:29:36 2008 TLS Error: incoming packet authentication failed from 192.168.134.32:1194
18:00 < krzy> this was:
18:00 < krzy> Sat Aug 23 21:29:36 2008 Authenticate/Decrypt packet error: packet HMAC authentication failed
18:01 < Concept-P> same error.
18:01 < krzy> the second one i pasted?
18:01 < Concept-P> And if I remove the tls auth section it all stops working and does not even get to loggin.
18:01 < Concept-P> http://plu.nu/~concept/temp/
18:02 < vpnHelper> Title: Index of /~concept/temp (at plu.nu)
18:02 < krzy> did you remove it from both server and client?
18:02 < krzy> looks like at least 1 side still has tls-aututh
18:03 < Concept-P> that was before I removed the tls auth
18:03 < krzy> tls-auth
18:03 < Concept-P> after I removed it, the client will not even start.
18:04 < Concept-P> oh no.
18:04 < Concept-P> DOH!
18:04 < Concept-P> doh! and double doh!
18:06 < Concept-P> I might have figured it out.
18:07 < Concept-P> sit back and relax and I might get it to work in about three mins. =D
18:07 < krzy> coo
18:11 < krzy> lemm know WHATS IT WAS IF IT WORKS
18:11 < krzy> oops C/L
18:12 < Concept-P> krzy: if it is what I think it is.. the error was about 40 cm in front of the monitor =D
18:12 -!- pred2k5 [n=Torsten@dslb-088-069-222-177.pools.arcor-ip.net] has quit []
18:13 < krzy> lol
18:14 < krzy> i almost wanna make the bot learn that quote as !humanerror
18:14 < krzy> how you put it was funny =]
18:16 < Concept-P> krzy: I had set up the server to be able (in the future) to run multiple servers. so the configuration files were in /etc/openvpn/conf/[server] and the key files were in /etc/openvpn/conf/[server]/keys but the dir in the vars file was /etc/openvpn/keys. I had made a symbolic link to the right key dir.. but.. the link had disappeared and was replaced with a new directory.. hence.. the server was using all the old key files. =P
18:18 < krzy> ahh
18:18 < krzy> gotchya
18:18 < krzy> i just make a whole new dir for each vpn
18:18 < krzy> to keep it simple
18:19 < krzy> but whatever works for you =]
18:19 < Dougy> i only host 1 vpn per server
18:19 < Dougy> o.O
18:19 < krzy> dougy, thats much more normal
18:19 < Dougy> i only have 1 vpn
18:19 < Dougy> lol
18:20 < krzy> i chain a few together
18:20 < krzy> so i can route with the craziness
18:21 < krzy> each client machine connects to 2 servers and routes between them
18:21 < Dougy> im just doing it so my support desk's staff area can only be seen via vpn
18:21 < krzy> its an in-depth routing setup, but very much helped me to understand iroute, lol
18:21 < Dougy> and staff can still browse web while on vpn
18:21 < krzy> ya yours is a more normal usage
18:22 < krzy> to my knowledge im the only one who has bothered with my type of setup
18:23 < krzy> and what Concept-P may be doing with multiple servers on 1 server is one running tcp in the case where he ends up behind a nazi firewall and udp doesnt work
18:24 < krzy> which is less for business and more for personal
18:28 < Concept-P> yeay! new error! =P
18:29 < Concept-P> Sat Aug 23 23:28:26 2008 192.168.134.101:1711 CRL: cannot read: conf/drmrp/keys/server.pem: Permission denied (errno=13)
18:29 < Concept-P> -rw-r--r-- 1 root root 1028 Aug 23 23:08 conf/drmrp/keys/server.pem
18:29 < krzy> check your permissions
18:29 < krzy> to the dir too
18:29 < Concept-P> AH!
18:30 < krzy> also, dont keep it world readable
18:30 < krzy> i make it readable by user the vpn drops to
18:30 < krzy> and owned by root
18:30 < krzy> world gets nothing
18:30 < krzy> err not by user vpn drops to, by group i mean
18:30 < krzy> although with persist-key and persist-tun you may not need group readable either
18:31 < krzy> in fact the point of them is so you dont
18:31 < krzy> so, ie: conf/drmrp/keys/server.pem make it 400
18:32 < krzy> and the dir, 500
18:32 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection]
18:33 < Concept-P> yeah baby yeah! =D
18:33 < krzy> all is well? =]
18:34 < Concept-P> so far so good! =)
18:34 < Concept-P> I get an ip address on the client =D
18:34 < krzy> werd
18:34 < krzy> i take it you're still generating 4096 stuff too
18:34 < krzy> that takes FOREVER
18:34 < krzy> haha
18:34 < Concept-P> krzy: no, thats all done =)
18:34 < krzy> whoa
18:34 < krzy> certs, tls, dh?
18:34 < Concept-P> that was done an hour or so ago =)
18:35 < Concept-P> everything generated =)
18:35 < krzy> damn, you must have badass HW
18:35 < Concept-P> Xeon 2.13 Ghz Quad Core with 3gb ram =P
18:35 < krzy> yup thats pretty badass
18:35 < krzy> hehe
18:35 < Concept-P> well. the other server I have is nicer I think =P
18:35 < krzy> 2.6amd took me like 1/2 a day to gen 1
18:36 < Concept-P> Dual Xeon 2.0 ghx Quad core, 9gb ram and 2tb disk =)
18:36 < krzy> my macbook pro did them fast, but so fast i didnt trust the certs
18:36 < krzy> lol
18:36 < Concept-P> ghz even =)
18:36 < krzy> damn man, nice stuffs
18:36 * krzy borrows Concept-P's servers
18:37 < krzy> haha
18:37 < Concept-P> heh, well thats what they get when they say.. upgrade all the computers. you have a budget of 10,000 euro =D
18:38 < krzy> omg
18:38 < krzy> badass
18:38 < Concept-P> It was fun buying everything =P
18:38 < krzy> you're lucky to work where ever you work
18:39 < krzy> often people underfund IT
18:39 < Concept-P> krzy: I only work extra here =)
18:39 < Concept-P> krzy: well, the overkill is that the two servers are for 1. VPN server 2. Samba server
18:39 < Concept-P> =D
18:40 < Concept-P> but it was 4 new computers and three laptops as well =P
18:41 < Concept-P> But they are now supposed to last the next ? 10 years or so (yikes) =P
18:41 < Concept-P> we'll see about that part though =)
18:41 < krzy> they will last til HW dies
18:41 < krzy> hehe
18:42 < krzy> i mean hell you could still use a 300mhz box for that
18:42 < krzy> a pentium 1 would do the job
18:42 < krzy> hehe
18:42 < Concept-P> last time things were upgraded was about 8 years ago and the old samba server is from 95
18:43 < Concept-P> krzy: yeah, true, but then I cant use the servers for vps:es either. =D
18:44 < Concept-P> ok. now to get working on the ccd =D
18:46 < krzy> good, you're doing it right
18:46 < krzy> best to get it working, then add complexity
18:46 < Concept-P> =)
18:47 < Concept-P> krzy: in the manual the only example in the ccd part was to add subnet routing. Im guessing it works the same way but with a ifconfig push?
18:47 < krzy> sure does
18:47 < krzy> !push
18:47 < vpnHelper> krzy: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:47 < Concept-P> sweet =)
18:47 < krzy> !ccd
18:47 < vpnHelper> krzy: "ccd" is entries that are basically included into server.conf, but only for the specified client
18:48 < krzy> !menu
18:48 < vpnHelper> krzy: "menu" is !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth
18:48 < Concept-P> krzy: do I then remove the ifconfig push from the main server conf?
18:48 < krzy> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push
18:48 < vpnHelper> krzy: The operation succeeded.
18:48 < krzy> !forget menu 1
18:48 < vpnHelper> krzy: The operation succeeded.
18:48 < krzy> yes
18:48 < Concept-P> ait
18:49 < krzy> that would result in the ifconfig being pushed to every client
18:49 < Concept-P> thats what I thought =)
18:56 < Concept-P> Sat Aug 23 23:56:21 2008 drreception/192.168.134.101:1812 Options error: option 'ifconfig' cannot be used in this context
18:58 < Concept-P> in the ccd/drreception file its just ifconfig 192.168.5.1 192.168.5.101
18:58 < krzy> umm
18:58 < krzy> 192.168.5.0/24 is for vpn?
18:58 < Concept-P> yes =)
18:59 < krzy> for 1, server will be 5.1
18:59 < Concept-P> and 192.168.5.1 is the vpnserver
19:00 < Concept-P> should it just be ifconfig 192.168.5.101 ?
19:00 < Concept-P> I copy-pasted the line from the server conf =P 19:01 < krzy> so you want something like this:ifconfig 192.168.5.5 ifconfig 192.168.5.6 19:02 < krzy> err no 19:03 < krzy> push "ifconfig 192.168.5.5 192.168.5.6" 19:03 < krzy> for the first 19:03 < krzy> second should be .9 .10 19:03 < Concept-P> why 5.5 and 5.6? 19:03 < krzy> !/30 19:03 < vpnHelper> krzy: "/30" is http://openvpn.net/index.php/documentation/faq.html#slash30 19:04 < krzy> that will elab 19:04 < Concept-P> ahh. oki. 19:05 < Concept-P> so it doesnt have to be 5.5 and 5.6 .. could be 5.5 and 5.101 ? 19:05 < krzy> no 19:05 < Concept-P> damn there goes my network plan. =P 19:05 < Concept-P> oki =D 19:06 < krzy> do you get why? 19:06 < krzy> .5 is Virtual IP address in the OpenVPN Server 19:06 < krzy> .6 is the ip for the client 19:06 < Concept-P> yeah. but tcp/ip isnt my strong side. 19:06 < Concept-P> it has to do with broadcasts and stuff =) 19:06 < krzy> well, it has to do with an ugly hack to make routing in windows work 19:07 * Dougy pokes kraut 19:07 < Dougy> er krzy 19:07 < Dougy> krzy: question 19:07 < Dougy> :p 19:07 < krzy> Then OpenVPN assigns a /30 subnet for each client that connets. The first available /30 subnet (after the one the server is using) is: 19:07 < krzy> * 192.168.1.4/30 19:07 < krzy> * 192.168.1.4 -- Network address 19:07 < krzy> * 192.168.1.5 -- Virtual IP address in the OpenVPN Server 19:07 < krzy> * 192.168.1.6 -- Assigned to the client 19:07 < krzy> * 192.168.1.7 -- Broadcast address. 19:07 < krzy> Then to reach the rest of the network on behind the OpenVPN server, you push a route to the client, so traffic is routed through 192.168.1.5. 19:07 < krzy> As 192.168.1.5 is only a virtual IP address inside the OpenVPN server, used as an endpoint for routes, OpenVPN doesn't bother to answer pings on this address, while the 192.168.1.1 is a real IP address in the servers O/S, so it will reply to pings. 
19:07 < Concept-P> but 5.5 / 5.6 for client1 and 5.7 and 5.8 for client2 would work? 19:07 < krzy> It does cause a little waste of IP addresses, but it's the best way to allow a consistent configuration that works on all O/S supported by OpenVPN. 19:07 < krzy> The TAP-Win32 driver includes a DHCP server which assigns the 192.168.1.6 address to you, that's why you see 192.168.1.5 as DHCP server address. 19:07 < Concept-P> krzy: Yeah, I read it =) 19:07 < krzy> no 19:07 < Dougy> If I use tap unstead of tun, does it work the same? 19:07 < krzy> 5.6 / 9.10 19:07 < Dougy> similar w/e 19:07 < krzy> err 19:07 < krzy> 5/6 9/10 19:07 < krzy> and so on 19:08 < Concept-P> krzy: so client tre would have 13/14 and client4 17/18 ? 19:08 < krzy> each client uses 4 ips for its own 19:08 < Concept-P> oki four 19:08 < Concept-P> right. I tought right. 19:08 < krzy> so yes 19:08 < Dougy> eh, i have a /8 i cann use so tun will work oO 19:08 < krzy> krzy: so client tre would have 13/14 and client4 17/18 ? 19:08 < Dougy> holy shit its DARK out 19:08 < krzy> yes 19:09 < Dougy> :S 19:09 < krzy> dougy, please explain 19:09 < krzy> (not the dark part) 19:09 < krzy> lol 19:09 < Dougy> haha 19:09 < Concept-P> the dark part is probably because its night (CEST) =) 19:09 < Dougy> I was just wondering if tap has any benefits over tun for my purpose 19:10 < Dougy> Using a /30 per client is fine for my intents and purposes, but, was wondering if tap had any benefits 19:10 < krzy> !bridge 19:10 < vpnHelper> krzy: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the (1 more message) 19:10 < krzy> !morte 19:10 < vpnHelper> krzy: Error: "morte" is not a valid 
command. 19:10 < krzy> !more 19:10 < vpnHelper> krzy: protocol uses MAC addresses instead of IP addresses. 19:11 * Dougy shrugs 19:11 < Dougy> i dont have time to read it 19:11 < Dougy> tomorrow 19:11 < Dougy> i wil 19:12 < krzy> just see #4 19:12 < krzy> !bridge 4 19:12 < vpnHelper> krzy: Error: "bridge" is not a valid command. 19:12 < krzy> hrmz 19:12 < krzy> useful for windows sharing (without 19:12 < krzy> wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses. 19:12 < krzy> if thats not your case, you want routed 19:14 < krzy> for Concept-P it would let his samba clients browse by NETBIOS name, but i THINK he can still go by ip and be fine, or he could definatly use a wins server 19:14 < Concept-P> the samba server acts as a wins server aswell =) 19:15 < Concept-P> and yes it can be accessed by ip only 19:16 < Concept-P> through windows Start->run->\\192.168.0.4 where 192.168.0.4 is the samba servers ip 19:19 < Concept-P> krzy: it still pushes the .2 ip to the client even though the push is removed from the server conf.. 19:19 < Concept-P> Sun Aug 24 00:13:27 2008 drreception/192.168.134.101:1845 SENT CONTROL [drreception]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0 192.168.5.1,route-gateway 192.168.5.1,ping 10,ping-restart 30,ifconfig 192.168.5.50 192.168.5.51,ifconfig 192.168.5.2 255.255.255.0' (status=1) 19:19 < Concept-P> it now pushes both. =P 19:20 < Concept-P> but the client accepts only the .2 19:20 < Concept-P> and the ippool file is flushed manually =) 19:20 < Concept-P> krzy: any suggestions? 19:20 < Dougy> krzy: yeah, you know what my use(s) are 19:21 < Dougy> krzy 19:21 < Dougy> If I have.. 19:21 < Dougy> If I ahve a /27 and I want 25 clients to all get their own IP so its like a mini isp 19:21 < Dougy> I would need to use tap for that 19:21 < Dougy> right? 
19:21 < Dougy> like it'll dhcp them one 19:30 < krzy> nah 19:30 < krzy> you can use tun 19:30 < krzy> and sorry i had forgotten what you wanted 19:30 < krzy> heheh 19:30 < krzy> now i remember, ecrist was helpin ya last night 19:31 < krzy> your setup will be a ton like Concept-P's 19:31 < krzy> only you wont be using internal ips, you will use external ones 19:32 < krzy> while bridge would work too and allow less IP wasting, it would also allow clients to change their IPs 19:32 < krzy> with routed, you will lose some ips to the internal routing stuff, but will lock each in to their ip 19:33 < SilenceGold> lose? 19:33 < krzy> !learn cidr as http://www.oav.net/mirrors/cidr.html 19:33 < vpnHelper> krzy: The operation succeeded. 19:33 < SilenceGold> how do you lose ips to the internal routing stuff except for like gateway ip, broadcast ip? 19:33 < krzy> exactly 19:33 < krzy> 4 ips per client 19:34 < SilenceGold> lol 19:34 < krzy> he wants to hand out external IPs as opposed to an internal vpn block 19:34 < krzy> cause he has a /24 or /26 of ips 19:34 < SilenceGold> external IPs? you mean like Public IPs? 19:34 < krzy> yes 19:34 < SilenceGold> nah 19:34 < SilenceGold> you can use topology subnet as part of the beta versions 19:34 < Concept-P> wouldnt that be better to solve with some kind of NAT? 19:34 < SilenceGold> that will give one ip per client 19:34 < SilenceGold> I already got it working 19:35 < krzy> please explain more! 19:35 < krzy> sounds awesome 19:35 < SilenceGold> there's one of my answers on the FAQ 19:35 < SilenceGold> hrm..I can't remember the url to that unofficial FAQ 19:35 < Concept-P> doh =D 19:35 < krzy> our faq or another? 19:35 < SilenceGold> let me look at your faq 19:35 < SilenceGold> url? 
19:35 < krzy> !wiki 19:35 < vpnHelper> krzy: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN 19:36 < SilenceGold> no that's ecrist's 19:36 < krzy> actually, rmulls 19:36 < krzy> but ya 19:36 < SilenceGold> that's ecrist's domain 19:36 < krzy> right, ecrist runs the wiki, rmull wrote that up 19:36 < SilenceGold> "How do I route public IPs to my VPN clients without using NATD? " 19:37 < SilenceGold> that's my answer there 19:37 < SilenceGold> http://info.deafhogs.org/index.php/VPN_Access 19:37 < vpnHelper> Title: VPN Access - HaulmarkWiki (at info.deafhogs.org) 19:37 < SilenceGold> I set that up 19:38 < krzy> nice! 19:38 < SilenceGold> haven't even gotten to the point of finishing it yet 19:38 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn 19:38 < SilenceGold> it's mostly the students..and few journalists who went to china that are using it 19:38 < Dougy> my ride is here, im outtie 19:38 < krzy> adios Dougy 19:38 < SilenceGold> later 19:38 < Concept-P> bye =) 19:39 < krzy> SilenceGold, wheres the answer to his problem? 19:39 < SilenceGold> i was pointing out that you can assign one ip per client 19:39 < Concept-P> krzy: did you have any suggestions on the push? 19:39 < SilenceGold> not 4 19:39 < krzy> right, if no windows clients 19:39 < krzy> with ip-config-pool linear 19:39 < krzy> but his is for windows 19:40 < SilenceGold> you can do one ip per client for windows too 19:40 < SilenceGold> just have to use the beta version with "topology subnet" 19:41 < SilenceGold> [19:21:05] If I ahve a /27 and I want 25 clients to all get their own IP so its like a mini isp... 19:41 < krzy> looks like i got some reading to do 19:41 < SilenceGold> it is possible if you use the beta version with the "topology subnet" 19:53 < krzy> very cool SilenceGold, thank you 19:54 < krzy> !learn /30 as it is possible to avoid this behavior if you use the beta version with the "topology subnet" option 19:54 < vpnHelper> krzy: The operation succeeded. 
19:54 < krzy> !/30 19:54 < vpnHelper> krzy: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30, or (#2) it is possible to avoid this behavior if you use the beta version with the topology subnet option 19:55 < krzy> !forget /30 19:55 < vpnHelper> krzy: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them. 19:55 < krzy> !forget /30 * 19:55 < vpnHelper> krzy: The operation succeeded. 19:56 < krzy> !learn /30 as http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips 19:56 < vpnHelper> krzy: The operation succeeded. 19:57 < krzy> !learn /30 as it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 19:57 < vpnHelper> krzy: The operation succeeded. 19:57 < krzy> !/30 19:57 < vpnHelper> krzy: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 19:57 < krzy> i had no idea, that is definatly the solution for him 19:59 < Concept-P> damn. not even on another computer does the client get the ip given in the ccd conf 20:00 < krzy> what does it get? 20:00 < Concept-P> .3 20:00 < krzy> .3!? 20:00 < krzy> umm, ya sure? 20:01 < Concept-P> yes. but I will check again. 20:01 < krzy> ifconfig in client 20:01 < Concept-P> ipconfig in client. 
windows special =D 20:01 < Concept-P> .3 20:02 < Concept-P> but it cant ping .2 only .1 20:02 < krzy> shouldnt be able to ping .2 20:02 < Concept-P> ok 20:03 < Concept-P> from the serverlog: 20:03 < Concept-P> Sun Aug 24 00:56:23 2008 drkontor/192.168.134.102:1194 SENT CONTROL [drkontor]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0 192.168.5.1,route-gateway 192.168.5.1,ping 10,ping-restart 30,ifconfig 192.168.5.80 192.168.5.81,ifconfig 192.168.5.3 255.255.255.0' (status=1) 20:04 < Concept-P> and I have commented out the push "ifconfig ..." line from the server conf. 20:07 < krzy> start at a low number 20:07 < krzy> im not sure if .80 and .81 are the right numbers to pick 20:07 < krzy> maybe yes, maybe no 20:07 < krzy> depends where they fall into the /30 20:08 < krzy> im thinking no tho, since it would be .9 and .10, adding 4 to each side would lead to .89 and .90 when up that high 20:09 < Concept-P> oh they have to be in order.. I took 50/51 on the first client 60/61 on the second and so on. I didnt want to do math this late. ;) 20:12 < Concept-P> but its still strange that client2 got .3 then. 20:13 < krzy> to me, very 20:14 < krzy> try starting at 49/50 20:14 < krzy> since its 9/10 and you always add 4 to find next, taking 9/10 and adding 40 yields 49/50 20:14 < krzy> just do 1 while testing 20:15 < krzy> and yes, since it is using /30 it will need to be the right #'s accordingly 20:16 < krzy> the .3 being given out is new to me 20:18 < krzy> Then OpenVPN assigns a /30 subnet for each client that connets. The first available /30 subnet (after the one the server is using) is: 20:18 < krzy> * 192.168.1.4/30 20:18 < krzy> * 192.168.1.4 -- Network address 20:18 < krzy> * 192.168.1.5 -- Virtual IP address in the OpenVPN Server 20:18 < krzy> * 192.168.1.6 -- Assigned to the client 20:18 < krzy> * 192.168.1.7 -- Broadcast address. 
20:18 < Concept-P> krzy: it seems to be handing out ips trough the ip pool even though the ccd conf says different 20:21 < krzy> eventually you will want to see this part of the openvpn FAQ: 20:21 < krzy> How can I connect Windows XP to a Linux-based Samba server using routing rather than bridging? 20:21 < krzy> !faq 20:21 < vpnHelper> krzy: "faq" is http://openvpn.net/index.php/documentation/faq.html 20:21 < krzy> but first we need to get you using static 20:21 < krzy> theres a reason you need static right? 20:23 < Concept-P> hmm. I cant find the paragraf where it brings up static ips, only static keys. 20:23 < krzy> try commenting out the pool 20:23 < krzy> and add ifconfig 192.168.5.1 255.255.255.0 20:23 < krzy> to main server config 20:24 < Concept-P> well first the samba server needs to be on a static ip. the rest is for me to be able to connect via vnc over the vpn so I can help the users that cant get things to work. =D 20:24 < krzy> and mode server 20:24 < krzy> oh samba server is connected to vpn and not just on same LAN as the openvpn server? 20:25 < Concept-P> the samba server listens only to the tap interface. 20:25 < krzy> additional harm by having it only listen on LAN ip? 20:25 < krzy> ie: people on the lan that should NOT have access? 20:26 < Concept-P> well not really. but the remote users that connect with the vpn need to be able to connect to the samba server as well. 20:26 < krzy> ya that can be done easy enough either way 20:26 < krzy> i mean if you really want static we should be able to make that work 20:27 < krzy> although getting samba server connected to vpn on same lan should not work 20:27 < krzy> for that heres what ya do... 20:27 < krzy> whats samba server's lan ip? 
20:28 < Concept-P> I have allready gotten it to work with dynamic ips =) 20:28 < krzy> !route 20:28 < vpnHelper> krzy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 20:28 < Concept-P> .32 20:28 < krzy> you connected samba server to vpn server on the same lan ? 20:28 < Concept-P> yes =) 20:28 < Concept-P> no problems. =) 20:28 < krzy> umm, not unless they are seperated by 2 routers 20:29 < krzy> !samelan 20:29 < vpnHelper> krzy: Error: "samelan" is not a valid command. 20:29 < krzy> !lan 20:29 < vpnHelper> krzy: "lan" is you can NOT run both endpoints of openvpn on the same LAN. 20:29 < krzy> i should make a writeup that explains why 20:29 < Concept-P> I got it to work with a test net. 3 computers, 1 vpn server, 1 samba server, 1 client. the samba server only listened on the tap interface. 20:30 < Concept-P> but that was with dynamic ips. 20:30 < krzy> anyways, did you try what i said? 20:30 < Concept-P> the routing part? 20:30 < krzy> no 20:30 < krzy> try commenting out the pool 20:30 < krzy> and add ifconfig 192.168.5.1 255.255.255.0 20:30 < krzy> to main server config 20:30 < krzy> and mode server 20:30 < Concept-P> oh right. 20:31 < Concept-P> just about to =) 20:34 < Concept-P> i only have the line #ifconfig-pool-persist conf/drmrp/ip_pool.txt 20:34 < Concept-P> well now commented out. =P 20:34 < krzy> ohhh 20:34 < krzy> ya thats no good 20:34 < krzy> paste me your server config 20:34 < krzy> but ya you def want that commented out 20:35 < krzy> btw after you connected samba server to openvpn server on the same lan, you could ping? 20:36 < Concept-P> I dont remember if I tried that. But I could use the samba shares. 20:37 < Concept-P> http://plu.nu/~concept/temp/ 20:37 < krzy> well cool 20:37 < vpnHelper> Title: Index of /~concept/temp (at plu.nu) 20:37 < krzy> what ive learned says it shouldnt work, but if you say it does, go for it 20:37 < Concept-P> as long as the client was connected to the vpn. 
if it wasnt the server dissapeared ;P 20:39 < krzy> ahh 20:40 < krzy> remove your push route 20:40 < krzy> thats unneeded as its the block your vpn uses 20:40 < krzy> pushing the route is for a route behind the vpn 20:41 < krzy> like if your clients were gunna access your lan 20:41 < krzy> i THINK your ifconfig in server.conf needs to be 192.168.5.1 255.255.255.0 20:42 < krzy> try that 20:42 < krzy> along with your ccd handing out the ips i said earlier 20:42 < krzy> if that doesnt work i want you to comment out the server line, and replace it with mode server 20:43 < ecrist> Dougy: what's up? 20:44 < ecrist> what's going on, folks? 20:45 < krzy> wassssup 20:46 -!- ChanServ changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copy over 5 lines. | Don't feed the trolls. 20:55 < Concept-P> krzy: oki, I try that. 20:57 < krzy> ecrist, tryin to help Concept-P get static ips working 20:58 < krzy> ive never had a reason to do that so any input of yours is welcome and even requested ;] 20:58 < Concept-P> ecrist: Im having problems =D 21:00 < Concept-P> krzy: the first option didnt work. and when I remove the server line I get an error: 21:00 < Concept-P> Options error: --ifconfig-pool-persist must be used with --ifconfig-pool 21:00 < Concept-P> and openvpn (server) wouldnt start 21:01 < krzy> umm, you commented ifconfig-pool-persist conf/drmrp/ip_pool.txt didnt you? 21:02 < Concept-P> krzy: yeah, but I put it back when you said it was a bad idea. Ill remove it again =D 21:02 < krzy> ohh i meant bad idea to have that line 21:02 < krzy> you will NOT want that line with static ips 21:02 < Concept-P> ahh =P 21:02 < Concept-P> woot!! =D 21:03 < Concept-P> ip on client1 is .49 =D 21:03 < krzy> i take it that made it work? 21:03 < krzy> sweet 21:03 < Concept-P> checking client2 21:03 < krzy> and it can access samba? 
21:05 < krzy> or at least it can ping the server at .1? 21:05 < Concept-P> ping to .1 good. 21:05 < Concept-P> going to start the samba server in a couple of mins. =) 21:08 < krzy> werd 21:08 < krzy> would be cool if you get the time to make a writeup on openvpn with static ips for the wiki 21:08 < krzy> for the next guy 21:08 < krzy> its like sitting here helping everyone who has the same problems you had, but only takes a little time to do 21:09 < Concept-P> I have been thinking about how to thank you for helping me, so a writeup is the least I can do =) 21:09 < krzy> ya thats the best way 21:09 < krzy> saves me from ever manually helping someone with that stuff again =] 21:09 < Concept-P> krzy: if client1 had 49 as a ip the next useable would be 52? 21:10 < krzy> +4 21:10 < Concept-P> hehe =D 21:10 < Concept-P> 53 21:10 < Concept-P> air 21:10 < Concept-P> ait even 21:11 < krzy> and boom, im gone for a few hours 21:11 < krzy> when you see me back here, ill be drunk 21:11 < krzy> =] 21:11 < Concept-P> and client2 works! =D 21:11 < Concept-P> yeay! 21:11 < Concept-P> krzy: drink a couple for me too. ;) 21:31 -!- djs26 [n=djs@unaffiliated/djs26] has quit [Remote closed the connection] 21:37 -!- near [n=near@88-122-17-249.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:38 -!- near [n=near@83-155-186-245.rev.libertysurf.net] has joined ##openvpn 22:51 < ecrist> Concept-P: did you get things working? --- Day changed Sun Aug 24 2008 00:11 < Concept-P> ecrist: yeah! =D 00:11 < Concept-P> ecrist: well. the vpn part anyway. now the samba server is fscking with permissions. but what the heck =) 00:12 < Concept-P> ecrist: I told krzy I would do a writeup of the whole thing for the wiki as a thank you =) 00:23 < SilenceGold> hrm 02:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 02:41 < ecrist> Concept-P: back for a bit - can't sleep, have a bad cold. 
02:41 < krzee> werd 02:41 < krzee> i have beeping UPSs 02:42 < krzee> cause power had been out so long the power inverters that run on car batteries are out of juice 02:42 < krzee> if i suddenly disappear, the UPS hooked to my router/cablemodem is dead 02:42 < krzee> hehe 02:49 < Concept-P> haha =) 02:49 < Concept-P> ecrist: Im sorry to hear that =) 02:50 < Concept-P> well so far everything works as it should.. allmost.. =D 02:51 < Concept-P> krzee: does that mean you're drunk now? =) 02:51 < krzee> not fully 02:52 < krzee> my friends wanted to smoke and pulled me away too early to be drunk 02:53 < Concept-P> damn.. I think Im starting to get really tired.. I just uninstalled the samba server on the wrong machine. =P 02:53 < Concept-P> krzee: and you didnt want to smoke? 02:54 < krzee> hah im pretty blazef 02:54 < krzee> blazed 02:55 < Concept-P> haha =D 02:56 < Concept-P> =) 02:56 < Concept-P> no worries then =) 02:56 < krzee> !learn samba as http://openvpn.net/faq#samba-routing 02:56 < vpnHelper> krzee: The operation succeeded. 02:56 < krzee> !forget samba 02:56 < vpnHelper> krzee: The operation succeeded. 02:57 < krzee> !learn samba as http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge 02:57 < vpnHelper> krzee: The operation succeeded. 02:58 < Concept-P> hmm, maybe I should read that =P 02:58 < krzee> ;] 02:58 < krzee> except your vpn is already good 02:59 < krzee> and your clients can ping the machine with samba on it? 02:59 < Concept-P> yeah, and thats too simple for me =D 03:01 < Concept-P> krzee: yeah. I can access the samba server just fine. loggin in is not a problem. the problem Im having now is permissions within the share. atm I got in though. 
tailing logs and stuffs to find out why it sometimes doesnt work =) 03:01 < krzee> ahh 03:01 < krzee> i guess the only useful part of that is how to mount the samba share from commandline / batch file 03:01 < krzee> net use g: \\192.168.1.5\Daten /USER:user1 <-- your account on samba!! 03:02 < krzee> if that command has a PASS flag, you can make openvpn start it 03:02 < Concept-P> krzee: yeah, but I reconnect the share on boot =) 03:02 < krzee> cant reconnect the share if not on vpn 03:02 < ecrist> blarg, I need to update the freebsd howto one of these days 03:03 < krzee> it doesnt seem overly fbsd dependant 03:03 < ecrist> Concept-P: did you get your static IPs working? 03:04 < Concept-P> ecrist: yes I did =) 03:04 < ecrist> good. 03:04 < Concept-P> finally =) 03:05 < Concept-P> I think all the clients are uppdated now. =) 03:05 < ecrist> what problems were you running in to? 03:05 < Concept-P> ecrist: now? samba permissions on folders within a share =P 03:05 < ecrist> no, with static IPs. 03:05 < Concept-P> and a stupidass software issue. 03:06 < krzee> ecrist, 03:06 < krzee> here was his conf: http://plu.nu/~concept/temp/drmrp.conf 03:06 < Concept-P> ecrist: no problems at all with the static ips, or openvpn at all. =) 03:06 < krzee> and he had ccd/ entry giving ips 03:06 < krzee> had him lose: ifconfig-pool-persist conf/drmrp/ip_pool.txt 03:07 < krzee> oh wait that was twords the end 03:07 < krzee> before that we had to lose the server ip command 03:07 < ecrist> there's no ccd entry in that server config. 03:08 < Concept-P> hmm. 03:08 < krzee> o_O thats true 03:08 < krzee> ... thats weird 03:09 < krzee> erm, and whys it say dev tap! 03:09 < Concept-P> I can up the working conf in a sec. the computer kinda hung.. and the vpn went down.. Im not sure why. 03:09 < krzee> HAH thats why its working! 
03:09 < krzee> its a bridged setup 03:10 < krzee> (one of his clients is on the same LAN as the server, and it is working) 03:10 < krzee> was trippin me out 03:10 < krzee> can you post your current config? 03:11 < krzee> you have a tcp bridge, should at least make it udp 03:12 < Concept-P> krzee: its changed to udp now =) 03:12 < ecrist> why do you have a local client connecting to the vpn? 03:15 < Concept-P> there. now the current conf is in that dir. called new.conf 03:16 < Concept-P> ecrist: I dunno. maybe thats why it wasnt working? =P 03:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 03:21 < ecrist> Concept-P: connecting to a VPN from the same network is asking for problems. 03:21 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:22 < Concept-P> ecrist: heh, it sounds kinda obvious when you put it that way =D 03:22 < krzee> what did i miss there? 03:22 < krzee> [04:12] why do you have a local client connecting to the vpn? 03:22 < krzee> [04:22] ecrist: heh, it sounds kinda obvious when you put it that way =D 03:22 < krzee> sounds like 10min of info, lol 03:23 < ecrist> krzee: nothing. 03:23 < krzee> ecrist, did you see SilenceGold's solution for Dougy? 03:24 < krzee> !/30 03:24 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 03:24 < ecrist> krzee: yeah, I knew that. I told him to do that yesterday 03:24 < Concept-P> =D 03:25 < krzee> hah i missed it 03:25 < Concept-P> damn. I need to optimize samba. =P 03:26 < krzee> or it rolled off me, i thought we had both said he needed to waste more ips 03:33 < ecrist> yep, around 14:21 my time, I told him to use beta. 03:33 < krzee> ahh cool 03:34 < krzee> which tz ya in anyways? 
03:34 < krzee> im -5 (EST) 03:34 < ecrist> -6 03:34 < krzee> ahh werd 03:39 < krzee> ok Concept-P 03:39 < krzee> thats why you got ip .3 03:39 < krzee> and you can choose any IP # btw 03:39 < krzee> cause you arent using routed 03:39 < krzee> lol 03:39 < krzee> you have a bridge 03:40 < Concept-P> ahh oki. 03:40 < krzee> tun devices encapsulate IPv4 while tap devices encapsulate ethernet 802.3. 03:41 < Concept-P> well, everything is working now. so Im not touching it! =P 03:41 < krzee> thats why i was so confused about yout client being on the same lan and working, and about the .3 03:41 < krzee> ya, might as well leave it alone 03:41 < krzee> heheh 03:41 < Concept-P> even the crap software they are using. =D 03:42 < Concept-P> first of all its 16bit software.. ! 03:42 < Concept-P> and it doesnt have tcp/ip support.. it needs to have a mounted share to run =P 03:43 < krzee> heh 03:43 * ecrist gets groggy and goes to sleep 03:43 < krzee> 'nite ecrist 03:43 < Concept-P> nite =) 03:44 < Concept-P> (or good day here) =D 03:44 < Concept-P> I want to go to sleep too. =/ 04:24 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 04:26 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 04:48 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 05:59 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 06:00 -!- Usiu [n=mateusz@72.81.datacomsa.pl] has joined ##openvpn 06:00 < Usiu> HI 06:00 < Usiu> is there any GUI for server configuration? 06:01 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 06:02 < Concept-P> Not to my knowlage =) 06:03 < Usiu> that sucks 06:03 < Concept-P> maybe, maybe not. with a gui, you're kinda stuck with certain options. 
=) 06:04 < Usiu> Concept-P: but its simple and works 06:04 < Usiu> Concept-P: and is fast 06:04 < Usiu> Concept-P: you dont have to be a openvpn developer to set it up 06:05 < Usiu> Concept-P: or Linux system administrator with over year of pratice in doing this stuff 06:05 < Concept-P> Im not a developer and I got one working.. (with a couple of hours help from people here) But I had a special case too =P 06:05 < Usiu> it just mean that new users can't do it 06:06 < Concept-P> Usiu: a simple setup? tried the example scripts that come along with openvpn? 06:06 < Usiu> Concept-P: yes 06:06 < Usiu> Concept-P: but I am not sure how to use them anyway 06:07 < Usiu> I dont have time to spend on setting such a simple thing like vpn 06:07 < Usiu> it should take 4-10min 06:07 < Usiu> not couple of hours 06:07 < Concept-P> heh 06:08 < Concept-P> Usiu: the example scripts should work out of the box if you generate the certificates =) 06:09 < Usiu> Concept-P: generating certificates it another thing 06:09 < Usiu> is there something like shared password in VPN ? 06:09 < Usiu> or pam authentication ? 06:10 < Concept-P> well.. the certificates are like shared encrypted password files. =) 06:12 < Usiu> Concept-P: If I had to choose between poping out dialog asking for password and file selection dialog to select file with password. I would choose first solution. When it comes to openvpn its not even the second one. Because you have to generate them and provide somewhere manualy and this is a lot of pain in most cases as openssl versions or whatever tool is used are diffrent. 06:14 < Concept-P> Usiu: with almost all encryption states you need to generate something.. with a gui or not. 06:15 < Usiu> Concept-P: but most of tools I use do it automaticaly (transparently) or use a gui for it. Even pidgin does it automaticaly. 06:16 < Concept-P> Usiu: it isnt hard to run the easy-rsa scripts... 06:17 < Usiu> Concept-P: is there any non encrypted vpn setup ? 
06:19 < Concept-P> Usiu: yes, but I dont know how to do that =D 06:20 < Concept-P> Usiu: you just need to link two networks together? no need for security? 06:20 < Usiu> yes 06:21 < Usiu> its over internet so I dont really care 06:21 < Usiu> moreover data exchanged are not so important 06:22 < Concept-P> Usiu: what kind of data need to be exchanged? 06:24 < Usiu> Concept-P: pdf, music, photos 06:25 < Usiu> Concept-P: also I want someone to use my local printer 06:25 < Concept-P> Usiu: like a windows share? 06:25 < Usiu> Concept-P: yes, I want to run samba on that network 06:27 < Concept-P> Usiu: shares can be used over the internet without vpn. (not recomended though, for security reasons) =) 06:29 < Usiu> Concept-P: but configuration is already for local network 06:29 < Usiu> Concept-P: so I want to keep it this way 06:29 < Usiu> Concept-P: so I does not matter where I am 06:30 < Usiu> Concept-P: if I come back to network, or I am at home printer would have the same addres 06:30 < Usiu> which is local address 06:31 < Concept-P> Usiu: does the share have a external ip? (or is it possible to forward a port to the samba server?) 06:32 < Concept-P> in that case, just connect with the external ip ie: \\81.100.123.3\sharename 06:33 < Usiu> Concept-P: yhm 06:33 < Usiu> ok thanks 06:34 < Concept-P> Usiu: dont thank me, I just told you how to open a backdoor to your system... its better to have security =) 06:34 < Usiu> I dont really care about security :) 06:35 < Usiu> unless someone is damaging my filesystem with /dev/urandom garbage:P 06:36 < Concept-P> heh oki. =P 06:36 < Usiu> Concept-P: heh http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html 06:36 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 06:37 < Usiu> Concept-P: is static.key the same thing as shared key ? 06:38 < Concept-P> Usiu: hmm, now youre asking me things Im not sure of. 
But since both client and server need the same key file, I would say its shared =D 06:39 < Concept-P> But Im guessing =) 06:59 -!- xybre [n=xybre@bb4win/users/fluffy] has joined ##openvpn 07:05 -!- Usiu [n=mateusz@72.81.datacomsa.pl] has quit ["Ex-Chat"] 07:17 -!- xybr3 [n=xybre@bb4win/users/fluffy] has quit [Read error: 110 (Connection timed out)] 08:35 < ecrist> that god he left. 09:17 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 09:52 -!- near [n=near@83-155-186-245.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)] 09:58 -!- near [n=near@83-155-186-245.rev.libertysurf.net] has joined ##openvpn 11:42 < Dougy> ecrist! 11:42 < Dougy> Are you still there? 11:55 < Dougy> Damn it. 11:56 * Dougy pokes krzee 11:57 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 12:07 < krzee> hey 12:08 < Dougy> yooo krzee 12:08 < krzee> dougy, ecrist and SilenceGold had your solution 12:08 < Dougy> mIRC cleared the window on me so i missed what was said last night when i left 12:08 < krzee> !/30 12:08 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 12:08 < krzee> you want #2 12:08 * Dougy loads 12:09 < Dougy> that looks excellent 12:09 < Dougy> IMHO that is far better than a /30 per client 12:09 < Dougy> Don't you agree? 
12:11 < krzee> very much so 12:11 < krzee> which is why i let ya know bout it =] 12:11 < krzee> its exactly what you want 12:18 < Dougy> yup 12:18 < Dougy> I think that should become standard in OpenVPN 12:18 < Dougy> I have bookmarked that as well 12:18 < Dougy> Its from 2005 :| 12:28 < krzee> just upgrade 12:28 < krzee> i use that version anyways 12:29 < Dougy> hm 12:29 < Dougy> ill have to read more after i repair this serve 12:29 < Dougy> r 12:29 < krzee> OpenVPN 2.1_rc9 -- released on 2008.07.31 12:29 < krzee> use that version 12:30 < krzee> Windows Vista-ready on both x86 and x64. 12:30 < krzee> OpenVPN GUI is now packaged in the Windows installer. 12:30 < krzee> topology subnet feature, allowing intuitive tun-based VPN subnets having 1 IP address per client. 12:30 < krzee> TAP-Win32 adapter can now be opened from non-administrator mode. 12:31 < krzee> !learn betaman as http://www.openvpn.net/man-beta.html 12:31 < vpnHelper> krzee: The operation succeeded. 12:31 < krzee> !menu 12:31 < vpnHelper> krzee: "menu" is !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push 12:31 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push 12:31 < vpnHelper> krzee: The operation succeeded. 12:31 < krzee> !forget menu 1 12:31 < vpnHelper> krzee: The operation succeeded.
12:33 < krzee> i forget if it was you or Concept-P whose boss said that openvpn gui had a security issue 12:33 < krzee> but [13:30] TAP-Win32 adapter can now be opened from non-administrator mode. 12:33 < krzee> may make him happy 12:33 < Dougy> it was my boss 12:34 < krzee> also, if whatever hes talking about is true he should let mathias know 12:34 < Dougy> k 12:34 < Dougy> i need to look into the single ip soon 12:34 < Dougy> soon as I finish chewing out this customer 12:34 < Dougy> douchebag 12:34 < krzee> lol 12:34 < Dougy> hes hosting a 200+ concurrent user vB site 12:34 < Dougy> on a P4 3.0 12:35 < Dougy> with 1 GB RAM and an IDE drive 12:35 < Dougy> "I want SLA credits because my server keeps going down and overheating." 12:35 < Dougy> NO DUH, DIP SHIT. 12:35 < Dougy> jeez 12:35 < krzee> lol 12:35 < Dougy> and he wont upgrade 12:35 < Dougy> "This P4 should be able to handle 400 online no problem" 12:35 < krzee> bahah 12:35 < krzee> enjoy that 12:35 < Dougy> I actually started laughing at him 12:35 < krzee> 400 users viewing a test file ;] 12:35 < Dougy> I said "We have sites with 400 online and they have a 5 server cluster to handle it" 12:35 < Dougy> lol 12:39 < Dougy> er krzee 12:39 < Dougy> the beta link on that is bad 12:39 < Dougy> the download link on osdir 12:40 < krzee> [13:30] TAP-Win32 adapter can now be opened from non-administrator mode. 12:40 < krzee> oops 12:40 < krzee> http://sportsillustrated.cnn.com/2008/olympics/2008/08/23/taekwondo.ban.ap/index.html 12:40 < vpnHelper> Title: Cuban athlete banned for life after kicking taekwondo ref - 2008 Olympics - SI.com (at sportsillustrated.cnn.com) 12:40 < krzee> dont download from very old link on a mail list 12:40 < krzee> download from openvpn.net 12:41 < krzee> !learn download as http://www.openvpn.net/index.php/downloads.html 12:41 < vpnHelper> krzee: The operation succeeded. 12:41 < Dougy> just the latest beta? 
12:41 < Dougy> ahaha 12:41 < Dougy> 2_1 12:41 < Dougy> duh 12:41 < Dougy> right on 12:41 < krzee> [13:29] OpenVPN 2.1_rc9 -- released on 2008.07.31 12:41 < krzee> [13:29] use that version 12:41 < Dougy> righto 12:42 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download 12:42 < vpnHelper> krzee: The operation succeeded. 12:42 < Dougy> krzee: for the most part will my config work 12:42 < krzee> !forget menu 1 12:42 < vpnHelper> krzee: The operation succeeded. 12:42 < Dougy> the old one 12:42 < Dougy> or do i need to redo 12:42 < krzee> i believe so, if not show us the error 12:42 < krzee> no dont redo 12:42 < Dougy> okay 12:42 < Dougy> do you use rc9? 12:42 < krzee> i do 12:48 < Dougy> nice 12:48 < Dougy> someone here a while back told me against it, i don't recall who 12:51 < Dougy> oh krzee one more question 12:51 < Dougy> is there a safe way to install 2.1 over 2.0? like, i compiled 2.0 from source 12:51 < Dougy> i cant just recompile 2.1 over it, can i? 12:54 < Dougy> :( 12:57 < Dougy> aha got it 13:04 < Dougy> krzee it works! 13:04 < Dougy> :D:D:D 13:04 < Dougy> 172.16.0.1 and .0.2 13:04 < Dougy> :D 13:05 < SilenceGold> :) 13:05 < Dougy> SilenceGold: Thank you. :) 13:05 < Dougy> Now I can use a /29 again if I want. Heh. 13:05 < SilenceGold> heh 13:05 < Dougy> I think that should be the mainstream and you should have to configure it to use a /30 instead 13:05 < Dougy> I think that should be the mainstream and you should have to configure it to use a /30 instead of the other way around* 13:19 < krzy> Dougy, im sure that will end up being the case 13:19 < krzy> remember, its still a beta feature...
13:19 < Dougy> Seems to work stable for me with 9 clients 13:19 < Dougy> lol 13:20 < krzy> yup 13:20 < krzy> in openvpn beta usually doesnt mean unstable 13:20 < krzy> just means relaticely untested, as compared to the other stuff 13:21 < krzy> relatively 13:21 < Dougy> nod 13:21 < Dougy> so what did you think of my security doc idea 13:21 < krzy> same as yesterday 13:21 < Dougy> i see ecrist was awake 13:21 < Dougy> did he mention anything 13:22 < krzy> dont think he saw that idea 13:22 < krzy> he tried to respond to your asking him to respond, but you werent in 13:30 < Dougy> :( 13:30 < Dougy> ecrist: when you're here (if its within the next 5 and a half hours, pm me) 14:42 -!- gallatin [n=gallatin@dslb-088-077-069-255.pools.arcor-ip.net] has joined ##OpenVPN 14:59 < krzy> *bored( 15:00 < Dougy> lol 15:00 < Dougy> same 15:14 < Dougy> wow 15:14 < Dougy> krzy 15:14 < Dougy> this is incredibly cool 15:14 < Dougy> lol 15:14 < krzy> yoh 15:14 < krzy> ? 15:14 < Dougy> linking you 15:14 < Dougy> hold 15:15 < Dougy> http://www.speedtest.net/result/313242699.png 15:15 < Dougy> thats through my VPN 15:15 < Dougy> lo 15:15 < Dougy> l 15:15 < krzy> shit 15:15 < krzy> nice man 15:15 < Dougy> hahah 15:15 < Dougy> well 15:15 < Dougy> i'm on a work line here in the company office 15:15 < Dougy> its about 200 Mbps when not VPN'd 15:15 < Dougy> so 15:16 < Dougy> lol 15:16 < krzy> how many hops from server? 15:17 < Dougy> one mom 15:17 < Dougy> 3 15:17 < Dougy> lol 15:17 < krzy> 3 hops away!? 15:17 < Dougy> yes 15:17 < Dougy> it goes from office down to the DC 15:17 < Dougy> my server is in the same rack as the office router 15:17 < Dougy> lol 15:17 < krzy> so the DC has less BW than the office?
15:18 < Dougy> the bw for the office comes from the DC 15:18 < Dougy> :| 15:18 < Dougy> hold on 15:18 < Dougy> now doing speedtest on office non-vpn 15:18 < Dougy> its a bit sluggish today 15:18 < Dougy> in fact 15:18 < Dougy> extremely 15:18 < Dougy> lol 15:19 < Dougy> http://www.speedtest.net/result/309922257.png 15:19 < Dougy> that's the norm 15:20 < Dougy> haha 15:20 < Dougy> thats the priv network in the office for OS reloads.. my desk's connection is different 15:20 < Dougy> sec 15:21 < Dougy> its much slower :p 15:21 < Dougy> http://www.speedtest.net/result/313244829.png 15:23 < krzy> werd 15:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 15:29 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:29 -!- gallatin [n=gallatin@dslb-088-077-069-255.pools.arcor-ip.net] has quit ["Client exiting"] 15:32 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has joined ##openvpn 16:11 -!- Dougy [n=doug@64.18.159.247] has quit [Nick collision from services.] 16:11 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 16:11 < Dougy> ffs 16:20 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has joined ##openvpn 16:21 < st1650> I have openvpn installed on a client on ip 10.0.0.2. Router and DHCP server is on 10.0.0.1 I can connect remotely and get an ip in the 10.0.0.x range but I can't ping anything ... is the problem on the client or the router side ? 16:22 < krzy> routed or bridged? 16:23 < st1650> humm hold on .. 16:23 < krzy> tun or tap 16:23 < st1650> tap 16:23 < st1650> it worked fine before ... I was on the 192.168.x subnet 16:24 < st1650> But in the migration to 10.0.0.x now I'm stuck ... 16:24 < krzy> ya im not too familiar with tap 16:24 < krzy> i take it you're doing windows filesharing or LAN gaming? 16:24 < st1650> Yes and no ...
16:25 < st1650> It mostly for when I'm remote (internet cafe, hotels, etc) 16:25 < krzy> well ya, yes to either is a good reason for a bridge 16:25 < krzy> !bridge 16:25 < vpnHelper> krzy: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the (1 more message) 16:25 < krzy> !more 16:25 < vpnHelper> krzy: protocol uses MAC addresses instead of IP addresses. 16:25 < st1650> I'd rather not touch the conf now since it was working fine before ... 16:25 < Dougy> Tun <3 16:25 < krzy> well if you arent using one of what i mentioned, you dont want a bridge 16:26 < krzy> more overhead, harder setup, opens you up to MITM arp attacks if someone gets into any part of the bridged lan 16:27 < krzy> so if you arent using any protocols that use MAC address instead of IP, im happy to help you get to a tun setup 16:27 < st1650> Ok .. sure .. want to see my config file ? 16:27 < krzy> otherwise, im unable to help with the bridge setup as i dont play games or use win filesharing 16:28 < krzy> sure 16:28 < krzy> !configs 16:28 < vpnHelper> krzy: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 16:30 < st1650> Server (Linksys wrt54gl running DD-WRT on 10.0.0.2 ip address, router is running tomato on 10.0.0.1) http://pastebin.ca/1183724 16:30 < st1650> Client: Windows XP: http://pastebin.ca/1183725 16:31 < krzy> !router 16:31 < vpnHelper> krzy: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... 
dont expect help until you turn on logging so you can post them 16:31 < krzy> that will matter if you run into ANY errors 16:31 < krzy> but not important yet as we dont have any problems yet 16:31 < st1650> ok 16:31 < krzy> still, make sure you know how to turn on logging 16:31 < st1650> ok 16:32 * krzy loves the bot 16:32 < krzy> !sample 16:32 < vpnHelper> krzy: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 16:33 < krzy> anything special to your setup? need access to lans behind server and or client? 16:33 < krzy> sounded like road warrior setup so im guessing only want access to lan behind server, unless you're just trying to change your default route (or both) 16:34 < st1650> needs to run on port 53 UDP ... other than that, normal setup .. 16:34 < krzy> nice 16:34 < st1650> ¸< 16:34 < krzy> ok so no access to lan behind the server? 16:34 < st1650> oups 16:34 < st1650> cat 16:35 < krzy> and no access to inet through your vpn? 16:35 < st1650> well yeah id like to access my routers and servers from outside 16:35 < krzy> and will you be routing traffic bound for the inet over the vpn? 16:35 < krzy> or just to access your lan?> 16:35 < st1650> access my lan 16:35 < krzy> k 16:36 < krzy> lan is 10.0.0.0/24 16:36 < st1650> yup 16:36 < krzy> duplicate-cn # Allow multiple clients with the same common name 16:36 < krzy> do not use that 16:36 < krzy> like, ever 16:36 < st1650> ok 16:37 < Dougy> krzy: someone told me to enable that yesterday 16:37 < Dougy> lo 16:37 < Dougy> l 16:37 < krzy> Dougy, who? 16:37 < Dougy> er 16:37 < Dougy> maybe the day before 16:37 < Dougy> I think it was ecrist actually 16:37 < krzy> maybe he only meant for testing 16:38 < Dougy> n 16:38 < krzy> thats all its good for 16:39 < krzy> st1650, your setup is very basic 16:39 < ecrist> sup, guys? 16:39 < krzy> you basically just want my sample configs 16:39 < krzy> remove my client-config-dir entry 16:39 < ecrist> krzy: not really. 
:\ 16:39 < krzy> and add push route for 10.0.0.0/24 16:40 < ecrist> for example, you can give it to a user who may have more than one machine. 16:40 < krzy> ecrist, not really what? 16:40 < Dougy> ecrist!!!!!! 16:40 < Dougy> Can I PM you, I want to ask you something, but I dont wanna interfere with krzy here 16:40 < st1650> krzy: Could you edit it ? I'm not sure how to push routes 16:40 < krzy> 1sec 16:40 < krzy> !route 16:40 < vpnHelper> krzy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 16:40 < ecrist> Dougy: sure, I guess. 16:41 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)] 16:42 < Dougy> pm sent 16:44 < krzy> ecrist, were you saying not really about the duplicate-cn thing? 16:44 < ecrist> krzy: yes 16:44 < krzy> because even openvpn.net says it should only be used for testing 16:44 < krzy> and is not recommended for real life usage 16:45 < krzy> more certs should be made when more clients are desired 16:45 < ecrist> krzy: there are real-world situations where they can be useful. 16:45 < krzy> more useful than simply creating another cert? 16:46 < ecrist> krzy, I've gone to issuing certs for every client, however, I only do it so each certificate can have their own static IP. 16:46 < ecrist> before I was issuing statics, I didn't care how many client connections were coming in for each certificate. 16:47 < Dougy> erk chest pain :S brb 16:47 < st1650> krzy: ERROR : Dev tun also requires ifconfig 16:49 < krzy> 1sec 16:49 < st1650> strange ... 
16:49 < st1650> it didn't save 16:49 < st1650> hold on 16:49 < krzy> ecrist, in your example your reasoning is only laziness, not actually making anything better 16:50 < krzy> whereas to disallow the cert when already logged in is slightly better 16:50 < ecrist> i disagree 16:50 < Dougy> I cant believe I lol at IRC arguments 16:52 < krzy> you disagree that it was only for laziness or that theres slightly more security in not letting someone use your cert while you are already using it? 16:52 < krzy> dont get me wrong, im sure im lazier than anyone else 16:52 < krzy> im quite lazy ;] 16:52 < st1650> krzy: testing from remote ... brb 2min 16:52 < ecrist> krzy: I don't see anything wrong with giving a user one certificate for use on multiple machines. 16:52 < krzy> st1650 1sec 16:53 < krzy> ecrist, til someone gets their hands on it 16:53 < ecrist> it's no more difficult to turn off... 16:54 < ecrist> regardless, a VPN isn't the *only* security protocol in place on any network run by a competent admin. 16:54 < krzy> that is true, but i'd rather they not even be able to get in while i find out i need to add it to CRL 16:54 < krzy> very true 16:54 < krzy> im just agreeing with the devs 16:54 < ecrist> tbh, the network at my work could be opened up to the world, and would be virtually as secure. 16:55 < krzy> or at least whoever made openvpn.net 16:55 < ecrist> krzy: don't agree with them just because they wrote a useful piece of software. Unless you're a sheep. 16:56 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has quit [Read error: 104 (Connection reset by peer)] 16:57 < krzy> using suggested security by the authors is being a sheep? 16:58 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has joined ##openvpn 16:58 < st1650> back 16:59 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 16:59 < ecrist> krzy: agreeing with them simply because they said so, is being a sheep.
16:59 < krzy> http://pastebin.ca/1183749 17:00 < krzy> for st1650 17:00 < st1650> krzy: looks like what I have ... hold on im testing remotely .. 17:02 < krzy> my client config isnt for windows, so may be a slight edit to that 17:02 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has quit [Read error: 104 (Connection reset by peer)] 17:02 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has joined ##openvpn 17:02 < st1650> nope doesn't work 17:02 < krzy> my client config isnt for windows, so may be a slight edit to that 17:02 < krzy> !logs 17:02 < vpnHelper> krzy: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 17:02 < st1650> It connects fine, gets the ip address but I can't ping anything 17:06 < Dougy> sec let me look 17:06 < Dougy> url to config? 17:06 < st1650> same problem as before, when I was in tap mode ... 17:06 < st1650> I'm running out of time .. Ill be back 17:06 < st1650> thanks for the help 17:07 < Dougy> url to config? 17:09 < krzy> when you come back bring logs ps 17:09 < krzy> pls 17:09 < krzy> and we'll getchya up 17:11 < krzy> and Dougy, im not really arguing with ecrist, we just have diff viewpoints on that and since i see him a lot here and we both dish out a bit of help i wanted to see why he would recommend duplicate-cn over just amking more configs 17:11 < krzy> making 17:11 < krzy> but its really not a big deal, not like he's saying to leave out tls-auth or anything that really matters 17:12 < ecrist> krzy: to clarify, my advice was to create two different certificates, or at the very least, enable duplicate-cn 17:12 < krzy> ahh 17:12 < krzy> ok ya i read that different than what i thought it was 17:13 < krzy> assumption... 17:13 < krzy> heh 17:13 < krzy> !learn assumption as the mother of all F***ups 17:13 < vpnHelper> krzy: The operation succeeded. 17:13 < krzy> ;] 17:14 < krzy> btw ecrist, did you see !menu?
17:14 < krzy> it doesnt update itself so when i add something i update menu, have tried to add everything i could remember to it 17:17 < krzy> !menu 17:17 < vpnHelper> krzy: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download 17:20 < ecrist> krzy: would possibly be better if !menu was replied via PM. 17:20 < krzy> not an option, also not as helpful for anyone who sees !menu and notices a topic they may want to read 17:21 < krzy> well not an option unless you code python 17:21 < ecrist> I don't code python, but I'm sure it's not that hard. 17:21 < ecrist> I do code perl, though. 17:22 < krzy> just yesterday i was editing the menu and someone found something in it they wanted to read 17:22 < krzy> although i think it was just !insanity, lol 17:28 < krzy> oh and Dougy was hoping we could make a writeup on openvpn security implementation, like overview from !secure + details and examples 17:28 < krzy> it sounds like a long writeup, was curious if you had any interest in helping with it if i started working on it next time im bored enough 17:29 < krzy> on the wiki 17:31 -!- xybre [n=xybre@bb4win/users/fluffy] has quit ["Leaving"] 17:31 < ecrist> I have interest, but often no time. 17:31 * ecrist goes away for a bit. 17:31 < krzy> ya i hear ya 17:32 < krzy> see you 17:37 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:51 -!- kaynine [i=5684dc5d@gravity.spherecarrier.org] has quit ["later gang; keep up the good work :)"] 17:54 < krzy> !betaman 17:54 < vpnHelper> krzy: "betaman" is http://www.openvpn.net/man-beta.html 17:55 < krzy> have any of you played with --port-share in beta yet?
17:56 < krzy> it looks really cool 18:06 < Dougy> negative 18:06 < Dougy> Hm krzy 18:06 < Dougy> Is there an official "openVPN" forum? 18:06 < Dougy> Like one dedicated to it 18:06 < krzy> not that i know of 18:07 < Dougy> hmmm 18:07 * Dougy has a lightbulb in his head 18:07 < Dougy> : 18:07 < Dougy> :O* 18:08 < krzy> if one is created ill add !forum and signup, like we recently did with ecrist's wiki 18:20 < Dougy> I'll help create one 18:20 < Dougy> but 18:20 < Dougy> I don't know enough to admin it myself 18:20 < Dougy> (HINT) 18:20 < krzy> hehe 18:20 < krzy> ill cruise through and answer ?'s 18:20 < Dougy> If you want to help and maybe ecrist too I'll put it together 18:21 < krzy> maybe even add a forumfeed for the chan 18:21 < Dougy> can i PM to discuss more? 18:21 < krzy> if we decide the forumfeed isnt annoying 18:21 < Dougy> i don't wanna give anyone any golden ideas ;) 18:21 < krzy> if you want, but we can just talk in here too, either way 18:26 < krzy> and if you dont wanna renew it cause it doesnt get used, you only lose $8 18:33 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 19:04 -!- Dougy is now known as Dougy|Work 19:39 < Dougy|Work> damn it' 19:39 < Dougy|Work> ughhhhhhhhhhhhhhhh 20:31 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 20:41 * Dougy stabs ecrist 20:41 < Dougy> SilenceGold: 20:41 < Dougy> hi 20:41 < SilenceGold> hi 20:42 < Dougy> hihi 20:42 < Dougy> thanks again for the help 20:42 < SilenceGold> all working good? 20:43 < Dougy> thumbs up 20:43 < Dougy> now i got 172.16.0.1 .2 .3 .4 20:43 < SilenceGold> heh 20:43 < Dougy> Thanks :) 20:43 < SilenceGold> the fun part is graphing the traffic being used per client 20:43 < SilenceGold> I got it working in cacti now :) 20:44 < Dougy> dude 20:44 < Dougy> that's sick 20:44 < Dougy> i wouldn't even know where to look, honestly 20:44 < SilenceGold> have you used cacti?
20:44 < Dougy> of course i have 20:44 < Dougy> :) 20:44 < Dougy> I do cacti installs on a daily basis 20:44 < SilenceGold> okay 20:45 < SilenceGold> then just look into openvpn's management port 20:45 < SilenceGold> you can write a script that will telnet to that port to get the stats 20:45 < Dougy> Down the road :) Not tonight 20:45 < SilenceGold> then parse it into readable for the cacti 20:45 < Dougy> haha 20:45 < Dougy> like I can script 20:45 < SilenceGold> I just gave you hints on how you can do it 20:45 < Dougy> you're funny :) 20:45 < SilenceGold> it is expected for you to know how to script 20:45 < SilenceGold> learn then 20:45 < Dougy> script what? 20:45 < Dougy> bash? 20:46 < SilenceGold> any 20:46 < SilenceGold> almost any scripting language can do it 20:46 < Dougy> ah 20:46 < Dougy> okay 20:46 < Dougy> Ill look into it. 20:46 < SilenceGold> python, csh, sh, bash, php 20:46 < Dougy> SilenceGold: did you see my idea of the openVPN forum? 20:46 < SilenceGold> even perl 20:46 < Dougy> could Perl 20:46 < SilenceGold> Dougy yea 20:46 < Dougy> ha 20:46 < Dougy> I'm learning PHP and Perl 20:46 < Dougy> well trying to 20:46 < Dougy> what do you think of the idea, SilenceGold? 20:46 < Dougy> you're probably gonna say its gonna flo 20:46 < Dougy> p 20:47 < SilenceGold> yea it will 20:47 < SilenceGold> you need enough traffic 20:47 < SilenceGold> it'll get overwhelmed by newbies with routing problems thinking it's openvpn's problem 20:47 < SilenceGold> I think that the wiki is the best solution 20:47 < SilenceGold> with the best FAQ list available 20:48 < Dougy> Yeah 20:48 < Dougy> Probably 20:48 < Dougy> It's worth a shot though :) 20:48 < SilenceGold> your big problem with the forums is getting enough people to help 20:48 < Dougy> yep 20:50 < ecrist> what's up, folks? 20:50 < Dougy> sup ecrist 20:50 < Dougy> :) 20:51 < ecrist> fwiw, I can host a forum, but have little desire to admin it. 
20:52 < Dougy> er 20:52 < Dougy> i suck at e-speak 20:52 < Dougy> what's "fwiw" 20:52 < Dougy> ? 20:52 < ecrist> For What It's Worth 20:52 < Dougy> oh 20:52 < Dougy> I have plenty of time to waste 20:52 < Dougy> cleaning it up and running it 20:52 < Dougy> i just will need some people to help the newbies :p 20:52 < Dougy> erm ecrist does www.ovpnforum.com load for you 20:53 < ecrist> negative 20:53 < Dougy> what the f 20:53 < Dougy> :| 20:54 < Dougy> wow 20:54 < Dougy> my ISP SUCBBBBBBKS 20:54 < Dougy> .. 20:54 < Dougy> SUCKS******** 20:54 < Dougy> traceroute to ovpnforum.com (64.18.144.145), 30 hops max, 40 byte packets 1 192.168.1.1 (192.168.1.1) 23.315 ms 68.946 ms 79.948 ms 2 10.68.0.1 (10.68.0.1) 115.312 ms 152.560 ms 171.412 ms 20:54 < Dougy> woo. 20:55 < SilenceGold> you're hosting it at home? 20:55 < SilenceGold> it looks like it's the domain lookup failing 20:56 < Dougy> no, i'm not hosting it at home 20:56 < Dougy> it's in the DC at work 20:56 < Dougy> those were just the first 2 hops of the traceroute 20:56 < Dougy> lol 20:56 < Dougy> 100 ms latency inside my LAN 20:56 < Dougy> how nice 20:56 < ecrist> well, whatever you guys decide to do, let me know, or not. I'm not the boss or anything. 20:56 * Dougy nods 20:56 < Dougy> I need to figure out why named is screwed up 20:56 < Dougy> but its only for that one domain 20:56 < Dougy> :S 20:57 < ecrist> ns1.bergenhosting.com is resolving just fine. 20:58 < Dougy> should be .net 20:58 < ecrist> as is ns2 20:58 < ecrist> erm yeah, nsX.bergenhosting.net 20:58 < Dougy> .com is old and outdated 20:58 < Dougy> yeah 20:58 < Dougy> all the other sitse on the server resolve too.. 20:58 < Dougy> sites 20:58 < Dougy> such as www.pulserepair.com 20:59 < Dougy> something is miserably wrong with my server 20:59 < Dougy> what the frickin hell 20:59 < ecrist> Dougy: your colo sucks balls. 
21:00 < Dougy> apparently so 21:00 < Dougy> our network has been fucked up the last 3 days 21:00 < Dougy> am i going to get banned if i curse again? 21:00 < ecrist> http://pastebin.com/m5035f06a 21:01 < ecrist> hrm, depends. 21:01 < Dougy> dude 21:01 < Dougy> i'm going to kill my boss 21:01 < Dougy> he goes on vacation when our network starts to mess up 21:01 -!- mode/##openvpn [+o ecrist] by ChanServ 21:01 < Dougy> and ecrist, please don't ban me for this 21:01 < Dougy> but 21:01 < Dougy> WHAT THE FUCK IS GOING ON!?!? 21:01 < Dougy> ughhhhhhhh 21:02 < Dougy> this isn't fair 21:02 < SilenceGold> uh where are the trolls 21:02 < Dougy> :( 21:02 < SilenceGold> I want to feed some 21:02 < Dougy> haha 21:02 < Dougy> well 21:02 -!- mode/##openvpn [-o ecrist] by ecrist 21:02 < ecrist> lol 21:02 < Dougy> it's time to move the site to somewhere that's not complete garbage 21:02 < Dougy> i can't believe that i'm saying that about my employer 21:02 < SilenceGold> Dougy sign up for my VPn and you can host your own website at home 21:02 < ecrist> well, off to spend some time with the wife before bedtime. 21:02 < Dougy> but they're really that bad 21:02 < Dougy> night ecrist 21:02 < ecrist> Dougy: fwiw, my DSL is more stable than your colo. :) 21:02 < Dougy> apparently so 21:02 < Dougy> i had been getting weird packet loss tickets last few days 21:03 < SilenceGold> but he don't have SPLA obviously 21:03 < SilenceGold> who's your provider? 21:03 < Dougy> www.justedge.net 21:03 < Dougy> i work there 21:03 < Dougy> i dont know what's going on 21:03 < SilenceGold> doing what? 21:03 < ecrist> you *work* at your colo? 21:03 < Dougy> i work for the datacenter.. 21:03 < Dougy> yes 21:03 < ecrist> and you can't get a server online? 21:03 * ecrist points and laughs. 
21:04 < ecrist> :P 21:04 < Dougy> my boss is the only guy who has access to the routers 21:04 < Dougy> what kind of bs is that 21:05 < Dougy> ecrist: before you run 21:05 < Dougy> can you pm me the source IP for that trace 21:05 < Dougy> i'm going to call my boss up and get him to fly back from his vacation in Poland right now 21:06 < ecrist> Dougy: it's in the pastebin 21:07 < Dougy> oh 21:07 < Dougy> your server's ip? :s 21:07 < Dougy> oh 21:07 < Dougy> wrong pastebin 21:08 < ecrist> actually, it isn't but front-door is close enough. 21:08 < ecrist> and is pingable. 21:10 < ecrist> Dougy: you registered that domain today? 21:11 < ecrist> If it were me, I'd have started a forum somewhere I already owned, and if it took off, bought a domain, or asked for a subdomain from openvpn.net folks. 21:12 * ecrist goes away 21:18 < Dougy> ecrist: meh 21:18 < Dougy> i had $8 to waste 21:19 < Dougy> okay ecrist still here? 21:23 < Dougy> SilenceGold: fixed 21:24 < SilenceGold> nope 21:25 < Dougy> well 21:25 < Dougy> depends what IP it resolves to 21:25 < Dougy> what ip are you seeing 21:31 * Dougy pokes SilenceGold 21:32 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has quit [Read error: 113 (No route to host)] 21:37 -!- near [n=near@83-155-186-245.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:38 -!- near [n=near@83-155-189-82.rev.libertysurf.net] has joined ##openvpn 21:42 < Dougy> okay 21:42 < Dougy> that's it 21:49 < Dougy> New server here I come (new network, too) 22:50 < ecrist> Dougy: point the domain to me. 22:54 < Dougy> ecrist: what? 23:00 * Dougy shrugs 23:24 < krzee> it comes up fine for me 23:24 < krzee> vBulletin Message 23:24 < krzee> Sorry, the board is unavailable at the moment while we are testing some functionality. 23:24 < krzee> We will be back soon...
23:28 < Dougy> yeah 23:28 < Dougy> i put it on a new IP 23:28 < Dougy> i'm getting a new server set up as we speak though 23:28 < Dougy> I cant frickin stand the bad routing going on at work 23:28 < Dougy> ugh 23:36 < Dougy> krzee: depending how long bigvps takes it may be up tomorrow 23:36 < Dougy> ive seen 2-4 days for support replies though 23:40 < krzee> cool if you're doing that for your server in general, but its not a big deal for the forum 23:45 < Dougy> well 23:45 < Dougy> you see 23:45 < Dougy> i had traceroutes from everywhere and out of the 10 people who did it 23:45 < Dougy> 8 couldnt even reach the server 23:45 < Dougy> it stopped at a njiix router (entrance to network) 23:45 < Dougy> :( 23:46 < Dougy> This other provider (where I'm getting this server) is far more solid. 23:48 < Dougy> from my exp anyway 23:49 < krzee> gotchya 23:51 < Dougy> so 23:51 < Dougy> should be good to go when they nuke my VPS 23:51 < Dougy> :) 23:51 * Dougy nods 23:51 < Dougy> bed soon 23:57 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] --- Day changed Mon Aug 25 2008 01:04 -!- SilenceGold [n=chris@adsl-70-232-78-19.dsl.ltrkar.sbcglobal.net] has quit ["I've never heard that silence is golden...."] 01:11 -!- SilenceGold [n=chris@70.232.78.19] has joined ##openvpn 01:40 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 01:41 < jeffspeff2> i'm trying to create the ca... i'm using windows as the vpn server... do i need to have openssl installed? 01:46 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 02:00 < krzee> no 02:00 < krzee> your cert making machine is windows? 02:01 < krzee> i dont use windows but at http://openvpn.net/index.php/documentation/howto.html#pki it says: 02:01 < vpnHelper> Title: HOWTO (at openvpn.net) 02:01 < krzee> If you are using Windows, open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa.
Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files): 02:01 < krzee> init-config 02:01 < krzee> Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. 02:01 < krzee> etc... 02:08 < kraut> morning 02:09 < jeffspeff2> krzee, when i go to run build-ca.bat... i get openssl errors. i installed openssl for windows, and i still get the errors. 02:09 < jeffspeff2> also, windows doesn't have any type of init-config... that's a linux thing 02:11 < jeffspeff2> wait, nm, i admit retardation... the initconfig thing does work... i was mistaken. 02:11 < krzee> i never installed openssl for windows 02:11 < krzee> that i can recall 02:11 < krzee> its been quite awhile, but i remember it being simple 02:11 < krzee> (awhile since using ovpn on win) 02:42 < jeffspeff2> could somebody explain to me how to assign a specific ip to a specific vpn client? i'm reading the howto http://openvpn.net/index.php/documentation/howto.html, but getting really confused 02:42 < vpnHelper> Title: HOWTO (at openvpn.net) 02:53 < krzee> ya 02:53 < krzee> an ifconfig entry in a ccd file 02:53 < krzee> !ccd 02:53 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 02:54 < krzee> we just helped Concept-P get that going 03:12 -!- mucimon [n=mucimon@lugbari/people/mucimon] has left ##openvpn [] 03:17 -!- mucimon_ [n=mucimon@host134-227-static.57-82-b.business.telecomitalia.it] has joined ##openvpn 03:25 -!- thomas [i=tm@tm.muc.de] has quit [Remote closed the connection] 03:35 < jeffspeff2> krzee, i'm doing ifconfig-push 192.168.50.2 in the ccd/user file but the client keeps getting 192.168.50.6 from somewhere... 03:35 < krzee> you have ipconfig-pool-persist? 03:35 < krzee> ipp.txt...?
03:35 < krzee> also 03:35 < krzee> it needs .6 03:35 < krzee> assuming you are using routing 03:35 < krzee> !/30 03:35 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 03:36 < krzee> read that to understand by 03:36 < krzee> s/by/why/ 03:40 < jeffspeff2> krzee, ok, just read that... so does that mean that i can assign static ip's still, but they have to be after .6 ? 03:41 < jeffspeff2> i.e. 192.168.50.7, 192.168.50.8, etc. 03:41 < krzee> .6 03:41 < krzee> .10 03:41 < krzee> .14 03:41 < krzee> .18 03:41 < krzee> etc 03:41 < krzee> OR 03:41 < jeffspeff2> ahh, increments of 4 03:41 < krzee> use beta and topology subnet 03:42 < krzee> in which case, you can just go by 1's 03:42 < krzee> only uses /30 to workaround some windows issue, but topology subnet does it more intelligently 03:47 < krzee> time for sleep 03:47 < krzee> best of luck 03:48 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 03:48 < krzee> ill be around tomorrow during the day (EST) if you dont get it working 03:55 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 03:56 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 04:39 -!- nver [n=Chekit@darthmaul.satgate.net] has joined ##openvpn 04:39 < nver> Hello 04:39 < nver> How come open vpn doesn't go through my socks proxy? 
05:42 -!- OpenTokix [i=peter@0x2a.se] has joined ##openvpn 05:42 < OpenTokix> hey 05:42 < OpenTokix> I have an openvpn with a couple of hosts, like 60 or so 05:42 < OpenTokix> today all of a sudden six fell away 05:42 < OpenTokix> im logged in to one of them - and it's trying to connect but complains about tls failure 05:43 < OpenTokix> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 05:43 < OpenTokix> in the faq it talks about network problem 05:43 < OpenTokix> however, nothing has changed network wise - and I can ssh from the machine to the vpn-server 05:43 < OpenTokix> also, the six machines are in different co-los (different physical networks) 05:44 < OpenTokix> Any suggestions? 05:45 < svenx> tcpdump on both sides, compare with working setup 05:48 -!- nver [n=Chekit@darthmaul.satgate.net] has quit [Remote closed the connection] 05:50 < OpenTokix> svenx: im not sure how I am supposed to write on tcpdump 05:50 < OpenTokix> with 05:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:01 < OpenTokix> It's going traffic thru 06:02 < OpenTokix> I see the clients traffic on the vpn-server 06:02 < OpenTokix> but the tunnel isn't getting operational 06:09 < svenx> i'm not too familiar with openvpn, but i would first investigate if it can use verbose logging 06:10 < svenx> if not, i would look at the ssl handshakes to see where things go bad 06:11 < OpenTokix> im trying the 2.1rc9 now 06:11 < OpenTokix> had 2.0.9 06:11 < OpenTokix> it might be a problem with epoll-handling (?) and it was fixed in 2.1rc4 06:17 < OpenTokix> no luck 06:50 -!- lolo92 [n=lolo92@84.55.144.90] has joined ##openvpn 06:50 < lolo92> hello 06:51 < lolo92> is there any solution to get openvpn running with a non admin user on a windows xp ? 
06:53 -!- BoomSie [n=gideon@s55936eb3.adsl.wanadoo.nl] has joined ##openvpn 06:53 < lolo92> i have this error msg: ROUTE: route addition failed using CreateIpForwardEntry: Acc`es au r'eseau refus'e 06:53 < lolo92> it fails to add the route 07:29 < ecrist> lolo92: no 07:29 < ecrist> there is no *solution* as it required access to device drivers. 07:38 < ecrist> the error says 'Access denied.' 07:38 < ecrist> you need to be an admin. 07:49 -!- BoomSie [n=gideon@s55936eb3.adsl.wanadoo.nl] has quit [Read error: 104 (Connection reset by peer)] 07:51 -!- BoomSie [n=gideon@s55936eb3.adsl.wanadoo.nl] has joined ##openvpn 07:58 < Concept-P> Damn Vista.. I hate vista =) 07:59 < Concept-P> ecrist: are there big differences with a vista client setup and a xp client setup? I can connect to the vpn but I dont receive an ip 08:03 -!- lolo92 [n=lolo92@84.55.144.90] has quit ["Quitte"] 08:10 < ecrist> Concept-P: no idea - never played with Vista 08:12 < Concept-P> ecrist: dont =D 08:12 < Concept-P> unless you have to =) 08:16 < BoomSie> or just join the 'vista-look-a-like' club @ gnome-looks.org and PRETEND you're under vista :p ... 08:17 < BoomSie> and turn to your colleagues with the "0wh, with me the VPN connection works just perfectly" look =) 08:17 < Concept-P> lol =D 08:19 < BoomSie> be carefull though, afterwards they'll start nagging at the system administrators that they want it too and they will be just clueless 08:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 09:23 < ecrist> quiet in here this am. 09:54 < plaerzen> morning irc 10:18 -!- pUmkInhEd [n=pumkinhe@mail.guardianchem.ca] has left ##openvpn [] 11:28 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has joined ##openvpn 11:31 < fsckedagain> I need a little pointer on getting the ip address assigned to a client stored in openvpn-status.log. 
11:34 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 11:42 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has left ##openvpn ["Leaving"] 11:54 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection reset by peer] 11:54 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 11:54 < ecrist> what? 12:05 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 12:06 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 12:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:28 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 12:29 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 12:37 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 12:56 -!- BoomSie [n=gideon@s55936eb3.adsl.wanadoo.nl] has quit ["Ex-Chat"] 12:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:58 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has joined ##openvpn 12:59 < fsckedagain> how can I specify the ip address of the openvpn server? I am using a tun device. 13:03 < krzee> local 13:03 < krzee> if its in the server config 13:03 < fsckedagain> ...now I feel stupid. Thanks a bunch! 
13:03 < krzee> remote if its client config connecting to server 13:04 < krzee> np 13:17 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 13:17 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 13:20 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 13:25 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 60 (Operation timed out)] 13:46 < jeffspeff> hello everybody, i've just recently got openvpn installed on my windows system. the client and the server can ping each other fine (with the vpn address), but i can't open a remote session from the client to the server using the vpn address, but i can connect when using the servers public ip (server ip is set as DMZ on router). The actual issue is weird; when i try to open the remote session using the vpn address, it full screens 13:46 < jeffspeff> the window, i see the system log in, and then the screen stays black for a few moments then the connection times out. 13:46 < jeffspeff> any help would be much appreciated 13:47 < ecrist> it full screens 13:47 < ecrist> ? 13:49 < jeffspeff> ecrist, i'm using windows remote desktop (mstsc) 13:49 < jeffspeff> it full screens the remote session when it connects 13:49 < ecrist> ok, what does that have to do with OpenVPN? 13:50 < jeffspeff> i can't connect through the vpn, but i can with any other method 13:50 < ecrist> is the server listening on the VPN ip? 13:51 < jeffspeff> remote desktop doesn't listen on a particular ip 13:51 < jeffspeff> i also tested with hamachi, and it connect fine with that vpn 13:52 < jeffspeff> it connects using regular public ip, but not with openvpn ip 13:52 < ecrist> ok, so, the VPN works, right? 13:52 < jeffspeff> yes 13:52 < ecrist> ok. 13:52 < jeffspeff> i can ping both ways from either side 13:52 < ecrist> glad we could help. 
:) 13:52 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 13:52 < jeffspeff> you're a jack ass 13:53 < ecrist> that's not very nice. 13:53 < ecrist> sounds like you have a firewall issue. 13:53 < jeffspeff> firewall is off 13:53 < jeffspeff> it has something to do with openvpn, but i just don't know what 13:54 < jeffspeff> i tried changing the server from udp to tcp, and still got same results 13:54 < ecrist> leave the server udp 13:54 < jeffspeff> ok 13:54 < jeffspeff> would it have something to do with the client-client setting? 13:54 < ecrist> shouldn't 13:55 < ecrist> you are trying to connect from client to RDP on server, or other way around? 13:56 < jeffspeff> yes, but not sure it's actually RDP, as windows uses microsoft terminal services for remote connections... same concept though 13:58 < ecrist> terminal services is RDP (Remote Desktop Protocol) 13:58 < jeffspeff> ok, didn't know if they were the same 13:58 < ecrist> they are. 13:58 < ecrist> do you have anything else running on the server you can test? 13:58 < ecrist> are you *sure* windows firewall is turned off for the tun device? 13:59 < jeffspeff> i have a different remote application that uses vnc, it works fine 13:59 < ecrist> across the VPN? 13:59 < jeffspeff> yes, firewall is off 13:59 < jeffspeff> yes, vnc works across the openvpn 14:00 < ecrist> don' 14:00 < ecrist> t know, then. 14:00 < ecrist> doesn't seem to be an OpenVPN problem. 14:01 < jeffspeff> hmm... ok, i figured with deductive reasoning that if it works every other way except method c, then method c must be the problem... thanks though... 14:01 < jeffspeff> i take back the jack ass comment 14:03 < ecrist> i don't deny being a jackass, it's generally considered rude to point it out, though. :) 14:04 < jeffspeff> true 14:05 < jeffspeff> hey, i'm thinking about getting an iphone. anybody know if the iphone vpn works with openvpn? 
14:06 < ecrist> iirc, it's standard pptp 14:06 < ecrist> which is != OpenVPN 14:06 < ecrist> OpenVPN is an SSL-based VPN 14:06 < ecrist> PPTP is a different animal 14:07 < jeffspeff> so, that's a no. lol 14:32 -!- _spm_Draget [n=draget@p54BB595F.dip.t-dialin.net] has joined ##openvpn 14:32 < _spm_Draget> Goodevening. Hopefully someone alive here =) 14:32 < ecrist> yes, usually 14:33 < _spm_Draget> I have a tutorial that creates a group openvpn and adds a dir called chroot under /etc/openvpn 14:33 < _spm_Draget> But does not explain why it does that 14:33 < plaerzen> you shouldn't be messing with chroot unless you know what it is, or the tutorial explains what it is. 14:34 < ecrist> sounds like the process is chrooting, which is a security protocol so that, if the OpenVPN software has a vulnerability, the attacker will be contained to the chroot directory, being denied access to the rest of the base system. 14:34 < ecrist> http://en.wikipedia.org/wiki/Chroot 14:34 < vpnHelper> Title: chroot - Wikipedia, the free encyclopedia (at en.wikipedia.org) 14:35 < _spm_Draget> Yup, thanks. But I wonder if OpenVPN really needs its own root or if I can skip this tep 14:35 < _spm_Draget> *step 14:35 < ecrist> up to you and your needs. 14:35 < ecrist> I, personally, don't chroot my OpenVPN process. 14:58 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has quit [Read error: 104 (Connection reset by peer)] 14:58 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has joined ##openvpn 15:07 -!- bandini [n=bandini@host123-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 15:11 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 
15:12 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:18 -!- fzzzt [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has joined ##openvpn 15:19 < fzzzt> If I use pf to route-to through a tun device, on the other end, how can I have those packets also route-to where they're supposed to go? I need to move a machine, and have to securely pretend like I didn't for a while...kinda build a tunnel to the new location from the old, but fake the old IP. :/ 15:21 * fzzzt guesses that didn't make any sense at all. 15:40 < _spm_Draget> " openvpn[7061]: Options error: You must define DH file (--dh) " 15:41 < _spm_Draget> I am using a preshared key (it is just for a quick setup) 15:41 < _spm_Draget> Why do I need to specify a key exchange thingy? 15:46 < _spm_Draget> Anyone? 15:46 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has quit [Read error: 104 (Connection reset by peer)] 15:52 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn 15:57 < _spm_Draget> =( 16:03 -!- fzzzt [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has left ##openvpn ["Leaving"] 16:08 < ecrist> _spm_Draget: did you read the howto? 16:08 < _spm_Draget> Which one? 16:08 < ecrist> !howto 16:08 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:08 < _spm_Draget> I am not reading this one. But I will now, thanks 16:09 < ecrist> it's the 'official' one 16:22 < krzy> ecrist, is kraut a human? 16:23 < krzy> every night, at around 3am est he says 16:23 < krzy> !kraut 16:23 < vpnHelper> krzy: "kraut" is moin 16:23 < krzy> hehe 16:23 < plaerzen> fuck. Sometimes I hate my job. 16:24 < krzy> =/ 16:26 < gongoputch> do people use routing daemons in conjunction with OVPN when the endpoint is behind NAT (i.e. not on the default router) and you want to propagate the routes to the boxes on the LANs? 
16:32 < krzy> just add the route to their default router 16:32 < krzy> my WRT54G supports adding a static route 16:43 < fsckedagain> Can I nat/pat traffic coming from the openvpn server to make it look like it is on the same network as the private interface? 16:44 < krzy> huh? 16:45 < fsckedagain> well, let me explain a little more. The default gw my inside devices have no nothing of the network that traffic from the vpn server is running on. I need to NAT it so I don't have to add a static route to every box on that network. 16:46 < krzy> no, you need to add a route to your default gateway in the lan 16:51 < fsckedagain> the networks are segmented. They can't get to each other nor, know about each other. 16:52 < plaerzen> Great, now I really want to segment my network. 16:52 * plaerzen hates his job. 16:54 < fsckedagain> that wasn't terribly helpful :) 16:54 * fsckedagain dislikes segmented networks... 16:57 < plaerzen> I'm not a really helpful guy. I just sit on this channel and bitch. 
17:18 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:13 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 19:10 -!- _spm_Draget [n=draget@p54BB595F.dip.t-dialin.net] has quit [Remote closed the connection] 19:18 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:18 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:21 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:37 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 19:39 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:39 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 19:49 < ecrist> hola 19:52 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:52 < ecrist> gongoputch: I don't fully understand what you're asking. 19:55 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:55 < Dougy> hey guys 19:55 < Dougy> sup 19:56 < ecrist> what's going on, Dougy 19:57 < Dougy> not much 19:57 < Dougy> got my new VPS at WowVPS 19:57 < Dougy> just waiting on DA to update license IP 19:59 < krzy> hola todos 20:00 < Dougy> hey krzy 20:00 < Dougy> que pasa? 20:01 < ecrist> krzy: no idea 20:01 < krzy> nada, aqui tranquilo 20:01 < ecrist> english, please. 20:01 < Dougy> he said he's calm/quiet/relxaed 20:01 < Dougy> relaxed 20:01 < ecrist> I know. 20:01 < Dougy> i asked what's up 20:01 < Dougy> he said that 20:01 < Dougy> :p 20:02 < ecrist> I can read that much. 20:02 < ecrist> I'm setting a precedent. 20:02 < Dougy> Oh, h'okay. 20:03 < Dougy> Oh, and for the record. 
20:03 < Dougy> htop = win 20:04 * krzy doesnt care what language people speak in, they just shouldnt expect help if the helpers cant understand them 20:05 < ecrist> krzy: kraut seems to be human. 20:05 < krzy> really? 20:05 < krzy> sometimes i wait for him around 3am est 20:05 < krzy> so i can !kraut right after he says moin 20:05 < krzy> haha 20:05 < ecrist> seems to be someone that idles. 20:06 < krzy> its like clockwork 20:06 < krzy> if all NTP servers globally went down, ild know i was within 15min of 3AM when he says moin 20:06 < ecrist> http://pastebin.com/m6a4cfa28 20:08 < ecrist> why do you care? 20:08 < krzy> i dont 20:08 < ecrist> and, why do you have so many nicks? 20:08 < krzy> was just curious 20:08 < krzy> 2 is that many? 20:10 < krzy> BitchX-1.1-final+ by panasync - FreeBSD 6.3-RELEASE-p2 20:10 < krzy> this one for when im not home 20:10 < krzy> ... CTCP VERSION reply from krzee: X-Chat Aqua 0.16.0 (xchat 2.6.1) Darwin 9.4.0 [i386/2.16GHz/SMP] 20:10 < krzy> that one for when i am 20:10 < ecrist> 3, actually. 20:11 < krzy> wheres the 3rd? 20:11 < ecrist> ecrist@chunk:~/irclogs/freenode-> cat ##openvpn.log | grep -e "^.*< kr.*zy" | awk '{print $3}' | sort | uniq 20:11 < ecrist> krzee> 20:11 < ecrist> krzie> 20:11 < ecrist> krzy> 20:11 < ecrist> :P 20:11 < Dougy> erk 20:11 < krzy> oh hah, in logs 20:11 < Dougy> i missed a lot 20:11 * Dougy reads 20:11 < gongoputch> ecrist: it isn't so much a 'right' or 'wrong' answer 20:11 < Dougy> dude, i need to learn awk 20:11 < Dougy> and sed 20:11 < Dougy> i don't know it yet ive used linux for 5 years 20:11 < gongoputch> awk and sed rawk :) 20:11 < krzy> i have more nicks than that 20:12 < ecrist> Dougy: regular expressions are nice, too. 20:12 < gongoputch> ecrist: I think I have decided to use routed and RIP2 to propagate new routes 20:12 < gongoputch> yea, I know .... 
OLD 20:12 < Dougy> I need to learn how to use awk, sed, and then regex too 20:12 < ecrist> gongoputch: I didn't understand, specifically, what you were trying to do. 20:12 < gongoputch> but apparently supported in OS X 20:13 < Dougy> ewwwwww 20:13 < Dougy> mac 20:13 < ecrist> /kick Dougy 20:13 < krzy> eww man!? 20:13 < Dougy> ewwwwww 20:13 < Dougy> mac 20:13 < Dougy> :< 20:13 < krzy> err eww mac??? 20:13 < gongoputch> I have an idea how I want to do it, we'll see if it is as simple as all that :) 20:13 -!- mode/##openvpn [+o ecrist] by ChanServ 20:13 < krzy> dudes macs are sweet now 20:13 < Dougy> shit 20:13 * Dougy is dead 20:13 < gongoputch> Macs after OS X are pretty cool 20:14 -!- mode/##openvpn [-o ecrist] by ecrist 20:14 -!- mode/##openvpn [+o Dougy] by ChanServ 20:14 < gongoputch> before OS X they were shit IMO 20:14 <@Dougy> o.O 20:14 <@Dougy> what the hell 20:14 < krzy> gongoputch, agreed 20:14 <@Dougy> thanks ecrist o.O 20:14 < ecrist> not me. 20:14 -!- mode/##openvpn [-o Dougy] by ChanServ 20:14 < krzy> heheh 20:14 < ecrist> gongoputch: agreed. 20:14 < Dougy> thanks whoever did it 20:14 < Dougy> o.O 20:15 < ecrist> gongoputch: what were you trying to route, where? 20:16 * krzy looks at dougy and whistles 20:16 < Dougy> haha 20:16 < Dougy> ;] 20:16 < Dougy> WowVPS is pretty cool 20:16 < Dougy> @ krzy 20:16 < Dougy> this VPS company I use now 20:16 < Dougy> but.. their customer panel is fairly buggy 20:16 < krzy> right on 20:16 < krzy> i think i might get a vps at some point 20:17 < Dougy> right on 20:17 < Dougy> ever heard of jaguarPC? 20:17 < krzy> but ild get it from hong kong 20:17 < gongoputch> I prefer a CLI host 20:17 < krzy> hehe 20:17 < Dougy> lmao 20:17 < Dougy> gongoputch: ehh 20:17 < Dougy> i like being able to reboot it on my own 20:17 < Dougy> that's the only benefit of the panel 20:18 < Dougy> start/stop/suspend 20:18 < ecrist> Dougy: what does CLI have to do with start/stop/suspend? 
20:18 < Dougy> nothing whatsoever 20:19 < Dougy> I prefer a host that only uses CLI as well because they in theory know what they're doing 20:19 < Dougy> but having a web based panel that lets me do that without relying on them is nice 20:19 < ecrist> lol 20:20 < Dougy> ecrist: if you don't mind me asking, what's your first name? 20:20 < Dougy> krzy: same question 20:20 < krzy> jeff 20:21 < ecrist> Dougy: it's not hard to find my full name. 20:21 < ecrist> consider it an exercise in using the resources before you. 20:22 < ecrist> the RNC is going to kick my ass. 20:22 < krzy> ahh you're going? 20:22 < krzy> are you a delegate? 20:22 < ecrist> no, it's in the city where I live. 20:23 < ecrist> let's just say I'm working the event. 20:24 < Dougy> nice 20:24 < Dougy> ecrist: instead of typing that whole thing 20:24 < Dougy> why didn't you just tell me? 20:24 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Success] 20:24 < Dougy> oh 20:24 < Dougy> wow 20:24 < Dougy> eric rofl 20:24 < krzy> his name is his handle 20:24 < Dougy> well, i promise i'm not slow or anything. 20:24 < Dougy> :) 20:28 < ecrist> told ya it was easy. 20:28 < Dougy> wow 20:28 < Dougy> Mets are kicking ass 9-0 :d 20:29 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 20:30 < gongoputch> even a blind squirrel finds a nut occasionally 20:30 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 20:30 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 20:32 < Dougy> gongoputch: true. 20:32 < Dougy> ecrist: are you involved in the development of openvpn? 20:32 < ecrist> nope 20:32 < Dougy> or just a person that helps out people a lot 20:32 < Dougy> btw, who owns this place? 20:33 < ecrist> owns what place? 20:33 < Dougy> ##openvpn 20:33 < ecrist> * 20:33 < ecrist> *shrug* 20:33 < Dougy> word. 
20:33 < krzy> nobody owns it 20:33 < Dougy> cough 20:33 < krzy> its just a help channel 20:33 < Dougy> yeah 20:33 < Dougy> i meant like who registered it 20:34 < Dougy> but i have my answer 20:34 < Dougy> i forgot chanserv has the info feature 20:34 < gongoputch> being that it is a "##" it isn't even official 20:34 < ecrist> :) 20:34 < krzy> ya we used to be in #openvpn but there was NEVER any ops 20:34 < Dougy> ah 20:34 < krzy> so when trolls or floods came, it was quite annoying 20:34 < ecrist> I had staff move it here. 20:34 < ecrist> erm, forward it. 20:34 < Dougy> Cool beans 20:35 < krzy> i had even emails openvpn.net about it asking if they could either monitor the channel or add someone to chanserv, never got a reply 20:35 < krzy> emailed 20:35 < Dougy> that's lame 20:36 < krzy> *shrug* its fine, staff moved it over for ecrist and now we dont hafta worry bout it 20:36 < Dougy> indeed 20:36 < Dougy> :] 20:37 < Dougy> freakin' a 20:37 < Dougy> directadmin LETS GO 20:37 < Dougy> :( 20:37 < Dougy> I'm gonna kill mark when he calls me to tell me it's been updated 20:37 < Dougy> :( 20:38 < krzy> haha 20:38 < krzy> calmate 20:38 < Dougy> what? 20:39 < krzy> relax =] 20:39 < Dougy> oh 20:39 < Dougy> I want to get my sites off these two servers (the unstable one you saw last night) and one more 20:39 < Dougy> Wooo Mets win! 20:40 < krzy> 9 - 1 final 20:41 < Dougy> yeah 20:41 < Dougy> 2nd straight complete for Pelfrey 20:41 < Dougy> he's damn good 20:43 < krzy> ecrist, ild be at the target center if i was still in usa 20:44 < krzy> but i cant make it out there 20:45 < ecrist> what's going on at Target Center? 20:45 < krzy> ralley.campaignforliberty.com 20:45 < krzy> err, rally 20:46 < ecrist> ah, RNC is at Xcel Energy Center. 20:46 < ecrist> other side of river. 20:46 < Dougy> krzy: wher are you? 
20:46 < Dougy> where^ 20:47 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn 20:48 < krzy> the caribbean 20:48 < krzy> i left last yr after i read the patriot act 20:48 < Dougy> nice 20:48 < Dougy> seriously? 20:48 < krzy> yes 20:48 < Dougy> lo 20:48 < Dougy> l 20:48 < Dougy> why>? 20:48 < krzy> this isnt the channel for it 20:49 < krzy> and i leave pretty soon 20:49 < krzy> but ill explain another time for ya 20:49 * Dougy shrugs 20:49 < Dougy> sounds good 20:49 < Dougy> ever comin' back? 20:49 < krzy> just to visit friends and family 20:49 < Dougy> ah 20:49 < krzy> until they do the national ID card 20:49 < Dougy> i hope you moved to a cool country 20:49 < krzy> then ill stop visiting 20:50 < Dougy> lol 20:50 < Dougy> what country are ya in? 20:52 < krzy> i just leave it at "caribbean" 20:52 < Dougy> :( 20:52 < Dougy> either way 20:52 < Dougy> luckyyyyyyy 20:52 < Dougy> lol 20:53 < rmull> Just installed openwrt 20:53 < rmull> taishi would be proud 20:54 < Dougy> lol 20:54 < Dougy> im tired 20:54 < Dougy> bed soon 20:54 < krzy> all the hackers i know love openwrt 20:54 < ecrist> rmull: how do you like it? 20:55 < krzy> cause its an easier target and usually doesnt log 20:55 < Dougy> lol 20:57 < rmull> krzy: lol 20:58 < rmull> ecrist: Still poking around, really. Too soon for an opinion 20:58 < rmull> I installed it because I want to play around with an ipv6 LAN 20:58 < rmull> And I don't think you can install openbsd on a wrt54g 20:58 < krzy> ahh nice 20:59 < rmull> krzy: What makes it an easier target? 21:00 < ecrist> rmull: nice. 21:00 < ecrist> let me know your thoughts after you've played with it a few days. 21:00 < ecrist> I run 4 and 6 on my production network. 21:01 < rmull> Better watch out for krzy's hacker friends :D 21:01 < ecrist> no wrt here. 21:01 < ecrist> FreeBSD boxen. 21:01 < rmull> ecrist: I've literally never dabbled with 6, so I've got a shitton of learning to do. 
21:02 < ecrist> it's easy, once you've figured it out. 21:02 < rmull> Sounds good to me. 21:02 < ecrist> rmull: https://www.secure-computing.net/wiki/index.php/IPv6_DNS 21:02 < vpnHelper> Title: IPv6 DNS - Secure Computing Wiki (at www.secure-computing.net) 21:02 < ecrist> if you need a primer. 21:02 < rmull> I do, and thanks! 21:02 < ecrist> that's for IPv6 dns, but should be helpful. 21:03 < ecrist> if you need any help, please don't hesitate. 21:03 < ecrist> oh, and check out http://ipv6experiment.com 21:03 < vpnHelper> Title: The Great IPv6 Experiment (at ipv6experiment.com) 21:03 < rmull> I think the one thing I've got to take a serious look at is configuration on the gateway/firewall level 21:03 < rmull> ecrist: Yeah, I saw that, lol 21:03 < rmull> I've become so accustomed to the NAT way of doing things 21:03 < ecrist> yeah, lots of folks have. 21:04 < ecrist> there's so much that NAT breaks, though. 21:04 < Dougy> ew 21:04 < Dougy> I have a WRT54G 21:04 < ecrist> SIP, for one. 21:04 < Dougy> I hate it 21:05 < rmull> Dougy: What firmware? 21:05 < krzy> nat dont break SIP 21:05 * ecrist <3 SMCFanControl 21:05 < krzy> nat has STUN 21:05 < krzy> err SIP has STUN 21:05 < rmull> krzy: STUN has to be run to work around the NATting, no? 21:05 < krzy> yes 21:05 < ecrist> rmull: if you're a FreeBSD guy, this might help, too: https://www.secure-computing.net/wiki/index.php/IPv6_on_FreeBSD_6.2 21:05 < rmull> They're two separate things. 21:05 < vpnHelper> Title: IPv6 on FreeBSD 6.2 - Secure Computing Wiki (at www.secure-computing.net) 21:05 < krzy> but is quite simple 21:05 < rmull> ecrist: Damn, very nice :D 21:06 < ecrist> it still breaks SIP - you shouldn't have to run STUN. 21:06 < rmull> Perhaps I'll drop the dough on a Soekris or something just for testing purposes. 21:06 < ecrist> like I said, if you need any Ipv6 help, hit me up. 21:07 * ecrist goes for a beer. 
21:07 < krzy> ya im gone too 21:07 < rmull> ecrist: You'll be hearing from me, thanks mang 21:07 * krzy & 21:15 < Dougy> oO 21:15 < Dougy> bye krzy 21:22 < ecrist> Dougy: did you get your VPS figured out? 21:23 < Dougy> ecrist: the VPS is up, long up 21:23 < Dougy> directadmin :< 21:23 < ecrist> what is directadmin? 21:23 < Dougy> www.directadmin.com 21:23 < Dougy> its a control panel 21:23 < Dougy> yeah yeah, cli shut up. 21:23 < Dougy> directadmin makes life easy. 21:24 < ecrist> ok, but what does it do for you that you can't just do? 21:24 < Dougy> Saves me a ton of work 21:24 < Dougy> customers want it as well 21:24 < Dougy> I can do it all myself if I want, but for $5/mo who can complain 21:25 < ecrist> not to pry, I'm just curious, are you hosting for people, then? 21:25 < Dougy> A few of my friends, yessir 21:25 < Dougy> Eventually I'd like to sell locally, but at this juncture that's not a wise decision. 21:25 < Dougy> I mean, I can do most of it via cli. 21:25 < Dougy> One thing I *can't* do is mailservers. 21:26 < ecrist> oh, postfix+postfixadmin ftw 21:26 < ecrist> :) 21:26 < Dougy> Word. 21:26 * Dougy is lazty 21:26 < Dougy> lazy^ 21:26 < Dougy> DirectAdmin is really nice 21:26 < Dougy> cPanel is crap. 21:26 < ecrist> fair enough. 21:27 < Dougy> DirectAdmin uses postfix, actually 21:27 < ecrist> never used either of them. 21:27 < ecrist> linux on your VPS? 21:27 < Dougy> Yup. 21:27 < Dougy> Wow. I've really almost never seen someone familiar with IRC that hasn't used cPanel 21:27 < Dougy> Majority of people online have, actually. 21:29 < Dougy> ecrist: I even use Linux on my home computers 21:29 < Dougy> I am almost windows free. The only trace of Windows on my computers is this laptop. I dual boot just because my mic only works on windows 21:29 < ecrist> I've always had my own servers. 21:30 < Dougy> Winblows? 21:30 < Dougy> Windows^ 21:30 < ecrist> you asking if I use Windows? 
21:30 < Dougy> yes 21:30 < Dougy> on your servers 21:31 < ecrist> no, I do not. 21:31 < Dougy> What do you use? 21:31 < ecrist> FreeBSD 21:31 < Dougy> I figured 21:31 < Dougy> I like FreeBSD 21:31 < Dougy> I prefer Debian, but BSD is up there 21:32 < ecrist> you figured? 21:33 < Dougy> You seem like a FreeBSD type of guy 21:33 < ecrist> tx, i think 21:34 < Dougy> hehe 21:34 < Dougy> Ports is nice 21:34 < Dougy> are^ 21:34 < Dougy> I'm out of here. Night. 21:34 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["leaving"] 21:37 -!- near [n=near@83-155-189-82.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:38 -!- near [n=near@88-122-26-69.rev.libertysurf.net] has joined ##openvpn 22:28 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has joined ##openvpn 22:29 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has quit [Client Quit] 22:31 -!- Irssi: ##openvpn: Total of 40 nicks [0 ops, 0 halfops, 0 voices, 40 normal] 23:38 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 23:55 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit ["I Quit!"] --- Day changed Tue Aug 26 2008 01:17 < krzee> [22:27] Wow. I've really almost never seen someone familiar with IRC that hasn't used cPanel 01:18 < onats> what's cPanel? 
01:18 < krzee> I've been on IRC since the mid 90's and only even looked at cpanel once, but decided to just do everything at the shell, was much easier for me to do things at the shell than use cpanel 01:19 < krzee> some app that lets people who dont know anything about *nix run insecure servers 01:19 < krzee> ;] 02:05 < kraut> moin 02:05 * kraut slaps krzy 02:08 < krzee> lol 02:08 < krzee> !kraut 02:08 < vpnHelper> krzee: "kraut" is moin 02:08 < krzee> ;] 03:15 -!- Bheam [i=Bheam@77.94.234.164] has quit [] 03:16 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 03:44 -!- stephanbuys [n=stephanb@gprs02.rb.mtnns.net] has joined ##openvpn 03:46 < stephanbuys> hi all, anyone know if it is possible to run OpenVPN server in a FreeBSD jail? 03:58 -!- stephanbuys [n=stephanb@gprs02.rb.mtnns.net] has quit [] 04:15 -!- gongoputch [n=kseel@74.95.184.161] has quit [Read error: 104 (Connection reset by peer)] 04:18 -!- gongoputch [n=kseel@74.95.184.161] has joined ##openvpn 07:08 < ecrist> good morning, folks. 07:09 < ecrist> yeah, I knew/know what cPanel is, just never used it. 08:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 113 (No route to host)] 08:13 -!- krzy [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:53 < ecrist> quiet in here today. 
08:56 -!- mcp is now known as emcepe 08:56 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 08:57 -!- emcepe [n=hightowe@wolk-project.de] has quit [Remote closed the connection] 09:03 -!- mcp [n=mcp@wolk-project.de] has quit ["ZNC - http://znc.sourceforge.net"] 09:08 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 09:12 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 09:29 -!- epsilon [n=epsilon@raid1.net] has left ##openvpn ["Leaving"] 09:55 < Dougy|Work> mornin 10:16 < ecrist> hi, dogmeat 10:16 < ecrist> erm, Dougy|Work 10:20 -!- slango [n=slango@unaffiliated/iamethos] has joined ##openvpn 10:21 < slango> so, I have to connect to both an OpenVPN and a Cisco VPN for work 10:21 < ecrist> ok 10:22 < Dougy|Work> hey ecrist 10:22 < Dougy|Work> How are you? 10:22 < slango> however, when I start the cisco client while the OpenVPN client is running, I get an error 10:22 < ecrist> slango: probably having to do with no route to host? 10:22 < slango> I'm thinking the Cisco VPN wants to listen on the same ports as the openvpn one 10:22 < slango> ecrist yeah, it tells me to make sure at least one interface is up? 10:23 < slango> ecrist: "Unable to communicate with the VPN subsystem." is how they put it 10:23 < ecrist> slango: your Cisco VPN is probably grabbing default route for your machine and the IP for the OpenVPN connection isn't routable across that link. 10:23 < ecrist> I'd talk to your admins. 
10:24 < slango> I see 10:27 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 10:30 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has quit ["Leaving"] 10:30 -!- chemokid [n=chemokid@76-10-182-143.dsl.teksavvy.com] has joined ##openvpn 10:50 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 10:54 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 11:10 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 11:42 < dogmeat> ecrist, hi 11:42 < ecrist> :) 11:56 -!- devicenull [n=devicenu@64.252.135.178] has joined ##openvpn 12:08 -!- slango [n=slango@unaffiliated/iamethos] has quit [Read error: 104 (Connection reset by peer)] 12:28 < devicenull> I'm having trouble setting up openvpn with redirect-gateway.. the client just seems to ignore the tunnel and just use the normal internet connection 12:28 < devicenull> http://dev3.ampaste.net/m552a99aa is my server configuration 12:29 < devicenull> the client gets an IP of 10.8.0.9, and looking at the routing table has a default route for the tunnel set up with a low metric 12:30 < devicenull> I've been going off the information at http://www.wains.be/index.php/2008/07/18/openvpn-routing-all-traffic-through-the-vpn-tunnel/ for setting it up 12:30 < ecrist> can you show us a traceroute? 12:31 < ecrist> also, what version of OpenVPN are you using? 12:31 < devicenull> yea, it doesnt even go through the tunnel 12:31 < devicenull> 2.0.9 windows on the client 12:31 < devicenull> 2.0.9 on the server 12:32 < devicenull> http://dev3.ampaste.net/m3f4d25c5 tracert 12:32 < devicenull> http://dev3.ampaste.net/m17392eb8 routing table on the client 12:32 < ecrist> and an output from ifconfig /all 12:33 < devicenull> I assume you mean ipconfig, one sec 12:34 < ecrist> yes, sorry 12:35 < devicenull> I managed to break ipconfig somehow, I have to go find the fix 12:35 < ecrist> ok.
12:37 < plaerzen> ecrist, you're like the unsung hero of #openvpn 12:37 < ecrist> o.O 12:37 < plaerzen> every time I look over here, you're helping someone 12:38 < ecrist> eh, I try. thanks for noticing, thogh. 12:38 < ecrist> though* 12:38 < ecrist> honestly, it shows how mundane my job is. ;) 12:39 < devicenull> ugh apparently my tcpip stack is broken, that's fun 12:40 < devicenull> I wonder if thats part of the issue 12:40 < ecrist> devicenull: it's windows, reboot. 12:40 < devicenull> ipconfig has been broken for awhile 12:40 < devicenull> it's never bothered me because it's not a huge issue 12:41 < ecrist> can you ping 10.8.0.1? 12:41 < devicenull> yea, I could 12:42 < devicenull> restarting now 12:42 < devicenull> sweet ipconfig works 12:43 < ecrist> newegg FTW 12:43 < ecrist> me: "I bought this, and it stopped working." 12:44 < ecrist> newegg: "Damn, here's an RMA, we'll pay the shipping. You'll have a new one 3 days after we get your broken one." 12:44 < ecrist> me: "Let's argue about it." 12:44 < devicenull> now it's broken again, wtf windows I hate you 12:44 < ecrist> newegg: "it's not needed, but if it'll make you happy, sure" 12:44 < ecrist> me: "you're not supposed to agree with me" 12:44 < ecrist> newegg: "I'm sorry." 12:45 < ecrist> me: "I give up." 12:45 < devicenull> ok, I can ping 10.8.0.1, but http doesnt work.. lets see what tracert shows 12:45 < devicenull> lol 12:45 < ecrist> newegg: "have a nice day" 12:45 < devicenull> tracert shows a bunch of * * * Request timed out lines, and no actual content 12:46 < devicenull> lets see if tracert -d does any better 12:46 < devicenull> nope 12:46 < ecrist> does the routing table look the same? 
12:47 < devicenull> no, actually it's different 12:47 < devicenull> my default gateway finally changed to 10.8.0.9 12:47 < devicenull> and it's actually fairly different 12:47 < devicenull> the interesting thing is I can ping the real IP address of the VPN server 12:50 < devicenull> but that's the only machine I can ping/ssh 12:51 < devicenull> I can pastebin the new routing table if you wan 12:51 < devicenull> *want 12:53 < devicenull> hmm, iptables doesnt show the nat rule after I've added it 12:54 < devicenull> ahha 12:54 < devicenull> had duplicate entries in iptables 12:55 < devicenull> ugh, nope.. windows seems to have fixed it by ignoring the vpn link again 12:58 < devicenull> okay that's weird 12:58 < devicenull> it's sending data via the VPN, but not receiving any responses 12:58 < devicenull> makes me think it's an issue with the server, rather than the client 12:59 < ecrist> devicenull: you can't ping the remote endpoint addresses. 12:59 < ecrist> so, clients will only be able to ping the primary VPN address. 12:59 < ecrist> in your case, 10.8.0.1 13:00 < devicenull> yea, I can ping that 13:00 < devicenull> MULTI: bad source address from client [192.168.3.22], packet dropped 13:00 < devicenull> I get a bunch of those, lets see what google says about it 13:01 < devicenull> and now it's magically working with no changes 13:17 < ecrist> plaerzen: it would appear not everyone likes me. Just yesterday: 13:17 < ecrist> 13:52 < jeffspeff> you're a jack ass 13:26 < devicenull> I've got what would seem to be a stupid question.. is there user authentication in openvpn? It would seem it just kinda allows any client to connect 13:26 < devicenull> or does it require that the client's keys be signed by the CA I created? 13:32 < devicenull> found the docs :D 13:34 < devicenull> actually it doesnt seem to be addressed that much 13:34 < ecrist> what's not addressed?
13:35 < devicenull> how it does authentication 13:35 < devicenull> does it allow everyone to connect by default? 13:35 < ecrist> clients cannot connect unless their certificate is signed by the CA Root certificate, or somewhere appropriate within the certificate chain. 13:35 < devicenull> ah, that's what I thought 13:35 < devicenull> thanks :) 14:31 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: rmull 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:06 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:12 -!- CppIsWeird [n=user@unaffiliated/cppisweird] has joined ##openvpn 15:14 < CppIsWeird> is there any way to set up vpn or a network connection at all that when I am at the location it uses the local network, and while I am not at the location, it uses the internet? 15:15 < CppIsWeird> I'm trying to set up one connection and IP that I can use for access to home that is the same whether im here or not so that I dont have to have two instances of everything depending on where I am 15:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 15:16 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:17 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 15:17 -!- ITguru [n=ITguru@5ac30288.bb.sky.com] has joined ##openvpn 15:18 < CppIsWeird> reason I ask about doing it with openvpn is because I would like the remote access to my home network going through openvpn if any such method is possible. 15:19 < ITguru> openvpn, and network manager are a match made in hell!
15:19 < SilenceGold> uh 15:19 < CppIsWeird> good to know 15:19 < ITguru> I get p12 files from my smoothwall install - and I would like to know where I can find the CA file, so I can use network manager 15:19 < SilenceGold> CppIsWeird you can use VPN tunnels to access remote LAN over the internet if you wanted 15:19 < SilenceGold> just need an endpoint at each side 15:21 < CppIsWeird> yes, i know this, i wasn't asking that possibility, i was asking the possibility of openvpn connecting over the internet when I am not at that network and connecting locally when I am on the network in question, that way I can set up services to run through the openvpn IP's when local or remote. 15:22 -!- chemokid [n=chemokid@76-10-182-143.dsl.teksavvy.com] has quit ["fooood"] 15:24 < ITguru> CppIsWeird, that's more of a DNS issue, rather than an OpenVPN issue 15:24 < CppIsWeird> ... how you figure? 15:25 < CppIsWeird> actually... i think i know how you might figure that... 15:26 < CppIsWeird> hmm... so like i should have net.whatever.com and when im outside the network it will go to the dns and get redirected home, and have a dns on the internet network that picks it up and redirects it internally, yes? 15:27 < CppIsWeird> s/internet network/internal network/ 15:27 < ITguru> Something like that 15:28 * CppIsWeird fears dns servers 15:28 < CppIsWeird> anyways, im hungry, thanks for the redirection. later. 15:28 < ITguru> CppIsWeird, DNS servers are a pain in the *** 15:28 -!- CppIsWeird [n=user@unaffiliated/cppisweird] has quit ["FEAR DA DNS!"] 15:29 < ITguru> But i love 'em! 15:29 < ecrist> DNS is not difficult. 15:30 < ITguru> ecrist, it's not difficult, but it's a pain! 15:34 < Dougy|Work> Yay 15:34 < Dougy|Work> new server 15:34 < Dougy|Work> DNS is fun as hell 15:34 < Dougy|Work> until you get a support ticket like I did today 15:34 < Dougy|Work> to do RDNS records for every single IP in a /21 15:35 < Dougy|Work> i wanted to cry 15:44 < ecrist> Dougy|Work: that's scriptable.
15:44 < ecrist> unless you're using a GUI admin console... 15:45 < ecrist> and, as far as a /21, my guess is most of them followed some pattern, which can be done with a proper $GENERATE statement in the config. 15:46 < ITguru> Damn - Dougy|Work I feel for you dude! 15:51 < SilenceGold> I love CLI style for dns records :) 16:07 < Dougy|Work> ITguru: ugh fucking shoot me 16:07 < Dougy|Work> please 16:07 < Dougy|Work> ecrist: IRC vhosts. 16:07 < Dougy|Work> :( 16:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 16:17 < ecrist> Dougy|Work: what? 16:19 < Dougy|Work> ecrist: those RDNS's had no pattern 16:19 < Dougy|Work> every one was a weird IRC vhost 16:19 < Dougy|Work> :( 16:19 < Dougy|Work> took me literally 2 and a half hours to get it all done 16:20 < ecrist> Dougy|Work: still coulda been scripted. 16:20 < ecrist> so, you manually set 2,046 reverse DNS records? 16:21 < Dougy|Work> yeah :'( 16:21 * Dougy|Work has no life 16:21 < devicenull> aand, you didn't script that why :D 16:22 < Dougy|Work> i don't scrip 16:22 < Dougy|Work> t 16:23 < ecrist> could have saved yourself two hours and twenty nine minutes. 16:24 < Dougy|Work> lol 16:24 < Dougy|Work> i dont mind really 16:24 < ecrist> that's a rather large IRC network. 
16:24 < Dougy|Work> it was either do that 16:24 < Dougy|Work> its a whole shell provider 16:24 < Dougy|Work> and 16:24 < Dougy|Work> it was either do that or sit here and twiddle my thumbs 16:25 * ecrist votes for thumb-twiddling 16:28 < devicenull> you have internet access, how can you be bored :D 16:29 < Dougy|Work> er 16:29 < Dougy|Work> you'd be surprised 16:29 < Dougy|Work> heh 16:35 < devicenull> no, I wouldn't actually 16:44 -!- Tido [n=tido@216.235.158.34] has joined ##openvpn 16:44 < ecrist> hi, Tido 16:44 < Tido> hey ecrist 16:45 < Tido> so I need to go from completely novice at openvpn to having a working vpn through a firewall I can't control 16:46 < Tido> can I use an openvpn client on the firewalled network to access an openvpn server on another, and thus let me have my access without all this crappy F5 vpn bs? 16:47 < devicenull> that seems to be the general point of a vpn 16:47 < Tido> except it's backwards 16:47 < devicenull> what :o 16:47 < devicenull> no, that doesn't seem backwards 16:47 < Tido> you'd run the server on the network you're trying to connect to usually, right? 16:47 < ecrist> Tido: yes, you can do that. 16:47 < devicenull> Tido: oh yea 16:47 < ecrist> depending on how restrictive the firewall is. 16:47 -!- vladi-bg [n=vladi@206-169-1-36.static.twtelecom.net] has joined ##openvpn 16:48 < Tido> well, I'm not going to be able to route a port to my box, so I have to connect to a server outside of the network for this to work 16:49 < ecrist> Tido, firewalls can be restrictive out, as well as in. If that's not a problem, there's no reason you can't do what you're looking for with OpenVPN. 16:49 < Tido> it's not restrictive out 16:49 < Tido> just in 16:49 < ecrist> then you're fine. 
16:49 < Tido> ok, now just need to figure out how to do it :x 16:49 < vladi-bg> hi, i have two vpn tunnels and when i try to go from one tunnel and ping a host on the other tunnel i trace the packet all the way to the tun device of the destination tunnel but it doesnt seem to go to the other end of the tunnel do i need to do snat or something? 16:50 < Dougy|Work> ecrist 16:50 < Dougy|Work> nslookup ovpnforum.com for me please 16:50 < Dougy|Work> tell me if it returns an IP in the 69. 16:50 < ecrist> ovpnforum.com: not found 16:50 < devicenull> [17:50] [DNS] Canonical: ovpnforum.com Numerical: 69.73.151.150 16:50 < ecrist> ovpnforum.com has address 209.250.239.150 16:50 < ecrist> ovpnforum.com mail is handled by 10 mail.ovpnforum.com. 16:51 < Dougy|Work> hmm 16:51 < Dougy|Work> it works for devicenull 16:51 < ecrist> vladi-bg: I don't follow. 16:51 < ecrist> Dougy|Work: it worked for me, ignore not found. 16:52 < Dougy|Work> ecrist: ok 16:52 < devicenull> dns caching is irritating isn't it 16:52 < Dougy|Work> yes it is 16:52 < ecrist> set a lower TTL next time. 16:53 < Dougy|Work> directadmin does 14400 by default 16:53 * Dougy|Work replaces it with "500" 16:59 -!- ITguru [n=ITguru@5ac30288.bb.sky.com] has quit [Read error: 110 (Connection timed out)] 17:02 -!- rsc [n=robert@fedora/rsc] has left ##openvpn ["Linux - The future has already started!"] 17:11 < vladi-bg> ecrist: i have office1 >tun0/10.10.0.x< vpnbox >10.8.0.x/tun2< office2 17:11 < vladi-bg> ecrist: and when i do a tshark on tun2 i see the pings coming from 10.10.0.2 but no reply and on the office2 vpn i dont see them as well 17:12 < ecrist> are you routing those networks? 17:12 < vladi-bg> ecrist: yes 17:12 < vladi-bg> ecrist: do i need to have them in the ccd file? 17:13 < vladi-bg> ecrist: i mean it knows to take the path to tun2 its just not going over it 17:14 < ecrist> then it doesn't know. 17:15 < ecrist> if it did, it would take the path.
17:15 < ecrist> is the vpn box your default router in each office? 17:15 < vladi-bg> ecrist: nope 17:15 < vladi-bg> ecrist: there are routes on the default router for the subnets that need to go through the vpn 17:16 < vladi-bg> ecrist: i see the icmp packets on tun2 on the vpnbox just not on tun0 on the vpn server in office2 17:17 < vladi-bg> ecrist: do i have to specifically allow something to go through a tunnel? 17:17 < ecrist> do you have client-to-client enabled in config? 17:17 < vladi-bg> ecrist: like a new subnet 17:17 < vladi-bg> ecrist: yes 17:17 < ecrist> you don't have to say my name with each message. 17:17 < vladi-bg> sorry used to it 17:23 < ecrist> vladi-bg: can you pastebin your client and server configs? 17:23 -!- Tido [n=tido@216.235.158.34] has quit ["Leaving"] 17:27 < vladi-bg> ecrist: so i need client-to-client on a server in order for it to accept packets not originating for the ptp tunnel ip 17:29 < ecrist> no, on the server 17:44 < vladi-bg> ecrist: sorry i just read up on client-to-client i dont think that will fix my problem because in my case i have two diff vpn tunnels / servers 17:45 < vladi-bg> office1/vpnsrv1 > tun0 >< office/vpnclient >< tun1 > office2/vpnsrv2 17:45 < vladi-bg> so i do a ping from office1 to office2 ip space 17:45 < vladi-bg> i can see the pings on tun1 but their source is ip of tun0 17:46 < vladi-bg> so i think tun1 is not passing them through the tunnel 17:46 < ecrist> firewall? 17:46 < vladi-bg> because of some restriction 17:46 < ecrist> vladi-bg: openvpn doesn't really do any restricting in terms of routing. 17:46 < vladi-bg> ecrist: im logging dropped packets and i dont see anything being dropped 17:46 < ecrist> that sentence doesn't even make sense.
17:47 < vladi-bg> sorry not english 17:48 < vladi-bg> im logging dropped packets on my firewall and i dont see anything in logs that is dropped when i try that 17:48 < ecrist> vladi-bg: my guess is that it's not an OpenVPN issue - you're either missing a route on your routing table, or your firewall is dropping the packets. 17:56 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 17:59 -!- lwithers [n=lwithers@chrysocolla.lwithers.me.uk] has joined ##openvpn 17:59 -!- Irssi: ##openvpn: Total of 35 nicks [0 ops, 0 halfops, 0 voices, 35 normal] 18:01 < lwithers> hi, I have an openvpn server instance running on a machine, with "dev tun" and "topology subnet". If a client to this instance is compromised, can this client be used to do anything to the other clients? 18:01 < lwithers> obviously it can route to them, but I mean can it sniff packets or screw with their routing? 18:07 < ecrist> lwithers: how would it screw anything up? 18:15 -!- plaerzen is now known as pla 18:15 -!- pla is now known as plae 18:16 -!- plaerzen [n=user@S010600119505deed.cg.shawcable.net] has joined ##openvpn 18:17 < plaerzen> Hello guys. Just connected via my nokia n810 18:18 < plaerzen> Maemo os 18:19 < lwithers> ecrist: I don't know, that's why I'm asking -- basically I'm trying to determine the ramifications of a subverted client 18:19 < lwithers> sure, it can connect to services that might only be exposed on the VPN interface of other clients 18:19 < lwithers> but can it do anything else? 18:19 < lwithers> can it be used to intercept passwords sent in "plaintext" across the VPN? 18:38 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 18:46 < vladi-bg> ok so once a tunnel is established is there anything that will prevent it not passing traffic through given that there is a route for a certain subnet to go through it?
18:47 < vladi-bg> besides the obvious firewall 18:50 -!- plaerzen [n=user@S010600119505deed.cg.shawcable.net] has quit ["Leaving."] 18:55 -!- ByPasS [n=bypass@modemcable076.69-21-96.mc.videotron.ca] has joined ##openvpn 18:56 < ByPasS> its not purely openvpn oriented but any1 know if iptables can port forward from real server ip inside an openvpn client ? 19:01 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:04 -!- plae [n=cam@S010600119505deed.cg.shawcable.net] has quit ["BitchX: Little. Yellow. Better."] 19:35 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:39 < Dougy> no krzy 19:39 < Dougy> :< 19:57 -!- lwithers [n=lwithers@chrysocolla.lwithers.me.uk] has left ##openvpn [] 20:04 < Dougy> ermm 20:04 < Dougy> ecrist: there? 20:32 < ecrist> yep 20:33 < Dougy> sup 20:33 * Dougy is pissed off at Namecheap 20:35 < ecrist> what do you need? 20:36 < Dougy> nothing any more 20:36 < Dougy> i fixed it 20:36 < Dougy> i need to go bitch at namecheap and comodo 20:36 < Dougy> brb 20:36 < Dougy> i cant believe them 20:36 < Dougy> -bash-3.2# openssl req -noout -text -in ovpnforum.com.csr 20:36 < Dougy> Certificate Request: 20:36 < Dougy> Data: 20:36 < Dougy> Version: 0 (0x0) 20:36 < Dougy> Subject: C=US, ST=New Jersey, L=Fair Lawn, O=OpenVPN, OU=Forum, CN=ovpnforum.com/emailAddress=me@douglashaber.com 20:36 < Dougy> i have that 20:37 < Dougy> but the ssl cert they gave me to install (The actual cert) is signed to Localhost in Someplace 20:37 < ecrist> why the fuck would you use an actual CA for an OpenVPN server? 20:37 < Dougy> I'm not 20:37 < Dougy> o.O 20:38 < Dougy> It's for ovpnforum.com 20:38 < ecrist> oh, ok. 20:39 -!- krzee [i=krzee@unaffiliated/krzee] has joined ##OpenVPN 20:39 < Dougy> krzee!
20:40 < Dougy> :d 20:40 < Dougy> but namecheap is pissssssssssing me off 20:40 < krzee> wassssssup 20:40 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 20:41 < Dougy> nm 20:41 < Dougy> oh wtf 20:41 < Dougy> vB is pissing me off now too! 20:41 < krzee> well you sound rather pissed off 20:41 < krzee> me on the other hand... pretty happy 20:41 < Grapsus> Hello ! 20:42 < krzee> hey Grapsus =] 20:43 < ecrist> Dougy: why'd you buy an SSL cert for ovpnforum.com? 20:44 < krzee> ive never even considered buying an ssl cert for anything, wouldnt unless i planned on doing e-commerce 20:44 < krzee> ild go self-signed 20:44 < ecrist> it's what I did. 20:44 < Grapsus> What are you chatting about ? 20:44 < krzee> yup ecrist, ild do the same as you personally 20:45 < Dougy> ecrist: I didn't 20:45 < Dougy> www.namecheap.com 20:45 < krzee> Grapsus, Dougy is gunna start an openvpn forum 20:45 < Dougy> free :) 20:45 < krzee> Grapsus, but if you need help with anything feel free to interrupt =] 20:46 < Grapsus> krzee: I don't actually need help 20:46 < krzee> ahh ok 20:46 < krzee> just thought ild offer that ;] 20:46 < Grapsus> openvpn is doing great job for me, so I joined this channel to help someone if needed 20:46 < Dougy> :) 20:47 < krzee> Grapsus, very cool 20:47 < krzee> !menu 20:47 < vpnHelper> krzee: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download 20:48 < krzee> those might help you when helping people 20:48 < Dougy> !forum is gonna be there soon 20:48 < Dougy> :o 20:48 < vpnHelper> Dougy: Error: "forum" is not a valid command. 
20:48 < Dougy> oh shut up 20:48 < Dougy> lol 20:48 < krzee> hehe 20:49 < Grapsus> a forum would be cooler than the mailing list for simple questions for people who just start with ovpn 20:49 -!- mode/##openvpn [+o Grapsus] by ChanServ 20:49 < krzee> yup 20:49 < krzee> we also have a wiki 20:49 < krzee> for making writeups for things we commonly help people with 20:50 < krzee> ie: 20:50 < krzee> !route 20:50 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 20:50 < krzee> the writeup i made to help people understand route, iroute, push, ccd 20:51 < krzee> ecrist runs the wiki but its public editable 20:51 < Dougy> Grapsus: I agree 20:51 < Dougy> I want no personal gain out of it other than something fun to do 20:52 < Dougy> well 20:52 < Dougy> http://ovpnforum.com/ 20:52 < Dougy> yeah, nothing's been done yet, not even forums 20:52 < Dougy> but if you guys feel like joining now float your boat 20:53 < ecrist> you pay for vbulletin? 20:53 < Dougy> ecrist: already had it 20:53 < Dougy> that license has literally been sitting for 4 months 20:53 < Dougy> I paid $90 for the year in Dec 07 20:56 < krzee> ecrist, supybot can plugin to the forum to give us updates on forum entries, we can play with that to see if its annoying or not 20:56 < krzee> #aircrack-ng uses it and its great in there 20:56 < ecrist> krzee: up to you, I'm not running this joint. 20:57 < krzee> well ya but you are here helping often, ild like to get a consensus from those who are around helping on it 20:58 < krzee> cause if its going to help more people it's good, but if its gunna cause some who are here helping to pay less attention then its bad 20:58 < Dougy> By the way guys 20:58 < Dougy> If you wanna suggest forums for me to add, please do' 20:59 < krzee> ecrist, basically im just saying i will value your opinion on that 20:59 < krzee> when i get it up 21:02 < Dougy> so real fast guys.. 21:02 < Dougy> What are some forums I should add? 
21:03 < krzee> just figure it out as you go 21:04 < krzee> im gunna join when im home so i can save the pw into my crowser 21:04 < krzee> browser 21:05 < krzee> likely in a couple days... tonight i got a girl, tomorrow is my bday 21:06 < Dougy> Righto 21:06 < Dougy> Haha krzee gonna get some huh? :P 21:06 < Dougy> And since I won't see you tomorrow (probably), happy birthday :) 21:06 < krzee> yup 21:06 < krzee> hehe 21:06 < krzee> and thanx 21:06 < krzee> ill prolly be on a lil during the day, but at night definitely not 21:06 -!- rmull_ [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn 21:06 < rmull_> Woah, we have to be identified now? 21:07 -!- rmull_ is now known as rmull 21:07 < Dougy> sup rmull 21:07 < Dougy> ooo 21:07 < Dougy> New jersey? 21:07 < Dougy> :O 21:07 < rmull> Yessir 21:07 < Dougy> Badass. 21:07 < Dougy> :D 21:07 < rmull> :\ 21:07 < Dougy> I work in Secaucus 21:07 < rmull> Why do you say that? 21:07 < rmull> Ohh, shit 21:07 < Dougy> word. 21:07 < rmull> I was looking at scoring some colo space in secaucus. 21:07 < Dougy> Haha. 21:07 < Dougy> How much d'ya need? 21:08 < rmull> Initially? 1-5U. Down the road, possibly a full rack. 21:08 < Dougy> Er. 21:08 < Dougy> We're really really really full now. Like, we don't have half a rack even for colo now. 21:08 < rmull> I was looking at interserver, because they're cheap. Newjerseycolocation.com 21:08 < Dougy> Hahahaha 21:08 < Dougy> I'm in their office *every day* 21:08 < Dougy> we're in the same building 21:08 < rmull> No kidding?? 21:09 < Dougy> Every day 21:09 < Dougy> :P 21:09 < rmull> The dudes with the futon in their office? 21:09 < Dougy> yup 21:09 < Dougy> I was on that futon on Sunday 21:09 < Dougy> o.O 21:09 < rmull> Rofl, that's nuts!
21:09 < Dougy> watching their TV 21:09 < Dougy> lucky bastards 21:09 < rmull> They have a ton of open rackspace 21:09 < Dougy> yeah 21:09 < rmull> I took a brief tour 21:09 < Dougy> their DC (TEB2) 21:09 < Dougy> is 21:09 < Dougy> so insecure 21:09 < Dougy> It's nice but it's insecure 21:09 < rmull> Details? 21:09 < Dougy> you could kick through that door 21:09 < Dougy> those doors 21:09 < Dougy> finger scanners dont mean shit 21:10 < rmull> I knocked and they opened :D 21:10 < ecrist> Dougy: you're wrong, they do. 21:10 < Dougy> Exactly 21:10 < Dougy> ecrist: what? 21:10 < Dougy> rmull: yeah 21:10 < Dougy> if i had a gun and just knocked 21:10 < Dougy> that equipment is mine 21:10 < Dougy> lol 21:10 < Dougy> rmull: We have about 4 racks in the DC behind their office 21:11 < Dougy> Most of our gear is in the XO datacenter in the other side of the building 21:11 < rmull> How's XO? 21:11 < Dougy> Much more secure :p 21:11 < Dougy> And, I like that DC better 21:11 < Dougy> Keycard entry 21:11 < Dougy> and metal doors 21:11 < rmull> Do you know anything about "SOX" or SAS70 datacenter certification? 21:11 * Dougy is on the interserver finger scanner :D 21:11 < Dougy> Negative 21:11 < Dougy> Hey, brb I need to finish setting up OVPNForum 21:11 < Dougy> :D 21:11 < rmull> Swoot 21:12 < rmull> We're going all out these days, I see 21:12 < ecrist> rmull: I do. 21:12 < rmull> ecrist: Ah - our situation is we've got some clients that require their stuff to be hosted in a certified datacenter 21:12 < Dougy> Neither DC is very secure 21:12 < Dougy> honestly 21:13 < rmull> But I was reading through the cert requirements, and it made it seem that the certification pertained not only to the datacenter, but also to the hardware 21:13 < Dougy> there is no security 21:13 < rmull> Is that true? 21:13 < ecrist> rmull: I don't build data centers, but I install access control systems and procedure. 21:13 < rmull> Dougy: Do the colo providers have any theft insurance or anything? 
:\ 21:13 < Dougy> rmull: no idea but there's no security guards in place 21:13 < Dougy> in either 21:13 < Dougy> XO you have the keycard, you just walk in and have access to the rack 21:13 < Dougy> nobody stops asks 21:14 < Dougy> there's nobody to stop/ask 21:14 < Dougy> at least for the XO one 21:14 < rmull> Interserver had a cage available if you wanted one, for a fee 21:14 < ecrist> that's usually standard procedure. 21:15 < Dougy> rmull: yes 21:15 < Dougy> that cage is nice 21:15 < Dougy> the cooling in there is insufficient though 21:15 < rmull> I noticed 21:15 < Dougy> they're putting in another AC unit in the back left corner 21:15 < Dougy> eg 21:15 < Dougy> AC UNIT | servers servers | AC unit 21:15 < Dougy> door 21:15 < Dougy> the one on the left is getting installed now 21:15 < Dougy> and theres another one along the right 21:16 < rmull> I'm sure that it still beats running our shit in house, though 21:16 < Dougy> Of course 21:16 < Dougy> but 21:16 < Dougy> i mean they rushed in extra cooling for our racks 21:16 < Dougy> as the servers were putting out 190 degrees in exhaust fans 21:16 < Dougy> now its much cooler in there 21:16 < rmull> The problem with us is that (before I came along) we were just a bunch of IT dudes with windows experience that were geeky enough to set up a network but not geeky enough to do it right, so we didn't hire anybody to actually do the network right 21:16 < Dougy> but its still warmer than it needs to be 21:16 < Dougy> haha rmull 21:17 < rmull> Are you buddies with these colo guys? 
21:17 * rmull sniffs around for discounts 21:17 < Dougy> We (JustEdgE) don't do colo 21:17 < Dougy> I work for Justedge 21:17 < Dougy> (we originally were owned by same people as interserver, then we broke off) 21:17 < Dougy> so yes, I know the guys there 21:18 < Dougy> i can give you a contact or two 21:18 < rmull> Your website says you do colo <_< 21:18 < Dougy> We do 21:18 < Dougy> but 21:18 < Dougy> we're probably at 98 21:18 < Dougy> % capacity 21:18 < rmull> Oh right right. 21:18 < Dougy> My boss said that I can't sell more than 2-3 U colo 21:18 < Dougy> that's all we have 21:18 < rmull> Lol 21:18 < rmull> That's fairly tight. 21:18 < Dougy> We have plenty of space for dedicated servers 21:18 < Dougy> (TEB2, the InterServer) one 21:18 < Dougy> He doesnt like colo clients in there though. 21:19 < ecrist> from what I've seen of your network Dougy, my DSL and rack in my basement are more reliable and probably have better peering... 21:19 < Dougy> ecrist: odds are you're probably right 21:19 < Dougy> however 21:19 < Dougy> i replaced the switch in the rack my server was in today 21:20 < Dougy> It was messed up 21:20 < Dougy> I do admit our network has been really borked lately =/ I have nooooooo idea what's causing it 21:20 < Dougy> ecrist: need your advice 21:20 < Dougy> www.ovpnforum.com 21:20 < Dougy> what else do I need (do you think) 21:20 * Dougy is blanking 21:20 < rmull> Dougy: Dev participation? :\ 21:20 < Dougy> rmull: what do you mean 21:21 < rmull> So we have a wiki and junk, and afaik, it's all the irc crowd that will be using it 21:21 < rmull> Any shot of actually getting participation from the ovpn codebase contributors? 21:22 < Dougy> rmull: for what? the forum or the wiki or the? 21:22 < rmull> I guess the forum 21:22 < rmull> The wiki is fine, I'd say 21:22 < Dougy> I would like that.. but.. 21:22 < rmull> I know I know.
21:22 < rmull> Lol 21:22 < Dougy> rmull: when i said what else do I need, I meant like what forums 21:22 < rmull> How about "examples" ? 21:22 < rmull> Maybe too specific? 21:23 < Dougy> If you explain to me what you mean by "Examples" 21:23 < Dougy> Maybe 21:23 * ecrist agrees with rmull 21:23 < ecrist> rmull, check out !freebsd 21:23 < Dougy> !freebsd 21:23 < vpnHelper> Dougy: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 21:23 < rmull> I find it often to be quite helpful to look at working config examples for different network setups 21:23 < ecrist> for a specific example. 21:23 < Dougy> rmull: oh, good idea 21:23 < Dougy> Tutorials too 21:24 < rmull> There are so many ways to config openvpn, it might be helpful to see what people are using that works 21:24 < Dougy> Yep 21:24 < Dougy> Added that forum 21:24 < rmull> ecrist: I've been checking out your ipv6 stuff, and wandered over to the TLDP IPv6 pages 21:24 < Dougy> added Tutorails as well 21:24 < Dougy> Tutorials^ 21:24 < rmull> I've set myself up with an account with Hurricane Electric with the goal of using 6to4 encapsulation 21:24 < ecrist> TLDP? 21:25 < rmull> The Linux Documentation Project 21:25 < rmull> Link: http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x683.html 21:25 < vpnHelper> Title: Prefix lengths for routing (at tldp.org) 21:25 < rmull> Not the root URL, sorry 21:25 < rmull> Has a decent bit of history 21:25 < Dougy> Any more things that came to mind, rmull? 21:25 < rmull> Seems that FreeBSD really did some groundbreaking work with ipv6 development 21:25 < rmull> kudos to them 21:25 < rmull> Dougy: Hmm 21:26 < ecrist> rmull: yeah, they were right in there with the KAME project from almost day 1, iirc. 21:26 < Dougy> (by the way, JOIN! :P) 21:26 < rmull> Dougy: Maybe some custom logo action to replace the vbulletin logo? 
21:26 < Dougy> rmull: I'll hire my friend to make one soon 21:26 < Dougy> right now i'm talking about just forums 21:27 < ecrist> Dougy: maybe make some noise on the mailing list, build a following? 21:27 < Dougy> Krzy said he was going to do something like that 21:27 < ecrist> put some 'need-to-know' stuff up there now, send people to read it, they will add more. 21:27 < ecrist> it's how my wiki's slowly been rolling. 21:27 < Dougy> ecrist: Can I post your article(s) with a link to them? 21:27 < Dougy> Some 21:28 < Dougy> wiki things 21:28 < ecrist> otoh, I don't care much if my wiki is popular or used, it's mostly for my own reference. 21:28 < ecrist> Dougy: please just mention and link, don't plagarize. 21:28 < Dougy> I will 21:28 < Dougy> like i'll put the article and say 21:28 < Dougy> Source: 21:28 < rmull> Took me two tries to get the CAPTCHA right 21:28 < rmull> I must be part robot. 21:28 < Dougy> Will that suffice, ecrist? 21:28 < ecrist> Dougy: no 21:29 < Dougy> What do you want me to say then 21:29 < Dougy> ? 21:29 * Dougy will do whatever 21:29 < ecrist> that's not really the purpose of a forum. 21:29 < Dougy> I know 21:29 < Dougy> heh 21:29 < rmull> Yeah, actually... 21:29 < ecrist> a forum is sort of a longer-term IRC session. 21:29 < Dougy> hmm 21:29 < rmull> Perhaps the examples and tutorials belong more in a wiki. 21:29 < Dougy> never heard that analogy before 21:29 < Dougy> Ooh. 21:29 < rmull> Maybe a direct link to secure-computing's wiki in the link bar... 21:30 < Dougy> hahah 21:30 < ecrist> often, forum threads get built into howto/wiki documents. 21:30 < Dougy> i was just typing that, rmull 21:30 < ecrist> or white papers 21:30 < Dougy> So kill the examples and tuts forum, rmull? 21:30 < rmull> Doesn't bother me. 21:31 < ecrist> fwiw, you're welcome to use my wiki, but it's not required. 
21:31 < Dougy> ecrist: you're helping me so i'll return it :) 21:31 < rmull> I'd prefer to see tutorials and examples get incubated in the forum and then graduate to the wiki when they're considered "ready" 21:31 < Dougy> i need to think of things I can post 21:31 < Dougy> rmull: that too sounds like a good idea 21:32 < Dougy> Hmm 21:32 < Dougy> I'll write a tutorial on how to install openVPN 21:32 < Dougy> :o 21:32 < rmull> Any of you guys run big fileservers? 21:32 < ecrist> rmull, what's big? 21:32 < rmull> Hmm, 3T or more? 21:32 < ecrist> sorry, 2.7T here. 21:32 < ecrist> :( 21:32 < rmull> Lol, sorry man :\ 21:33 < rmull> What do you have? 21:33 < ecrist> work stuff 21:33 < ecrist> medical claim files 21:33 < rmull> I just added 8 TB drives to my puppy 21:33 < ecrist> nope, nothing that big here. 21:34 < rmull> Now I'm rocking 8x 500G and 8x 1T drives, it's heavy :D 21:34 < ecrist> looking forward to better support for ZFS on FreeBSD soon. 21:34 < rmull> Hmm, yeah, about ZFS: 21:34 < ecrist> 8TB for < $800 21:34 < rmull> At first I was all into it 21:34 < rmull> And was going to run FreeBSD for it 21:34 < Dougy> ecrist: yeah 21:34 < Dougy> Scott from bqinternet knows a LOT about the ZFS 21:34 < Dougy> he uses it 21:35 < ecrist> freebsd support for ZFS is still EXP 21:35 < rmull> But now there's a new GPL'd filesystem in the works that's supposed to be a "ZFS-killer" 21:35 < rmull> called tux3 21:35 < rmull> #tux3 on irc.oftc.net 21:35 < rmull> Still a long ways from completion, but my hopes are high 21:36 < rmull> I guess I'm too much of a stodgy ol' Linux stick-in-the-mud 21:36 < rmull> I tried Solaris once and it did not make me happy. 21:36 < ecrist> freebsd camp is not a fan of GPL 21:36 -!- near [n=near@88-122-26-69.rev.libertysurf.net] has quit [Network is unreachable] 21:36 < rmull> I understand. I am personally not much of a fan of GPL because it contradicts itself. 
21:37 < rmull> But the ZFS licensing is (IMHO) not doing me any favors 21:37 < rmull> Of all the licenses I'd say I respect BSD licensing the most. 21:38 < ecrist> agreed 21:38 < rmull> From what I've gleaned from the openbsd lists, /nobody/ outside RMS's camp cares much for the GPL. 21:38 < Dougy> hmm 21:38 < Dougy> I guses I need to tidy this up, but http://ovpnforum.com/showthread.php?p=1#post1 21:38 < Dougy> o.O 21:38 < Dougy> guess^ 21:39 < rmull> Hmm, I'd recommend making a non-admin account to post from, but that's just me being annoying I guess. 21:39 * Dougy shrugs 21:39 < ecrist> rmull: I know some folks that have had a chance to speak with RMS, apparently he's really bright. But as is usually the case, really crazy, as well. 21:39 < Dougy> I don't see the point of that, why do you say that? 21:39 * Dougy may be missing something 21:40 < ecrist> Dougy: I just get an unavailable message. 21:40 < Dougy> ecrist: what? 21:40 < ecrist> Dougy: same reason we don't sit in here as ops. 21:40 < Dougy> ecrist: true. 21:40 < ecrist> Sorry, the board is unavailable at the moment while we are testing some functionality. 21:40 < ecrist> We will be back soon.. 21:40 < Dougy> ecrist: you have it cached 21:40 < Dougy> that's the old server 21:41 < ecrist> oh 21:41 < rmull> Works for me 21:41 * ecrist will look tomorrow. 21:41 < Dougy> non-admin account made 21:42 < rmull> Dougy: What sort of machine is this forum being run on? 21:43 < Dougy> rmull: A vps 21:43 < Dougy> Ever heard of JaguarPC? 
21:43 < rmull> Neg 21:44 * rmull googs 21:44 < Dougy> wel 21:44 < Dougy> they're a big company 21:44 * rmull barfs at their website :( 21:44 < Dougy> I use another VPS company (Xen based) owned by the same company 21:44 < Dougy> It's on the $34 www.wowvps.com plan 21:44 < Dougy> but 21:44 < Dougy> I know all teh guys there so they bumped me up ;) 21:44 < rmull> It's all about who you know 21:44 < rmull> Sweet deal 21:45 < Dougy> I know a few people, all awesome 21:45 < Dougy> :) 21:45 < Dougy> I need to hit the sack 21:45 < Dougy> gotta start getting into school sleep schedule 21:45 < ecrist> where/what do you think secure-computing.net is hosted at/on? 21:45 < Dougy> ecrist: i don't have a clue 21:47 < rmull> ecrist: your basement? 21:47 < ecrist> ;) 21:47 < rmull> iphouse.net? 21:48 < ecrist> yep, on both 21:49 < rmull> sweet. 21:49 < rmull> The only website I run is deconfused.org 21:49 < ecrist> power is rock solid, my dsl is rock solid, I control full access to my rack, and I have my own dedicated server room. 21:49 < rmull> Running in a friend's basement on a gentoo VM 21:50 < ecrist> fwiw, if you ever need cheap, high bandwidth colo, www.colopronto.com 21:50 < Dougy> yuck 21:50 < Dougy> colopronto 21:51 < rmull> Elaborate 21:51 < rmull> :P 21:51 < Dougy> who, me? 21:51 < rmull> Yeah 21:51 < Dougy> I've read horror stories about their cancelation policy 21:51 < Dougy> :p 21:51 < rmull> Ahh 21:51 < ecrist> I've got a buddy with a server down there, I use for secondary/backup stuff. 21:51 < Dougy> I hear they're solid 21:51 < ecrist> we pull a consistent 30Mbps 21:51 < Dougy> but i also hear canceling is murder 21:52 < rmull> ecrist: What's he paying monthly? 21:52 < ecrist> 1u server, 29.99/month, iirc 21:52 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 21:53 < ecrist> he seeds freebsd torrents and such 21:53 < rmull> I guess none of these places let you run a torrent seedbox, right? 
21:53 < ecrist> the only problem we've had is that they get UCEPROTECT level 3 listed once in a while. 21:53 < rmull> Whoops, I mean for copyright-infringing torrents 21:53 < Dougy> hah 21:53 < Dougy> Just get a box at FDC 21:54 < rmull> FDC? 21:54 < Dougy> www.fdcservers.net 21:54 < ecrist> rmull: I'm grown, and so are most of my friends. I have a job, make my share of money, so I pay my share for things I use. 21:54 < ecrist> I stopped stealing stuff *years* ago. 21:54 < Dougy> You can actually get 20 TB of bandwidth on those $150 a month servers, rmull 21:55 < Dougy> http://www.fdcservers.net/Services/DedicatedServers/100MbitUnmeteredservers <-those 21:55 * ecrist goes away 21:55 < vpnHelper> Title: FDC - Services - Dedicated Servers :: Dedicated servers, Colocation chicago, Virtual dedicated servers, Dedicated server forums, virtual dedicated server forums, VDS, VPS, virtual private servers (at www.fdcservers.net) 21:55 < rmull> ecrist: :\ 21:55 * Dougy has nothing illegal on his PC 21:56 < rmull> We can talk about something else. I do not mean to annoy people. 21:58 * Dougy shrugs 21:58 < Dougy> im brainstorming for the forum 21:58 < rmull> Dougy: My biggest concern is whether or not people will actually use it 21:58 < Dougy> rmull: every website i've ever run has been a tragic failure 21:58 < rmull> I mean, between the mailing list, IRC, and the new wiki, there's a lot of help already 21:58 < Dougy> so i'm prepared for it 21:58 < rmull> That's a little depressing :\ 21:58 < Dougy> Not really 21:59 < Dougy> I just figure after all these fuck ups, one will do decent. 21:59 < Dougy> "{ 21:59 < Dougy> :( 21:59 < rmull> If you can somehow get a decent groundswell, maybe it's worthwhile to talk to the maintainers of the openvpn website and get a link posted 21:59 < Dougy> Yup. 
21:59 < Dougy> I hope so, I'll do all I can 22:01 < rmull> I wormed my way into running a forum for this one paintball company back when I was 14 22:01 < rmull> It was pretty sweet 22:01 < Dougy> Nice 22:01 < Dougy> I'm only a year older than that 22:01 < Dougy> so 22:01 * Dougy shrugs 22:01 < rmull> The eventually went out of business due to legal pressure from The Man, but they sent me two baseball hats for all my work 22:01 * rmull score 22:02 < Dougy> :( 22:02 < Dougy> Well. 22:02 < Dougy> I just hope this site does something. I really do. 22:02 < rmull> Why? 22:02 < rmull> Not to be negative or anything 22:03 < rmull> Lol 22:03 < Dougy> I want to be able to say I helped something go 22:03 < Dougy> and i want that something to not be a complete failure 22:03 < rmull> Yes, that would be nice 22:03 < rmull> There are a lot of opportunites for things like that with open source communities 22:03 < Dougy> Yup 22:04 < Dougy> I think this has a chance.. everyone here is nice 22:04 < rmull> I've noticed that. 22:04 < rmull> Heh 22:04 < rmull> I hang out in a few other channels but I don't shoot the shit in them. 22:04 < Dougy> ah 22:05 < Dougy> Wow. 22:05 < Dougy> This girl just clicked "Yes" on a facebook app to date me 22:05 < Dougy> My friend who I showed her pic said 22:05 < Dougy> "more like a hump and dump hit and quit bag and tag" 22:05 < Dougy> Hah. 22:05 < rmull> Hmm 22:06 < Dougy> yeah, everyone in here is nice that i've spoken to so far 22:06 < Dougy> (Krzy, SilenceGold, ecrist, and you) 22:06 < rmull> Maybe you could impress her with your knowledge of IP routing and public key cryptography. 22:06 < rmull> :D 22:06 < Dougy> LMFAO. 22:06 -!- jeev [n=j@unaffiliated/jeev] has joined ##openvpn 22:06 < Dougy> "Babe, I have one mean router that can send large quantities of packets!" 22:06 < Dougy> "Oh doug!" 22:06 < Dougy> "Yeah. *coolface*" 22:06 < jeev> lol 22:07 < rmull> Gets em every time 22:07 < rmull> I do hate facebook apps with a passion though. 
22:07 < Dougy> Eh, some are OK 22:07 < rmull> It's nice to see that something potentially good came out of one for once. 22:07 < jeev> hey guys, i regularly use mpd on freebsd.. so i was told openvpn is perfect for linux.. i set up a client and server, i connect just fine.. but if i want openvpn to act as my default gateway, do i need any different config ? 22:07 < Dougy> jeev: do you mean route all traffic through the VPN? 22:07 < jeev> yes sir 22:07 < rmull> jeev: You'll need the "redirect-gateway" directive in your server.conf 22:07 < Dougy> see 22:08 < Dougy> This is the perfect use for the forum :< but everyone just comes here 22:08 < Dougy> instead 22:08 < Dougy> :( 22:08 < jeev> its easy! 22:08 < rmull> jeev: Well, sortof 22:08 < rmull> THere are "caveats" 22:08 < rmull> Which are outlined in the howto 22:08 < rmull> !howto 22:08 < vpnHelper> rmull: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 22:08 < Dougy> !forum 22:08 < vpnHelper> Dougy: Error: "forum" is not a valid command. 22:08 < rmull> But it should do what you want. 22:08 < Dougy> :( 22:08 < jeev> hmm 22:09 < jeev> what is it considered? so i could look for it in the howto, 22:09 < rmull> jeev: I'll get you a link. 22:09 < jeev> routed vpn ? 22:09 < rmull> jeev: http://openvpn.net/howto.html#redirect 22:09 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 22:09 < rmull> HTH. 22:09 < rmull> Dougy: You can use !learn commands with vpnhelper if you want 22:10 < Dougy> krzee: not sure if you'll see this, but, I'm not too worried about that forum bot thing. There won't be that much activity for a while (if at all) 22:10 < Dougy> rmull: i know, but no point yet 22:10 < Dougy> I figure I should erm 22:10 < Dougy> get the logo done and what not 22:10 < Dougy> and maybe find some skin to use 22:10 < rmull> Oh 22:10 < Dougy> Right now they'll look, and just close the browser 22:10 < Dougy> probably 22:10 < rmull> That bad, eh? 
22:10 < rmull> :\ 22:11 < jeev> one sec, i'll read it, thanks man! 22:11 < rmull> jeev: GL HF 22:11 < rmull> :p 22:11 < Dougy> rmull: tell me something you see on the forum that makes you want to stay 22:11 < rmull> Though, I'm not sure why the use of mpd requires the redirect-gateway directive 22:12 < rmull> Dougy: Give it a little more time mang, it's too soon 22:12 < Dougy> rmull: exactly 22:12 < Dougy> That's exactly why I haven't used the !learn yet ;) 22:13 < rmull> More initial interest/attention could possibly mean good things, for example, you could have some philanthropic vbulletin whiz with free time that wants to lend a hand because he sees you're trying to get established 22:13 < Dougy> I'll dig around vb.org for a skin tomorrow 22:13 < rmull> On the other hand, you could "crap out a premie" 22:13 < rmull> :\ 22:13 < Dougy> rmull: the chances of that are seldom 22:13 < Dougy> better chance of "oh that'll never amount to anything. *exit*" 22:13 < rmull> I'm running a PunBB forum at http://lug.bu.edu/forum/ 22:13 < vpnHelper> Title: BU LUG Forum (at lug.bu.edu) 22:13 < Dougy> My friend is integrating punBB into Facebook 22:14 < Dougy> o.O 22:14 < rmull> Bleh web2.0 22:14 < Dougy> Meh. 22:14 < Dougy> Well. 22:14 < Dougy> For the forum to ever amount to anything, it would need to be put out there in places where people will see right away 22:14 < Dougy> *and* 22:14 < Dougy> There will need to be a group of a few people already joined waiting to help and stuff. 22:15 < rmull> We'll see how it turns out. 22:15 < Dougy> Indeed. 22:15 < Dougy> Should I SEO the URL's? 22:15 * Dougy doesnt think its necessary 22:15 < rmull> SEO? (sorry, my acronym library is small) 22:16 < Dougy> like 22:16 < Dougy> www.ovpnforum.com/forumname/how-to-install-openvpn-on-centos 22:16 < Dougy> or just www.ovpnforum.com/showthread.php?blah 22:16 < rmull> Ohh. 22:16 < rmull> TBH, that was something I've had internal debates over a number of times. 
22:17 < rmull> Because on one hand, I dislike URL pollution 22:17 < rmull> OTOH, it's nice to get a small preview about what you're about to click on. 22:17 < Dougy> Yeah. 22:17 < Dougy> I think it's ugly and ew 22:17 < Dougy> but it does help with SERP (search engine positioning) 22:17 < rmull> I hadn't even considered that. 22:18 < Dougy> It definitely does help with that 22:18 < Dougy> it's just forums dont necessarily need it 22:18 < Dougy> but for example, my hosting blog www.hostingrealm.com 22:18 < Dougy> It gets really good search engine positioning 22:18 < Dougy> http://www.google.com/search?q=directadmin+install+guide&btnG=Search&hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&hs=y1q&sa=2 22:18 < vpnHelper> Title: directadmin install guide - Google Search (at www.google.com) 22:18 < Dougy> #3 22:19 < Dougy> http://www.google.com/search?hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&hs=P2q&q=webmin+install+guide&btnG=Search 22:19 < vpnHelper> Title: webmin install guide - Google Search (at www.google.com) 22:19 < Dougy> #7 22:19 < rmull> vpnHelper: You need to xrl or tinyurl long urls, dude 22:19 < vpnHelper> rmull: Error: "You" is not a valid command. 22:19 < rmull> :P 22:19 < Dougy> :P 22:20 < Dougy> there's so many decisions man 22:21 < rmull> 7 more days, then I hit my first "bicentennial" - 200 days of uptime :D 22:21 * rmull knocks on wood 22:22 < jeev> ok lets see 22:23 < jeev> that att commercial is hilarious 22:23 < Dougy> rmull: heh 22:23 * Dougy vmsplice exploits rmull's server 22:23 < jeev> heh 22:24 < rmull> Dougy: Gotta get local first. :P 22:24 < jeev> i dont get how the certificate authentication works 22:24 < jeev> if i have all the certs on the server, which do i need to bring over ? 22:25 < rmull> To the client? 
22:25 < jeev> # Issues exist with respect to pushing DNS addresses to Windows clients., damn pretty big caveat lol 22:25 < jeev> yes 22:26 < rmull> jeev: http://openvpn.net/howto.html#pki 22:26 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 22:26 < rmull> Scroll down to "Key Files" 22:26 < rmull> You should see a matrix that tells which machines need which keys/certs 22:26 < jeev> ok, so i guess this is my reason why i want a vpn 22:26 < jeev> i go to a lot of different places and i'd just rather connect to my server (securely) 22:26 < jeev> i guess that seems to be a good enough reason? 22:26 < rmull> Sure, seems like it 22:26 < jeev> assume that openvpn will provide me the proper encryption and security, right ? 22:27 < rmull> It should. 22:27 < rmull> Hold on though, if you just want to connect to your server, why not just use SSH? 22:27 < jeev> woo, hoo. 22:27 < jeev> no 22:27 < jeev> not connect to server 22:27 < jeev> i just want to browse the web and do everything that i do.. aim, irc securely 22:27 < jeev> i'm in hotels and crap 22:27 < jeev> i dont trust that stuff 22:27 < rmull> Oh, okay. 22:27 < jeev> so i'd rather vpn, right ? 22:27 < rmull> I'd say so. 22:27 < jeev> i got spare bandwidth on some nice colo's, might as well. 22:27 < Dougy> Lucky guy 22:28 < rmull> You can make a dynamic SOCKS proxy with SSH but then you'd need to config each app to use that proxy, which is annoying 22:28 < jeev> you're luckier, you have optonline! 22:28 < rmull> So OpenVPN would be nicer. 22:28 < jeev> yea rmull 22:28 < jeev> is it possible to enable the option to use it as a gateway 22:28 < jeev> and have the client decide? 22:28 < rmull> Decide? 22:28 < rmull> You can set your own routes as client 22:29 < jeev> so i wouldn't require the redirect-gateway clause ? 22:29 < rmull> I'm not sure specifically what that directive does - as far as I know, it just sets a routing rule on the clients that connect to it. 
22:29 < rmull> Someone please correct me if I'm wrong. 22:29 < jeev> ahh 22:29 < Dougy> jeev: what do you mean 22:30 < rmull> Good question :D 22:30 < jeev> for example, if i use MPD in bsd 22:30 < jeev> if i connect, it'll try to send me out the freebsd network because by default 22:30 < jeev> 'use gateway on remote network' is selected 22:30 < jeev> i can't find the option in windows for that for the interface which i'm assuming is lan 5.. 22:30 < jeev> maybe for this computer, i dnot want * to go out the default on the remoet network 22:30 < jeev> but on my laptop, i will.. therefor, i wouldn't want to force all clients to via server.conf 22:31 -!- jeev [n=j@unaffiliated/jeev] has left ##openvpn [] 22:32 * rmull is confused 22:34 -!- jeev [n=j@unaffiliated/jeev] has joined ##openvpn 22:34 < jeev> wow 22:34 < jeev> did i get kicked? 22:34 < rmull> yes 22:34 < jeev> heh 22:34 < Dougy> you parted 22:34 < rmull> well, kicked? no 22:34 < jeev> how 22:34 < jeev> i didn't even realize 22:34 < jeev> i didn't see ANYTHING heh 22:34 < rmull> damn IRC gnomes 22:35 < jeev> hehe 22:35 < jeev> so did you guys get what i said 22:35 < Dougy> what did you say 22:36 < rmull> Last thing you said: but on my laptop, i will.. therefor, i wouldn't want to force all clients to via server.conf 22:37 < jeev> yep 22:37 < jeev> so you guys get what i meant 22:37 < jeev> lol 22:38 < rmull> Maybe you can use that directive in the ccd for the clients you want it to apply to 22:38 < rmull> I've never seen this in the documentation 22:38 < rmull> But it's worth testing 22:39 < jeev> ccd? 22:39 < Dougy> bed 22:39 < Dougy> night 22:40 < jeev> night dood 22:40 < rmull> Dougy: nn 22:40 < rmull> jeev: client-config-dir 22:40 < rmull> Check out the howto, man 22:40 < rmull> ;) 22:41 < jeev> ah 22:41 < jeev> i did! 
22:42 < rmull> I'm gonna head out, peace chan 22:42 -!- rmull is now known as rmull_ 22:44 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] 22:44 < jeev> later dood thanks 22:55 < jeev> after disconnecting from the vpn, windows gateway isn't reset.. 23:28 < ecrist> jeev: what version you suing? 23:28 < ecrist> using? 23:28 < ecrist> nothing litigous here. 23:36 -!- Alives [n=Alives@cpe-72-225-212-185.nyc.res.rr.com] has joined ##openvpn 23:38 < Alives> how do you get the TAP driver installed in vista? 23:38 < SilenceGold> it should occur during the installation of the openvpn client 23:38 < Alives> yeah 23:39 < Alives> but then vista says it will not allow the driver installation without it being digitally signed 23:41 < SilenceGold> I am not sure which one..I use the beta one 23:41 < SilenceGold> it did have the digitally signed drivers 23:41 < Alives> hmm 23:41 < Alives> development? 23:42 < SilenceGold> yea 23:42 < SilenceGold> the 2.1.x 23:42 < Alives> nice ill try that 23:42 < Alives> thanks --- Day changed Wed Aug 27 2008 00:10 -!- devicenull [n=devicenu@64.252.135.178] has quit [Read error: 104 (Connection reset by peer)] 00:57 -!- bandini [n=bandini@host123-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 01:34 -!- rmull_ [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 01:46 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:17 -!- undertakingyou is now known as u12u 02:42 < kraut> moin 03:22 < krzie> moin kraut 05:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:18 -!- thefish [n=thefish@unaffiliated/thefish] has joined ##openvpn 06:18 < thefish> hello 06:38 -!- mcp [n=mcp@wolk-project.de] has quit ["ZNC - http://znc.sourceforge.net"] 06:39 -!- weedar [n=sikrit@82.194.215.2] has joined ##openvpn 06:44 < weedar> Can I setup an OpenVPN-server that uses an internal DHCP-server to give IP-leases instead of 
providing it by itself - so OpenVPN can provide IPs in the same scope as the DHCP-server 06:47 < weedar> Put in another way...If I connect to the office-LAN I get an IP from a DHCP-server not accessible from the outside, I want to setup an OpenVPN-server on a server which is world-accessible and that also has access to the DHCP-server 07:15 < ecrist> weedar: yes, using bridging. 07:18 < thefish> i have openvpn client running and connecting fine on a wrt router (roadkill tomato firmware), but i can access vpn resources only from the router itself, not from any router clients (all clients use router as default route) - is there an extra step to do 07:25 < ecrist> there shouldn't be, if I understand your problem correctly. 07:25 < ecrist> sounds like a possible firewall issue. 07:32 < thefish> ecrist: no with iptables logging, they show as accept 08:04 < ecrist> thefish: you don't give me a lot of data to go on... 08:10 < thefish> ecrist: sorry :) busy trying different things here 08:11 < thefish> ecrist: it just wont route to the openvpn net... from the router, i can ping inside the remote net 08:11 < thefish> but from router clients, nothing 08:12 < thefish> from router clients i can still ping internet hosts though 08:12 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn 08:12 < plaerzen> harro 08:12 < thefish> so its just the openvpn part that its not routing 08:12 < ecrist> morning, plaerzen 08:12 < thefish> hans bricks? 08:13 < ecrist> thefish: can vpn clients ping the vpn router address? 08:14 < thefish> ecrist: yes, both the lan if (192.168...) and the openvpn tun address (172.16...) 08:15 < ecrist> ok, run a traceroute from one of the lan clients to one of the vpn clients and pastebin it 08:27 < kala> anybody here has option about "Extended Key Usage critical extension" in the X.509 certificates, which OpenVPN could use to authenticate server and client? 
08:27 < kala> opinion 08:28 < kala> OpenVPN itself can check the "remote-cert-eku 1.3.6.1.5.5.7.3.1" things, but if I specify this extension as a critical in the certificate the OpenSSL fails with error "unhandled critical extension" 08:31 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has joined ##openvpn 08:32 < ecrist> kala, interesting, if you find out, please let me know. 08:35 < ecrist> can I ask, what're you trying to do with the extra extensions? 08:35 < kala> well, it seems that OpenVPN can check the certificate intended usage, by having --remote-cert-eku option in the config file. However, when I *require* that the certificate must not be used for any other purpose, then OpenVPN fails, because OpenSSL fails to verify the certificate. 08:36 < kala> I'm just trying to understand the different options 08:36 < kala> honestly, its not really neccessary to issue certificates with critical extensions 08:37 < kala> so, I guess I'll just drop the subject and will use the non-critical extensions 08:37 < ecrist> my policy is generall KISS. 08:37 < ecrist> !kiss 08:37 < vpnHelper> ecrist: Error: "kiss" is not a valid command. 08:38 < ecrist> !learn Keep It Simple Stupid 08:38 < vpnHelper> ecrist: Invalid arguments for learn. 08:38 < kala> yep, good one 08:38 < ecrist> !learn as Keep It Simple Stupid 08:38 < vpnHelper> ecrist: The operation succeeded. 08:46 < plaerzen> hey guys, I'm going to hang out in #security for a bit... until I find out that it sucks 08:46 < plaerzen> bbl 08:46 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has quit ["[BX] We drink more beers than Norm on Cheers!"] 08:46 < ecrist> lol 08:57 -!- weedar [n=sikrit@82.194.215.2] has quit [Connection timed out] 09:18 < kala> uh. --tls-verify option says that it should have at most 1 parameter. So, when I have a script and want to pass argument to it, I need to to tls-verify "script.pl argument1". 
But this gets converted to execve("script.pl argument1", argument2, argument3) syscall and I get "no such file or directory". 09:19 < kala> I'm wondering if Suse has its services by default chrooted or is there something else different 09:54 < Dougy|Work> morning 09:57 -!- KaiForce [n=chatzill@rrcs-96-11-109-38.central.biz.rr.com] has joined ##openvpn 10:04 < kala> the OpenVPN sample verify.cn script recommends to use tls-verify "./verify-cn Test-Client" configuration option. but this fails on OpenSuse with "Verify command failed to execute" error 10:05 * ecrist doesn't know. 10:05 < Dougy|Work> ecrist 10:05 < Dougy|Work> http://www.codinghorror.com/blog/images/tan-lines-from-typical-summer-activities.jpg 10:05 < Dougy|Work> :) 10:06 < ecrist> Dougy|Work: that's been going around for many years. 10:06 < Dougy|Work> i just saw it 10:08 < Dougy|Work> oO 10:08 < Dougy|Work> ecrist: someone I don't know joined the forum 10:08 < Dougy|Work> hah 10:08 < Dougy|Work> krzee: happy birthday 10:11 < cpm> whose birthday? 10:22 < jeev> hey dood 10:22 < jeev> Dougy|Work 10:24 < jeev> Dougy|Work, when i close the connected openvpn window on the windows xp computer, it never sets the gateway back for the original connection.. 10:35 < Dougy|Work> erk 10:35 < Dougy|Work> My bad 10:35 < Dougy|Work> jeev: let me read that :p 10:36 < Dougy|Work> So click disconnect on the VPN thing 10:36 < Dougy|Work> Do you use a client? 10:36 < jeev> what client, when i'm using openvpn, i click right on my client config, start it.. works great, redirect-gateway = win win woo hoo! 10:36 < jeev> then when i click x on the window 10:36 < jeev> i dont have a route anymore to use the regular isp 10:37 < Dougy|Work> Oh. I haven't not used the www.openvpn.se client in ages 10:37 * Dougy|Work forgets how the default openVPN one works 10:37 < Dougy|Work> :< 10:37 < jeev> ahh 10:37 < jeev> that's the gui version ? 
10:37 < jeev> i mean i know i got the gui version 10:38 < Dougy|Work> Well, the www.openvpn.se has a nice VPN client 10:38 -!- KaiForce [n=chatzill@rrcs-96-11-109-38.central.biz.rr.com] has quit [Connection timed out] 10:38 < Dougy|Work> Very easy to use 10:38 < jeev> that's wha ti downloaded 10:38 < jeev> but i thought the openvpn dos thing was a part of openvpn 10:38 < Dougy|Work> It is, I think 10:38 < Dougy|Work> It is^ 10:38 < Dougy|Work> http://www.openvpn.se/images/newmenu.png 10:38 < Dougy|Work> Just do that and disconnect if you have the program 10:38 < Dougy|Work> o.O 10:39 < jeev> bna 10:39 < jeev> thats not it 10:39 < jeev> i'm using the actual openvpn program without gui 10:39 < Dougy|Work> :< 10:39 < Dougy|Work> I don' 10:39 < Dougy|Work> I don't remember much about that* 10:39 < Dougy|Work> I don't use Windows, so 10:39 < jeev> ahh 10:40 < jeev> all i know is that it doesn't return local area connection's interface to its previous default gateway 10:40 < Dougy|Work> in ipconfig, is the vpn still connected? 10:41 < jeev> no, when i close it, it's discvonnected 10:41 < jeev> so local area connectino shows 192.168.0.3 for example, with netmask 10:41 < jeev> but no gateway 10:41 < jeev> so i have to ipconfig /renew to get it outgoing again (regular connections) 10:41 < Dougy|Work> Hrm 10:41 < Dougy|Work> I would talk to ecrist on that one 10:42 < Dougy|Work> I only use Linux when i VPN 10:42 < Dougy|Work> So.. I'm not of much use 10:42 < Dougy|Work> I only use Linux really (except here at work) 10:42 < jeev> ah ok 10:42 < Dougy|Work> control + c and my routing is back to normal 10:42 < Dougy|Work> lol 10:43 < jeev> control c doesnt' work for me 10:43 < jeev> i have to x it 10:43 < Dougy|Work> That's on Linux :)) 10:43 < jeev> are you using redirect-gateway 10:43 < jeev> ahh k 10:43 * jeev stabs Dougy|Work 10:44 < jeev> man, i want 4 opteron 270's 10:44 < jeev> cheap on ebay but 10:44 < Dougy|Work> Ew.. 10:44 < jeev> i need to be able to sell the 246's. 
10:44 < Dougy|Work> use Intel 10:44 < jeev> i have 3 servers that use opteron 246's 10:44 < Dougy|Work> Core2's are about to drop in price 10:44 < jeev> single core 2ghz, dual each 10:44 < Dougy|Work> at leat 25% 10:44 < jeev> i know but i got these servers 10:44 < Dougy|Work> if not more 10:44 < Dougy|Work> Ah 10:44 < jeev> the dual is 54 bux each shipped 10:44 < jeev> i need 4 10:44 < jeev> but i dont want to buy it 10:44 < jeev> i really dont need it. but i want it 10:44 < jeev> i can wait. 10:44 < Dougy|Work> meh 10:44 < Dougy|Work> Intel is nice 10:44 < Dougy|Work> <3 Nehalem 10:45 < jeev> heh 10:45 < jeev> moo: os: Microsoft Windows XP Professional - Service Pack 3 (5.1.2600) up: 2days 15hrs 9mins 27secs cpu: Intel Pentium III Xeon processor (x86) at 3800MHz (2% Load) gfx: NVIDIA GeForce 8800 GTS 512 512MB res: 1920x1200 32bit 60Hz ram: 665/3582.4MB (18.55%) [||--------] hdd: C:\ 95.2GB/146.48GB D:\ 2.07GB/58.59GB F:\ 35.49GB/372.61GB H:\ 84.86GB/232.88GB I:\ 18.87GB/127.71GB J:\ 221.27GB/449.68GB net: Realtek RTL8168_8111 PCI-E Gigabit Ethernet NIC - Packet Sc 10:45 < jeev> but i do get random crashes 10:45 < Dougy|Work> yeah, i got XP here too 10:45 < jeev> i need to drop it 200mhz 10:45 < Dougy|Work> (work) 10:45 < jeev> my friend oc'd it 10:45 < Dougy|Work> OS: WinXP Professional 5.1 SP3 (Build #2600) CPU: Intel Pentium 4 , 3.01 GHz, 1024KB Video: (1280x1024x32bpp 1Hz) Sound: Realtek AC97 Audio Memory: Used: 1038/2032MB Uptime: 1w 6d 17h 37m 55s HD: Free: 150.28 GB/186.30 GB Connection: @ 0 bps (Rec: 0.00MB Sent: 0.00MB) 10:45 < jeev> said my fan isn't good enough 10:45 < jeev> said it's stock that's why 10:45 < jeev> lol 10:45 < jeev> i wanted the e8600 but couldn't find it 10:45 < jeev> so got the 8500 10:45 < Dougy|Work> nice 10:45 < jeev> had the q6600, hated iot 10:45 < jeev> it 10:45 < Dougy|Work> why? 
10:46 < jeev> slower per core 10:46 < jeev> i noticed it 10:46 < Dougy|Work> oh see 10:46 < Dougy|Work> I don't even use this P4 to 50% 10:46 < Dougy|Work> So, I really wouldn't know 10:46 < jeev> ahh 10:47 < jeev> either way, i like it 10:47 < jeev> i just need to package it up 10:47 < jeev> for friends and stuff 10:50 < Dougy|Work> ah 10:51 < Dougy|Work> jeev: do you use FF3? 11:07 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn 11:07 -!- rmull is now known as rmull_ 11:08 < Dougy|Work> rmull_ 11:08 < Dougy|Work> guess where I am 11:08 < rmull_> On the futon? :P 11:08 < Dougy|Work> indeed 11:08 < Dougy|Work> on my laptop 11:08 < Dougy|Work> :o 11:08 < rmull_> Haha 11:08 < Dougy|Work> its nice to be able to go in whenever I want 11:08 * Dougy|Work has acces to the finger scanner 11:08 < Dougy|Work> access^ 11:09 < rmull_> I just kick the door in whenever I want futon access 11:09 < Dougy|Work> lmfao 11:09 < Dougy|Work> yeah that would work too 11:09 < Dougy|Work> mine is just less invasive 11:09 < Dougy|Work> lol 11:10 < rmull_> Why do you chill there? Access to your machine in the DC or something? 11:10 < Dougy|Work> I work here :S 11:11 < Dougy|Work> The company I work for has equip in both dc's 11:11 < Dougy|Work> We have an extra guy, so I'm chilling here (TEB2) because we have an extra guy, so I can just solely staff thisDC 11:11 < rmull_> ahh. 11:12 < Dougy|Work> besides 11:12 < Dougy|Work> who doesnt wanna have a big tv and a futon to kick back on at work the whole day 11:12 < Dougy|Work> lol 11:12 < rmull_> Seriously. 11:12 < rmull_> What kind of connection do they provide to those in the office? 11:12 < Dougy|Work> What do you mean? 
11:13 < Dougy|Work> http://www.speedtest.net/result/308618194.png 11:13 < Dougy|Work> that's from my desk (that i'm rdp'ing into) 11:13 < rmull_> That's what I mean :o 11:14 < Dougy|Work> that's slow as hell 11:14 < Dougy|Work> lol 11:14 < Dougy|Work> if I wire myself to the OS install network 11:14 < Dougy|Work> I get double it 11:14 < rmull_> That's sick 11:15 < Dougy|Work> <@Fatal_Work> *exec x=0.9999999999999999999999999999; y=x*10; y=y-x; y=y/9; "x equal #{y}" 11:15 < Dougy|Work> <~Purgatory> x equal 1.0 11:15 < Dougy|Work> o.O 11:15 < Dougy|Work> so apparently now 0.99 equals 1 11:17 < rmull_> You broke math 11:17 < Dougy|Work> http://en.wikipedia.org/wiki/0.999 11:17 < vpnHelper> Title: 0.999... - Wikipedia, the free encyclopedia (at en.wikipedia.org) 11:17 < Dougy|Work> apparently not 11:21 < Dougy|Work> lol 11:21 < Dougy|Work> rmull_: someone I don't know joined the forum 11:21 < Dougy|Work> o.O 11:24 < rmull_> OH snap 11:25 < rmull_> Matt 11:25 < rmull_> Hmm 11:25 < rmull_> Did you check their IP agains the forum spam databases? Lol 11:26 < Dougy|Work> yes 11:26 < Dougy|Work> it's a centurytel IP 11:26 < Dougy|Work> prob not spam 11:26 < Dougy|Work> oh rmull_ 11:26 < Dougy|Work> https://ovpnforum.com 11:26 < Dougy|Work> o.o 11:27 < rmull_> Did you pay for that? 11:27 < rmull_> The cert, I mean 11:27 -!- ChanServ changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copy over 5 lines. | Don't feed the trolls. | Forum: https://ovpnforum.com 11:27 < rmull_> Thanks chanserv :) 11:30 < Dougy|Work> rmull_: nah 11:30 < Dougy|Work> its a $50 cheapo cert, I got it for free 11:31 < ecrist> Dougy|Work: hook me up with a free cert. 11:34 < rmull_> Dougy|Work: I was asking because it's not included in FFox3 11:34 < rmull_> So if I paid, I'd have felt bad 11:35 < ecrist> rmull_: it was included in my FF3. 
11:35 < ecrist> nm, it's not included on my Mac FF3 11:35 < Dougy|Work> yeah 11:35 < Dougy|Work> my FF3 supports it 11:35 < Dougy|Work> some do some don't 11:35 < Dougy|Work> It's a Comodo one too. :S 11:39 < Dougy|Work> :( 11:39 < Dougy|Work> rmull_: Namecheap hands em out free 11:41 < rmull_> Browser-included? 11:43 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:43 < jeev> yea Dougy|Work, i do 11:43 < jeev> sorry i forgot 11:43 < jeev> i use ff3 11:43 -!- xattack [i=invitado@132.248.108.239] has quit [Remote closed the connection] 11:44 < jeev> i'll be back in a bit 11:45 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 12:00 < Dougy|Work> rmull_: what? 12:01 -!- oxygene [n=oxygene@khepri.openbios.org] has joined ##openvpn 12:07 < oxygene> hi 12:08 < Dougy|Work> hi 12:08 < Dougy|Work> what's pu 12:08 < Dougy|Work> up^ 12:18 -!- bandini [n=bandini@79.16.109.123] has joined ##openvpn 12:20 -!- Irssi: ##openvpn: Total of 39 nicks [0 ops, 0 halfops, 0 voices, 39 normal] 12:20 < oxygene> I'm having issues with my openvpn client (2.0.9 installer on win32). it disconnects every 2 minutes (or so) from the server, with the server complaining about LZO errors.. comp-lzo is the same on both sides, and there's no related warning 12:20 < oxygene> any ideas? 12:21 < ecrist> can you paste your lzo errors? 12:22 < oxygene> Bad LZO decompression header byte: 42 12:22 < oxygene> several times, then timeout and reconnect. for 20-40 seconds, the connection works, then the issue shows up again 12:22 < ecrist> try disabling lzo 12:24 < oxygene> there are more clients (that I don't have access to), mine is the only one making trouble, so I can't easily mess around with the server 12:24 < Dougy|Work> what windows is this? 
12:25 < oxygene> XP Pro SP3 12:25 < Dougy|Work> I run the same and never had that issue 12:25 < Dougy|Work> Try reinstalling LZO 12:25 < oxygene> I didn't have it last week, either :) 12:25 < Dougy|Work> Install any Windows updates lately? 12:25 < ecrist> oxygene: reinstall lzo on your client 12:25 < oxygene> hmm.. one for IE7 12:26 < Dougy|Work> Yeah, reinstall LZO again 12:26 < oxygene> hmm. isn't it statically linked? (2.0.9 installer) I can't find a dll, at least 12:27 < Dougy|Work> Not that I know of 12:28 < ecrist> no, I don't think it is. 12:32 < oxygene> no, sorry - no lzo.dll 12:34 * ecrist goes away. 12:37 < Dougy|Work> o.O 12:37 < Dougy|Work> Haha 12:44 -!- gongoputch [n=kseel@74.95.184.161] has quit [Read error: 104 (Connection reset by peer)] 12:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:08 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 13:28 -!- scampbell [n=scampbel@199.105.195.156] has joined ##openvpn 13:50 < Dougy|Work> hey 13:50 < Dougy|Work> Anyone ever set up openVPN tun on Virtuozzo? 13:52 < jeev> nnop 13:55 < Dougy|Work> damn 13:55 < Dougy|Work> im setting it up to route all traffic thru it 13:55 < jeev> heh 13:55 < Dougy|Work> and getting this: 13:56 < Dougy|Work> root@redrocket [/etc]# iptables -t nat -A POSTROUTING -s 172.16.0.0/26 -o venet0 13:56 < Dougy|Work> -j MASQUERADE 13:56 < Dougy|Work> iptables: Unknown error 4294967295 13:56 < jeev> huh 13:56 < jeev> hrmf 13:57 < jeev> iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE 13:57 < jeev> that's what i'm doing 13:57 < jeev> your virtual thing maybe doesn't support it 13:57 < jeev> what kernel ? 13:57 < ecrist> what's the google say? 13:59 < ecrist> Dougy|Work: you need to get away from VPSes 13:59 < ecrist> :\ 14:02 -!- syslogd [n=syslogd@unaffiliated/syslogd] has joined ##openvpn 14:02 < syslogd> Hello. 
14:03 < jeev> killall -9 syslogd 14:03 < syslogd> I do not know if this is a OpenVPN-related issue but building a certificate is giving me this message: 14:04 < syslogd> error on line 143 of /usr/share/openvpn/easy-rsa/openssl.cnf 14:04 < syslogd> 18987:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 143 14:04 < syslogd> jeev: no, please not :) 14:09 < ecrist> I would look at line 143 of your /usr/share/openvpn/easy-rsa/openssl.cnf file 14:09 < ecrist> -.- 14:10 < syslogd> I have already done so. It contains: commonName_default = $ENV::KEY_CN 14:10 < syslogd> Probably KEY_CN is not set. 14:10 < syslogd> But there is no variable with the name KEY_CN predefined in the file "vars" 14:13 < ecrist> then, it would be null. 14:13 < ecrist> no, KEY_CN needs to be defines. 14:13 < ecrist> syslogd: you on freebsd? 14:13 < syslogd> No, Gentoo. 14:13 < ecrist> !ssl-admin 14:13 < vpnHelper> ecrist: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:13 < ecrist> nm 14:15 < syslogd> Will this tutorial also work on Gentoo? 14:15 < syslogd> I think the paths are different here. 14:17 < ecrist> mostly, yes 14:17 < ecrist> I've never done it on Gentoo. 14:17 < ecrist> linux is ftl. 14:24 < Dougy|Work> ecrist: this VPS isn't for me 14:24 < Dougy|Work> and the money I make doing what I do barely lets me get a VPS 14:24 < Dougy|Work> I get no staff discount, and I get paid like shit 14:24 < ecrist> DSL in your basement. 14:24 < ecrist> ;) 14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:45 -!- dfas [n=none@10.201.216.81.static.s-o.siw.siwnet.net] has joined ##openvpn 14:45 < dfas> when being connected to a vpn network, will my other internet activity from that computer also travel over the vpn-server? 
14:48 < Dougy|Work> not always 14:48 < Dougy|Work> you can configure it to route all traffic through it 14:48 < Dougy|Work> ecrist: HAHAHAHHAH 14:48 < Dougy|Work> you'e funny 14:49 < dfas> Dougy|Work: whats the default? 14:49 < Dougy|Work> dfas: not to 14:49 < Dougy|Work> !menu 14:49 < vpnHelper> Dougy|Work: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download 14:49 < dfas> can I find it out? traceroute maybe? 14:49 < Dougy|Work> dfas: what do you mean 14:50 < Dougy|Work> !push 14:50 < vpnHelper> Dougy|Work: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 14:50 < dfas> Dougy|Work: find out if my general internet traffic goes via vpn or not. 14:50 < Dougy|Work> if it does, your ip will change 14:50 < Dougy|Work> and if you were signed into msn etc 14:50 < Dougy|Work> you'd have to re sign in when you connected to the vpn 14:51 < dfas> nice way of checking :P thanks 14:53 < Dougy|Work> L( 14:53 < Dougy|Work> .. 14:53 < Dougy|Work> :) 15:03 -!- scampbell [n=scampbel@199.105.195.156] has quit [Read error: 104 (Connection reset by peer)] 15:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 15:41 -!- MolePrince [n=m0ntag@c-24-8-178-10.hsd1.co.comcast.net] has joined ##openvpn 15:42 < MolePrince> Hello, when I VPN into my home network from a remote Linux laptop, I cannot see my workgroup or any of my machines here. How may I fix this please? I can ping them all. 
15:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 16:02 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 16:02 < krzee> i take it you mean windows shares 16:03 < Dougy|Work> krzee! 16:03 < krzee> in which case, it uses NETBIOS, which goes by MAC address and not IP adress 16:03 < Dougy|Work> isn't it your birthday? 16:03 < krzee> yup =] 16:03 < Dougy|Work> happy bday ^^ 16:04 < jeev> i thought i was the only lamer that was on irc during bday 16:04 < krzee> MolePrince, you either need a bridge so you can do NETBIOS, or a WINS server 16:04 < krzee> lol jeev, nope you arent alone 16:04 < jeev> :> 16:04 < krzee> Dougy|Work thanx man =] 16:05 < Dougy|Work> krzee: a random person joined the openvpn forum 16:05 < Dougy|Work> :o 16:18 < MolePrince> krzee: Which method is preferred? I am very new to VPN 16:18 < krzee> well really thats up to you 16:19 < krzee> a WINS server translates NETBIOS name to IP address, much like an NS 16:19 < krzee> err, a name server 16:19 < krzee> a bridge makes it seem like the machines are on the same switch 16:19 < MolePrince> Ah, so. I think Samba may some option regarding WINS. 16:19 < krzee> i dont do either cause i dont use windows 16:20 < krzee> oh you use samba on linux for your windows filesharing? 16:20 < MolePrince> krzee: I have Windows laptops for work unfortunately. 16:20 < MolePrince> krzee: Yes, my local server shares Samba folders that I want to access over VPN on a Windows machine. 16:21 < krzee> 1sec 16:21 < MolePrince> Thanks 16:23 < krzee> !learn samba as http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode 16:23 < vpnHelper> krzee: The operation succeeded. 
16:24 < krzee> !samba 16:24 < vpnHelper> krzee: "samba" is (#1) http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge, or (#2) http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode 16:24 < krzee> read both of those 16:25 < MolePrince> Will do, thanks. 16:28 < Dougy|Work> gah 16:28 < Dougy|Work> #gnome is being usless and I have a gnome question 16:28 < Dougy|Work> :(((((((( 16:28 < krzee> !forget menu 16:28 < vpnHelper> krzee: The operation succeeded. 16:28 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba 16:28 < vpnHelper> krzee: The operation succeeded. 16:34 -!- MolePrince [n=m0ntag@c-24-8-178-10.hsd1.co.comcast.net] has quit ["leaving"] 16:38 < Dougy|Work> krzee 16:38 < Dougy|Work> why are you here 16:38 < Dougy|Work> gtfo 16:38 < Dougy|Work> go celebrate 16:38 < Dougy|Work> lol 16:46 < ecrist> Dougy|Work: what am I funny about? 16:54 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection] 17:07 < Dougy|Work> ecrist: a rack in my basement 17:07 < Dougy|Work> my parents don't even let me keep my desktop on 24/7 17:07 < Dougy|Work> hell they wont even let me have a desktop 17:07 < Dougy|Work> its either keep laptop or get rid of laptop + get desktop 17:07 < Dougy|Work> and its only allowed on while im using it 17:23 < ecrist> didn't realize you were that young. 17:23 < krzee> ya niether did i till he mentioned it 17:23 < Dougy|Work> Haha. 
17:23 < Dougy|Work> :p 17:23 < krzee> more mature acting than his age 17:23 * Dougy|Work is 15 17:23 < krzee> why are you here 17:23 < krzee> im stuck to the computer for about 3.5 more hrs 17:23 < krzee> then its celebration time 17:24 < Dougy|Work> krzee: hahah 17:24 < Dougy|Work> don't get too drunkj 17:24 < Dougy|Work> drunk^ 17:24 < ecrist> I get to go to the kid's 1st grade orientation tonight. 17:24 < Dougy|Work> Ew 17:24 < Dougy|Work> why 17:24 < ecrist> Ew? 17:24 < Dougy|Work> OH 17:24 < Dougy|Work> I thought you said 17:24 < Dougy|Work> some kid's 17:24 < Dougy|Work> my bad :o 17:24 < krzee> ive got a bottle of tequila, grey goose, rum 17:25 < krzee> at the club tonight 17:25 < Dougy|Work> krzee: what kind of tequila? 17:25 < krzee> tres generationes 17:25 < krzee> its my favorite, tied with don julio 17:26 < krzee> with patron following up in 3rd place 17:32 < Dougy|Work> good man 17:32 < Dougy|Work> sorry for late reply, i'm down here in the datacenter 17:33 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 17:33 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn 17:33 < plaerzen> moin 17:34 < Dougy|Work> Hiya 17:37 < jeev> Dougy|Work, what datacenter 17:38 < Dougy|Work> jeev: the XO facility in secaucus, nj 17:38 < jeev> where is my free colo 17:38 < Dougy|Work> i dont even get free colo.. 17:38 < jeev> lol 17:38 < Dougy|Work> i work for a company with like 10 racks in here 17:38 < Dougy|Work> and i dont even get a fuckin discount 17:38 < jeev> oh 17:38 < jeev> sucks 17:38 < jeev> you're there all day ? 17:39 < Dougy|Work> during the summer 17:39 < Dougy|Work> ive been ere since 10 am 17:39 < jeev> damn 17:39 < jeev> you're the tech ? 17:39 < Dougy|Work> 18:39:16 17:39 < Dougy|Work> and looks like i got another hr infront of me 17:39 < jeev> damn 17:39 < jeev> i ogt a cage 17:39 < jeev> in LA 17:39 < jeev> and i'm coloing other places here 17:40 < krzee> where in LA? 
17:40 < krzee> 1 wilshire 17:40 < jeev> yea 17:40 < jeev> coloed at 530 also 17:40 < jeev> and somewhere in tustin 17:40 < jeev> i havent dropped off the boxen yet 17:40 < krzee> nice 17:40 < krzee> thats a good dc 17:41 < jeev> yea 17:42 < krzee> i have fantastic routing to it too 17:43 < krzee> a lot of voip people in that DC 17:43 < jeev> yea i got mine there 17:43 < krzee> ahh you run a voip co? 17:43 < jeev> very small hosted 17:43 < krzee> nice man 17:44 < krzee> got url? 17:44 < jeev> no i just do it for little offices who ask me 17:44 < jeev> and friends 17:45 < jeev> i'm not that confident about it man 17:45 < jeev> sometimes i get dtmf errors and shit 17:45 < jeev> why, you interested in doing it ? 17:46 < krzee> ahh cool 17:46 < krzee> nah i used to be strong into voip 17:47 < krzee> resold in san diego and was 1/2 owner of a company 17:47 < krzee> still get people asking me who they should use and whatnot on occasion 17:47 < jeev> what kind of voip 17:47 < jeev> hosted pbx or sip and shit 17:47 < krzee> SIP 17:47 < krzee> although i resold hosted too 17:48 < jeev> ahh 17:48 < jeev> you use ITSP 17:48 < jeev> like internet provider 17:48 < jeev> or you had your own PRI and shit 17:48 < krzee> the one i was part owner of was just SIP, but we paid all our users per minute they used us 17:48 < krzee> we werent straight up ITSP 17:48 < krzee> no e911 and all that 17:48 < jeev> yea 17:48 < krzee> only inbound 17:48 < jeev> i dont have e911 17:48 < jeev> oh 17:48 < jeev> i have outbound 17:48 < Dougy|Work> back 17:48 < jeev> i got an office with 25 phones 17:48 < krzee> well ya but you charge people 17:48 < jeev> i set up multiwan 17:48 < krzee> not only were we free, we paid our users 17:49 < jeev> why pay 17:49 < jeev> so i was having like problems getting out of nat.. 
i set up iax between the asterisk box inside the office and the one at one wilshire 17:49 < krzee> lets just say, we made a ton of money that way 17:49 < jeev> it's cool but sometimes i have minor issues 17:49 < jeev> really ? 17:49 < jeev> advertising ? 17:49 < krzee> nah, access charge games 17:49 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 104 (Connection reset by peer)] 17:49 < jeev> huh?/ 17:49 < krzee> hehe 17:49 < krzee> read up on futurephone 17:50 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 17:50 < krzee> thats not us 17:50 < krzee> but they basically made our games famous 17:50 < krzee> http://www.google.com.pe/search?hl=en&q=futurephone+ATT&btnG=Search 17:50 < vpnHelper> Title: futurephone ATT - Google Search (at www.google.com.pe) 17:50 < krzee> all the free providers play the game we played 17:51 < jeev> heh 17:51 < krzee> http://ph33r.org/updates/2007/2/12/atts-free-call-bill-2-million.html 17:51 < vpnHelper> Title: AT's 'Free Call' Bill: $2 Million - ph33r dot org - an I.T. security blog by John Jolly (at ph33r.org) 17:51 < Dougy|Work> man 17:51 < Dougy|Work> i want colo 17:51 < Dougy|Work> but im not payin my boss retail to colo shit so he can make money off his own employee 17:52 < Dougy|Work> fuck him 17:52 < jeev> how much he charging you 17:53 < Dougy|Work> 70/mo for 1u and 2500 gb bw 17:53 < krzee> thats really not a bad price if its good bw 17:54 < jeev> lol 17:54 < Dougy|Work> krzee 17:54 < jeev> i'm paying 75 a month for 150gb bandwidth man 17:54 < jeev> what are you complaininga bout 17:54 < Dougy|Work> chances are ecrists home dsl is better 17:54 < jeev> who's the bandwidth by ? 
17:54 < jeev> oh 17:54 < krzee> i wouldnt pay it, but its good 17:54 < Dougy|Work> jeev: level3, tiscali, sprint, above.net, and a couple others i dont remember 17:54 < Dougy|Work> XO 17:54 < Dougy|Work> and a few others 17:54 < krzee> i garuntee its better than my BW 17:54 < krzee> lol 17:54 < Dougy|Work> poooorly routed. 17:54 < jeev> so what's so bad about it 17:54 < jeev> oh 17:54 < krzee> my home bw that is 17:54 < Dougy|Work> jeev: let me break out traceroutes 17:54 < jeev> my 75/m for 150gb is level3 17:54 < jeev> my one wilshire is a lot of carriers 17:54 < krzee> i dont even like L3 anymore 17:55 < jeev> well, i need back up MX's and asterisk boxes 17:55 < Dougy|Work> jeev: http://rafb.net/p/X7AHyM21.html 17:55 < vpnHelper> Title: Nopaste - No description (at rafb.net) 17:55 < krzee> hell ill take cogent over L3 sometimes now 17:55 < jeev> heh 17:56 < jeev> where is the traceroute from 17:56 < Dougy|Work> all over 17:56 < Dougy|Work> the 38.x is from jacksonville, fla on all cogent 17:56 < krzee> 10 38 ms 38 ms 41 ms core-02-teb1.us.njiix.net [64.20.32.218] 17:56 < krzee> 11 161 ms 201 ms 205 ms 64.18.144.145 17:56 < krzee> OUCH 17:56 < Dougy|Work> krzee: case and point 17:57 < Dougy|Work> my boss fucked it up about two weeks ago 17:57 < Dougy|Work> and then went away on vacation 17:57 < jeev> 12 WBS-CONNECT.car3.NewYork1.Level3.net (4.71.172.166) 81.768 ms 81.982 ms 81.301 ms 17:57 < jeev> 13 core-02-teb1.us.njiix.net (64.20.32.218) 84.753 ms 98.754 ms 84.271 ms 17:57 < jeev> 14 *^C 17:57 < Dougy|Work> nice isnt it 17:58 < jeev> my routing to my shit here owns 17:58 < Dougy|Work> our routing is usually good here oto.. 
17:58 < Dougy|Work> too^ 17:58 < Dougy|Work> now not so much 17:58 < jeev> 8 hops though 17:58 < jeev> for 15ms 17:58 < jeev> my one wilshire is 9ms 17:58 < jeev> but 10 hops 17:58 < jeev> heh 17:59 < Dougy|Work> man 17:59 < Dougy|Work> i dont WANNA be here another hour 17:59 < jeev> so i have 3 new servers up 17:59 < Dougy|Work> ugh 17:59 < jeev> i have nothing to do with them 17:59 < jeev> i've got to figure 17:59 < Dougy|Work> hmmm 17:59 < jeev> i'll set up asterisk on all 3 17:59 < krzee> i get to your first internal router in 9 hops from san diego 17:59 < jeev> and back up MX 17:59 < Dougy|Work> i have two old xeon socket 771's here 17:59 < Dougy|Work> a nice asus mobo 17:59 < krzee> 9 core-02-teb1.us.njiix.net (64.20.32.218) 70.606 ms 70.072 ms 69.327 ms 17:59 < Dougy|Work> thats still $200 17:59 < Dougy|Work> and 2 fans 17:59 < Dougy|Work> mmmmmmmmmm 17:59 < jeev> these servers are opteron 246's 17:59 < jeev> 2 in each 17:59 < jeev> i want opteron 270's, dual 2.0's and 2 of them 17:59 * Dougy|Work has gas 17:59 < Dougy|Work> >< 17:59 < jeev> but i dont want to blow that money 17:59 < jeev> actually 18:00 < jeev> to upgrade 2 of these servers 18:00 < jeev> i can spend 214 bux or something 18:00 < jeev> i'll have 4 dual core 2.0's 18:00 < jeev> 2 in each box 18:00 < jeev> compared to now, 4 single cores 18:00 < Dougy|Work> i'm an intel fanboy 18:00 < jeev> yea, i like intel too but i got a great deal on these boxen 18:00 < krzee> jeev, got ip i can trace to in 1 whilshire? 
18:00 < Dougy|Work> 1 wilshire is real nice 18:00 < Dougy|Work> real real nice 18:00 < krzee> yup 18:01 < krzee> <3 carrier hotels 18:01 < krzee> 56 murrietta is also nice 18:01 < Dougy|Work> yeah 18:01 < Dougy|Work> that also is nice 18:01 < jeev> traceroute uscolo.com 18:01 < krzee> and 60 hudson in NY is great if you do voip 18:01 < Dougy|Work> ewwwwww 18:01 < Dougy|Work> njiix -> tiscali -> sprint 18:01 < Dougy|Work> in the first 8 hops 18:01 < Dougy|Work> @ jeev 18:02 < krzee> 11 204.9.207.30.uscolo.com (204.9.207.30) 5.852 ms 6.327 ms 7.059 ms 18:02 < krzee> heheh 18:02 < Dougy|Work> http://rafb.net/p/fLkCEE67.html 18:02 < vpnHelper> Title: Nopaste - Traceroute to UScolo.com (at rafb.net) 18:03 < jeev> justedge is wack man 18:03 < jeev> i wouldn't have a server anywhere near them 18:03 < jeev> Dougy|Work, i got 2 servers @ lomag.net 18:03 < jeev> traceroute them 18:03 < Dougy|Work> dude 18:03 < Dougy|Work> Ruby is nuts 18:03 < Dougy|Work> jeev: i dont even know what to say. 18:03 < Dougy|Work> i really don't. 18:03 < Dougy|Work> let me put it this way 18:03 < Dougy|Work> all my servers here aren't here anymore ;] 18:03 < jeev> heh 18:03 < Dougy|Work> Whoa. 18:04 < Dougy|Work> Ruby is WHACK. 18:04 < jeev> traceroute lomag.net frmo there 18:04 < Dougy|Work> 8 hops, jeev 18:04 < Dougy|Work> http://rafb.net/p/rZCt5g68.html 18:04 < vpnHelper> Title: Nopaste - No description (at rafb.net) 18:04 < jeev> 1 gige0-1.core1.nyc.lomag.net (208.185.81.1) 3.855 ms 3.490 ms 3.994 ms 18:04 < jeev> 2 282.ge-1-3-2.mpr1.lga5.us.above.net (64.124.170.26) 3.993 ms 4.774 ms 3.998 ms 18:04 < jeev> 3 64.124.44.213.interserver.com (64.124.44.213) 3.995 ms 3.791 ms 3.997 ms 18:04 < jeev> 4 core-02-teb1.us.njiix.net (64.20.32.218) 4.998 ms 4.796 ms 4.999 ms 18:05 < jeev> then * * ** 18:05 < Dougy|Work> ... 18:05 < Dougy|Work> um.. 18:05 < Dougy|Work> the hell.. 18:05 < Dougy|Work> you know what. screw it. not my problem. 
18:05 < jeev> lol 18:05 < jeev> what does your work do 18:05 < Dougy|Work> What do you mean 18:05 < jeev> you guys host 18:05 < Dougy|Work> i get my $8.15/hour to be the noc monkey 18:05 < jeev> damn 18:05 < jeev> how old iz you! 18:06 < Dougy|Work> Fifteen 18:06 < jeev> oh 18:06 < jeev> ok 18:06 < jeev> not bad i guess 18:06 < plaerzen> working in noc at 15, not bad 18:06 < jeev> at 16 i was making 20k/month 18:06 < krzee> better than not bad! 18:06 < Dougy|Work> Bull shit 18:06 < Dougy|Work> Sorry 18:06 < jeev> and i was a noc monkey actually 18:06 < jeev> i had free bandwidth 18:06 < jeev> at a datacenter 18:06 < jeev> cause i did their routers 18:06 < Dougy|Work> Oh 18:06 < jeev> so i sold game servers 18:06 < jeev> lol 18:06 < Dougy|Work> Nice 18:06 < jeev> at 0 cost 18:06 < Dougy|Work> haha 18:06 < jeev> i was one of the first 18:06 < jeev> lol 18:06 < Dougy|Work> jeev 18:06 < krzee> i was making good $ too, but it was all illegal, lol 18:06 < Dougy|Work> Join the openvpn forum 18:06 < Dougy|Work> www.ovpnforum.com 18:06 < Dougy|Work> >> 18:06 < Dougy|Work> haha 18:06 < jeev> lol krzee 18:07 < jeev> mine was too pretty much 18:07 < jeev> at 19, i had gold amex 18:07 < jeev> they forced me to cancel it 18:07 < jeev> i was spending 30k/month and paying off within days 18:07 < jeev> and they got mad 18:07 < Dougy|Work> you know 18:07 < jeev> wanted financials 18:07 < jeev> and boom 18:07 < Dougy|Work> it would help 18:07 < Dougy|Work> if my fucking server was pu 18:07 < Dougy|Work> up 18:07 < jeev> lol 18:08 < Dougy|Work> wtf 18:08 < Dougy|Work> named is borked 18:08 < jeev> who still uses named? 
18:08 < jeev> use djbdns like a man 18:08 < krzee> umm 18:08 < krzee> me 18:08 < jeev> LIKE A MAN 18:08 < krzee> hehe another qmail guy i take it 18:08 < Dougy|Work> jeev: directadmin comes with named 18:08 < jeev> no 18:08 < jeev> i used to love qmail 18:08 < jeev> till it pissed me off 18:08 < krzee> i still do 18:08 < Dougy|Work> Dovecot 18:08 < jeev> so now i run postfix 18:08 < krzee> hehe 18:09 < jeev> takes me SO long to configure 18:09 < Dougy|Work> Postfix is good to 18:09 < jeev> but postfix > qmail 18:09 < jeev> i have to install on 2 servers 18:09 < jeev> and document it 18:09 < Dougy|Work> -bash-3.2# uptime 18:09 < Dougy|Work> 04:09:13 up 5:50, 1 user, load average: 3.12, 1.95, 1.17 18:09 < jeev> my install took 1 month to perfect 18:09 < Dougy|Work> considering there's one site on there that has 4 members 18:09 < Dougy|Work> that's not good 18:09 < Dougy|Work> hmm 18:09 < Dougy|Work> I think iptables done it 18:09 < Dougy|Work> damn iptables 18:10 < Dougy|Work> www.ovpnforum.com 18:10 < Dougy|Work> load jeev? 18:10 < Dougy|Work> its sluggish cuz of the load 18:10 < Dougy|Work> but does it load 18:10 -!- mode/##openvpn [+o jeev] by ChanServ 18:10 <@jeev> cool 18:10 <@jeev> yes load 18:10 <@jeev> i will host it for you if you'd like. 
18:10 <@jeev> thanks krzee 18:10 < krzee> haha 18:11 < Dougy|Work> this is pathetic 18:11 < Dougy|Work> Im gonna call up Greg Landis and complain like nobody ever has before 18:11 -!- jeev_ [i=jeev@unaffiliated/jeev] has joined ##openvpn 18:11 < jeev_> FreeBSD shell2.lomag.net 4.7-STABLE FreeBSD 4.7-STABLE #1: Sat Jan 18 15:29:54 EST 2003 root@shell2.lomag.net:/usr/obj/usr/src/sys/SHELL2 i386 18:11 < jeev_> 7:11PM up 2047 days, 6:06, 2 users, load averages: 0.05, 0.17, 0.23 18:11 -!- jeev_ [i=jeev@unaffiliated/jeev] has quit [Client Quit] 18:11 < Dougy|Work> Ewwwwwwwwwwwwwwwwwwwwwwww 18:11 < Dougy|Work> wow 18:11 < Dougy|Work> i lied 18:11 < Dougy|Work> that's some friggin sick uptime 18:11 <@jeev> who is greg landis 18:11 -!- mode/##openvpn [-o jeev] by ChanServ 18:11 < Dougy|Work> owner of jaguarpc/wowvps 18:11 < Dougy|Work> etc 18:12 < jeev> :/ 18:12 < jeev> playing with me krzee? 18:12 < Dougy|Work> very rich guy 18:12 < Dougy|Work> think he could give decent service 18:13 < Dougy|Work> okay 18:13 < Dougy|Work> site should be fast now, right jeev? 18:13 < jeev> it's decent 18:13 < Dougy|Work> faster* 18:13 < Dougy|Work> well, it's as fast as GNAX is going to let it be 18:13 < Dougy|Work> <@Fatal_Work> *exec @self[:users] 18:13 < Dougy|Work> <~Purgatory> fenris-wolf#yoda|away#zach#mckooter#hostserv#chanserv#fatal_work#lincid#viperskingdom#punzada#arcanusnumquam#allxtremenet#liquid-wolf#operserv#[-x-]#helpserv#< 18:13 < Dougy|Work> <@Fatal_Work> *exec @self[:users][:arcanusnumquam].level 18:13 < Dougy|Work> <~Purgatory> /home/fatal/mud_irc/src/classes.rb:120:in `evaluate'/home/fatal/mud_irc/src/classes.rb:120:in `evaluate'undefined method `level' for nil:NilClass 18:13 < Dougy|Work> Dude. Ruby is insane. 
18:14 < jeev> heh 18:16 < Dougy|Work> yeah see its real fast now 18:16 < Dougy|Work> (The site) 18:16 < Dougy|Work> :) 18:17 < Dougy|Work> I just gotta get a logo made 18:17 < Dougy|Work> :( 18:22 < Dougy|Work> jeev: where'd you go 18:23 < jeev> was shaving 18:23 < jeev> lol 18:23 < Dougy|Work> fun stuff 18:23 < Dougy|Work> All my designers are on vacation :< 18:24 < jeev> heh 18:24 < jeev> i should make a tutorial 18:24 < jeev> since i hate rpm's 18:24 < Dougy|Work> I was going to do it later, but feel free 18:24 < Dougy|Work> http://bellardia.com/testforum/ 18:24 < Dougy|Work> What about that skin? 18:25 < Dougy|Work> HAHA. 18:25 < jeev> heh 18:25 < jeev> dunno 18:25 < jeev> brb 18:25 < Dougy|Work> hm 18:25 < Dougy|Work> who else is awake? 18:25 < Dougy|Work> are you still here krzee? 18:26 * plaerzen is awake. although /me is leaving work soon. 18:26 < Dougy|Work> plaerzen: http://www.upload3r.com/serve/270808/1219879594.jpg 18:26 < Dougy|Work> What do you think of that skin 18:26 < plaerzen> sfw ? 18:26 < Dougy|Work> except for the lack of english 18:26 < Dougy|Work> yes 18:26 < Dougy|Work> it's a vB skin 18:28 * plaerzen ponders. 18:28 < Dougy|Work> Hm? 18:28 < plaerzen> I like it, but I am no graphic designer. Let me grab our graphic designer and see what he thinks 18:28 < Dougy|Work> lol 18:28 < Dougy|Work> Meh. 18:32 < plaerzen> he says 7/10. As long as the contrast on the moniter is set properly it looks fine. However the contrast between the posting frames and the background might look a little too mellow to be easily distinguished 18:32 < plaerzen> so perhaps make it a shade or two darker in the grey areas 18:32 < krzee> im here 18:32 < krzee> im in and out 18:32 < plaerzen> except for the top bar, that looks fine. 18:32 < Dougy|Work> krzee: same question as i asked plaerzen 18:32 < plaerzen> I'm talking the main viewing area 18:34 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala 18:34 < plaerzen> cool? Because I'm heading out. 
18:35 < Dougy|Work> images are borked 18:35 -!- Netsplit over, joins: kala 18:39 < ByPasS> is the fartboy taishi been around ? :) 18:40 < ByPasS> lately should I add 18:40 < Dougy|Work> hmm 18:40 < Dougy|Work> plaerzen: still here? 18:40 < Dougy|Work> krzee: ping 18:41 < ByPasS> doug : may i ask how u handle all that work and still be under direction of ur parents ? 18:41 < Dougy|Work> ByPasS: what do you mean? 18:41 < ByPasS> u said they wont allow u laptop + desktop 18:42 < ByPasS> hence u are into multiple projects 18:42 < Dougy|Work> i do it whenever i can 18:42 < ByPasS> for comps and friends 18:42 < Dougy|Work> ill go online on my psp 18:42 < Dougy|Work> or i'll "go out for the night" and come down to the DC for a few hours 18:42 < ByPasS> i had that problem 18:42 < ByPasS> i left home at 16 18:43 < Dougy|Work> I'll be here when I'm 16 18:43 < Dougy|Work> well 18:43 < Dougy|Work> at hoem 18:43 < Dougy|Work> home^ 18:43 < Dougy|Work> ByPasS: http://www.ovpnforum.com/?styleid=2 18:43 < Dougy|Work> How's that look 18:43 < Dougy|Work> er 18:43 < Dougy|Work> https://www.ovpnforum.com/?styleid=2 18:43 < ByPasS> instead of trash icon it looks good 18:43 < ByPasS> ur the one that proposed it earlier right the domain 18:44 < ByPasS> as an help of course 18:44 < Dougy|Work> well im egtting opinions 18:44 < Dougy|Work> getting^ 18:44 < Dougy|Work> Shit, got a reboot page to my cell 18:44 < Dougy|Work> brb going downstairs 18:45 < ByPasS> kk as i said beside the icons (prolly default) as trash cans its good 18:45 < ByPasS> clean imo and thats what i care the more clean it is the easier it is to get to the information 18:47 < ByPasS> i just dont like the icons on empty non empty subjects 18:47 < ByPasS> forums arent ment for non good info :) 18:47 < Dougy|Work> back 18:48 < ByPasS> anyway i think u said it was vb right ? 
18:49 < Dougy|Work> It's vB, yes 18:49 < ByPasS> im semi clueless but a new icon set theme would save the apperance 18:50 < Dougy|Work> yeah 18:50 < ByPasS> im sure bc has themes 18:50 < Dougy|Work> no need even for a logo 18:50 < ByPasS> no they wont ask that here 18:50 < ByPasS> just not trash cans 18:51 < ByPasS> as they said they will really like it unless they have to care too much as dev 18:51 < Dougy|Work> Going hom 18:51 < Dougy|Work> e 18:51 < Dougy|Work> bbl 18:51 < ByPasS> k 18:52 < ByPasS> its so funny u might be gone but i have 5 box running here ok its my home but :) freebsd linux and winblows :P 18:55 < ByPasS> i got some questions from a friend and im clueless well i dont wanna fuck the setup 18:55 < ByPasS> if any1 tried :) 18:55 < ByPasS> he is redirecting gateway def1 in routed mode 18:56 < ByPasS> its maybe an iptables question but maybe some1 dealt with it 18:56 < ByPasS> can u port forward from the openserver real ip to tun0 ? 18:57 < ByPasS> iptables crap but im just wondering if any1 tried or did 18:57 < ByPasS> port forward from public ip server - specific client 19:01 < ByPasS> thats why i asked for taishi he would have farted atleast with no answer at worst ;) 19:02 < krzee> sorry i came in late 19:02 < krzee> whats the problem? 19:03 < krzee> you just wanna direct traffic over the vpn for the inet? 19:03 < ByPasS> opposite 19:03 < ByPasS> i was asked if it was possible 19:04 < krzee> umm 19:04 < krzee> opposite how? 
19:04 < ByPasS> to use inet ip from openvpon server to redirect inside the von to the client well a speciofiv cleint 19:04 < ByPasS> err stupid kb 19:04 < krzee> oh im sure you can 19:04 < krzee> thats all IP layer, so ya 19:05 < ByPasS> i dont know what he wants put i assume 19:05 < ByPasS> he wants port 2222 to be port forwarded from openvpn server to the tun0 and to a specific machine 19:06 < ByPasS> client machien 19:06 < ByPasS> he knows the ip as clients are hardcoded 19:06 < krzee> well ya 19:06 < krzee> as long as the gateway router knows about the route to the vpn 19:07 < krzee> then sure 19:07 < ByPasS> i tested his thing 19:07 < ByPasS> from a winblows but well 19:07 < ByPasS> everything is redirected in vpn 19:07 < ByPasS> so thats all good 19:07 < krzee> ie: if the lan is 192.168.x.x and vpn is 10.8.x.x, if the gateway which port forwards doesnt know how to route traffic to 10.8.x.x then it cant forward to it 19:07 < krzee> otherwise, sure 19:08 < ByPasS> i think he is doing real ip eth0 ftom coloc 19:08 < ByPasS> from 19:08 < ByPasS> and 10.x 19:08 < krzee> i dunno iptables, but it can be done 19:08 < ByPasS> openvpn 19:08 < ByPasS> kk 19:09 < ByPasS> yea i figured it was not really vpn oriented 19:09 < ByPasS> ovpn 19:09 < krzee> correct 19:10 < ByPasS> i think he is trying to bypass :) some isp rule 19:10 < ByPasS> aka no inc 80 19:10 -!- daemon [n=daemon@mail.daemoncore.org] has quit ["ZNC - http://znc.sourceforge.net"] 19:11 < ByPasS> and by redirect his gateway he thought he was good 19:11 < ByPasS> yet u need to port forward 19:12 < ByPasS> and nat ! 
ahhh :) i should charge him 19:14 < ByPasS> redirect-gateway def1 = port forward XYZ in his head bah 19:15 < jeev> redirect-gateway > * 19:15 < ByPasS> well it works as i did the setup 19:15 < ByPasS> now he wants port X from vpnserver to forward into the vpn 19:16 < ByPasS> dif story 19:17 < ByPasS> i know its not purely openvpn related 19:18 < ByPasS> ive done all but that barely 19:19 < ByPasS> gateway is vpn all good 19:19 < ByPasS> now he wants port X to work thru ish 19:19 < ByPasS> its a lil farther than my knowledge 19:19 < ByPasS> iptables chan suck 19:20 < ByPasS> (5:58:52 PM) jmoncayo: will a default drop policy help if a windows computer is infected with virus? 19:20 < ByPasS> last msg in chan 19:20 < ByPasS> im not that stupid 19:20 -!- mode/##openvpn [+o ByPasS] by ChanServ 19:22 < krzee> lol 19:22 -!- mode/##openvpn [-o ByPasS] by ChanServ 19:22 < ByPasS> lol 19:22 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala 19:22 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: tcccp 19:23 < krzee> !notopenvpn 19:23 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 19:23 < jeev> lol 19:23 < krzee> all you really want is to know howto port forward in linux 19:23 < ByPasS> krzee : ive helped here and yet i helped cservice xy 19:23 < krzee> cservice xy ==? 
19:24 < ByPasS> undernet crap 19:24 < ByPasS> bot systems 19:25 < ByPasS> chanserv = X , Y botsystem on undernet 19:26 -!- Netsplit over, joins: kala 19:30 < ByPasS> krzee : fine to order he gets zillions of packet reply 19:31 < ByPasS> err replay 19:34 < ByPasS> now im wondering if he is dsl and mtu1492 19:34 < ByPasS> and server is 1500 eth0 19:36 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala 19:39 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 19:42 -!- Netsplit over, joins: kala 19:47 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala 19:48 -!- ByPasS [n=bypass@modemcable076.69-21-96.mc.videotron.ca] has left ##openvpn [] 19:50 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Broken pipe] 19:55 -!- Netsplit over, joins: kala 20:05 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala 20:09 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 20:09 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala 20:10 -!- Netsplit over, joins: kala 20:13 -!- ByPasS [n=bypass@modemcable076.69-21-96.mc.videotron.ca] has joined ##openvpn 20:35 < krzee> s/lte/let/ 20:35 < krzee> oops 20:41 < ByPasS> :) 21:08 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 21:08 < Dougy> yooo 21:11 * Dougy waves 21:12 * jeev farted 21:12 < Dougy> me too =p 21:12 < Dougy> sup 21:18 * Dougy shanks jeev 21:19 < jeev> loll 21:19 < jeev> lol 21:19 < Dougy> ? 21:19 < Dougy> wha? 21:20 < jeev> watching dnc 21:20 < jeev> i dunno if this a rerun 21:20 < jeev> brb 21:23 < Dougy> k 21:24 < Dougy> !learn forum test 21:24 < vpnHelper> Dougy: Invalid arguments for learn. 21:24 < Dougy> !learn !forum test 21:24 < vpnHelper> Dougy: Invalid arguments for learn. 21:24 < Dougy> !help learn 21:24 < vpnHelper> Dougy: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value.
It can be changed to another word via the learnSeparator registry value. 21:24 < Dougy> !learn forum as test 21:24 < vpnHelper> Dougy: The operation succeeded. 21:24 < Dougy> !learn 21:24 < vpnHelper> Dougy: Invalid arguments for learn. 21:24 < Dougy> !forum 21:24 < vpnHelper> Dougy: "forum" is test 21:24 < Dougy> !route 21:24 < vpnHelper> Dougy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:24 < Dougy> !forget forum 21:24 < vpnHelper> Dougy: The operation succeeded. 21:25 < Dougy> !learn forum as The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 21:25 < vpnHelper> Dougy: The operation succeeded. 21:25 < Dougy> !forum 21:25 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 21:25 -!- Alives [n=Alives@cpe-72-225-212-185.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)] 21:25 < Dougy> COOOOOOOL 21:25 < Dougy> :D 21:25 < Dougy> !menu 21:25 < vpnHelper> Dougy: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba 21:26 < Dougy> !forget menu 21:26 < vpnHelper> Dougy: The operation succeeded. 21:26 < Dougy> !learn menu as !forum, !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba 21:26 < vpnHelper> Dougy: The operation succeeded. 
21:26 < Dougy> !menu 21:26 < vpnHelper> Dougy: "menu" is !forum, !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba 21:26 < Dougy> works for me 21:26 < Dougy> hmm do i do that, or do i do it at the end. 21:26 < Dougy> I think the end is better. 21:26 < Dougy> !forget menu 21:26 < vpnHelper> Dougy: The operation succeeded. 21:26 < Dougy> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba 21:26 < vpnHelper> Dougy: The operation succeeded. 21:26 < Dougy> CRAP 21:26 < Dougy> !forget menu 21:26 < vpnHelper> Dougy: The operation succeeded. 21:26 < Dougy> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum 21:26 < vpnHelper> Dougy: The operation succeeded. 21:26 < Dougy> There. 21:27 < Dougy> :) 21:31 * Dougy grnis,. 21:31 < Dougy> whoa. 21:31 * Dougy grins. 21:32 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has joined ##openvpn 21:32 < Dougy> hey j_nwb 21:33 < Dougy> How are you 21:35 < j_nwb> Dougy: doing good thanks. 
21:37 < Dougy> Cool stuff 21:37 < Dougy> :) 21:37 < Dougy> !notopenvpn 21:37 < vpnHelper> Dougy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 21:39 < j_nwb> I am getting : UDPv4 link local: [undef] in the messages file and then TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 21:40 < j_nwb> Any idea on how to go about debugging this ? 21:41 < Dougy> Er. 21:41 < Dougy> What OS is the server and what OS is the client? 21:41 < j_nwb> both fedora 21:41 < jeev> Dougy 21:41 < jeev> !notopenvpn 21:41 < vpnHelper> jeev: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 21:41 < Dougy> jeev 21:41 < jeev> READ THAT! 21:41 < Dougy> jeev: why? 21:42 < jeev> chicken thigh 21:42 < Dougy> :s 21:42 < Dougy> !kick jeev SHHH. 21:42 < vpnHelper> Dougy: Error: You don't have the ##openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 21:42 < Dougy> PFFT. Lame. 21:42 < jeev> !kick Dougy take a shower! 21:42 < vpnHelper> jeev: Error: You don't have the ##openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 21:42 < Dougy> fail 21:42 < Dougy> okay 21:42 < jeev> brb 21:42 < Dougy> back on topic now 21:42 * Dougy kicks jeev 21:43 < Dougy> j_nwb: is there such things as a firewall on the clientside? 21:44 < j_nwb> no.. iptables is stopped on the client. 21:45 < Dougy> the !notopenvpn applies here to an extent 21:45 < Dougy> give me a sec 21:45 < Dougy> Can you pastebin the client side log? 
21:45 < Dougy> http://rafb.net/paste 21:45 < j_nwb> There is no tap device getting created on the machine. 21:45 < j_nwb> sure. 21:46 < Dougy> Are you running it as root? 21:46 < Dougy> !whoami 21:46 < vpnHelper> Dougy: I don't recognize you. 21:46 < Dougy> You suck 21:51 < j_nwb> http://rafb.net/p/dc8FhC10.html 21:51 < vpnHelper> Title: Nopaste - No description (at rafb.net) 21:52 < Dougy> sec 21:52 < Dougy> old version of openvpn 21:52 < Dougy> o.O 21:53 < Dougy> and old version of fedora 21:53 < Dougy> but that shouldn't necessarily matter 21:53 * Dougy thinks 21:54 < Dougy> i'm really useless at all of this man 21:54 * Dougy should give up 21:54 < j_nwb> yes 21:54 < Dougy> thanks 21:54 < Dougy> good luck figuring it out then 21:54 * Dougy vanishes 21:54 < j_nwb> thanks.. :) 21:55 < Dougy> well man 21:55 < Dougy> you weren't exactly nice about it 21:55 < rmull_> j_nwb: Are the system clocks on both machines synced? 21:55 < j_nwb> probably not. 21:55 < rmull_> Sync them and try again. 21:55 < Dougy> sup rmull_ 21:55 < rmull_> sup Dougy 21:55 < Dougy> just got home about 30 mins ago 21:55 < rmull_> Saw you getting abused so I came to assist 21:56 < Dougy> thanks 21:56 < rmull_> Also saw vpnHelper getting abused <_< 21:56 < Dougy> i was thinking time and was getting ready to say it 21:56 < Dougy> but then i was insulted 21:56 < Dougy> so 21:56 < Dougy> to hell with that 21:57 < Dougy> !forum 21:57 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 21:57 * Dougy chuckles 21:58 < rmull_> 5 members 21:58 < rmull_> Still one post though :P 21:58 < Dougy> rmull_: new skin too 21:58 < Dougy> didja see it? 
21:58 < rmull_> Looks good mang 21:58 < Dougy> nod 21:58 < Dougy> :] 21:58 < rmull_> Probably'd look even better if I was running that one KDE skin 21:58 < Dougy> no need for a logo either 21:58 < Dougy> ewwwwwwwwwwwwwww 21:58 < Dougy> KD 21:59 < Dougy> KDE = fal 21:59 < Dougy> fail^ 21:59 < rmull_> They have a skin that looks exactly like this is what I'm saying 21:59 < Dougy> i'm full of fail tonight, aren't i 21:59 < Dougy> >> 21:59 < rmull_> I use dwm 21:59 < Dougy> gnome here 21:59 < Dougy> sometimes fluxbox depending what the pc specs are 21:59 < rmull_> I used to use Flux back in the day (last year) 22:00 < Dougy> lmfao 22:00 < rmull_> I've only technically been using Linux for .. this is my third year. 22:00 < Dougy> I've been on it longer than you 22:00 < Dougy> o>O 22:00 < Dougy> o.O* 22:00 < Dougy> I had my first shell at 9 22:00 < Dougy> no joke 22:00 < rmull_> Damn son 22:00 < Dougy> I already had no life at that point 22:00 < rmull_> :bow: 22:00 < Dougy> mind you it was only for IRC purposes 22:01 < Dougy> but it was still my first shell 22:01 < Dougy> :p 22:01 < rmull_> I didn't use a computer until I was in 8th grade 22:01 < Dougy> lmfao 22:01 < Dougy> i got my first one before i started preschool 22:01 < Dougy> no lie 22:01 < rmull_> Woah. 22:01 < Dougy> i remember it well 22:01 < rmull_> Must have had compute-y parents. 22:01 < Dougy> not even close 22:01 < rmull_> werd 22:01 < Dougy> my dad doesnt know how to turnh is on 22:01 < Dougy> turn his 22:01 < Dougy> my mom is semi-literate 22:02 < Dougy> They got me one back then with Windows 3.1 and an app called child's play 22:02 < Dougy> that app was the shiz 22:02 < Dougy> it was like photoshop for babies 22:04 < rmull_> I wonder where j_nwb 's gone 22:04 < Dougy> Who cares 22:04 < Dougy> He's evil 22:05 < rmull_> Don't be bitter :P 22:05 < rmull_> I want to know if his problem got fixed, that's all 22:05 < rmull_> Lol 22:07 < Dougy> LOL rmull_ 22:07 < j_nwb> sorry guys.. 
I did not mean to offend anyone. 22:07 < Dougy> you know i'm 15 right 22:07 < rmull_> j_nwb: No sweat 22:07 < rmull_> Dougy: Yeah, I think you mentioned it 22:08 < j_nwb> rmull_, I syncd up the clock.. no luck. 22:08 < Dougy> Okay. so my friend who's also my age has a step sistser my age. there's a photo of his step sister in a maid outfit floating around facebook 22:08 < rmull_> :( 22:08 < Dougy> hahaha 22:08 < rmull_> You love facebook :P 22:08 < Dougy> everyones talking about it and hes like "wtf is this" 22:08 < Dougy> http://img83.imageshack.us/img83/7117/screenshot2vj3.png 22:08 < Dougy> read the facebook chat 22:08 < Dougy> hahah 22:08 * Dougy loves how desperate peopl are 22:09 < Dougy> people^ 22:09 < rmull_> You wouldn't react the same way? 22:09 < Dougy> what do you mean 22:10 < Dougy> i would be pissed 22:10 < rmull_> Wait 22:10 < Dougy> thats my friend saying "LINK" 22:10 < rmull_> I think I misunderstood the situation 22:10 < rmull_> Lol 22:10 < Dougy> not the guy who's stepsister is 22:10 < Dougy> probably 22:10 * rmull_ goes back to writing documentation like a good peon 22:10 < Dougy> lmfao 22:10 < Dougy> docs for what 22:10 < Dougy> tutorial for the 22:10 < Dougy> !forum 22:10 < Dougy> ?? 22:10 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 22:10 < Dougy> hahahaha 22:10 * Dougy is a bastard 22:10 < rmull_> So I worked for a windows shop this summer 22:11 < rmull_> Everything I did was Linux-based 22:11 < Dougy> lol 22:11 < rmull_> So they need to know how to work it if it breaks 22:11 < rmull_> Which it won't. 22:11 < rmull_> :P 22:11 < Dougy> righto 22:11 < Dougy> Im sleepy 22:11 < Dougy> bed soon 22:11 < Dougy> its 11:11 22:11 < Dougy> makeawish 22:12 < rmull_> I missed it 22:12 < rmull_> Maybe tomorrow night. 
22:14 < Dougy> lol 22:14 < Dougy> actually i guess 11:11 AM is better 22:14 < Dougy> since its technically (was) 23:1 22:14 < Dougy> 1 22:14 < rmull_> True 22:28 < Dougy> rmull_: 22:28 < Dougy> how good are you with windows 22:28 < Dougy> http://www.screen-shot.net/ss/73259552139391154767.png <-- my friend is getting that 22:29 < Dougy> hm sec 22:31 < Dougy> fixd 22:31 < Dougy> gtg 22:31 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["leaving"] 22:35 < j_nwb> hi.. I removed the tls-auth key from both server and client configs.... it still gives... TLS error... is that normal ? 22:36 < j_nwb> do I need to create tap interface on the client separately.. or openvpn would start it when I connect/start the service. 22:38 < j_nwb> Can I somehow check if the client is able to connect to the server at the given udp port ? 23:13 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)] --- Day changed Thu Aug 28 2008 00:36 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 00:39 < jeffspeff> if i have say 7 systems in one office, connecting with one public ip to an openvpn server in a remote office; do i have to set separate ip addresses or anything, or will it all work even though there are multiple vpn clients behind a single public ip?
04:18 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:02 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 05:02 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 05:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:04 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 06:53 -!- ByPasS [n=bypass@modemcable076.69-21-96.mc.videotron.ca] has quit ["Leaving."] 07:21 -!- ByPasS [n=bypass@taki.secured.org] has joined ##openvpn 07:31 -!- ByPasS [n=bypass@taki.secured.org] has left ##openvpn [] 07:35 -!- ByPasS [n=bypass@taki.secured.org] has joined ##openvpn 07:57 < ecrist> jeffspeff2: it'll work fine as they'll all be coming from different source ports. 07:57 < ecrist> it's not an ideal setup, but it will work. 07:58 < ecrist> ideally, for a LAN as you describe, you'd setup a VPN router so that all local clients connect through a single VPN client. 
09:27 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 110 (Connection timed out)] 09:30 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 09:32 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 09:33 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 09:56 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 10:08 < plaerzen> morning 10:08 < ecrist> howdy 10:10 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 10:14 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 10:14 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 10:19 -!- u12u [n=will@undertakingyou.dsl.xmission.com] has quit [Read error: 110 (Connection timed out)] 11:13 -!- steve [i=steve@bouncer.stephen.marsh.name] has quit ["disconnecting from stoned server."] 11:14 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust43.midd.cable.ntl.com] has joined ##openvpn 11:15 < weatherhead> hi, I'm trying to set up a bridged VPN. The client seems able to connect (I get initialisation sequence complete messages at both ends), but is unable to ping anything on the LAN side. He also doesn't seem to have a tap0 device. 11:26 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 11:29 < Dougy> hi 11:45 < jeev> Dougy, go to work 11:47 < Dougy> jeev: no 11:47 < Dougy> i'm off today 11:48 < Dougy> anyway 11:48 < Dougy> back outside to mow the lawn 11:48 < Dougy> bbl 11:49 < jeffspeff2> if i have say 7 systems in one office, connecting with one public ip to an openvpn server in a remote office; do i have to set separate ip addresses or anything, or will it all work even though there are multiple vpn clients behind a single public ip?
11:49 < jeffspeff2> (i meant separate ports, not ip addresses) 11:56 < plaerzen> you don't need multiple vpn clients. just set up a server with one vpn client connecting with a permanent tunnel to the other vpn server in a remote office. 11:56 < plaerzen> that would be my recommendation 11:58 < jeffspeff2> how would one vpn server in each office connect all the different computers? 11:59 < plaerzen> as long as they are on the same subnet, nat should work. 11:59 < jeffspeff2> i need all the computers in the office to have a vpn ip to the server 12:00 < cpm> doesn't need nat, the lans are the same lan, linked by a vpn tunnel, rather than a point to point wan link. IT's the same lan. 12:00 < plaerzen> ya, that's what I meant 12:01 < jeffspeff2> ok, so set up an openvpn server in the office, and config it to tunnel all the other ip's of that office to the remote server? 12:02 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:02 < cpm> think of the 'openvpn server in the office' and the 'remote servers' as peers 12:02 < cpm> rather than servers. 12:03 < cpm> and yes, configured as a bridge, they act as a flat lan. 12:06 < jeffspeff2> sorry, but can you dumb it down just a little bit more for me? lol... Office 1 has lan ips of 192.100.123.0; Office 2 has 192.168.11.0 network. i need to be able to rdp and snmp Office 1 systems from a few systems on the Office 2 network. 12:06 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 12:09 < plaerzen> CPM can explain it better than me :P I'm still a relative vpn neophyte. 12:09 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn 12:10 < cpm> jeffspeff2, both offices should have the same subnet, connected by the vpn. why are they numbered differently?> 12:10 < cpm> ? 12:11 < jeffspeff2> those are the individual lan networks.
the vpn net that i'm working on getting up is 192.168.50.0 12:11 < cpm> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 12:11 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 12:11 < cpm> jeffspeff2, again, why? 12:11 < cpm> you want them to be the same lan, yes? 12:12 < Dougy> back 12:13 < jeffspeff2> yes, but the 192.100.123.0 net was already existing and they have a lot of things already setup on that network (active directory, patient data database server, phone system, etc.) that i don't want to mess with... i just need to link the workstations 12:15 < cpm> jeffspeff2, okay, so you number the 'other lan' as if it's the same lan,and bridge it, as per the example in the url I provided. 12:17 < cpm> http://openvpn.net/index.php/documentation/faq.html#bridge1\ 12:17 < jeffspeff2> ok, but say i add Office 3 to the picture; how do i keep Office 3 from accessing office 1 stuff? 12:17 < vpnHelper> Title: FAQ (at openvpn.net) 12:18 < cpm> I thought you wanted them to be able to access, , , 12:18 * cpm is very confused. 12:19 < jeffspeff2> i want my servers in office 2 to access some things on the servers and stations of offices 1 and 3. all three offices are separate companies, i'm calling them office to show geographical separation. office 1 and 3 don't need to be accessing each other in any way. 12:21 < jeffspeff2> my idea was to do routed vpn on the client systems in offices 1 and 3 to the server in office 2... giving each client its own vpn ip and security cert, etc. 12:28 < ecrist> afternoon, kids 12:30 < ecrist> jeffspeff2: you can't have conflicting IPs. period. 12:31 < cpm> ecrist, he wants to use the vpn as his access control system, which I think is a bit wrong headed, but I refuse to judge. I just don't think it's going to work very well. 12:36 < ecrist> jeffspeff2: you need to combine some firewall stuff in with the VPN to get what I think you're looking for.
12:37 < ecrist> OpenVPN isn't an access control system, per se. 12:37 < Dougy> sup ecrist 12:40 < Dougy> 13:37 :D 12:40 < Dougy> my fav tiem 12:40 < Dougy> time^ 13:05 -!- bandini [n=bandini@79.16.109.123] has quit [Read error: 60 (Operation timed out)] 13:06 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 13:12 < jeffspeff2> ecrist, cpm, i'm not wanting an access control system... i have a remote support system, and zenoss setup on my servers. both require network connection (rdp, snmp). i want to make a vpn between the different remote offices to my own, while leaving their existing network infrastructure intact. like have a separate network only for the vpn. i think if i were to use bridging then there would be a big liability with the offices bein 13:12 < jeffspeff2> g able to access systems of the other offices. 13:13 < ecrist> jeffspeff2: in that case, just setup a VPN, and for the hosts you want to have access to via the VPN, put them on a separate subnet, in addition to the primary subnet. 13:17 < jeffspeff2> right, and do routed vpn instead of bridge... correct? 13:18 -!- vladi-bg [n=vladi@206-169-1-36.static.twtelecom.net] has quit [Read error: 104 (Connection reset by peer)] 13:18 < ecrist> yep 13:21 < jeffspeff2> ok, now with that setup, i'm curious as to how some of the applications on my end will behave. does the vpn traffic bypass the lan/wan router? like for accessing the same port on the vpn clients, but they are all behind the same public ip 13:21 < jeffspeff2> or does the public ip even matter? 13:21 < ecrist> public IP doesn't matter to those clients. 13:21 < ecrist> everything will be transmitted across the VPN. 13:22 < jeffspeff2> ok, thanks.
:) 14:04 -!- syslogd [n=syslogd@unaffiliated/syslogd] has quit [Read error: 110 (Connection timed out)] 14:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:30 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 14:30 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 14:58 -!- ByPasS [n=bypass@taki.secured.org] has left ##openvpn [] 15:01 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 15:14 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 15:30 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Success] 15:34 -!- irado [n=irado@srv1.carv.com.br] has joined ##openvpn 15:39 -!- irado [n=irado@srv1.carv.com.br] has quit ["fuiii!!"] 15:47 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 16:00 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 16:03 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 16:03 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 16:18 -!- ElCheapo [n=elcheapo@d199-126-55-162.abhsia.telus.net] has joined ##openvpn 16:30 < ElCheapo> Hiya. I've been trying to sort out my OpenVPN setup all day and I was hoping somebody would be able to quickly answer a couple of questions. 16:31 < ElCheapo> I'm trying to get it going without the overhead of managing a certificate for every user (unless I can do that automagically) 16:32 < ElCheapo> an authentication scheme similar to SSH/PPTP would be 100% (for ease of managing clients) 16:33 < ElCheapo> Any ideas would be appreciated 16:36 < adie> ElCheapo: do you mean with password auth? 16:36 < ElCheapo> against my ldap server would be best 16:37 < ElCheapo> oh, er.. 
yes, password 16:39 < adie> ElCheapo: try using --auth-user-pass-verify and wrap an ldapbind in a nasty shell script 16:39 < ElCheapo> cheers 16:40 < adie> dunno if it'll work :-/ - never tried that. 16:41 < adie> I give out p12 files to the users, I'm thinking of storing a cn attribute for the users, and just get the vpn server to poll that and compare it to a ccd directory and update it appropriately. 16:41 < ElCheapo> I'll let'cha know how I make out 16:41 < adie> what's the clients? 16:42 < adie> win/mac/other *nix? 16:42 < ElCheapo> all of the above :/ 16:43 < adie> - I'd be interested in how tunnelblick and openvpngui cope with it? 16:44 * adie supports them all too. 16:45 < adie> about 50 active vpn users. 16:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:45 < ElCheapo> busy 16:51 < ElCheapo> auth-pam.pl looks like it might be helpful 17:02 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 17:03 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 17:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 17:04 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 17:05 -!- jeffspeff2 [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 17:34 < Dougy> evening all 17:34 < Dougy> :O 17:45 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:52 < plaerzen> hi 17:53 < plaerzen> I wish TaiSHI was still in here. Made the day a little more entertaining. 18:05 < ecrist> why'd he stop coming? 18:08 < plaerzen> don't know. 18:08 < plaerzen> He just didn't show up one day 18:09 < Dougy> sup ecrist 18:09 < Dougy> heyhey plaerzen :) 18:09 < Dougy> krzee !! 18:09 < Dougy> :p 18:13 < ecrist> sup, Dougy 18:14 < plaerzen> Harro 18:39 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
18:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 18:45 < plaerzen> ok guys, I think I'm going to head out. perhaps grab some fast food, wait for the ice-axe in the gut-type feeling, shit a brick then get ready for my rock climbing weekend in the rockies. 18:48 < ecrist> ok? 18:49 < plaerzen> long weekend, booya. 18:49 < ecrist> my weekend started almost 4 hours ago. 18:49 * ecrist gears up for RNC. 18:49 < plaerzen> lucky. mine starts 20 hours from now. 18:50 < plaerzen> see you guys tomorrow. 18:50 * plaerzen waves. 18:50 < ecrist> and mine is over 7 days from now. 18:50 < ecrist> muahahahaha! 18:55 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 19:01 < Dougy> oh 19:01 < Dougy> hi ecrist haha 19:01 * Dougy waves 19:03 -!- jeffspeff2 [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:21 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:40 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 19:46 -!- jeffspeff [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:49 -!- jeffspeff [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:49 -!- jeffspeff [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:53 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:53 -!- jeffspeff [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:55 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:55 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:57 < Dougy> erm 19:57 < Dougy> connection problems jeffspeff2 ? 19:58 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:59 < Dougy> connection problems jeffspeff2 ? 
19:59 < Dougy> connection problems jeffspeff ? 20:13 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 20:36 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 20:37 < jeev> lol 20:38 -!- j1nx3d [n=chatzill@CPE0014bf7eb325-CM00137189e19c.cpe.net.cable.rogers.com] has joined ##openvpn 20:41 < j1nx3d> with openvpn does all data pass through the server or do clients communicate directly? 21:22 -!- j1nx3d [n=chatzill@CPE0014bf7eb325-CM00137189e19c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 21:30 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 21:31 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 21:39 < Dougy> krzee: boo 22:07 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 22:11 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] 22:26 -!- mrbnet [n=mrbnet@12-203-40-55.client.mchsi.com] has joined ##openvpn 22:29 < mrbnet> I am running openvpn on openwrt with a client config. It cannot load the certificate file on boot and I believe this so due to a permissions issue. The only way that it will start is if I call the startup script manually. Any ideas? 
--- Day changed Fri Aug 29 2008 00:33 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 01:35 -!- niekie [i=niek@bergnetworks.com] has joined ##openvpn 01:51 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:51 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 02:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection] 02:08 -!- krzee is now known as krzy 02:09 -!- krzie is now known as krzee 02:09 -!- krzy is now known as krzie 02:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 02:21 < niekie> G'day :) 02:29 < krzee> gday =] 03:38 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 03:42 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.] 03:43 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 04:43 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 05:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:38 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 08:14 -!- ByPasS [n=bypass@taki.secured.org] has joined ##openvpn 08:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:45 < ecrist> morning, bitches. 08:48 < cpm> Oh, that's nice. 08:49 < cpm> :) 08:49 < cpm> and a fine morning to you too, , , 08:49 < ecrist> :) 08:49 * ecrist is in vacaction mode. 08:50 < ecrist> I don't know what vacaction is, but it's probably similar to, but more evil, than a vacation. 08:51 < cpm> hrmm. Good thing to keep in mind. 08:55 < cpm> hey, did that fellow who was dreaming about using dozens of routed client vpns in place of a single bridge ever sort himself out? 09:17 < ecrist> no 09:59 -!- pred2k5 [n=Torsten@dslb-088-069-213-042.pools.arcor-ip.net] has joined ##openvpn 09:59 < pred2k5> hi, how to set up a tun device manuallyy? 
09:59 < SilenceGold> uh 09:59 < SilenceGold> who was that? cpm..that dreamt of that 09:59 < SilenceGold> pred2k5 to do what? 10:00 < pred2k5> forget about it ;) 10:00 < cpm> SilenceGold, I don't recall who it was. 10:00 < SilenceGold> aw I want to scroll up and laugh 10:01 < cpm> it was from yesterday, 22 or so hours back 10:02 < cpm> that's a guess, don't remember exactly when 10:07 < jeev> dougy 10:08 * niekie has fallen in love with OpenVPN today :) 10:08 * jeev fell in love 3 days ago. 10:08 < niekie> Got it working from my school's WiFi. 10:08 < niekie> So I got internet just like at home, but from school :) 10:09 < niekie> (including printing to my network printer, hehe) 10:09 < niekie> (which came in pretty useful) 10:09 < jeev> you doing redirect-gateway ? 10:10 < niekie> jeev: yup. 10:10 < jeev> awesome 10:10 < niekie> Had to manually set DNS though. 10:10 < jeev> what do you mean 10:10 < jeev> it wouldnt' resolve ? 10:11 < niekie> Yup. 10:11 < niekie> Had to adapt /etc/resolv.conf to use my own nameservers instead of schools. 10:11 < jeev> ahh 10:11 < jeev> you could also push name servers 10:11 < niekie> Didn't pull in the dhcp-option. 10:11 < niekie> Yeah, tried that, didn't work. 10:11 < jeev> ah 10:11 < niekie> But I think you need a script for it under Linux. 10:11 < jeev> no idea 10:12 < niekie> Heh. 10:12 < niekie> Sadly I couldn't get the nm-applet easy OpenVPN setup to work though. 10:12 < niekie> As I had to route it through school's proxy servers, and the applet has no option for that. 10:12 < niekie> Also needed to use TCP instead of UDP. 10:13 < niekie> But oh well, it worked fine once I set it up. 10:13 < jeev> heh 10:14 < niekie> Little bit slower than actual home internet though ;) 10:14 < niekie> Due to low upload and higher download. 10:15 < niekie> Which causes the cap when using redirect-gateway over OpenVPN. 10:15 < niekie> Still, 80-100 kB/s.. can't really complain. 
:) 10:15 < jeev> yep ep 10:15 < jeev> yep 10:15 < jeev> dood i upgraded my modem yesterday 10:15 < jeev> 16mbit 10:15 < niekie> :o 10:15 < jeev> even though i have an uncapped cable too 10:15 < niekie> 16mbit up? 10:15 < jeev> i should really find the 16mbit capable modem and change MAC already 10:16 < jeev> no man 10:16 < jeev> 2 10:16 < niekie> Heh. 10:16 * niekie decided not to use his paid datacenter server as OpenVPN endpoint for redirect-gateway. 10:17 < niekie> Because I need to pay for bandwidth there :p 10:17 < SilenceGold> lol 10:17 < ecrist> you know an easier way to get internet access at school? 10:17 * SilenceGold runs public IP VPN service for people who do want it 10:17 < jeev> that's what i do 10:17 < jeev> but i dont use much bandwidth so it's fine 10:17 < ecrist> ssh PROXY and firefox 10:17 < niekie> Err.. or just logging in over the web proxy and browsing the web normally. 10:18 < SilenceGold> it's average of like 30 mb for a casual web browser..per week 10:18 < SilenceGold> it's not really much 10:18 < niekie> 30mb per week? 10:18 < niekie> You really don't use much then :p 10:18 < SilenceGold> yea 10:18 < SilenceGold> no not me 10:18 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 10:18 < SilenceGold> I see many of those users who are using my VPN service 10:18 < SilenceGold> that they use average 30 mb per week 10:18 < niekie> Ah. 10:18 < SilenceGold> students are apparently using like 1 GB each week 10:19 < niekie> Probably youtubing :p 10:19 < SilenceGold> maybe 10:19 < SilenceGold> i don't log their activities 10:19 < SilenceGold> just how much they use 10:19 < niekie> Heh. 10:19 -!- jeev [n=j@unaffiliated/jeev] has quit [] 10:20 < SilenceGold> I had already booted few for excessive usage 10:20 < SilenceGold> :) 10:20 < SilenceGold> well, it's incorrect to say "I" 10:20 < SilenceGold> since it's a script that does it for me 10:20 < niekie> Excessive usage shouldn't be a problem for my ISP. 
10:21 < niekie> They say no data limit + no fair use policy ;) 10:21 < niekie> Also, they give SSH accounts to their subscribers for their servers. 10:21 < niekie> Not that I really use those. 10:21 < niekie> I already have my own server ;) 10:22 < ecrist> niekie: you in high school? 10:23 < niekie> ecrist: yeah, MBO ICT Level 4. 10:23 < niekie> (Dutch) 10:23 < niekie> First year. 10:24 < ecrist> ah 10:24 < SilenceGold> I remember htat I used to get shell account when I signed up for a dialup service for ISPs 10:24 < SilenceGold> they were popular 10:25 < niekie> Heh. 10:25 * niekie has one of the most relaxed ISPs in NL. 10:25 < niekie> They even give you custom rDNS :) 10:25 < niekie> And several other neat services. 10:25 < niekie> And you're allowed to home-host. 10:27 < niekie> (you pay a lot for it, though) 10:27 < niekie> Anyway, I'm gone for now. 10:28 < ecrist> meh, most of the ISPs here do that... 10:30 < ecrist> fucking a. 10:30 < ecrist> my new HP printer supports IPv6 10:30 < niekie> :o 10:31 < niekie> My new HP printer supports USB2.0 :p 10:31 < niekie> And I got it for free from HP ;) 10:31 < ecrist> I paid $377.00 US 10:32 < niekie> Heh. 10:42 < ecrist> woot: 10:42 < ecrist> TCP/IP(v6) 10:42 < ecrist> Status: Ready 10:42 < ecrist> Link-Local address: FE80::21B:78FF:FE27:D91 10:42 < ecrist> Stateless (from Router): 2001:470:1F07:4AD:21B:78FF:FE27:D91 10:42 < ecrist> Stateful (from DHCPv6): Not configured 10:43 * ecrist <3 his new HP printer. 10:43 < SilenceGold> you already have an ipv6 network? 10:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 10:43 < ecrist> SilenceGold: I've had one for well over a year. 10:44 -!- pred2k5 [n=Torsten@dslb-088-069-213-042.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 10:44 < ecrist> actually, I've got a couple. 
10:44 < ecrist> www.secure-computing.net has address 209.240.66.150 10:44 < ecrist> www.secure-computing.net has IPv6 address 2001:4980:1:111::150 10:44 < ecrist> :) 10:44 < Dougy|Work> nice. 10:44 < Dougy|Work> :O 10:45 < ecrist> that's a native block from my ISP. 10:47 * niekie has IPv6 too :) 10:47 < niekie> Through a tunnel provided by my ISP. 11:36 < Dougy|Work> Erm 11:36 < Dougy|Work> Crap. 11:38 < plaerzen> morning irc 11:42 < plaerzen> ecrist: I wish I used freebsd 11:50 < ecrist> why's that? 11:51 < plaerzen> because, we use a smattering of rhel4, fc4, fc6.... it's shit. RPMs are a pain and are unmaintained after 2 versions.... 11:51 < plaerzen> freebsd is vastly superior 11:51 < ecrist> heh, yeah, where I work I've got 30+ FreeBSD servers. 11:52 < ecrist> aside from my Mac, a couple windows client machines, everything else is FreeBSD. 11:53 < ecrist> Dougy|Work: what's crap? 11:56 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:03 < cpm> Caribou Gorn. 12:16 < Dougy|Work> ecrist: nevermind 12:20 < krzee> moin 12:21 < krzee> if any of you are my new neighbor, thank you for using WEP 12:27 -!- OxB001 [n=Mathieu@66-254-37.66.altaspectra.com] has joined ##openvpn 12:27 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Connection timed out] 12:29 < OxB001> hi, I have a quick question about static IP for the tunnel endpoints. Server is ok since we configured the network it should use.. but how do I go around and make sure I can define an IP for every client that will not change overtime? I have added 'ifconfig 10.10.13.5 10.10.13.1' to a client config... just want to make sure everything is alright before I reboot the client 12:30 < krzee> instead of doing it in the client config 12:31 < krzee> push it in a ccd entry 12:31 < krzee> !/30 12:32 < Dougy|Work> krzee!!!!!!!!!! 
12:33 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:33 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)] 12:35 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 12:35 < krzee> !/30 12:35 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 12:35 < Dougy|Work> sup krzee ;o 12:35 < krzee> hey doug 12:35 < Dougy|Work> !menu 12:35 < vpnHelper> Dougy|Work: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum 12:35 < Dougy|Work> :) 12:35 < Dougy|Work> @ last result 12:36 < krzee> OxB001, if you use topology subnet it will be easier to make sure you're pushing the right ips too 12:36 < krzee> its a new feature in the beta version (which i use and many others do, no reports of instability I've seen) 12:36 < Dougy|Work> krzee: how was your birthday 12:36 < krzee> it was great 12:36 < OxB001> I'm not familiar with ccd entries... but thanks I'll have a look 12:36 < Dougy|Work> get drunk as hell? 
12:36 < krzee> !ccd 12:36 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 12:37 < Dougy|Work> !forum 12:37 < vpnHelper> Dougy|Work: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 12:37 < Dougy|Work> ^^ 12:37 < OxB001> but how do you go around an specify which client is which 12:37 < krzee> using the client-config-ir 12:37 < OxB001> (clients are on DSL lines and get a new public IP on every reconnect) 12:37 < krzee> dir 12:37 < krzee> then you make an entry for each client 12:37 < rmull_> OxB001: Each ccd entry has a name corresponding to the name on the cert. 12:37 < Dougy|Work> krzee: did you see the skin I put up? 12:37 < OxB001> ah 12:37 < OxB001> yeah 12:37 < OxB001> thanks 12:37 < krzee> as a file named by the common name of the clients cert 12:39 < krzee> Dougy|Work, some of that isnt english 12:39 < krzee> Cevap Yaz...? 12:39 < Dougy|Work> krzee: where do you see that 12:39 < krzee> Alinti...? 12:39 < Dougy|Work> some middle eastern guy made it 12:39 < Dougy|Work> it was on vb.org 12:39 < Dougy|Work> Where do you see that? 12:39 < krzee> im looking at your OpenVPN install guide 12:39 < Dougy|Work> oh 12:39 < Dougy|Work> the postbit 12:39 < Dougy|Work> hmmm 12:39 < Dougy|Work> fuckin a 12:40 < krzee> the buttons 12:40 < Dougy|Work> the skin is perfect 12:40 < Dougy|Work> but the buttons are in arabic 12:40 < Dougy|Work> UGH 12:40 * Dougy|Work slams head against wall 12:41 < rmull_> s/arabic/english :P 12:41 < Dougy|Work> I have the psd's here also 12:41 < Dougy|Work> i just need someone to edit + reslice 12:41 < Dougy|Work> :< 12:42 * Dougy|Work does not have or know photoshop 12:42 < Dougy|Work> :( 12:42 < rmull_> I belive the GIMP can handle PSD. 12:42 < krzee> you have other skins... 
12:42 < krzee> steal from them 12:42 < Dougy|Work> krzee: i like this one :( 12:43 < krzee> just steal buttons then 12:43 < Dougy|Work> rmull_: it can, but it doesn't have a slice thingie 12:43 < Dougy|Work> they're gonna look out of places :p 12:43 < Dougy|Work> place^ 12:43 < krzee> not as out of place as arabic 12:43 < Dougy|Work> i can use the default vb ones 12:43 < Dougy|Work> those would work 12:44 < Dougy|Work> hm 12:44 * Dougy|Work fixes 12:46 < Dougy|Work> krzee: look now 12:46 < Dougy|Work> better? 12:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 12:47 < Dougy|Work> Damn him. 12:47 < Dougy|Work> :< 12:47 < Dougy|Work> rmull_: looks better now? 12:48 < rmull_> I didn't see the Arabic before (didn't look for it) but yes, seems fine to mee :P 12:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 12:48 < Dougy|Work> looks ok now? 12:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:49 < Dougy|Work> wb krzee 12:50 < krzee> thx 12:50 < krzee> !sample 12:50 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 12:50 * rmull_ whispers: put it in the wiki 12:51 < krzee> heh i was tossing it in the forum under examples 12:51 < rmull_> ah 12:51 < krzee> im putting my writeups in the wiki 12:51 < Dougy|Work> krzee: looks better now? 12:51 < Dougy|Work> (the icons) 12:51 < krzee> so far only 1 writeup made by me tho 12:55 < Dougy|Work> thanks krzee!! 12:56 < krzee> ya buttons are better 12:56 < krzee> !wiki 12:56 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN 12:57 < Dougy|Work> krzee: I'm going to make you a "hidden" moderator 12:57 < Dougy|Work> do you mind? 12:57 < krzee> nah you can gimme all the access you want 12:57 < krzee> heh 12:57 < Dougy|Work> k 12:57 < Dougy|Work> and I'll make it "hidden" if you want? 
12:57 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 12:57 < krzee> dunno the diff 12:57 < krzee> but sure 12:58 < Dougy|Work> well 12:58 < Dougy|Work> hidden is basically when you post it says "registered member" like everyone else instead of "Moderator" 12:58 < krzee> oh 12:58 < krzee> same diff to me 12:58 * Dougy|Work shrugs 12:58 < Dougy|Work> You tell me what you want i'll do it 12:59 < krzee> hidden is fine 13:00 < Dougy|Work> LOOOL 13:00 < Dougy|Work> i'm looking thru ircpimps.org 13:00 < Dougy|Work> krzee really does look like a pimp 13:00 < Dougy|Work> rofl 13:00 < krzee> hah 13:00 < Dougy|Work> http://www.ircpimps.org/pics/krzee/krz_mel.jpg 13:00 < Dougy|Work> ^ 13:01 < Dougy|Work> you either look like a pimp 13:01 < Dougy|Work> or you're stoned as hell 13:01 < Dougy|Work> or both 13:01 < krzee> haha she was nekkid in that pic too 13:01 < krzee> the rest of the pictures from that day show it off more ;] 13:01 < rmull_> What channel does she hang out it <_< 13:01 < krzee> lol 13:01 < krzee> she dunno irc 13:02 < krzee> or inet at all 13:02 < krzee> i think she has dialup aol even 13:02 < Dougy|Work> lol 13:02 < Dougy|Work> well 13:02 < Dougy|Work> i guess i wont look at the rest of those pics at work, eh kreg_work 13:02 < Dougy|Work> er krzee 13:02 < Dougy|Work> lol 13:03 < krzee> nah nothing bad on that page 13:03 < krzee> those are private stash 13:03 < Dougy|Work> lol 13:04 < kreg_work> lo 13:04 < kreg_work> ah typo. 13:04 < krzee> hehe kreg got false pinged 13:04 < krzee> hey kreg =] 13:04 < Dougy|Work> haha 13:04 < Dougy|Work> sup kreg :) 13:05 < kreg_work> yo! 13:06 < Dougy|Work> whatsup 13:06 < Dougy|Work> krzee: do you like that sin? 
13:06 < Dougy|Work> skin^ 13:06 < krzee> i like sin more, but ya 13:06 < krzee> heh 13:08 < Dougy|Work> :p 13:20 < Dougy|Work> so 13:20 < Dougy|Work> krzee: what other forums do I need to add 13:20 < Dougy|Work> krzee: http://www.ovpnforum.com/showgroups.php 13:21 < krzee> looks fine for now 13:21 < Dougy|Work> Hmm. 13:21 < Dougy|Work> Wanna set up forumbot 13:21 < Dougy|Work> ? 13:21 < krzee> if everyone starts posting in 1, we can think bout splitting it into more 13:21 < krzee> ya ill add it to vpnhelper at some point 13:22 < rmull_> Dougy|Work: Word of advice from ex-forum admin - Wait and see if any of this is necessary... 13:22 < Dougy|Work> rmull_: meh 13:22 * Dougy|Work shrugs 13:22 -!- OxB001 [n=Mathieu@66-254-37.66.altaspectra.com] has left ##openvpn ["Quitte"] 13:22 < Dougy|Work> I have no idea how mailing lists work. 13:22 < Dougy|Work> Or I'd see about that. 13:22 < rmull_> Dougy|Work: What do you mean? 13:23 < Dougy|Work> I'd post something about the forum on the mailing list (openVPN one) 13:23 < Dougy|Work> No idea how those work 13:24 < rmull_> I've got some experience (as a user, not admin) of both Majordomo and Ecartis 13:24 * Dougy|Work shrugs 13:24 < rmull_> Oh - you want to join the openvpn list? 
13:24 < Dougy|Work> I don't know anything about it other than what it is 13:25 < Dougy|Work> Is there a URL to it 13:25 < Dougy|Work> !menu 13:25 < vpnHelper> Dougy|Work: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum 13:25 < rmull_> https://lists.sourceforge.net/lists/listinfo/openvpn-users 13:25 < krzee> !mail 13:25 < vpnHelper> Title: Openvpn-users Info Page (at lists.sourceforge.net) 13:25 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978 13:26 < Dougy|Work> Are there a lot of people on it? 13:26 < Dougy|Work> oh 13:26 < Dougy|Work> it says 13:26 < Dougy|Work> lfmao 13:27 < Dougy|Work> Can we post stuff on it ourselves? 13:27 < rmull_> That's the point of it 13:27 < krzee> heh 13:27 * Dougy|Work doesn't know any of this 13:28 < Dougy|Work> sf.net is slow today 13:28 < krzee> its like the forum, only its a mail list 13:28 < krzee> and it is highly used 13:29 < Dougy|Work> Hm 13:29 < Dougy|Work> I need to figure out how to post on it o.O 13:29 < rmull_> Register, send mail to openvpn-users@lists.sourceforge.net 13:30 < Dougy|Work> oh, just email it. mailing list. duh. 13:30 < Dougy|Work> So basically be like "Hey everyone, I'm starting a forum as another method of getting support for openvpn" blahblah? 13:30 < krzee> ill send a post to it for ya 13:30 < Dougy|Work> krzee: :D 13:32 -!- oxygene [n=oxygene@khepri.openbios.org] has left ##openvpn [] 13:36 < krzee> sent 13:37 < Dougy|Work> word 13:37 * Dougy|Work looks around 13:37 < krzee> Hey list, 13:37 < krzee> I frequent the ##OpenVPN IRC channel on freenode to give support. 
13:37 < krzee> One of the people in the channel decided to make a forum for openvpn, since there doesn't seem to be one. 13:37 < krzee> The URL to it is: http://www.ovpnforum.com/ 13:37 < krzee> It is open to all who would like to participate. 13:37 < krzee> It is brand new so there is not much content on it yet, so we'll see how it goes. 13:37 < krzee> -krzee 13:37 < Dougy|Work> where does this show up 13:38 < Dougy|Work> like will it show up here: http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-users 13:38 < Dougy|Work> ? 13:38 < vpnHelper> Title: SourceForge.net: openvpn-users (at sourceforge.net) 13:38 < krzee> yes 13:38 < Dougy|Work> Nice. 13:38 * Dougy|Work will keep his eyes open 13:38 < krzee> as you can see its still got 08-25 as newest message 13:39 < krzee> so archiving isnt real-time 13:39 < Dougy|Work> yeah :S 13:39 < Dougy|Work> that sucks 13:39 < Dougy|Work> lol 13:39 < krzee> *shrug* its nice theres an archive 13:39 < Dougy|Work> yeah 13:39 < Dougy|Work> oo 13:39 < Dougy|Work> I just got the email 13:39 < Dougy|Work> !!! 13:39 < vpnHelper> Dougy|Work: Error: "!!" is not a valid command. 13:39 < krzee> http://sourceforge.net/mailarchive/forum.php?thread_name=299AC036-C3FF-4D4E-858D-7B8507E99B16%40doeshosting.com&forum_name=openvpn-users 13:39 < Dougy|Work> :O 13:39 < vpnHelper> Title: SourceForge.net: openvpn-users (at sourceforge.net) 13:40 < Dougy|Work> yeah, i just got it emailed to me 13:40 < krzee> theres my message announcing the wiki 13:40 < Dougy|Work> nice 13:40 < Dougy|Work> i just got the one announcing the forum 13:40 < Dougy|Work> Thx jeff :) 13:40 < krzee> yw 13:41 < krzee> ill bbiab 13:41 < Dougy|Work> Cya 13:53 < krzee> hey dougy 13:53 < krzee> wasnt it you that wanted the security writeup? 
13:54 < Dougy|Work> it was me indeed 13:54 < krzee> http://www.sans.org/reading_room/whitepapers/vpns/1459.php 13:54 < vpnHelper> Title: SANS Institute - OpenVPN and the SSL VPN Revolution (at www.sans.org) 13:54 < krzee> enjoy 13:54 < krzee> =] 13:54 < Dougy|Work> A bit of a read for today but bookmarked none the less 13:55 < Dougy|Work> thatd be nice to post on the forum 13:55 < Dougy|Work> krzee: http://www.ovpnforum.com/showthread.php?p=5#post5 <-- isn't that kinda erm 13:55 < Dougy|Work> pointless o.O 13:55 < Dougy|Work> no offense 13:55 < krzee> building your own rpm? 13:55 < Dougy|Work> no 13:55 < Dougy|Work> just posting the URL 13:55 < Dougy|Work> lol 13:55 < krzee> *shrug* 13:56 * Dougy|Work shrugs 13:56 < krzee> why rebuild the wheel 13:56 < krzee> ild rather point to an existing wheel 13:56 < krzee> you can remove it if you want 13:56 < Dougy|Work> Nah 13:56 < Dougy|Work> I was just wondering why you didn't put a sentence with it is all 13:56 < Dougy|Work> not a big deal 14:04 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 14:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:43 < ecrist> lol, krzee is a junior member. 14:43 < Dougy|Work> lol 14:43 < Dougy|Work> he's not ecrist 14:43 < Dougy|Work> he's just "displaying" as that 14:43 < Dougy|Work> ecrist: http://www.ovpnforum.com/showgroups.php 14:47 * ecrist can't find his gun belt 14:47 < Dougy|Work> how was the orientation 14:48 < Dougy|Work> why do you need a gun belt :S 14:50 < Dougy|Work> i love how my vps fails to respond 14:50 < Dougy|Work> again 14:51 < ecrist> Dougy|Work: I'm a reserve sheriff's deputy as a hobby. 14:51 < Dougy|Work> Nice 14:54 < ecrist> well, I'm off, going to spend some time on the lakes I think, tonight. 14:54 -!- mode/##openvpn [+o Dougy|Work] by ChanServ 14:56 <@Dougy|Work> whoa 14:56 <@Dougy|Work> Cool 14:56 <@Dougy|Work> Who dun it? 
14:56 * Dougy|Work pokes ecrist 15:01 -!- ByPasS [n=bypass@taki.secured.org] has left ##openvpn [] 15:07 * Dougy|Work pokes krzie 15:19 < plaerzen> Awe, lucky, I have yet to get my +o badge. 15:19 <@Dougy|Work> I don' 15:19 <@Dougy|Work> I don't have access* 15:20 <@Dougy|Work> -> *nickserv* listchans 15:20 <@Dougy|Work> - 15:20 <@Dougy|Work> -NickServ- No channel access was found for the nickname Dougy. 15:20 <@Dougy|Work> So, I'm still trying to figure out how/why I have op. 15:20 <@Dougy|Work> :S 15:20 <@Dougy|Work> I don't mind it at all, of course 15:20 <@Dougy|Work> but 15:20 <@Dougy|Work> lol 15:30 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 16:04 <@Dougy|Work> hey 16:16 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 16:29 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 16:33 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 16:47 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"] 16:48 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn 17:35 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 17:55 <@Dougy|Work> I'm going home 17:55 <@Dougy|Work> cya 18:45 -!- explody [n=groggy@gw.gemstone.com] has joined ##openvpn 18:48 < explody> anyone have some insight on the strength of using only certificates for auth? we're concerned that if a road warrior's cert gets stolen, an attacked could privately crack on it for weeks without us even knowing 19:50 -!- LumberCartel [n=IceChat7@24.86.160.252] has joined ##openvpn 19:52 < LumberCartel> Hello folks. I have a client with OpenVPN on their laptop running WinXP with SP2, and sometimes when they reboot their network adapter is in a "Disabled" state. Is there a command-line way of enabling an adapter in Windows so that I can automate this fix for them, or some other solution? Thanks in advance. 
20:02 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala, Concept-P, dfas, plik, djs 20:03 -!- Netsplit over, joins: kala, dfas, Concept-P, djs, plik 20:05 < LumberCartel> Bah, Windows sucks. It can't be automated. 20:07 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 20:07 < Dougy> sup all! 20:09 < Dougy> ecrist: yo 20:10 < LumberCartel> Dougy: I'm trying to enable a NIC from the command-line in WinXP. The "netsh" stuff seems to be b0rked, which is typical of Microsoft's crap. 20:11 < Dougy> Heh. 20:11 < Dougy> I don't use windows. I'm useless here probably. 20:11 < Dougy> Can you be a bit more specific 20:11 < Dougy> man, I wish I could make Dougy|Work op me 20:12 < LumberCartel> It's for a client. The problem is that their OpenVPN network adapter comes up disabled sometimes. 20:12 < LumberCartel> End users aren't very good at right-clicking on network adapters and selecting "Enabled." Someone else is telling this guy (who is the owner of the company) to switch to the Microsoft VPN to solve the problem, but we just moved everyone over to OpenVPN. I hate idiot competitors like this. 20:14 < Dougy> Heh. 20:14 < Dougy> Competition man. 20:14 < Dougy> Ermm. 20:14 < LumberCartel> It's working fine for all the other users. This is just some idiot being a f***ing ***hole. 20:14 < LumberCartel> Unfortunately he has the boss's ear. 20:15 < LumberCartel> If I can fix this, though, then he'll lose credibility. 20:15 * LumberCartel hates supporting Windows networks because of the politics that seem to go along with them. 20:15 < Dougy> Haha. 20:16 < Dougy> Did you try reinstalling opneVPN? 20:16 < LumberCartel> Yeah. 20:17 < Dougy> Hm. 20:17 * Dougy tries to think 20:17 < LumberCartel> Never have I seen this problem before. I have OpenVPN deployed at many sites. 20:17 < Dougy> I'm pretty useless 20:17 < Dougy> I don't even know what netsh is >< 20:19 < LumberCartel> The "netsh" command is b0rked. 
20:19 < LumberCartel> It seems to be Microsoft's answer to having an ifconfig type of tool.
20:20 < Dougy> Oh.
20:20 < Dougy> My vaporware is better than your vaporware.
20:21 * LumberCartel thinks the world will be a much better place when Microsoft finally goes out of business.
20:21 < Dougy> That will never happen
20:21 < Dougy> however
20:21 < Dougy> all the desktops I build for customers now
20:21 < Dougy> Every single one has Ubuntu :D
20:23 < LumberCartel> For the Widows systems I build, I always put on lots of free software including OpenOffice.org, Mozilla Thunderbird, TightVNC, and the major web browsers (Opera, Mozilla Firefox, Apple Safari, and Lynx), and set them to handle things by default.
20:24 < Dougy> Go you
20:25 < LumberCartel> For systems donated, since they come without Widows licenses, they get Ubuntu (with all its updates).
20:25 < LumberCartel> So far feedback from users has been that they really like it.
20:25 < Dougy> Yes
20:25 < LumberCartel> For servers I use NetBSD.
20:26 < Dougy> Pfft.
20:26 < Dougy> Debian + CentOS + FREEBSD = Win
20:26 < LumberCartel> In the near future I'm planning to try PC-BSD, DesktopBSD, and MidnightBSD, all of which are supposed to be end-user friendly like Ubuntu is.
20:27 < Dougy> I've heard DesktopBSD is good
20:27 < LumberCartel> If Microsoft Widows has FreeBSD in it, it's only portions of the network stack as I understand it, otherwise there'd be an "ifconfig" command in there and I wouldn't be having to screw around with this "netsh" garbage that simply doesn't work.
20:29 < LumberCartel> mota: According to http://www.groupsrv.com/dotnet/about210287.html that "netsh" command doesn't work properly in WinXP; only Win 2003.
20:29 < vpnHelper> Title: How to Dis/Enable Network Adapter? (at www.groupsrv.com)
20:30 < LumberCartel> Sorry, wrong channel.
20:30 < LumberCartel> Folks in #windows are trying to help with this too, but their solutions aren't working. They claim it does work, but this "netsh" command hasn't worked on 3 machines now.
20:31 < Dougy> Haha
20:31 < Dougy> 03 sucks
20:33 < Dougy> er
20:33 < Dougy> XP*
20:33 < Dougy> Anyway.
20:33 < Dougy> Have you tried the mailing list, LumberCartel?
20:33 < Dougy> I'd say check the forum, but I just set the forum up today.
20:34 < LumberCartel> Forum for OpenVPN?
20:34 < Dougy> Yup
20:34 < Dougy> !forum
20:34 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
20:34 < Dougy> It's brand spanking new
20:34 < Dougy> so not much there
20:34 < LumberCartel> Nice!
20:34 < Dougy> :)
20:34 * LumberCartel spanks the forum in a user-friendly way.
20:34 < Dougy> Haha
20:34 < Dougy> Join up o.O
20:37 * Dougy pokes LumberCartel
20:38 < LumberCartel> I stopped joining forums a long time ago. I'll participate in those that allow anonymous postings (even when the responses are moderated), but otherwise I just don't have the time to keep up. I simply had to stop a long time ago.
20:39 * Dougy pouts
20:40 < LumberCartel> Sorry, it's just that I've lost too many billable hours trying to keep up with forums in the past -- they're addictive to me and I just have to stay away from them.
20:40 < LumberCartel> Just look at how much time I spend in IRC already. =(
20:42 < Dougy> Haha.
20:42 < Dougy> I feel your pain.
20:43 < LumberCartel> I feel like I want to join though.
20:43 < LumberCartel> But I'm not going to.
20:43 * Dougy wants you to join
20:43 < Dougy> joiiiiiin...
20:43 < Dougy> joiiiiiin...
20:43 < Dougy> joiiiiiinnnnnnnnnnn
20:43 * LumberCartel smiles.
20:43 * Dougy talks like it's a cult
20:43 < LumberCartel> I'll tell others too.
20:43 < Dougy> We neeeeed you.
20:43 < Dougy> Haha.
20:43 < Dougy> :)
20:44 < LumberCartel> You should perhaps let the OpenVPN webmasters know about it so they can add it to the resources section. I'm sure that'll get you loads of members. You should, before doing that, include a notice that the username and password they choose should not match anything that's official OpenVPN stuff.
20:44 < LumberCartel> (A show of good faith, in a way.)
20:45 < Dougy> Ehh.
20:45 < Dougy> if the openvpn webmasters abandoned their own irc channel
20:45 < Dougy> why would they care about a forum
20:46 < LumberCartel> ...because someone else would be maintaining it.
20:46 < Dougy> good point.
20:48 < Dougy> where's their rseources section?
20:48 < Dougy> their resources
20:48 < LumberCartel> If they don't have one, then maybe they need one.
20:48 < LumberCartel> Or link it from the "help" section that points to this IRC channel.
20:48 < LumberCartel> My wife wants another massage. See you folks later.
20:48 -!- LumberCartel [n=IceChat7@24.86.160.252] has quit ["Go Team Venture!"]
20:49 < Dougy> I don't see the help section either
20:49 < Dougy> !help
20:49 < vpnHelper> Dougy: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
20:49 < Dougy> oh
20:49 < Dougy> lame
21:17 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
21:29 < Dougy> hey djs26
21:29 -!- djs [n=djs@unaffiliated/djs26] has quit [Nick collision from services.]
21:29 -!- djs26 is now known as djs
21:30 < Dougy> hey djs
21:45 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
21:46 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:55 -!- jeev [n=j@unaffiliated/jeev] has joined ##openvpn
21:55 < Dougy> JEEV
21:55 < Dougy> :O
21:55 * Dougy needs ecrist to shwo up
21:55 < Dougy> show^
22:01 < jeev> sup
22:03 < Dougy> yoyo
22:03 < Dougy> what's up jeev
22:08 < jeev> nothin
22:08 < jeev> was invited to a dinner
22:08 < jeev> so i'm gonna put on my 65k watch
22:08 < jeev> lol
22:09 < Dougy> lol
22:09 < Dougy> jesus christ
22:09 < Dougy> my life isn't worth 65k.
22:10 -!- dfas [n=none@10.201.216.81.static.s-o.siw.siwnet.net] has quit [Connection timed out]
22:13 -!- socialist [n=groggy@gw.gemstone.com] has joined ##openvpn
22:21 * ecrist is back.
22:21 < Dougy> ecrist!!
22:21 < Dougy> wb
22:21 < Dougy> Erm question for you
22:22 < ecrist> explody: password protect your certificates for clients.
22:22 < ecrist> the only way that can really help minimize that risk.
22:22 < Dougy> ecrist, how/who/why opped Dougy|Work ?
22:22 < ecrist> if that's not enough, add a second authentication token, such as a username/password.
22:22 -!- JohnMahowald [n=john@fedora/fedorared] has quit [Read error: 113 (No route to host)]
22:23 < ecrist> Dougy: I did, before I left.
22:23 < Dougy> Oh
22:23 < Dougy> Thank you :)
22:24 < Dougy> How was whatever you did/
22:24 < Dougy> ?
22:24 < ecrist> boring, tonight. nothing going on.
22:24 < Dougy> lame.
22:24 < ecrist> I hope the next three days are busier.
22:24 < Dougy> what's going no?
22:24 < Dougy> on^
22:26 < ecrist> Republican National Convention.
22:26 < Dougy> oh, right.
22:26 < Dougy> :p
22:26 < Dougy> Btw, if you want to deop Dougy|Work, go for it. it's kinda just .. idling
22:26 < Dougy> o.o
22:27 -!- Irssi: ##openvpn: Total of 33 nicks [1 ops, 0 halfops, 0 voices, 32 normal]
22:28 -!- mode/##openvpn [-o Dougy|Work] by ChanServ
22:28 -!- explody [n=groggy@gw.gemstone.com] has quit [Read error: 110 (Connection timed out)]
22:28 < Dougy> :)
22:28 < Dougy> Thanks for the op though eric
22:28 < Dougy> that was pretty cool
22:28 < Dougy> :)
22:28 < ecrist> np
22:28 < Dougy> I'm gonna go sleep
22:28 < Dougy> Night :)
22:28 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"]
22:53 -!- A|3x [n=alex@c-76-115-64-119.hsd1.or.comcast.net] has joined ##openvpn
23:06 < A|3x> i get this error message after changing ip: openvpn[14561]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
23:18 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
23:35 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has joined ##openvpn
23:35 < quentusrex_lapto> Hello
23:37 < quentusrex_lapto> I'm trying to setup an easy system to install vpn certs for laptops. I want to be able to package the client install so that it uses the custom cert (unique to every machine). Is this possible?
23:49 < SilenceGold> yea it's possible
--- Day changed Sat Aug 30 2008
00:03 < ecrist> quentusrex_lapto: I've written a perl script to do all that for you.
00:03 < ecrist> https://www.secure-computing.net/ssl-admin
00:03 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net)
00:04 < ecrist> it's not in the easiest form for consumption there, but if you can use perl, that'll get you there.
00:04 < ecrist> if you have problems, let me know and I'll try to clean it up for you.
00:05 < ecrist> if you're on FreeBSD, install the port, which is in a better form from /usr/ports/security/ssl-admin
00:05 * ecrist goes to bed.
00:07 < SilenceGold> nite
00:21 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
00:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:08 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
01:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:46 < quentusrex_lapto> Can I generate 100 different certs? and have them all named the same file name on each of the different machines?
01:50 < krzee> sure
01:50 < krzee> as long as common name is different
01:50 < krzee> although managing them while created won't be as easy
01:50 < krzee> and knowing which to send where
01:50 < krzee> but ya
01:51 < krzee> filename is not important
01:58 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)]
02:47 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn
02:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:49 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
04:00 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
04:00 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
04:16 < kala> quentusrex_lapto: what operating system do you run on the laptops?
04:17 < quentusrex_lapto> debian
04:17 < kala> oh
04:17 < kala> yep, then perl is probably your friend
04:44 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
04:48 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
05:35 -!- A|3x [n=alex@c-76-115-64-119.hsd1.or.comcast.net] has quit [Read error: 113 (No route to host)]
06:40 -!- ams [i=ams@gnu/inetutils/ams] has joined ##openvpn
06:41 < ams> hi hackers!
06:42 < ams> Say i have the following setup: {internet} -- box with two nic -- switch -- {lots of machines}, `box with two nics' is running openvpn, how would i allow the machines behind the `box with two nics' to access the tunnel?
07:22 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust43.midd.cable.ntl.com] has quit [Remote closed the connection]
08:03 < ecrist> quentusrex_lapto: that's a future feature of ssl-admin, to create bulk certificates and distribute them.
08:22 -!- rmull_ [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has quit ["leaving"]
08:25 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
08:25 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
08:54 -!- ng12345 [n=chatzill@c-68-46-184-46.hsd1.pa.comcast.net] has joined ##openvpn
08:54 < ng12345> hi i was wondering if anyone would be able to help me with my openvpn config
08:55 < ng12345> i posted recently to the mailing list but didn't realize there was an irc channel so i thought i would check it out
08:56 < ng12345> i've been banging my head against the wall for a while trying to get the client-config-dir command working
09:15 < ng12345> anyone here?
09:30 < SilenceGold> yea we are here
09:31 < SilenceGold> it's counter productive when you haven't mentioned what the problem is..and we're sitting here ignoring you 'cause of that.
09:34 < ng12345> oh ok
09:34 < ng12345> well i don't know how posting works in this channel
09:34 < ng12345> so was hoping for some sort of an intro
09:35 < ng12345> anyways the problem is the client-config-dir command doesn't seem to execute
09:35 < ng12345> i'm running a site to site vpn using linksys routers as the openvpn client and server
09:36 < ng12345> the config files and keys are stored in the /jffs folder of each router
09:36 < ng12345> the server config file contains the command "client-config-dir /jffs/ccd"
09:37 < ng12345> within /jffs/ccd there is one file named client with 2 lines in it : iroute 192.168.1.0 255.255.255.0 and push "route 192.168.7.0 255.255.255.0"
09:37 < ng12345> -- sorry, the server lan ips are 192.168.0.0 and the client lan ips are 192.168.1.0 the purpose of pushing that route is so i can see that it is working. however every time i connect the client, the client successfully connects but does not route the pushed route
09:38 < ng12345> should i copy paste my config files? -- they are pretty long and it already feels like i've spammed the channel with chat
09:40 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
09:41 < ng12345> or am i still being ignored?
09:52 < SilenceGold> no I'm just busy
09:52 < SilenceGold> checking irc when I have a chance
09:53 < SilenceGold> pastebin.com
09:53 < SilenceGold> paste your configs from both sides
09:53 < SilenceGold> I'll see if I can give a hint on what is wrong
09:55 < ng12345> http://pastebin.com/m47bfa3d2
09:55 < ng12345> that is the e-mail i sent to the listsrv -- contains both configs and firewall scripts
09:56 < ng12345> i also tried using "client-config-dir /jffs/ccd/" (with the extra slash) and it made no difference
09:59 < SilenceGold> okay
09:59 < SilenceGold> what's in /jffs/ccd/ directory?
10:00 < ng12345> two files
10:00 < ng12345> default and client
10:00 < SilenceGold> oh
10:01 < SilenceGold> you have to have a directory that matches the common name of your SSL certificate that you give to a client
10:01 < SilenceGold> erm wait
10:01 < ng12345> the common name is client
10:01 < SilenceGold> I think it's a file
10:01 < SilenceGold> let me check
10:01 < SilenceGold> oh yea
10:01 < SilenceGold> a file
10:01 < ng12345> yah the openvpn howto said a file name
10:02 < SilenceGold> your SSL certificate also has client as the common name too?
10:02 < ng12345> yah
10:02 < ng12345> i tried a couple different common names and same result
10:02 < ng12345> and also default is supposed to be a catchall if the name doesn't match
10:02 < ng12345> if i change the client-config-dir to an invalid directory, then authentication fails -- so i guess it is checking for something?
10:03 < SilenceGold> k
10:03 < SilenceGold> I see in client:
10:04 < SilenceGold> that you have no ifconfig-push line?
10:04 < ng12345> not in the one i pasted
10:04 < ng12345> i tried that as well
10:04 < ng12345> and it doesn't work
10:05 < ng12345> i did ifconfig-push 10.9.0.9 10.9.0.10 and the client got an ip of 10.9.0.14
10:05 < ng12345> i didn't think that line was necessary -- besides i have ifconfig-pool-persist in my server config (which also is not working)
10:06 < SilenceGold> http://workaround.org/moin/OpenVpnFaq#client-config-dir
10:06 < vpnHelper> Title: OpenVpnFaq - workaround.org - literacy for admins and users (at workaround.org)
10:07 < SilenceGold> well, you can get it working without the client-config-dir?
10:08 < ng12345> i don't understand your question?
10:09 < ng12345> the client connects, but it is not running the commands within the client config dir
10:09 < ng12345> i can ping computers behind the server, but i can not ping computers behind the client
10:10 < SilenceGold> what I meant is
10:10 < SilenceGold> do it without the client-config-dir just to be sure that it is working correctly
10:10 < SilenceGold> then try to get client-config-dir working
10:10 < SilenceGold> so you can rule out other problems such as routing problems
10:11 < ng12345> ok, without client-config-dir i can't get it working; like I said computers behind 192.168.1.0 can ping computers behind 192.168.0.0 but computers behind 192.168.0.0 can not ping computers behind 192.168.1.0
10:11 < SilenceGold> then it's not the client-config-dir problem
10:12 < SilenceGold> 90% of problems with openvpn is the routings
10:12 < ng12345> but, i think that part of that is the server can accept multiple clients, so the only way it knows which ip to send each request is to use the iroute command which has to be in conjunction with the client-config-dir
10:12 < ng12345> at least that's what i have read in my searching
10:12 < SilenceGold> no that's not true
10:12 < ng12345> ok; i put my routing tables in the paste bin also
10:13 < SilenceGold> when your client connects
10:13 < SilenceGold> does it get an ip address?
10:13 < ng12345> yes
10:13 < ng12345> right now it has the ip address 10.9.0.14
10:13 < SilenceGold> okay
10:13 < SilenceGold> client's VPN ip is 10.9.0.14
10:13 < ng12345> the openvpn server has a local lan ip of 192.168.0.1 -- it can successfully ping 10.9.0.14
10:13 < ng12345> yes
10:14 < SilenceGold> your paste is kind of hard for me to read
10:15 < ng12345> sorry -- all the routes automatically highlighted light purple; this is without the highlighting: http://pastebin.com/m6893fe1d
10:15 < SilenceGold> hrm look at your line in server's side config
10:15 < SilenceGold> push "route 192.168.0.0 255.255.255.0"
10:15 < SilenceGold> I don't see a gateway listed?
10:16 < ng12345> it doesn't need one
10:16 < SilenceGold> it's not the colors
10:16 < SilenceGold> it's hard to identify sections
10:17 < ng12345> my apologies
10:19 < SilenceGold> I suggest you to start all over
10:20 < SilenceGold> and this time, get it working without the client-config-dir
10:20 < ng12345> http://pastebin.com/m10b66b5e -- i have highlighted the beginning of each section
10:20 < SilenceGold> just set it up as plain as possible
10:21 < ng12345> yes i've been building up from a basic install
10:21 < ng12345> i started with a static.key configuration and it worked fine
10:21 < SilenceGold> is this the first time?
10:21 < SilenceGold> or you have set up openvpn before?
10:21 < ng12345> first time
10:21 < SilenceGold> hrm
10:21 < SilenceGold> I compared my server side config
10:21 < SilenceGold> yours has "#
10:21 < SilenceGold> server 10.9.0.0 255.255.255.0
10:22 < SilenceGold> "
10:22 < SilenceGold> and mine is
10:22 < SilenceGold> local 216.xx.xx.99
10:22 < SilenceGold> I xx'ed it
10:22 < SilenceGold> did you look at ecrist's site on how to get it working? maybe it'll help 'cause it's plain
10:23 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
10:24 < ng12345> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
10:24 < vpnHelper> Title: FreeBSD OpenVPN Server HowTo - Secure Computing Wiki (at www.secure-computing.net)
10:24 < SilenceGold> yea
10:25 < ng12345> though i didn't use his script; his script and mine are almost identical
10:25 < ng12345> except for the lines beginning with client-config-dir
10:25 < ng12345> (in my script)
10:27 < ng12345> i don't have a duplicate-cn line since that contradicts the client-config-dir line and also since i don't need it; persist-key and persist-tun refer to ping-restarts which is not where my problem is; and i am not using a crl
10:27 < ng12345> i don't have the ivans network line -- but i don't know what that is
10:30 < ng12345> also on his site https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing it indicates that i need the client-config-dir path in order to get the server side pinging the client side
10:30 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
10:32 < SilenceGold> yea
10:32 < SilenceGold> my client-config-dir is empty
10:32 < SilenceGold> but it's a file
10:32 < ng12345> what do you mean
10:32 < ng12345> you have a file called "ccd"?
10:33 < ng12345> this is from that text "You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/."
10:33 < ng12345> i'm not a linux user so i don't know what that means -- i thought it meant create a file with the client common name within the ccd directory
10:34 < SilenceGold> %cat openvpn.conf | grep client-config-dir
10:34 < SilenceGold> client-config-dir /usr/local/etc/openvpn/clientconfig
10:34 < SilenceGold> %ls -alh | grep clientconfig
10:34 < SilenceGold> -rw-r--r-- 1 vpn wheel 0B Jul 1 13:40 clientconfig
10:34 < SilenceGold> %
10:34 < ng12345> ok but you said the file is empty
10:35 < SilenceGold> yep
10:35 < SilenceGold> that's why it is 0B
10:35 < ng12345> right
10:35 < SilenceGold> meaning zero byte/bit
10:35 < ng12345> so how would you indicate a specific machine within that file -- if i were to do it that way
10:35 < SilenceGold> that's not the point
10:35 < SilenceGold> the point is to get the whole routing working
10:36 < SilenceGold> before you go further beyond the scope of the basis of openvpn setup
10:36 < SilenceGold> you're ahead of yourself when you are wanting to use the client-config-dir
10:36 < ng12345> ok
10:36 < ng12345> well really i'm not using that command anyway since it isn't executing :-P
10:37 < SilenceGold> well, you're screwing with something that takes an experienced linux user to do on a linksys router
10:38 < ng12345> ok i'm running my ovpn file without the client-config lines
10:39 < ng12345> now it is exactly like the pasted config on the wiki
10:40 < ng12345> i don't know if it is as much my inexperience with linux as it is my inexperience with routing tables
10:41 < SilenceGold> even experienced linux administrators get stumbled onto those routing problems related to the openvpn setups
10:41 < SilenceGold> if that happens, a rookie will run into a lot more trouble
10:43 < ng12345> alright backtracked to a non clientconfigdir config
10:43 < ng12345> 192.168.1.1 can ping 192.168.0.1
10:44 < ng12345> but 192.168.0.1 can not ping 192.168.1.1
10:44 < ng12345> so it's the same issue
10:44 < ng12345> there is a route missing that is telling the server 192.168.1.0 should go through the client's vpn address
10:47 < SilenceGold> okay
10:47 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"]
10:47 < SilenceGold> then you can try doing it manually to see if you're right..if you're right..then you can put in the new route into the config
10:47 < SilenceGold> if you're wrong, delete the route then try a diff route
10:47 < ng12345> yup doing that now -- isn't working
10:49 < ng12345> this is the current configuration: server lan 192.168.0.0<--10.9.0.1/10.9.0.2 10.9.0.5/10.9.0.6 -->client lan 192.168.1.0
10:49 < ng12345> so the client side can successfully ping 192.168.1.1, 10.9.0.1, and 192.168.0.1
10:50 < ng12345> the server side can successfully ping 192.168.0.1, 10.9.0.6 but not 192.168.1.1
10:53 < SilenceGold> oh wait
10:53 < SilenceGold> I see now
10:53 < SilenceGold> you're doing the route
10:53 < SilenceGold> not the bridge
10:53 < SilenceGold> the server side can't reach beyond the clients
10:53 < SilenceGold> unless you use route
10:53 < SilenceGold> I meant the bridge
10:53 < SilenceGold> unless you use the bridge...that's tap..not tun
10:53 < SilenceGold> tun is route
10:53 < SilenceGold> hrm
10:54 < SilenceGold> or you can turn that client into a route?
10:54 < SilenceGold> *router
10:54 < ng12345> it is a router
10:54 < SilenceGold> I know it's a linksys router
10:54 < SilenceGold> but i meant..to make it route past 192.168.1.0
10:55 < SilenceGold> I think your client is doing one way route...not two way route
10:55 < ng12345> ok
10:55 < ng12345> how do i create the second route
10:55 < SilenceGold> hrm
10:55 < ng12345> i am forwarding all packets over the tunnel to the local ports
10:55 < SilenceGold> make sure your server knows that anything going to 192.168.1.0/24 should be routed to the client's VPN ip
10:56 < SilenceGold> pastebin your server's routing table
10:56 < ng12345> hehe -- ok that is what i've been trying
10:56 < ng12345> it is there already in that previous one
10:56 < SilenceGold> give me the current one
10:57 < ng12345> it's the same but hold on
10:58 < ng12345> http://pastebin.com/m633f81f
11:06 < ng12345> is there a route you would suggest?
11:10 < SilenceGold> don't use 10.9.0.2
11:10 < SilenceGold> use the client's VPN ip address
11:10 < SilenceGold> I think 10.9.0.6 if I am correct
11:10 < ng12345> yah then it says network not reachable
11:11 < ng12345> so i can't add that route
11:11 < SilenceGold> 10.9.0.5?
11:11 < ng12345> same
11:11 < SilenceGold> hrm
11:11 < ng12345> though 10.9.0.6 is pingable
11:11 < SilenceGold> you said that the server can ping 10.9.0.6?
11:11 < ng12345> i can't traceroute it
11:11 < SilenceGold> what ip is the client using for 192.168.1.0/24?
11:12 < ng12345> 192.168.1.1
11:13 < SilenceGold> try that one?
11:14 < ng12345> well that isn't pingable nor traceable
11:14 < SilenceGold> my guess is that your linksys router is limited to do one way routing
11:15 < SilenceGold> not two way router like a real router does
11:15 < SilenceGold> I have two freebsd boxes that are set up just like your linksys routers..
11:15 < SilenceGold> they both are routing two ways
11:15 < SilenceGold> 192.168.0.0/24 LAN network...and 192.168.5.0/24 LAN network all shared via the internet with two DSL connections
11:16 < ng12345> but they are the same linksys routers on both ends
11:16 < ng12345> and i can get two way communication on the client side
11:16 < ng12345> meaning it can receive and transmit packets
11:17 < ng12345> could i see your routing tables/configs?
11:17 < SilenceGold> sure
11:19 < SilenceGold> hrm
11:19 < SilenceGold> can't access inside it from here
11:19 < SilenceGold> I'll do a quick one that uses my public services
11:22 < SilenceGold> http://pastebin.com/d131ae2e6
11:24 < ng12345> k thanks
11:24 < ng12345> alright well thanks for your help
11:24 < ng12345> i guess i'll go fiddle around some more
11:26 < Dougy|Work> morning y'all
11:27 < SilenceGold> morning
11:27 < SilenceGold> btw, you sleep at work?
11:27 < SilenceGold> :)
11:29 < Dougy|Work> No
11:30 < Dougy|Work> Why does everyone ask that
11:30 < Dougy|Work> o.O
11:31 < SilenceGold> 'cause "morning" usually means that you just woke up
11:32 < Dougy|Work> I just walked in
11:32 < Dougy|Work> o.O
11:39 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
11:40 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
12:03 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn []
13:18 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
13:24 < Dougy|Work> LMFAO
13:34 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has quit [Success]
14:27 * Dougy|Work pokes jeev
14:42 < ng12345> yay! i got the pinging to work using tap
14:42 < ng12345> but the client config dir still is messed up
14:47 < Dougy|Work> lol
14:48 < ng12345> dougy do you happen to know the syntax for client-config-dir?
14:49 < ng12345> i've tried everything that i have found on the net, and none of the ccd config files get accessed or run
14:49 < ng12345> and even if i add the ccd-exclusive command in -- it doesn't deny client access when they don't have a ccd file
14:52 < ng12345> this is the config file i made: http://pastebin.com/m4843ea53
15:03 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:05 < Dougy|Work> ng12345, did you look at
15:05 < Dougy|Work> !ccd
15:05 < vpnHelper> Dougy|Work: "ccd" is entries that are basically included into server.conf, but only for the specified client
15:05 < Dougy|Work> oh
15:05 < Dougy|Work> that's useless
15:05 < Dougy|Work> heh
15:05 < Dougy|Work> hold on
15:05 < ng12345> oh is that how you use vpnhelper
15:05 < ng12345> yah i looked everywhere
15:05 < ng12345> i tried client-config-dir ccd
15:05 < Dougy|Work> yes nj
15:05 < Dougy|Work> ng*
15:05 < Dougy|Work> !menu
15:05 < vpnHelper> Dougy|Work: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
15:05 < Dougy|Work> there are all the features s/he/it has
15:06 < ng12345> cool
15:06 < ng12345> i tried help
15:06 < ng12345> and nothing showed up
15:06 < Dougy|Work> ah
15:06 < Dougy|Work> !menu is what you need
15:06 < vpnHelper> Dougy|Work: Error: "menu" is not a valid command.
15:06 < ng12345> !menu
15:06 < vpnHelper> ng12345: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
15:07 < ng12345> it doesn't work in through pms?
15:07 < ng12345> !iroute
15:07 < vpnHelper> ng12345: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
15:07 < ng12345> that is what i am trying to do
15:07 < ng12345> but the ccd command is failing
15:07 < ng12345> on me
15:07 < Dougy|Work> hm
15:07 < Dougy|Work> i've been here for a week and not been able to help one person
15:07 < Dougy|Work> i can do this.
15:07 * Dougy|Work reads
15:07 < ng12345> haha
15:07 < Dougy|Work> by the way ng12345 if you have some time
15:07 < Dougy|Work> check out..
15:08 < Dougy|Work> !forum
15:08 < vpnHelper> Dougy|Work: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
15:08 < Dougy|Work> :P
15:08 < ng12345> yah
15:08 * Dougy|Work thinks
15:08 < ng12345> there is nothing there though
15:08 < ng12345> at least not yet
15:08 < Dougy|Work> join :)
15:08 < Dougy|Work> It'll help
15:08 < Dougy|Work> ll
15:08 < Dougy|Work> lol^
15:08 < ng12345> haha
15:08 < Dougy|Work> If nobody joins, nothing will be there
15:08 < ng12345> that is true
15:08 < Dougy|Work> it's a vicious cycle, like the US economy
15:08 < Dougy|Work> nobody spends, we all suffer more
15:08 < ng12345> i kind of like the volatility in the stock market right now
15:09 < Dougy|Work> i do too
15:09 < Dougy|Work> but everything else is going up up up up up up up
15:09 < ng12345> true
15:09 < Dougy|Work> milk doubled in cost
15:09 < Dougy|Work> for me
15:09 < ng12345> the openvpn guys should turn their mailing list into a forum
15:09 < Dougy|Work> no they shouldn't
15:09 < ng12345> that would be a really good resource given how much info is already there
15:09 < Dougy|Work> ;p
15:09 < ng12345> haha
15:09 < ng12345> have you tried searching through the archives
15:09 < Dougy|Work> because then my effort is worthless
15:10 < ng12345> sourceforge's engine sucks
15:10 < ng12345> ah in that case fine
15:10 < Dougy|Work> exactly
15:10 < Dougy|Work> so screw the mailing list
15:10 < Dougy|Work> everyone just join the forum
15:10 < ng12345> haha
15:10 < ng12345> well i'm using openvpn through tomato on my linksys router
15:10 < ng12345> and it is working fine except the ccd commands aren't being executed
15:11 < Dougy|Work> yeah see i can configure openvpn to boot up
15:11 < Dougy|Work> that's it
15:11 < Dougy|Work> lmfao
15:11 < ng12345> hmm
15:11 < ng12345> and you are creating the forum :-P
15:11 < Dougy|Work> i'm just creating it so it's there
15:11 < ng12345> gotcha
15:11 < Dougy|Work> i'm there to learn as i go more than anything else
15:12 < ng12345> well do you know how to get openvpn to spit out the clients currently connected to it?
15:12 < Dougy|Work> :<
15:12 < Dougy|Work> probably in the log file
15:12 < ng12345> yah but it's not very clean
15:12 < ng12345> hmm stupid ccd
15:13 < Dougy|Work> ng12345: script it
15:13 < Dougy|Work> clean it up
15:13 < Dougy|Work> I can't do that either, but that's a way to do it
15:13 < Dougy|Work> lol
15:14 < ng12345> yah -- me neither
15:14 < ng12345> though i've learned a good amount of how to use the linux console trying to get this openvpn thing set up
15:15 < Dougy|Work> I know how to use Linux via cli a bit
15:15 < Dougy|Work> some
15:15 < Dougy|Work> lol
15:15 < Dougy|Work> I work for a datacenter, i should know how to use awk and sed
15:16 < Dougy|Work> [doug@teb1 ~]$ cat test | sed 's/test/replaced/'
15:16 < Dougy|Work> replaced
15:16 < Dougy|Work> woo i'm a bamf
15:16 < Dougy|Work> :D
15:24 < ng12345> hmm
15:24 < ng12345> i don't know what bamf means
15:25 -!- veokx [i=veox@gateway/tor/x-50d75a792d67c768] has joined ##openvpn
15:25 < Dougy|Work> ng12345
15:25 < Dougy|Work> bad ass mother fucker
15:25 < ng12345> oh
15:25 < ng12345> i don't even know what that command you typed in meant
15:25 < Dougy|Work> i just learned it today
15:25 < Dougy|Work> it echoes the file "test" and replaces any of the word "test" with "replaced"
15:25 < Dougy|Work> it's cool
15:25 < Dougy|Work> run
15:26 < Dougy|Work> echo Barney was a retard | sed -e 's/retard/fatass/'
15:26 < Dougy|Work> watch what it returns
15:26 < Dougy|Work> o.O
15:29 < ng12345> interesting
15:29 < veokx> can i use openvpn to create a virtual lan where all computers are behind nat and no port forwarding is allowed?
15:29 -!- ng12345 [n=chatzill@c-68-46-184-46.hsd1.pa.comcast.net] has quit ["ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]"]
15:32 < Dougy|Work> veokx: I believe so
15:33 < veokx> Dougy|Work: what is one relevant keyword for that solution? :)
15:33 < veokx> Dougy|Work: or expression
15:33 < Dougy|Work> veokx: what do you mean?
15:34 < veokx> Dougy|Work: for google
15:34 < veokx> Dougy|Work: a technology/option name
15:34 < veokx> Dougy|Work: what should i study for that
15:34 < veokx> ?
15:34 < Dougy|Work> Not sure. :( I'm new to this
15:35 < veokx> oh
15:35 < veokx> Dougy|Work: to vpns in general or to openvpn?
15:36 < Dougy|Work> general
15:38 < veokx> oops
15:38 < veokx> that's bad
15:38 < veokx> so how do you deal with your lans?
15:39 < Dougy|Work> I'm new to networking heh
15:39 < Dougy|Work> I just have a plain old linksys router at home
15:43 < veokx> i see
16:20 -!- Dougy|Work [n=doug@64.18.159.247] has quit []
18:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:26 < veokx> can i use openvpn to create a virtual lan where all computers are behind nat and no port forwarding is allowed?
18:40 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has joined ##openvpn
18:52 -!- veokx [i=veox@gateway/tor/x-50d75a792d67c768] has quit [Remote closed the connection]
20:01 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has quit [Connection timed out]
20:12 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
20:26 -!- ElCheapo [n=elcheapo@d199-126-55-162.abhsia.telus.net] has quit [Remote closed the connection]
20:49 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:49 < Dougy> Hey everyone :)
20:53 < Dougy> poor ecrist lmao
20:57 < feighm> Hello Dougy.
20:58 < Dougy> Evening feighm.
20:58 < Dougy> How are you?
20:58 < feighm> Good good.
21:00 < feighm> Dougy. I'm curious. Have you been successful in establishing a VPN connection using your ISP or LAN connection?
21:00 < Dougy> I have created a VPN before.
21:00 * Dougy must be misunderstanding
21:01 < feighm> Yeah, because I haven't been successful trying to create one. It could be NAT issues but I've heard that you can bypass that.
21:01 < Dougy> What exactly are you trying to accomplish?
21:02 < Dougy> A full tunnel? Or what?
21:02 < feighm> I'd like to setup a webserver and VPN it for strict access from different locations.
21:03 < feighm> Yes, a tunnel.
21:03 < feighm> But, it's just that the ISP is using a firewall.
21:03 < feighm> And I'm not sure if openVPN supports or can bypass it.
21:05 < feighm> well, access to a webserver actually behind a NAT.
21:06 < feighm> Dougy: possible?
21:06 < Dougy> Er
21:06 < Dougy> My bad
21:06 * Dougy reads
21:06 < Dougy> I don't see why not
21:06 < Dougy> You should be able to VPN out just fine
21:06 < Dougy> What problem are you having?
21:06 < feighm> i'll have to check if NAT is possible on their website.
21:07 < feighm> The truth. I've never actually set up an VPN because of the firewall issues.
21:08 < feighm> I have openVPN installed but have no way to test it.
21:09 < Dougy> Hm
21:09 < Dougy> If it's running on the server
21:09 < feighm> Could I have a sample of your setup.ini?
21:09 < Dougy> hold on
21:09 < feighm> Or, you could tell me how to configure it and you can connect to my machine host.
21:10 < Dougy> Give me a sec, I need to test something
21:10 < Dougy> test
21:10 < Dougy> I can show you my server.conf sure
21:10 < Dougy> hold on
21:11 < feighm> If you're using a router, it probably should work on my end also.
21:11 < Dougy> Yes, I'm using a Linksys WRT54G.
21:12 < Dougy> I'm also using the beta version of openVPN, not the stable.
21:12 < Dougy> 2.1
21:12 < Dougy> http://rafb.net/p/xlWtCN63.html
21:12 < feighm> Mmm.
21:12 < vpnHelper> Title: Nopaste - No description (at rafb.net)
21:12 < Dougy> However
21:12 < Dougy> That configuration will force you to route ALL traffic through the vpn
21:12 < Dougy> not just connect to it
21:14 < Dougy> remove:
21:14 < Dougy> push "redirect-gateway def1"
21:14 < Dougy> push "dhcp-option DNS 4.2.2.2"
21:14 < Dougy> And it will not route all traffic
21:18 * Dougy pokes feighm
21:35 -!- feighm [n=feighm@121.1.54.50] has quit [No route to host]
21:36 -!- _spike [i=spike@IPv4.addrss.net] has joined ##openvpn
21:36 < _spike> hello
21:36 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
21:37 < _spike> I'd be really appreciative if someone could point me to a tutorial where public ips (non dhcp) are shared...I have one extra IP address, and I want to be able to assign this 1 public ip address to my laptop over some sort of secure tunnel, so that when i'm traveling and such people wont' be able to see everything i'm doing, and i'll have a static IP that i'm connecting to stuff from.
21:41 < Dougy> wb feighm
21:41 < Dougy> _spike, that's easy
21:41 < Dougy> you mean route all traffic through the VPN so it looks like you're surfing frmo the server?
21:41 < Dougy> from^
21:47 * Dougy pokes _spike
21:57 < _spike> yessir
21:57 < _spike> sorry for the delay i'm here now
21:57 < _spike> dougy, you still around?
21:57 < Dougy> ping
21:57 * Dougy jumps around
21:58 < _spike> hmmm
21:58 < _spike> testing testing 123
21:58 < Dougy> hi
21:59 < _spike> not sure if my connection dropped or not here
22:00 < _spike> heya
22:00 < Dougy> nope
22:00 < Dougy> Sup
22:01 < _spike> okay cool, yeah i'm trying to use one of the 5 external ips my freebsd machine has for my laptop...
22:01 < _spike> i want all traffic to that ip go to my laptop and all traffic from my laptop to appear from that ip...
22:09 -!- _spike [i=spike@IPv4.addrss.net] has quit ["changing servers"]
22:15 -!- spike- [i=spike@IPv4.addrss.net] has joined ##openvpn
22:17 < Dougy> erk
22:17 < Dougy> sorry
22:17 < Dougy> spike-, if i disappear
22:17 < Dougy> highlight me
22:17 < Dougy> thats easy spike-
22:19 -!- feighm [n=feighm@121.1.54.50] has quit [No route to host]
22:20 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
22:22 < ecrist> SilenceGold: what were you mumbling about?
22:22 < ecrist> 10:22 ##openvpn: < SilenceGold> did you look at ecrist's site on how to get it working? maybe it'll help 'cause it's plain
22:23 < ecrist> Dougy: poor ecrist, why?
22:23 < Dougy> ecrist, republican national convention
22:25 < ecrist> ah, done for the day - back at 10am tomorrow.
22:25 < ecrist> :\
22:25 < ecrist> it's ok, we got a new boat - 150HP on a 17.5ft Alumacraft.
22:25 < ecrist> :D
22:25 < Dougy> Nice!
22:25 < ecrist> I got to break it in.
22:25 * Dougy is so jealous
22:25 < Dougy> I have a 14" starcraft with a 15 hp
22:25 < Dougy> lmafo
22:25 < ecrist> lol
22:25 < ecrist> we get lights/siren, too.
22:26 < Dougy> lucky
22:26 < ecrist> well, I'm off. It's saturday and I'm not drunk yet.
22:26 < Dougy> Lfmao
22:26 < Dougy> Lmfao*
22:26 < ecrist> l8r
22:26 < Dougy> Night bud
22:26 < Dougy> :)
22:36 < jeev> dooooooooooooooooooooooo
22:36 < Dougy> suppp
22:37 < jeev> nothing much man
22:37 < jeev> i opened a computer repair place
22:37 < jeev> i've been doing business for 6 years
22:37 < jeev> but decided to open a shop
22:37 < jeev> so i just signed lease papers
22:37 < jeev> i wont even be there 5 hours a week but my friend will run it
22:41 < Dougy> lol
22:41 < Dougy> Awesome dude
22:41 < Dougy> where is this store
22:42 < jeev> in los angeles
22:43 < Dougy> oh
22:43 < Dougy> I won't be in LA anytime soon
22:43 < Dougy> lol
22:43 < Dougy> Can they even afford computers in LA?
22:47 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has joined ##openvpn
22:51 -!- feighm [n=feighm@121.1.54.50] has quit [Read error: 113 (No route to host)]
23:00 * Dougy pokes jeev
23:27 -!- JohnMahowald [n=john@fedora/fedorared] has joined ##openvpn
23:40 < SilenceGold> ecrist I was going to point an user to your site with the openvpn how to :)
23:40 < SilenceGold> btw, hi guys
23:41 < Dougy> hi there
23:44 < JohnMahowald> Accessing all the remote subnet on a routed vpn where both client and server are behind NAT routers is proving harder than I anticipated
23:51 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
23:55 < Dougy> Haha
23:58 < spike-> okay sorry bout that
23:58 < spike-> connectivity issues
23:59 < spike-> Anyhow so i've got a freebsd machine with 5 public ips on it, and i've got a laptop. I want to be able to use one of the 5 ips for the laptop, so that no matter where i am i always have the same ip, and people can't sniff me when i'm on shady wireless networks
23:59 < spike-> dougy you still around?
23:59 < Dougy> i am
23:59 < Dougy> it's easy stuff
23:59 < Dougy> http://rafb.net/p/xlWtCN63.html
23:59 < vpnHelper> Title: Nopaste - No description (at rafb.net)
--- Day changed Sun Aug 31 2008
00:00 < Dougy> replace the <> with your ip
00:00 < Dougy> make certs work
00:00 < Dougy> and it'll route all traffic through vpn
00:07 < SilenceGold> spike- I do that too
00:07 < Dougy> oh
00:07 < Dougy> fuck
00:07 < Dougy> Its freebsd.
00:07 < Dougy> Nevermind.
00:07 < SilenceGold> your problem is that you need two diff subnets on the public side
00:07 < Dougy> @ what I said.
00:07 < SilenceGold> one subnet for the openvpn to listen on..and other subnet for the vpn clients, spike-
00:08 < Dougy> spike-,
00:08 < Dougy> !freebsd
00:08 < vpnHelper> Dougy: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
00:08 < Dougy> might help
00:08 < Dougy> off to bed
00:08 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"]
00:09 < SilenceGold> !menu
00:09 < vpnHelper> SilenceGold: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
00:09 < spike-> dammm
00:09 < spike-> i have to have 2 subnets?
00:10 < SilenceGold> yes on the remote server
00:10 < spike-> why can't i just have a tunnel tunneling from the public ip of my laptop to x.x.x.1 (public ip of my server) and then using x.x.x.2 as the ip it connects to the world as
00:10 < SilenceGold> one sec..let me find that FAQ
00:10 < SilenceGold> 'cause you need the routing part
00:10 < spike-> what about in bridge mode?
00:10 < SilenceGold> https://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#How_do_I_route_public_IPs_to_my_VPN_clients_without_using_NATD.3F
00:11 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net)
00:11 < SilenceGold> you still need two diff subnets for either route or bridge
00:11 < spike-> like if i unassign the x.x.x.2 ip from the vpn host server....
00:11 < spike-> so that when the laptop connects it can pull that ip
00:11 < SilenceGold> you still need two subnets
00:11 < SilenceGold> btw, I provide vpn services for the public at low prices :)
00:11 < spike-> how are the speeds?
00:11 < spike-> and how low prices?
00:11 < SilenceGold> it gets 10mbit for some of the students
00:12 < SilenceGold> 20 gb a month for $10 via paypal...I prefer 3 months to be bought in advance
00:12 < SilenceGold> 'cause of the silly fees
00:12 < spike-> so your vpn host is on a 10mbit uplink?
00:12 < SilenceGold> yes
00:12 < spike-> naw that's alright, thanks for the offer though.
00:12 < SilenceGold> http://info.deafhogs.org/index.php/VPN_Access
00:12 < vpnHelper> Title: VPN Access - HaulmarkWiki (at info.deafhogs.org)
00:12 < spike-> I have a server i'd like to use, i just need to figure out how to do it
00:13 < SilenceGold> how many ips does it have?
00:13 < SilenceGold> maybe you can break it into two subnets?
00:14 < SilenceGold> oh
00:14 < SilenceGold> 5 ips
00:14 < SilenceGold> hrm ..you could break it into two subnets..only one ip each side
00:14 < SilenceGold> s/side/subnet/
00:14 < SilenceGold> while two are the broadcast and gateway
00:16 < SilenceGold> or just tell the ISP that you want a new IP range..and that the new subnet is to be routed to one of your current IPs...then set FreeBSD as a router (gateway_enable="YES" in /etc/rc.conf)...then Openvpn server will take care of the routing part
00:16 < spike-> hmmmpf
00:17 < spike-> yeah i don't want to break up my subnet, and the data center this machine is at charges for ips, so i dont' really want to have to request more.
00:17 < SilenceGold> there's no other way
00:17 < spike-> well i could just create a private network right?
00:17 < SilenceGold> OpenVPN requires that the listening ip of the server and the assigning IPs to be in two different subnets
00:17 < SilenceGold> yes
00:17 < spike-> like create 10.2.2.x and have that router to one of the public ips
00:18 < SilenceGold> but you can't route everything thru your server from your laptop
00:18 < spike-> but then i wouldn't be assigning public ips to the laptop
00:18 < SilenceGold> your laptop will think, "Ok to reach 10.2.2.0/24, I need to route them to the OpenVPN's server"
00:18 < spike-> damm
00:18 < SilenceGold> while everything else would go to your local internet access
00:18 < spike-> i need to set this up on a machine with two subnets
00:18 < SilenceGold> I tried that too
00:18 < SilenceGold> correct
00:18 < spike-> not a big problem, just gonna have to put it on a different machine in a different data center
00:18 < spike-> had hoped to keep it on this one
00:19 < SilenceGold> I understand
00:19 < spike-> thanks for the help
00:19 < spike-> guess i'll stick with ssh tunnels for now ... heh :)
00:19 < SilenceGold> np
00:25 -!- feighm [n=feighm@121.1.54.50] has quit [Read error: 113 (No route to host)]
00:31 -!- jeev [n=j@unaffiliated/jeev] has quit [Read error: 104 (Connection reset by peer)]
00:31 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
00:31 -!- feighm [n=feighm@121.1.54.50] has left ##openvpn []
00:36 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
00:37 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
02:16 -!- feighm [n=feighm@121.1.54.50] has left ##openvpn []
02:23 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
02:25 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
03:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:01 -!- SWAT [n=swat@ubuntu/member/swat] has joined ##openvpn
08:03 < SWAT> how can I increase my tls timeout? I've seen the --tls-timeout command line option, is there also config-file entry for this (I prefer setting this in the config file)? It currently has 60 seconds to negotiate the TLS key, and I want to set it to at least 2x that amount.
08:19 < ecrist> it's the same
08:20 < ecrist> so, tls-timeout 120 in your config
08:22 < ecrist> spike-: did you get your problem resolved?
08:54 -!- feighm [n=feighm@121.1.54.50] has left ##openvpn []
10:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
10:38 -!- spike- [i=spike@IPv4.addrss.net] has quit [Remote closed the connection]
11:48 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
12:27 -!- Dougy|Work [n=doug@64.18.159.247] has joined ##openvpn
12:27 * Dougy|Work waves
13:49 -!- MatBoy [n=MatBoy@wiljewelwetenhe.xs4all.nl] has joined ##openvpn
13:49 < MatBoy> has someone been able to open a vpn to a zywall ?
14:01 < Dougy|Work> No idea what a zywall is, so not me
14:11 -!- rmull [n=boom@busw043-0b01-dhcp10.bu.edu] has joined ##openvpn
14:12 < MatBoy> Dougy|Work: firewall from zyxel
14:12 < Dougy|Work> Never heard of
14:12 < Dougy|Work> rmull might now
14:12 < Dougy|Work> s/now/know
14:12 < MatBoy> ok, but he will be here later ?
14:12 < Dougy|Work> rmull is here now, I thinks
14:13 < MatBoy> I don't see him
14:13 < MatBoy> ah
14:13 < MatBoy> ok :)
14:13 < MatBoy> my fault
14:13 < MatBoy> rmull: ping :)
14:13 < Dougy|Work> rmull, ecrist, and krzie are the resident VPN experts
14:13 < Dougy|Work> If you post on the new forum you might get help though
14:14 < MatBoy> ok, nice idea indeed
14:14 < Dougy|Work> (Theres no posts yet, so everyones lurking.. waiting.. for something)
14:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:16 < Dougy|Work> speaking of
14:16 < Dougy|Work> there is the genius himself :)
14:16 * Dougy|Work waves to Jeff
14:19 < rmull> Dougy|Work: What am I knowing?
14:19 < Dougy|Work> rmull: you might know about what he needs
14:19 < Dougy|Work> * MatBoy (n=MatBoy@wiljewelwetenhe.xs4all.nl) has joined ##openvpn
14:19 < Dougy|Work> has someone been able to open a vpn to a zywall ?
14:20 < rmull> I don't know what zywall is
14:20 < rmull> ZyXEL firewall, apparently
14:21 < rmull> That's ipsec stuff, not openvpn. Openvpn won't help you.
14:21 < rmull> Let me read a bit about it though.
14:21 < Dougy|Work> Hah rmull to the rescue, again
14:22 * Dougy|Work buys rmull a shiny badge
14:23 < niekie> Superrmull?
14:23 < krzee> hey dougy
14:23 < krzee> wassu[
14:23 < Dougy|Work> not much, you?
14:24 < krzee> bout to hop in a freezing shower
14:24 < krzee> i need a hot water heater installed in the new house asap
14:24 < krzee> im not going to use the widow maker
14:24 < Dougy|Work> lol
14:24 < krzee> http://brendasblogfromparaguay.blogspot.com/2008/08/widow-maker.html?showComment=1219441800000
14:24 < vpnHelper> Title: Brendas Blog from Paraguay: Widow Maker (at brendasblogfromparaguay.blogspot.com)
14:25 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
14:25 < MatBoy> rmull: using racoon it should be able I think
14:26 < Dougy|Work> Hahaha.
14:26 < rmull> MatBoy: That's got nothing to do with openvpn though, so I can't really comment on it :p
14:26 < krzee> MatBoy, ipsec?
14:27 < MatBoy> krzee: yep ipsec
14:27 < niekie> Uhh.. live wire? Water? What on earth are they thinking? :D
14:27 < MatBoy> rmull: hehe, nice one :D
14:27 < krzee> ya raccoon is whatchya want for that
14:27 < rmull> I just moved to school so I'm not gonna be around much
14:27 < krzee> but rmull has a point, wrong chan for that
14:27 -!- rmull is now known as rmull_
14:27 < krzee> niekie, 3rd world country
14:27 < MatBoy> ok, sorry for that :)
15:29 < SWAT> the network my openvpn server is connected to is very busy, so I've adjusted the TLS authentication timeouts and checkalive commands to compensate. The high network load seems to cause a HMAC failure, could this be a correct assumption and is there anything I can do about it?
15:45 < Dougy|Work> wow
15:45 < Dougy|Work> i just found a NICE old motherboard
15:45 < Dougy|Work> win
15:49 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 54 (Connection reset by peer)]
15:57 -!- QToo [n=travis@c-68-56-131-192.hsd1.fl.comcast.net] has joined ##openvpn
15:59 < QToo> Hello, I need some help with openvpn. I set it up and it worked fine in the office, then a day later it doesn't work. Clients connect and get an IP address but they can't even ping across the connection, the server also can't ping the clients. I'm using 2.0.9 on Windows 2000 server. also using NAT routing method
16:00 < QToo> the only things that have changed is that i rebooted the server machine and there is a new router. the new router has all the same settings as the original
16:00 < QToo> it only worked for one day (the day i set openvpn up) then it stopped
16:13 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has quit [Connection timed out]
16:46 -!- nDuff [n=cduffy@rrcs-71-41-149-67.sw.biz.rr.com] has joined ##openvpn
16:51 -!- oinck [n=kasper@lasvegas.perfect-privacy.com] has joined ##openvpn
16:52 < oinck> hey guys :) i'm using openvpn for a privacy service in ubuntu hardy
16:53 < oinck> currently im starting up my openvpn connection in /etc/rc.local so its set up every session
16:54 < oinck> how do i stop it during a session? if I want to cancel openvpn or choose a different server? i can't find the process in the system monitor and i don't think it runs as a service because i can't cancel it with init.d
16:54 < Dougy|Work> hm
16:54 < oinck> or am i doing it wrong altogether
16:55 < oinck> i had trouble with the gnome network openvpn plugin, because this privacy service has a lot of settings in their openvpn connection i think
16:57 < oinck> i also tried setting up the openvpn in the normal gnome session management, but because it initially requires root rights, that didn't work well
16:58 < oinck> if i'd know how i could abort openvpn i could write some zenity script to switch me to another server without relogging, would make things a lot nicer for me
16:59 < nDuff> oinck, hmm. Personally, I'm fond of using runit for process supervision -- but while that handles commanding shutdowns and restarts, it doesn't necessarily help much in terms of having a convenient way to do reconfiguration.
16:59 < oinck> im a novice obviously, ill look into what you just said because im not familiar with it
16:59 < nDuff> ...also, that's not really as relevant in a desktop kind of scenario.
17:00 < oinck> well this is for a desktop with a direct cable modem
17:01 < oinck> and 12ish openvpn servers to choose from all over the world
17:01 < nDuff> vis-a-vis the session management -- you should be able to have a setuid wrapper that does appropriate privilege escalation; that can also be done via sudo (which supports making rules specific to the command being invoked).
17:02 < oinck> i had a bash script with 'sudo openvpn someserver.ovpn' in it, and tried to add that bash as command to the session
17:02 < oinck> but that didn't work
17:02 < oinck> then i added the command to /etc/rc.local and it worked
17:05 < oinck> im not sure i want to replace upstart with runit, it seems like too much of a headache for a someone like me
17:05 < nDuff> wrt. shutting down the OpenVPN client, btw, the management interface works for that; "signal SIGTERM" will do the trick.
17:05 * nDuff uses runit additional to his vendor-provided init, not in place of
17:06 < oinck> ah ok
17:06 -!- rmull_ [n=boom@busw043-0b01-dhcp10.bu.edu] has quit [Read error: 104 (Connection reset by peer)]
17:06 < nDuff> ...but upstart is flexible enough that it should be able to do anything you're looking for anyhow.
17:06 < oinck> google failure ;)
17:06 < nDuff> ...little embedded systems are, I think, the primary case for runit-as-primary-init.
17:07 < oinck> how do i give that signal to a specific process?
17:07 < oinck> ill try it now, should change my ip hehe
17:07 < nDuff> "signal" is an OpenVPN management command
17:07 < nDuff> if you have the management port turned on, you can connect to it locally
17:08 < nDuff> http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
17:08 < vpnHelper> Title: Management Interface (at openvpn.net)
17:08 < nDuff> ...but that said, you can also just find the PID of the process and give it that signal via kill.
17:08 < oinck> ahh that looks good =)
17:08 < oinck> would the PID be the same each session?
17:08 < nDuff> no
17:09 < oinck> any way to know the PID when calling it in /etc/rc.local?
17:09 < nDuff> but fuser will look it up for you
17:09 < oinck> ah
17:09 < oinck> sorry man, only used linux for 2 years
17:09 < nDuff> ...just tell fuser to look for anything bound to whichever port you have OpenVPN connecting to locally.
17:09 < oinck> erm =)
17:09 < oinck> thats probably in my openvpn conf file sec
17:10 < oinck> locally?
17:10 < nDuff> right; you don't want to filter on the *remote* port
17:10 < oinck> but isnt it locally just any port i use?
17:10 < nDuff> ...as any other software connecting to any other service using that same port would be impacted.
17:10 < oinck> all my web traffic is through my openvpn right
17:11 < nDuff> the local port is dynamically allocated unless you tell it not to be -- which is generally not a bad idea.
17:11 < oinck> ah ok after openvpn
17:11 -!- Concept-P [n=concept@twimp.se] has quit [Read error: 113 (No route to host)]
17:11 < oinck> lol
17:11 < oinck> so i can find a dynamic DIP if i know my dynamic port
17:12 < nDuff> make the local port static, and it doesn't matter if the IP is dynamic; fuser will let you only search on port.
17:13 < oinck> i still only found my remote port, which is different between the 12 servers
17:20 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:29 < nDuff> oinck, grepping through the man page is a good habit to be in :)
17:29 < nDuff> oinck, lport
17:29 < nDuff> oinck, or just enable the management interface and use that
17:29 < oinck> lport?
17:30 < oinck> yeah ill look into that openvpn management link
17:30 < oinck> i did look at the man page
17:30 < oinck> but it has quite a few options =)
17:30 < oinck> and im quite a noob, glad i got it working in the first place
17:31 < oinck> i even had to fix a dns pushing issue first
17:34 -!- oinck [n=kasper@lasvegas.perfect-privacy.com] has quit ["Ex-Chat"]
17:46 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
18:01 < krzie> ive actually never used the management interface
18:31 < Dougy|Work> Whoaaa.
18:31 < Dougy|Work> krzie
18:31 < Dougy|Work> three drunk guys and a hurricane --> http://www.ustream.tv/channel/hurricam!--a-live-cam-from-the-eye-of-gustav
18:31 < vpnHelper> Title: HurriCam! A live cam from the eye of Gustav, Ustream.TV: HurriCam! Live from Houma, LA! Watch Gustav happen from the eye of. (at www.ustream.tv)
18:33 < krzie> hahah
18:35 < Dougy|Work> LMFAO
18:35 < Dougy|Work> BTARD
18:35 < Dougy|Work> ROFL
18:40 -!- gkffjcs [n=john-cha@c-98-193-26-115.hsd1.il.comcast.net] has joined ##openvpn
18:41 -!- gkffjcs [n=john-cha@c-98-193-26-115.hsd1.il.comcast.net] has left ##openvpn ["Konversation terminated!"]
18:47 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
19:36 -!- oinck [n=kasper@lasvegas.perfect-privacy.com] has joined ##openvpn
19:45 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has joined ##openvpn
20:21 < QToo> so
20:22 < QToo> can anyone help me with openvpn, the first time i started openvpn it worked fine, then a day later it's broken without me changing anything. the clients connect but i can't ping anything from either side. there are no firewalls setup in between the client and server
20:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
20:32 -!- shinobi2 [n=goldemta@cpe-204-210-106-229.hawaii.res.rr.com] has joined ##openvpn
20:33 < shinobi2> can openvpn be use as a client to connect to vpn server?
20:34 -!- feighm [n=feighm@121.1.54.50] has quit [No route to host]
20:35 < nDuff> shinobi2, to what kind of VPN server? To an OpenVPN server, certainly.
20:36 < shinobi2> nDuff, i don't know what kind of vpn server.
20:36 < shinobi2> but i just installed openvpn and want to use it as a client
20:36 < nDuff> shinobi2, if you don't know what kind of server, it probably isn't compatible.
20:36 < shinobi2> say it's an openvpn server, how to i connect to it?
20:37 < shinobi2> there's no gui interface
20:37 < nDuff> shinobi2, see the documentation. :)
20:37 < shinobi2> i was able to connect to the vpn server via my windows machine. and i want to set it up on linux
20:37 < shinobi2> ok, i am checking doc
20:38 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
20:38 < nDuff> shinobi2, if you didn't need to use OpenVPN on Windows, it's not an OpenVPN server.
20:38 < shinobi2> no, that's that what i mean.
20:39 < shinobi2> i was able to connect to vpn server (company's intranet) via a windows machine
20:39 < shinobi2> and want to do the same on this box
20:39 < nDuff> shinobi2, right... and you did that on a Windows machine *without installing OpenVPN on that Windows machine*.
20:39 < shinobi2> correct
20:39 < nDuff> shinobi2, so the company server was certainly not running OpenVPN, so you're in the wrong place.
20:39 < nDuff> shinobi2, see OpenSWAN for an IPsec-compliant VPN.
20:57 -!- shinobi2 [n=goldemta@cpe-204-210-106-229.hawaii.res.rr.com] has quit [Read error: 110 (Connection timed out)]
21:25 -!- oinck [n=kasper@lasvegas.perfect-privacy.com] has quit ["Ex-Chat"]
21:33 -!- feighm [n=feighm@121.1.54.50] has quit [No route to host]
21:36 -!- orbisvicis [n=orbisvic@pool-71-187-53-83.nwrknj.fios.verizon.net] has joined ##openvpn
21:43 < orbisvicis> im a bit confused about bridge-start, is eth_ip supposed to be the current ip of the physical interface or an ip address outside of the gateway's dhcp range ?
22:01 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
22:07 -!- orbisvicis [n=orbisvic@pool-71-187-53-83.nwrknj.fios.verizon.net] has quit [Nick collision from services.]
22:08 -!- orbisvicis [n=orbisvic@pool-71-187-53-83.nwrknj.fios.verizon.net] has joined ##openvpn
22:09 < orbisvicis> when i use bridge-start, i get br0 containing tap0 and eth0 but no network, ie pings dont work
22:09 < orbisvicis> br0 has an ip addr. etc, but tap0 and eth0 dont
22:10 < orbisvicis> which is normal i think
22:11 < orbisvicis> shouldnt a plain bridge work without openvpn running ?
22:15 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
22:15 < Dougy> sup
22:16 * Dougy waves
22:17 < orbisvicis> yo
22:17 < Dougy> hey hey
22:24 < orbisvicis> can i get a dhcp server to assign an ip to br0 ?
22:25 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
22:25 < orbisvicis> instead of manual ?
22:26 < orbisvicis> i wonder if this is necessary:
22:26 < orbisvicis> route add default gw $gw
22:30 < orbisvicis> well ive got enough info to play around
22:30 -!- orbisvicis [n=orbisvic@pool-71-187-53-83.nwrknj.fios.verizon.net] has quit ["Leaving"]
22:33 < ecrist> evening, kids
22:34 -!- feighm [n=feighm@121.1.54.50] has quit [No route to host]
23:24 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
--- Day changed Mon Sep 01 2008
00:21 -!- feighm [n=feighm@121.1.54.50] has quit [Read error: 110 (Connection timed out)]
00:36 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has quit [Read error: 110 (Connection timed out)]
00:41 -!- gadi_ [n=gadi@c906687c.static.spo.virtua.com.br] has joined ##openvpn
00:41 < gadi_> hello
00:42 < gadi_> Sun Aug 31 22:40:33 2008 Insufficient key material or header text not found found in file 'keys/fw-sp-pta.key' (0/128/256 bytes found/min/max)
00:42 < gadi_> what is error ?
00:45 -!- orbisvicis [n=orbisvic@pool-71-187-53-83.nwrknj.fios.verizon.net] has joined ##openvpn
01:01 -!- orbisvicis [n=orbisvic@pool-71-187-53-83.nwrknj.fios.verizon.net] has quit ["Leaving"]
01:04 -!- jervine [n=jon@pcd298129.netvigator.com] has joined ##openvpn
01:10 -!- shinobi2 [n=blueligh@cpe-204-210-106-229.hawaii.res.rr.com] has joined ##openvpn
01:10 < shinobi2> how to vpn to company network via command line? how to config connection
01:17 -!- gadi_ [n=gadi@c906687c.static.spo.virtua.com.br] has quit [Read error: 104 (Connection reset by peer)]
01:23 -!- shinobi2 [n=blueligh@cpe-204-210-106-229.hawaii.res.rr.com] has left ##openvpn ["Leaving"]
02:02 -!- JohnMahowald [n=john@fedora/fedorared] has quit [Read error: 104 (Connection reset by peer)]
02:07 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has joined ##openvpn
02:07 -!- JohnMahowald [n=john@fedora/fedorared] has joined ##openvpn
02:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:33 < kraut> moin
02:40 < krzee> !kraut
02:40 < vpnHelper> krzee: "kraut" is moin
02:40 < kraut> !krzee
02:40 < vpnHelper> kraut: "krzee" is http://www.ircpimps.org/pimpin.jpg
02:41 < kraut> omg
02:41 < kraut> should i click!?
02:41 < kraut> brrr, gaylord itself
02:42 < krzee> aww
02:42 < krzee> hows it goin man
03:03 < kraut> fine fine
03:03 < kraut> holliday today :)
03:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
04:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:05 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
05:27 -!- feighm [n=feighm@121.1.54.50] has left ##openvpn []
05:49 -!- SlimG [n=slimg@84.205.48.248] has joined ##openvpn
05:54 < OpenTokix> How do you build openvpn without epoll?
06:33 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
06:33 -!- SlimG [n=slimg@84.205.48.248] has quit ["Lost terminal"]
07:26 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn
08:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
09:11 -!- JohnMahowald [n=john@fedora/fedorared] has quit [Read error: 113 (No route to host)]
09:47 -!- SilenceGold [n=chris@70.232.78.19] has quit ["I've never heard that silence is golden...."]
09:55 -!- SilenceGold [n=chris@70.232.78.19] has joined ##openvpn
10:35 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
11:06 * Dougy pokes ecrist
11:07 * Dougy stabs krzie
12:10 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
12:22 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has quit [Connection timed out]
12:30 < QToo> can anyone help me with openvpn, the first time i started openvpn it worked fine, then a day later it's broken without me changing anything. the clients connect but i can't ping anything from either side. there are no firewalls setup in between the client and server
12:47 -!- int [n=quassel@wikia/int] has joined ##openvpn
12:54 < Dougy> QToo, let me think
13:18 < OpenTokix> I have a wonderful openvpn problem
13:19 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
13:20 < mooseman089> hey
13:21 < mooseman089> is it a safe to modify /etc/init.d/openvpn to run bridge-start?
13:21 < OpenTokix> Dougy: I have a machine that complains about tls handshake failure. It is however not network or time trouble.
13:21 < Dougy> Pastebin it
13:22 < OpenTokix> the log?
13:22 < Dougy> yes
13:22 < Dougy> QToo, did any server settings change?
13:23 < Dougy> Brb, back in like 15 13:23 < Dougy> I'll se if i can help either of you then 13:23 < Dougy> s/se/see 13:25 < OpenTokix> Dougy: http://pastebin.com/d781f0d3b 13:29 < QToo> dougy: no 13:30 < QToo> dougy: even when i connect the clients from within the LAN (using a LAN address) i still can't ping across the connection 13:30 < OpenTokix> QToo: tcp or udp? 13:30 < QToo> tcp 13:30 < OpenTokix> ok 13:30 < OpenTokix> try udp 13:31 < OpenTokix> udp > tcp for vpn 13:45 < Dougy> back 13:45 < Dougy> Yeah, udp is better 13:46 -!- jackjk981 [n=Jackjk@c-24-18-236-180.hsd1.mn.comcast.net] has joined ##openvpn 13:46 < Dougy> OpenTokix, do you have ipsec running 13:47 < OpenTokix> Dougy: no 13:47 < Dougy> Windows client? 13:48 < OpenTokix> Dougy: no 13:48 < Dougy> What OS is the client and server running 13:48 < OpenTokix> Dougy: It was "something"(tm) with openvpn 2.1 rc9 n Debian Lenny 13:48 < OpenTokix> Dougy: Server Debian Lenny, clients various linux 13:48 < Dougy> ah 13:49 < Dougy> Do all clients have taht issue? 13:49 < Dougy> that* 13:49 < OpenTokix> no 13:49 < OpenTokix> just some 13:49 < jackjk981> hi all. i am trying to set up a simple roadwarrior vpn (vista laptop connects back to win2k3 server at home then all traffic is routed thru vpn). i am using bridged adapter on win2k3. my laptop can get an ip but there is no default gateway set (i pushed route-gateway to the client laptop though). any ideas? 13:49 < Dougy> Is there a distro in common? 13:49 < OpenTokix> suse 13:49 < OpenTokix> different releases 13:49 < OpenTokix> from 9.1 to 10.0 13:49 < OpenTokix> all in between 13:50 < Dougy> Can you set the logging to verb 7 13:50 < Dougy> on server+client 13:50 < Dougy> pastebin it afte it errors 13:50 < Dougy> Tun or tap? 
13:50 < OpenTokix> tun 13:50 < OpenTokix> It is working now 13:50 < OpenTokix> I can"at fiddlw with it more 13:50 < OpenTokix> since I need to gather stats on one of the clients just joined the vpn 13:51 < OpenTokix> for the next hour or so 13:53 < jackjk981> anyone? 13:54 < Dougy> jackjk981, what's your question 13:54 < jackjk981> i am trying to set up a simple roadwarrior vpn (vista laptop connects back to win2k3 server at home then all traffic is routed thru vpn). i am using bridged adapter on win2k3. my laptop can get an ip but there is no default gateway set (i pushed route-gateway to the client laptop though). any ideas? 13:54 < Dougy> man, i wish people would go to my openvpn forum and post their problems instead of comin here :( 13:55 < OpenTokix> Dougy: whats the url? 13:55 < Dougy> !forum 13:55 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 13:55 < Dougy> !menu 13:55 < vpnHelper> Dougy: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum 13:55 < Dougy> !bridge 13:55 < vpnHelper> Dougy: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 13:55 < Dougy> jackjk981, some of that might be of use 13:55 < jackjk981> thanks 13:55 < Dougy> !more 13:55 < vpnHelper> Dougy: the protocol uses MAC addresses instead of IP addresses. 
13:56 < Dougy> there, completed sentence 13:56 < Dougy> hah 13:56 < Dougy> jackjk981, do you need bridging? 13:56 < jackjk981> i have a really old home router which won't let me add static routes. i am a newb but from what i read, i need to be able to add routes to my gateway for routing to work 13:57 < Dougy> I'm behind a linksys router 13:57 < Dougy> I dont use bridging 13:57 < Dougy> I use tun, and it works fine 13:58 < jackjk981> i am after the easiest solution! 13:58 < Dougy> Well, mine is real simple 13:58 < Dougy> Bridging :( 13:59 < Dougy> !ts-cipher 13:59 < vpnHelper> Dougy: Error: "ts-cipher" is not a valid command. 13:59 < Dougy> !tls-cipher 13:59 < vpnHelper> Dougy: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users 14:00 < Dougy> !dev 14:00 < vpnHelper> Dougy: Error: "dev" is not a valid command. 14:00 < Dougy> erk 14:00 < Dougy> !menu 14:00 < vpnHelper> Dougy: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum 14:00 < Dougy> !forget menu 14:00 < vpnHelper> Dougy: The operation succeeded. 14:00 < Dougy> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum 14:00 < vpnHelper> Dougy: The operation succeeded. 
14:01 < Dougy> Try not usign bridging, jackjk981 14:01 < Dougy> s/usign/using/ 14:16 < Dougy> Bbiaf 14:17 < QToo> is there some place i can look that just shows a list of every setting that can be in the configuration file and shows which ones are required and which ones are optional? 14:17 < mooseman089> how would i redirect firefox browsing through the vpn in windows? 14:30 < Dougy> mooseman089, you can route all traffic through the vpn 14:30 < Dougy> with redirect-gateway I believe 14:30 < Dougy> push "redirect-gateway def1" in config 14:30 < Dougy> and all traffic will go through the vpn 14:30 < Dougy> gahhhhhh the forum is ded 14:30 < mooseman089> alright ill give that a shot 14:31 < Dougy> make sure you set it to push a dns server tho 14:53 < jackjk981> slightly off topic but on a simple network (single subnet) do I need STA enabled? i created a bridged network in win2k3 and its enabled it 14:59 < Dougy> no idea 15:02 -!- jackjk981 [n=Jackjk@c-24-18-236-180.hsd1.mn.comcast.net] has quit [Read error: 54 (Connection reset by peer)] 15:28 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [] 15:51 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:52 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn 15:56 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 60 (Operation timed out)] 16:04 < Dougy> hey daemon 16:04 < daemon> hey Dougy 16:05 < Dougy> whats up 16:05 < daemon> not much just installing icecast on debian and some other stuff 16:05 < daemon> this OS is not nearly as bad as I expected 16:06 < Dougy> What do you mean 16:06 < daemon> Well its not as bad as I expected 16:06 < Dougy> Debian is nice. 16:06 < Dougy> This is a reminder for everyone to join the new forum! 
16:06 < Dougy> !forum 16:06 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 16:07 < daemon> its not as bad as I expected ^^ pretty much sums it up for me 16:10 < Dougy> Haha :) 16:11 < Dougy> daemon, please read the announcement hah 16:16 < daemon> Dougy, announcement (0_o) for openvpn...? debian? 16:16 < Dougy> erm 16:16 < Dougy> the reminderi meant 16:17 -!- w00ted [n=w00t@81.23.59.232] has joined ##openvpn 16:17 < w00ted> Hey 16:18 < w00ted> Quick bit of assistance if anyone is available? 16:20 < Dougy> sup 16:22 -!- w00ted [n=w00t@81.23.59.232] has quit [] 16:22 -!- w00ted [n=w00t@81.23.59.232] has joined ##openvpn 16:23 < w00ted> I have OpenVPN setup and working 16:23 < w00ted> I would like to route internet traffic through the VPN, the important bit is incoming traffic 16:23 < w00ted> Is this possible? 16:27 < Dougy> yes 16:27 < Dougy> you can route all traffic through it 16:27 < Dougy> in+out 16:28 -!- w00ted [n=w00t@81.23.59.232] has quit [Read error: 113 (No route to host)] 16:30 -!- w00ted [n=w00t@81.23.59.232] has joined ##openvpn 16:30 < Dougy> yes, you can w00ted 16:30 < w00ted> Awesome 16:30 < Dougy> !menu 16:30 < vpnHelper> Dougy: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum 16:30 < Dougy> You need the redirect-gateway setting. 16:30 < w00ted> The host is a ded in a data center 16:30 < w00ted> it has a bunch of spare IPs 16:31 < w00ted> this means I can have one of those IPs point to my home machine yes? all ports? 
16:32 < Dougy> not point to it 16:32 < Dougy> but you can route your home net through it, yes 16:32 < Dougy> so when you browse etc its from the server's ip 16:32 < w00ted> The important part is the incoming connections 16:32 < Dougy> yes, all in + out 16:33 < w00ted> Great 16:33 < w00ted> My ISP blocks all incoming ports 16:33 < w00ted> I can't SSH in from elsewhere, etc that's the idea behind this VPN setup 16:34 < Dougy> yeah 16:34 < Dougy> it'll work 16:35 < Dougy> (for that) 16:35 < w00ted> Cool 16:35 < Dougy> i believe the setting is 16:35 < Dougy> push "redirect-gateway def1" 16:35 < w00ted> Won't that conflict with SSHing into the server though? 16:35 < Dougy> shouldn't 16:35 < w00ted> I need to somehow have the VPN connection use a different IP 16:36 < SilenceGold> w00ted look here: http://info.deafhogs.org/index.php/VPN_Access 16:36 < vpnHelper> Title: VPN Access - HaulmarkWiki (at info.deafhogs.org) 16:37 < w00ted> Thanks 16:37 -!- Sir_J [n=Sir_J@91.149.157.95] has joined ##openvpn 16:37 < Sir_J> hi guys 16:37 < SilenceGold> under "listening services" ..that's what you wanted to do? 16:37 < Sir_J> I have the following connections vpn-client1 <-> vpn server <-> vpn-client2 16:37 < SilenceGold> *servers..not services 16:37 < Sir_J> how can I route all traffic from vpn-client1 via vpn-client2 ? 16:38 < Sir_J> routing via vpn-server is ok 16:38 < Sir_J> but how can I route all traffic via another vpn-client ? 16:38 -!- w00ted [n=w00t@81.23.59.232] has quit [] 16:38 < Sir_J> is it possible ? 16:38 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 16:39 -!- w00ted [n=w00t@81.23.59.232] has joined ##openvpn 16:40 < w00ted> That's what I want to to SilenceGold 16:40 < w00ted> that site is selling it as a service though. 
I already have the server and OpenVPN working, but I can't figure out how to give myself one of the remote machines IP addresses to listen for incoming connections on 16:41 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 16:41 < w00ted> I get a private IP (like 10.0 / 192.168 / etc) 16:42 < w00ted> do I have to bridge the tun0 with the eth1:1 (the interface and IP I want to use)? 16:47 -!- w00ted [n=w00t@81.23.59.232] has quit [] 16:57 -!- Sir_J [n=Sir_J@91.149.157.95] has quit [Read error: 104 (Connection reset by peer)] 17:06 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 145 (Connection timed out)] 17:40 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 17:57 -!- feighm [n=feighm@121.1.54.50] has quit [Read error: 104 (Connection reset by peer)] 18:00 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn 18:02 -!- w00ted [n=w00t@81.23.59.232] has joined ##openvpn 18:03 < w00ted> Man I don't think I've ever been so confused! 18:04 < w00ted> I just want to use an IP address from one machine on another 18:04 < w00ted> lol 18:07 < w00ted> Do the local/remote peer addresses have to be private IPs? 18:08 < w00ted> coudn't I just use an internet IP (it's free for exclusive use by the remote machine) and be done with it? 18:12 * w00ted pulls his remaining hair out 18:16 < w00ted> Ok - I'll give anyone who can fix this free hosting on 100mbit. You can have 10GB disk space and half a TB a month for the next 6 months for free just get this working! :) 18:17 < w00ted> Oh, and background processes are ok just don't rape all the CPU :) 18:28 < w00ted> No bite? 18:30 < nDuff> w00ted, the endpoint IPs *can* be public, but there's no point to it -- you need all the extra routing entries in that case as you do when they're private. 18:31 < w00ted> Ah, crap. 18:31 < w00ted> Was hoping could make my life easy :) 18:31 < nDuff> well, it shouldn't be all that hard in any case. 
18:32 < w00ted> I just want the IP on eth:1 on the remote machine to be as if it was directly connected to tun1 (as in this machine) 18:32 < nDuff> just forward any traffic you want handled by the other side through its IP on that point-to-point link, and there you are. 18:32 < w00ted> oop, tap0 I mean 18:33 < nDuff> hrm. the *easiest* way to do that is with a tap adapter, but you get more overhead that way as opposed to using tun and doing IP-based forwarding. 18:34 < nDuff> ...with the tap approach you don't even really need to deal with private IPs and routing at all. 18:35 < nDuff> ...think of a tap VPN as a really long ethernet cable -- you can bridge it to a physical network to span them, directly assign an IP (without bridging) that's valid for for the network bridged on the *other* side, etc. 18:37 * nDuff isn't up for the hosting offer, btw -- no need for it, really, and ${EMPLOYER} frowns on folks using company resources (my workstation, right now) for personal profit. 18:37 < nDuff> w00ted, do you control both endpoints? 18:38 < w00ted> yes 18:38 < nDuff> okay, cool. And the system where the IP is presently routed to has an additional IP to that one, I hope? 18:39 < w00ted> The server in the datacenter? 18:39 < w00ted> It has 4 IPs 18:39 < w00ted> one is shared by the webservers, etc 18:39 < nDuff> ...and one of those is the one you want to move elsewhere, yes? 18:40 < w00ted> the others are not assigned to anything 18:40 < nDuff> w00ted, then doing this the inefficient way is pretty easy. 18:40 < w00ted> I want one to be my home IP through that VPN :) 18:40 < nDuff> got it. 18:40 < w00ted> How much overhead are we looking? there's about 8ms between me and the datacenter so it hopefully shouldn't be a major prob 18:41 < nDuff> I don't remember exactly; shouldn't be more than 100 bytes per frame, plus copies of all broadcast traffic on the network. 
18:42 < nDuff> the broadcast traffic is the one that has potential to get ugly; you can filter that out using ebtables with some extra work. 18:42 < w00ted> Home link is capable of 10mbit full duplex, server 100mbit full duplex. Never any contention issues, so probably not a big deal 18:43 < w00ted> I just want to be able to receive incoming connections to my home machine. Not being able to VNC, SSH, P2P, etc is such a waste of a very fast link! 18:43 < nDuff> so -- first step is to set up a simple tap-based VPN; on the server side, you're going to be bridging (http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html), and on the client side you're going to directly assign the IP to the tap device. 18:43 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 18:44 < w00ted> with the bridging, the server only has eth0 which is the internet connection 18:44 < w00ted> is that going to cause a problem? 18:45 < nDuff> on the server side, you'll make br0 which has eth0 as a member, and assign eth0's IP address to br0 18:45 < nDuff> ...and when the VPN is up, you'll have it add tap0 to br0 as a second member. 18:46 < nDuff> ...for the initial configuration, it *is* best if you have an out-of-band management approach, or hands-and-eyes on site. 18:46 < w00ted> The VPN is already working, with private IPs for now, so that's configged at leased 18:46 < w00ted> out-of-band? 18:47 < nDuff> w00ted, something like a DRAC or iLO you can use to work on the server even if its network configuration is broken. 18:47 < w00ted> but how would I stay connected to it? 18:47 < nDuff> DRAC cards have their own, separate NICs 18:47 < w00ted> Ah 18:48 < nDuff> ...which are up even when the machine itself is turned off (so you can command the DRAC to power on your server) 18:48 < w00ted> I see. It's pretty expensive to get to the data center and add hardware, and I'd probably have to pay a premium to do so 18:49 < nDuff> w00ted, *nod*. 
Does your service come with hands-and-eyes? If they'll just walk over and reboot your server for you if you break something, that's good enough; I'm just thinking in terms of having a safety net before we move the primary IP off of eth0 to br0. 18:49 < nDuff> w00ted, what's the OS, btw? Is it a RHEL-derivative? 18:49 < w00ted> CentOS 18:50 < nDuff> okay, good; I can give you network configuration to set up a bridge on that. 18:50 < w00ted> I have a remote admin panel that can power cycle and KVMoIP (at a charge) 18:50 < nDuff> jeesh, those folks are nickle-and-diming 'ya. 18:51 < w00ted> power cycle is free 18:51 < w00ted> KVMoIP is not 18:52 < nDuff> ahh. 18:52 < nDuff> see http://pastebin.ca/1190991, adjust to correct IP address and MAC address. 18:53 < nDuff> ...then in your up script for the VPN connection, "brctl addif br0 tap0" 18:53 < nDuff> don't assign an IP to either eth0 or tap0 on the server. 18:54 < nDuff> then on the client, assign the IP in question to tap0 after the VPN is up 18:54 < nDuff> ...and you should be good to go. 18:56 < w00ted> so the br0 IP should be the public internet IP I would like to use yes? 18:57 < w00ted> and the MAC on eth0 I should change to the correct one for my NIC? 18:58 < nDuff> the br0 IP on the *server* should be the one used by the existing web server running on that machine 18:58 < nDuff> the br0 IP on the *client* should be the one you're delegating across the VPN 18:59 < nDuff> ...and yes, change the MAC on eth0 to be the correct one for your NIC. 18:59 < w00ted> Which one on the existing web server. The one I want to use (spare) or the master? 19:00 < nDuff> okay, waitamoment... to make sure I'm clear -- are you running the VPN on your existing web server, or on a different host? 19:00 < nDuff> I assumed it was the former. 19:01 < w00ted> On the webserver yes 19:01 < nDuff> okay, right. 
so if you're running the VPN on the webserver, br0 should have the webserver's IP 19:01 < w00ted> master IP, or the spare one I want to use? 19:02 < nDuff> the spare IP should *only* be assigned on the VPN client, and not anywhere else. 19:03 < nDuff> so if the "master IP" is the one assigned to the host, which existing clients use to access the web pages it serves, that's what should be moved from eth0 to br0 on that host. 19:03 < w00ted> Right. 19:03 < w00ted> Would that also mean existing web traffic is going to be bridged down the VPN? 19:05 < nDuff> it works the same way an ethernet switch does. 19:06 < nDuff> ...so ARP requests will go down the tunnel, but as they aren't answered the traffic itself won't. 19:06 < w00ted> Ok 19:06 < w00ted> So when there's load on the webserver there'll be a bit of traffic coming to my home machine bit nothing major? 19:07 < nDuff> once the local router has your web server in its ARP table, there shouldn't be more requests 19:07 < nDuff> so there shouldn't be all that much traffic at all, unless the network there has a bunch of broadcast floating around. 19:08 < nDuff> ...if that's the case, you'll want to use ebtables to filter the broadcast traffic being sent down the pipe, and details on doing that are outside the scope of this conversation. :) 19:12 < w00ted> Ok 19:17 < w00ted> I'm scared :) 19:21 < nDuff> If you were in the neighborhood, I wouldn't mind helping out in person -- it's a holiday, after all, and I have a long history of working for gift certificates &c. (my wife appreciates "free dates"), but as I believe there's a pond between us, that doesn't appear to be an option. 19:21 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:21 < w00ted> "free dates"? 19:21 < nDuff> Anyhow, if you can get the web server's IP transferred over to the bridge and working, that's really the step with most of the risk. 19:21 < nDuff> w00ted, ie. 
an opportunity when we can have a night out with someone else paying 19:21 < w00ted> Ooooh yeah :) 19:22 < w00ted> Well, even if you were local, my server is hidden away in rapidswitch somewhere 19:24 < Dougy> I'll go unhook it then 19:24 < w00ted> It's a rental anyway not a co-lo 19:25 < w00ted> despite me being able to run 4x the specs as a co-lo at half the price lol 19:25 < w00ted> and not having to pay ridiculous amounts extra each month if I wanted to say pop a bigger drive in 19:27 * nDuff uses a friendly local ISP's colocation ~10 minutes away from his office... but will probably be having systems moved to his new owners' internal hosting soon. (Fortune 50 types apparently don't like paying for external hosting... go figure). 19:28 < nDuff> ...but yar, if I want to go over there to make a change I just walk in, wave my badge, put my hand on the biometric scanner, and step right in and walk over to the cabinet 19:28 < nDuff> ...never had to deal with places where physical access to the servers was something one had to pay for yet. 19:29 < w00ted> Awesome 19:29 < w00ted> I wouldn't have to pay if it was co-lo, but it's their server so I have to pay for them to do stuff to it 19:29 < nDuff> ahh. 19:29 < w00ted> and my server draws too much power 19:29 < w00ted> and I didn't like their extra power charges 19:30 < w00ted> only give you 120w for a 1U, it'd be hanging like crazy all the time it's a quad core2 based xeon 2Ghz 19:31 < w00ted> So I rent their Core 2 Duo 2.2ghz for twice the price and a tiiiiiny hard drive. lol 19:32 < w00ted> Right this paste you sent me 19:32 < w00ted> I've changed the MAC and IPs 19:33 < w00ted> but the br0 doesn't have the GATEWAY=78.129.142.1 line? 19:33 < w00ted> and the eth0 doesn't have TYPE=Ethernet ? 
19:33 -!- feighm [n=feighm@121.1.54.50] has quit [Read error: 54 (Connection reset by peer)] 19:34 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn 19:37 < w00ted> I've written to both files 19:37 < w00ted> do I dare type restart? lol 19:39 < w00ted> The system is going down for reboot NOW! 19:40 < w00ted> *fingers firmly crossed eagearly awaiting for it to start returning pings again!* 19:42 < nDuff> /etc/init.d/network restart might have been faster 19:42 < nDuff> ...I hope you did add the gateway line, btw 19:42 < w00ted> Yeah I did 19:43 < w00ted> Uhhh 19:43 * nDuff just got back from the kitchen; his employer's engineering department spent their new furniture budget on an espresso machine last time they moved, and the result is... delicious. 19:43 < w00ted> It's not responding to pings yet! :( 19:44 < nDuff> anything else that might have needed changes to work with br0 rather than eth0, ie. firewall configs? 19:44 < w00ted> Firewall was off 19:45 < w00ted> Hrm, admin panel tells me the switch port has ethernet link 19:45 < w00ted> but no pings still 19:46 < nDuff> might need that KVM access then if it continues to not come up. :( 19:46 < w00ted> Bugga 19:46 < nDuff> you made sure the bridge-utils package was installed, right? 19:47 < w00ted> No 19:47 < w00ted> Whoops I guess that's needed? 19:47 < nDuff> ooh; that might have done it. (Granted, I didn't remember to ask you to check it, but it was specified in the OpenVPN bridging web page I pointed at) 19:48 < w00ted> KVMoIP time then! 19:50 < w00ted> Heh 19:50 < nDuff> eh? 19:51 < w00ted> I should have set up some script that waited 10 mins then replaced the original settings unless I connected and cancelled it 19:51 < nDuff> ahh, hindsight. *sigh*. 19:51 < nDuff> anything obvious once you're in? 
(If not, you might try seeing what "/etc/init.d/network start" says) 19:52 * w00ted twiddles his thumbs feeling stupid as a technician plugs in the KVMoIP hardware 19:54 < w00ted> How's this work anyway, I guess I VNC in or something? 19:55 < nDuff> presumably; the DRAC's remote console is just modified VNC (via a browser-plugin client) 19:55 < nDuff> ...so it may well be a web-based thing. 19:56 < w00ted> Cool 19:56 < w00ted> Just so long as I can see what's up 19:57 < w00ted> "First, make sure you have the bridge-utils package installed." 19:57 < w00ted> Damn I should pay more attention 20:00 < w00ted> Ah, and installing that will be fun too..... I hate yum it always just says to me 'nothing to do' and I have to fiddle for hours where as opt is just apt-get install blah, done! 20:00 < w00ted> *apt 20:00 * nDuff has his yum-sources controlled by puppet 20:01 < nDuff> ...setting them to a local mirror (managed by cobbler, which is also handling PXE booting clients) works fairly well. 20:01 < w00ted> Aha it's ready 20:02 < w00ted> VNC.... 4 hour session so I should get long enough to have a few goes :) 20:04 < Dougy> PXE !!!!!!!!!!!!!! 20:04 < Dougy> :D 20:11 < nDuff> w00ted, I'm doing actual work in another window; if you need my attention, use my nick. 
20:11 < w00ted> ok thanks mate 20:11 < w00ted> I'm in 20:12 < w00ted> it was the lack of bridge utils 20:12 < w00ted> thanks so much for all your help 20:13 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 20:24 < SilenceGold> hey w00ted 20:24 < SilenceGold> I'm the guy that runs that VPN service that provides public ips 20:24 < SilenceGold> you just need two subnets on that dedicated servers 20:24 < SilenceGold> one subnet for openvpn to listen on 20:25 < SilenceGold> and then other 2nd subnet that has those public ips to give out to the vpn clients 20:25 < SilenceGold> your ISP will have to route the 2nd subnet to one of your ips in the 1st subnet..so your openvpn server can deal with the routings 20:25 < SilenceGold> (I didn't bother to scroll up and read up) 20:27 < nDuff> SilenceGold, I'm helping him set up a (suboptimal, but easy) tap-based configuration; he's only doing a single client, and doesn't seem too worried about the overhead. 20:28 < w00ted> I'm getting there I think 20:29 < Dougy> jeeeeeeeev 20:29 < w00ted> I have the eth0 and br0 up 20:29 < w00ted> I just cant get out to the internet from the VPN connection yet 20:29 < jeev> sup 20:30 < Dougy> heyhey 20:30 < jeev> bored out of my ass 20:31 < Dougy> http://www.ovpnforum.com/showthread.php?p=9#post9 20:31 < Dougy> er 20:31 < Dougy> wrong window hah 20:31 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 20:31 < nDuff> w00ted, is that to say that they're both up on the client as well as the server presently? 20:32 < w00ted> I can connect with openvpn now 20:32 < w00ted> I appear to have the right IP 20:32 < w00ted> and I can connect to the server as if I was local 20:33 < w00ted> but I get Network is unreachable if I try to go out to the net 20:38 -!- w00ted [n=w00t@81.23.59.232] has left ##openvpn [] 20:38 -!- w00ted [n=w00t@81.23.59.232] has joined ##openvpn 20:39 < nDuff> okay, cool -- so you just need an appropriate routing table entry. 
20:39 < nDuff> whoever is the default gateway from the server needs to be your default gateway on the client going through the tap device as well 20:39 < w00ted> Yep I set that 20:39 < w00ted> but I can't reach it over the VPN 20:39 < nDuff> does it show up in the routing table? 20:40 < nDuff> do you see the packets going over the VPN using wireshark/tcpdump/etc? 20:40 < w00ted> Um, I can get to and from the server over the VPN 20:40 < w00ted> just not outside it 20:41 < nDuff> right, but do packets *destined to the outside* from the client show up at the server using wireshark or tcpdump? 20:41 < w00ted> let me see 20:41 < w00ted> I lose internet connectivity every time I start the VPN heh 20:43 < w00ted> tcpdump shows so much traffic from all over the place I can't see it 20:44 < nDuff> that's why you tell tcpdump to filter 20:44 < nDuff> so tcpdump -w somefile.pcap -i br0 "host ${IP_YOU_DELEGATED_TO_THE_CLIENT}" 20:45 < nDuff> ^^ saving it to a file, so you can do additional filtering or inspection later. 20:46 < w00ted> 02:45:29.765883 arp who-has 78.129.142.86 tell 78.129.142.86 20:46 < w00ted> that's all it captured, as soon as I started the session. nothing else 20:46 < w00ted> oops 20:47 < w00ted> 02:45:29.765883 arp who-has 78.129.142.86 tell 78.129.142.1 20:47 < w00ted> that's it even 20:47 < nDuff> okay, that looks a little more like it 20:47 < w00ted> I assume that's me trying to contact the gateway 20:47 < nDuff> ...so the gateway (I'm assuming that's who .1 is) is trying to figure out how to talk to the client, and presumably hasn't gotten an ARP response for it yet. 20:48 < nDuff> now, any relevant ARP requests should be getting bridged over to the tunnel, so your client should be receiving them and trying to respond 20:49 < nDuff> ...so you should check whether tcpdump on the client shows it getting the ARP request at all (and trying to respond); if it's not getting the request, then that gives us other places to look. 
20:49 < w00ted> I can't even ping 78.129.142.1 though? 20:51 < nDuff> right, but the question is why. If ARP requests from 78.129.142.1 aren't being sent over the bridge, that would explain part of the problem (it can't find your MAC address to be able to send packets to you). 20:59 -!- w00ted [n=w00t@81.23.59.232] has quit [Nick collision from services.] 21:00 -!- w00ted [n=w00t@81.23.59.232] has joined ##openvpn 21:17 -!- w00ted [n=w00t@81.23.59.232] has quit [Nick collision from services.] 21:17 -!- w00ted [n=w00t@78.129.142.86] has joined ##openvpn 21:17 < w00ted> whoop whoop 21:17 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 21:17 < w00ted> "Your IP Address Is 78.129.142.86" 21:30 < Dougy> :O 21:44 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has quit ["—I-n-v-i-s-i-o-n— 2.0 Build 3515"] 21:47 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 21:53 < w00ted> Ah this is awesome 21:54 < w00ted> It's just as responsive as ever (am I really going to notice 8ms?) and loads of apps that rely on incoming connections are all worknig brilliantly 21:54 < w00ted> instead of all working on passive (or not at all!) 
21:55 < w00ted> thank you nDuff, I'll buy you a case of beer PM me :) 22:05 -!- jeev [n=email@unaffiliated/jeev] has quit ["ircN 8.00 for mIRC (20080809) - www.ircN.org"] 22:08 -!- feighm [n=feighm@121.1.54.50] has quit [Read error: 113 (No route to host)] 22:08 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 22:12 -!- w00ted [n=w00t@78.129.142.86] has quit [Read error: 104 (Connection reset by peer)] 22:14 -!- w00ted [n=w00t@78.129.142.86] has joined ##openvpn 22:23 -!- w00ted [n=w00t@78.129.142.86] has quit [] --- Day changed Tue Sep 02 2008 00:07 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 00:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:46 -!- feighm [n=feighm@121.1.54.50] has joined ##openvpn 02:34 -!- hyphenex [n=scott@nickstallman.net] has joined ##openvpn 02:36 < hyphenex> I'm living at uni and I've only got "HTTP proxy" access to the world wide web. Is there a way I could set up OpenVPN on a machine at home, so I could connect through the HTTP back home then directly out to the internet from there? (so things such as SIP would then work?) 03:23 < kraut> moin 03:23 < hyphenex> Morning 03:55 -!- thefish [n=thefish@unaffiliated/thefish] has quit ["leaving"] 04:35 -!- snowboarder04 [n=un@serv.bemail.co.uk] has joined ##openvpn 04:36 < snowboarder04> hi guys... here's the article... 
http://www.theregister.co.uk/2008/09/01/openvpn_primer/ 04:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:06 -!- hyphenex [n=scott@nickstallman.net] has left ##openvpn ["Leaving"] 06:49 -!- feighm [n=feighm@121.1.54.50] has quit [Read error: 104 (Connection reset by peer)] 08:10 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn 08:10 < plaerzen> good morning irc 08:18 < cpm> morning 08:24 -!- snowboarder04 [n=un@serv.bemail.co.uk] has left ##openvpn [] 08:53 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 08:58 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 09:21 -!- Sulpicus [n=llange@nat/redhat/x-349a8f37cd34eef7] has joined ##openvpn 09:22 < Sulpicus> Question how can i send packets to the openvpn internal routing engine? 09:24 < Sulpicus> I have a setup where i use client/server tun devices to access remote networks and route between these. But there is also the local network that should be able to reach all remote networks. Do i really have to open a openvpn connection locally to connect the local net? 09:32 -!- int [n=quassel@wikia/int] has quit [Read error: 101 (Network is unreachable)] 10:43 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has left ##openvpn [] 11:26 -!- Sulpicus [n=llange@nat/redhat/x-349a8f37cd34eef7] has quit [Read error: 110 (Connection timed out)] 11:26 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:37 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn 11:47 -!- pred2k5 [n=Torsten@dslb-088-069-203-070.pools.arcor-ip.net] has joined ##openvpn 11:48 < pred2k5> hi, I iroute a network behind a certain client, but when I for example try to get a hostname from an ip behind that client, it says "localhost", how can that be? 
11:48 < pred2k5> I remember that it was working once
11:52 < pred2k5> of course I "nat" the net behind the client
11:58 < pred2k5> in wireshark I can see, that he tries to send the nbns packet to 10.8.0.31, though my other side ip is 10.8.0.29
11:58 < pred2k5> (client ip is 10.8.0.3)
11:58 < pred2k5> (client ip is 10.8.0.30)
11:59 < Dougy|Work> Erm
11:59 * Dougy|Work reads
12:02 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"]
12:02 < Dougy|Work> No idea
12:02 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
12:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
12:14 < pred2k5> ah ok, 31 seems to be the broadcast
13:03 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
13:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:28 -!- Dougy|Work [n=doug@64.18.159.247] has quit [Read error: 60 (Operation timed out)]
15:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:52 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has quit ["BitchX: EPIC on steroids."]
15:55 -!- plaerzen [n=plaerzen@S010600119505deed.cg.shawcable.net] has joined ##openvpn
16:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:49 -!- pred2k5 [n=Torsten@dslb-088-069-203-070.pools.arcor-ip.net] has quit []
17:01 < ecrist> fooooooooooooooooo
17:01 < ecrist> I fucked all your mom's asses.
17:08 < ecrist> nobody around today?
17:16 < plaerzen> lol
17:17 < plaerzen> I'm hanging out in #opensso
17:24 < ecrist> you hang out in too many places.
17:24 * ecrist is on day 5 of his vacation.
17:24 * ecrist is drunk.
17:24 < ecrist> (took 5 time to type that (3 time to type this sentence))
17:24 < ecrist> grr
17:26 < plaerzen> lol
17:27 < plaerzen> Yeah I know. #openvpn will always be my home though
17:27 < plaerzen> I just have a lot of projects on the go... and I'm a junior so I will take all the help I can get from IRC
18:18 < QToo> fuck
18:18 < QToo> fuck bank of america
18:18 < QToo> i didn't check my account for two days
18:18 < QToo> and i get charged 9 overdraft fees
18:18 < QToo> of $35 a piece
18:18 < QToo> all of which wouldn't have happened had it not been for the first one
18:19 < QToo> $315 in overdraft fees
18:22 * nDuff wonders when (over his year or so of absence) #openvpn became a social channel rather than a support forum.
18:38 < QToo> well
18:39 < QToo> i've asked questions in here
18:39 < QToo> maybe 8 times
18:39 < QToo> and waited in here
18:39 < QToo> i haven't been off of this channel in days
18:39 < QToo> and no one has answered me
18:39 -!- QToo [n=travis@c-68-56-131-192.hsd1.fl.comcast.net] has quit ["Leaving"]
18:51 -!- plaerzen [n=plaerzen@S010600119505deed.cg.shawcable.net] has quit ["Leaving"]
19:43 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
19:43 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
19:56 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
20:02 -!- w00ted [n=w00t@78.129.142.86] has joined ##openvpn
20:02 < w00ted> Hey hey :)
20:09 * w00ted wonders how the hell OpenVPN is handling 1,000 active connections and a fairly high bandwidth load whilst only consuming 4% CPU and 400kb of RAM?!
21:52 -!- trnzmeta [n=bleh@iinet.guard.com.au] has joined ##openvpn
21:53 < trnzmeta> guys: any setting to give specific IPs to hosts?
22:10 < mrbnet> trnzmeta: the documentation has information about client config files
22:11 < mrbnet> trnzmeta: create a client config file that uses the common name of the client certificate that is connecting. You can then specify the ip address in that file
22:12 < trnzmeta> yeah simple ifconfig in client script
22:12 < trnzmeta> still something not smooth, thanks anyways
22:18 -!- w00ted is now known as w00t|away
23:17 < mrbnet> trnzmeta: did you use ifconfig-push in the client config file?
23:26 < ecrist> trnzmeta: yes, ccds
23:27 -!- Irssi: ##openvpn: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal]
23:43 < ecrist> grrrr
23:48 < trnzmeta> nope I turned off ip-client pool in server
23:48 < trnzmeta> and set the ip manually on client
23:49 < trnzmeta> I wanted static anyways
--- Day changed Wed Sep 03 2008
00:58 -!- harpal [n=Harpal@122.169.108.195] has joined ##openvpn
01:01 -!- hyphenex [n=scott@nimmo-37.its.uow.edu.au] has joined ##openvpn
01:02 < hyphenex> Hey guys. I've got a big issue. I think I can connect fine (I get one error ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address)
01:02 < hyphenex> but I can not ping my server
01:03 < hyphenex> I get 100% packet loss
01:03 < hyphenex> oahh, and I'm trying to ping 10.8.0.1 (ed Sep 3 16:00:00 2008 /sbin/ifconfig tun0 10.8.0.2 10.8.0.1 mtu 1500 netmask 255.255.255.255 up)
01:05 < hyphenex> I'm not sure if they are related
01:15 < hyphenex> everyone asleep? :(
01:18 < harpal> I have installed openvpn and when I start it says that you dont have openvpn.conf file
01:18 < harpal> where can i find that file
01:18 < hyphenex> harpal: You write it
01:18 < hyphenex> what platform are we talking?
01:19 < hyphenex> *nix?
01:20 < harpal> hyphenex: I have Gentoo Linux
01:20 < hyphenex> harpal: yeah, you can look in your doc directory for example config files
01:20 < hyphenex> I think they go in /etc/openvpn
01:21 < harpal> hyphenex: in /etc/openvpn there is no file :(
01:36 -!- hyphenex [n=scott@nimmo-37.its.uow.edu.au] has quit ["Leaving"]
01:40 -!- w00t|away is now known as w00t
01:41 -!- faileas [n=geek@cm87.delta16.maxonline.com.sg] has joined ##openvpn
02:05 < kraut> moin
02:07 -!- faileas [n=geek@cm87.delta16.maxonline.com.sg] has left ##openvpn ["Konversation terminated!"]
02:21 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:26 < harpal> I have start with http://slackware.osuosl.org/slackware_source/n/openvpn/openvpn.conf.sample Is that fine?
02:26 < harpal> I have an machine which will work as VPN gateway and firewall and content filtering. now does I should use openvpn as server?
02:32 < krzee> you just setup openvpn to route the traffic over
02:32 < krzee> you'll still want a firewall on your OS and you can use something like a http proxy or socks for content filtering
02:33 < krzee> squid is a widely used http proxy
02:33 < krzee> !sample
02:33 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
02:36 < harpal> krzee: ok. I am using squid and I have used firewall. now in sample config I should take only server part?
02:37 < harpal> and put that to openvpn.conf file?
02:37 < krzee> ya
02:37 < krzee> your firewall will need to do NAT too
02:38 < harpal> krzee: why? thats only for vpn only?
02:38 < krzee> ya openvpn leaves nat to the OS
02:38 < krzee> you using linux?
02:38 < harpal> Gentoo Linux
02:39 < krzee> !nat
02:40 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect
02:40 < krzee> but i guess maybe squid will do that for you actually
02:40 < krzee> for web traffic only
02:41 < krzee> if its like socks at least, i know you can make socks listen on 1 ip and use a different one for the outbound connection
02:45 < harpal> Hey how can i do like this https://sslvpn.demo.sonicwall.com/cgi-bin/welcome
02:45 < vpnHelper> Title: SonicWALL SSL-VPN Demonstration Site (at sslvpn.demo.sonicwall.com)
02:56 < svenx> oh dear
02:57 < svenx> harpal: that's not what openvpn does
02:57 < harpal> svenx: Then?
02:57 < svenx> the sonicwall thing is a *web*-based "vpn", that uses ssl for crypto
02:57 < svenx> openvpn is *not* web-based, but still uses ssl for crypto
02:58 < harpal> Ohhhh so thats different from openvpn
02:59 -!- w00t is now known as w00t|away
03:00 < svenx> openvpn will give you a true vpn, with an encrypted layer 3 network -> good
03:01 < svenx> sonicwall web-"vpn" will give you a false application-based vpn that requires a browser with java, and limited usability -> bad
03:14 < harpal> svenx: ok.
03:20 < krzee> kraut, moin
03:20 < kraut> grützi, krzee
03:22 < krzee> gr"utzi mittenand
03:25 -!- Sir_J [n=aaa@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
03:25 < Sir_J> hi guys
03:26 < Sir_J> I have the following schema vpn-client1 <-> vpn server <-> vpn client2
03:26 < Sir_J> is it possible to allow vpn-client1 pass all traffic through vpn client2
03:30 < Sir_J> I mean situation when default route for vpn-client1 is vpn-client2
03:38 < Sir_J> it's easy implement with pptp, but still not clear how do the same with openvpn
03:42 < harpal> Hey Can I use certificate generated using openssl?
03:53 -!- trnzmeta [n=bleh@iinet.guard.com.au] has quit []
04:22 < harpal> kraut: is it possible? because I have ipsec vpn also and have certificated generated from openssl.
04:24 -!- SilenceGold [n=chris@70.232.78.19] has quit [Read error: 110 (Connection timed out)]
04:46 < krzee> Sir_J, yes, but traffic will flow through server
04:47 < krzee> harpal, not sure but ild just generate new ones anyways
04:53 < krzee> Sir_J, in fact if you are planning on expanding that you can even route through a client which is connected to 2 servers
04:53 < krzee> for chaining openvpns to obfuscate routes or whatever
04:54 < harpal> krzee: problem is that it looks same certificate if you generate for ipsec or openvpn. so that may save some time. so I dont want to put two certificate generation option
04:56 < harpal> krzee: I have system which have all vpn, iptables and content filtering in same box. and its configuration is done by only webpage
04:56 < harpal> so if I use 2 page for certificate generation that not looks good, if it does same thing
04:56 < harpal> what do you say? let me try that
04:58 < krzee> you could change your system to generate all the certs on 1 page...
04:59 < krzee> but hell it dont hurt to try the certs
04:59 < krzee> as long as your trust them
04:59 < krzee> s/your/you
05:00 < harpal> krzee: ok
05:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:11 -!- Sir_J [n=aaa@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 113 (No route to host)]
05:16 -!- w00t|away is now known as w00t
05:35 -!- SilenceGold [n=chris@70.232.57.225] has joined ##openvpn
05:48 -!- Sir_J [n=aaa@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
05:48 < Sir_J> krzee that's ok
05:48 < Sir_J> but how can I do it?
05:51 < krzee> you just gotta setup the routes
05:51 < krzee> so
05:51 < krzee> client - server - client that routes traffic to inet
05:52 < krzee> got names for the clients to make it easier?
05:54 < krzee> you will wanna use ccd entries
05:54 < krzee> give each client its own static ip for the vpn using ifconfig
05:54 < krzee> you wanna use tun
05:55 < krzee> !ccd
05:55 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client
05:55 < krzee> you want client-to-client in the server config
05:55 < krzee> if its client1 --- server --- client2
05:56 < krzee> client1 being the one tunneling and client2 being the default route for client1
05:56 < krzee> client 2 will need NAT
05:56 < krzee> !nat
05:56 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect
05:57 < Sir_J> how client2 will be default route for client1 ?
05:57 < Sir_J> client-to-client is enabled
05:57 < krzee> k
05:57 < krzee> lets say client2 is 10.8.0.6
05:57 < Sir_J> how can I setup routes for client1 so way that all traffic is being redirected to client2 ?
05:57 < krzee> and client1 is 10.8.0.10
05:57 < Sir_J> via client2
05:58 < krzee> openvpn will add a route for 10.8.0.* to go over 10.8.0.1
05:58 < Sir_J> yet, it's ok
05:59 < krzee> then you will tell it that 0.0.0.0 goes to 10.8.0.6
05:59 -!- harpal [n=Harpal@122.169.108.195] has quit [Read error: 104 (Connection reset by peer)]
05:59 < Sir_J> krzee how?
05:59 < krzee> in a push route
05:59 < krzee> in ccd
06:00 < krzee> !push
06:00 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
06:00 < krzee> in fact although its not exactly about what you want, this may shine some light on some openvpn things
06:00 < krzee> !route
06:00 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
06:01 < krzee> a writeup i made about route, push route, ccd, iroute
06:02 < krzee> its geared towards sharing of the lans, but nice for understanding those things about ovpn
06:02 < krzee> but if you dont have NAT on client2...
06:02 -!- Sir_J is now known as Guest46861
06:02 < krzee> your connections wont happen
06:02 -!- Guest46861 [n=aaa@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 113 (No route to host)]
06:04 -!- Sir_J [n=aaa@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
06:04 < Sir_J> sorry, internet connection is lost
06:04 < Sir_J> krzee, I've tried to write in the server config push 0.0.0.0 0.0.0.0
06:04 < Sir_J> and in the ccd file for client2 iroute 0.0.0.0 0.0.0.0
06:05 < krzee> no
06:05 < Sir_J> but that didn't work because vpn server had 2 default routes
06:05 < krzee> 1, you dont need iroute
06:05 < Sir_J> and the first one has been used
06:05 < Sir_J> erm?
06:05 < krzee> understandable after reading my doc
06:05 < krzee> second, its not 0.0.0.0 0.0.0.0
06:05 < Sir_J> do you mean redirect ?
06:06 < Sir_J> !redirect
06:06 < vpnHelper> Sir_J: Error: "redirect" is not a valid command.
06:06 < krzee> whats the vpn ip for client2?
06:06 < Sir_J> client1 - 192.168.1.6, client2 - 192.168.11.10
06:06 < Sir_J> sorry
06:06 < Sir_J> client1 - 192.168.11.6, client2 - 192.168.11.10
06:07 < krzee> k, giving those by ifconfig commands in ccd?
06:07 < krzee> cause if it changes, it'll break everything once everything is setup
06:08 < Sir_J> yes, I'll add ifconfig directive for both ccd clients
06:08 < Sir_J> but this not enough, right ?
06:08 < krzee> right
06:09 < krzee> client needs a line that says pull
06:09 < krzee> (thats not all yet)
06:09 < Sir_J> what directives should I add to server config or into client2 ccd config to make client2 default route for client1 ?
06:09 < krzee> client 1 is routing through client2 in what i been saying
06:10 < krzee> which is why i asked for names
06:10 < krzee> to keep from confusion hehe
06:10 < Sir_J> sorry, I've missed that step
06:11 < Sir_J> http://openvpn.net/index.php/documentation/howto.html#redirect <-- this doc says how route all traffic via vpn server
06:11 < vpnHelper> Title: HOWTO (at openvpn.net)
06:11 < Sir_J> but I'd like to know how route all traffic now via vpn server but via client2
06:12 < krzee> push "route-gateway 192.168.11.10"
06:12 < krzee> dude i get it
06:12 < krzee> i was reading the man page for you
06:12 < Sir_J> push "route-gateway 192.168.11.10" to ccd/client2 ?
06:12 < krzee> to client1
06:12 < krzee> since client1 is trying to route through client2
06:13 < Sir_J> ahh
06:13 < krzee> and client2 has the ip 192.168.11.10
06:13 < Sir_J> sorry, I didn't find route-gateway directive in the howto
06:13 < Sir_J> thanks a lot
06:13 < krzee> its in the man page
06:13 < krzee> !man
06:13 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
06:13 < krzee> !devman
06:13 < vpnHelper> krzee: Error: "devman" is not a valid command.
06:13 < krzee> !mandev
06:13 < vpnHelper> krzee: Error: "mandev" is not a valid command.
06:13 < krzee> bleh
06:13 < krzee> !menu
06:13 < vpnHelper> krzee: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
06:13 < krzee> !betaman
06:13 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html
06:14 -!- w00t is now known as w00t|away
06:14 < krzee> dont leave yet
06:15 < Sir_J> looks like route-gateway is all that I need
06:15 < Sir_J> :)
06:15 < krzee> also
06:15 < krzee> no
06:15 < krzee> look at:
06:15 < krzee> --redirect-gateway flags...
06:15 < krzee> This option performs three steps:
06:15 < krzee> (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
06:15 < krzee> (2) Delete the default gateway route.
06:15 < krzee> (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
06:16 < Sir_J> erm
06:16 < krzee> def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
06:16 < krzee> bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
06:16 < krzee> (only if you got windows clients)
06:16 < Sir_J> no, default route on the vpn server shouldn't be rewritten
06:17 < krzee> not on the server
06:17 < krzee> these are meant for clients
06:17 < krzee> servers dont need to change their routing table for a new default gateway
06:17 < krzee> haha
06:18 < krzee> so at the least you want push "redirect-gateway def1"
06:18 < Sir_J> what is def1 ?
06:18 < krzee> in the same ccd file after route-gateway
06:18 < krzee> =[
06:18 < krzee> if you dont read the manpage at least read my pasting it
06:18 < krzee> [07:16] def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
06:19 < Sir_J> no-no I mean why def1 and not bof1 or sof1 :)
06:19 < krzee> umm
06:19 < krzee> default
06:19 < krzee> def
06:19 < krzee> whats bof and sof?
06:20 < krzee> def1, default gateways using /1
06:20 < Sir_J> as I see I need to write in ccd/client1 directives push "route-gateway 192.168.11.10" and push "redirect-gateway def1", right ?
06:20 < krzee> so your existing 0.0.0.0/0 route doesnt get written over, or used
06:20 < krzee> yes, but you should be giving it it's ifconfig above both of those
06:21 < krzee> after the ifconfig i'ld add route-delay 5 just in case
06:21 < Sir_J> ifconfig just to use static ips for client1 and for client2, right?
06:21 < krzee> yes
06:21 < krzee> you must use static ips for this
06:21 < Sir_J> uff, it's clear now
06:21 < krzee> ya it was really just a matter of routing
06:22 < Sir_J> ordinary pptpd is easy to understand, openvpn is more complicated :)
06:22 < krzee> its easier when you take it for what it is
06:22 < krzee> people always expect it to do things for you
06:23 < krzee> but it just makes the connection, leaves everything up to the OS
06:23 < Sir_J> it's easy cause it's easy to configure (ip, ss, iptables used) and easy to create client connections
06:23 < Sir_J> windows has only 3 steps to connect to pptpd
06:23 < Sir_J> openvpn is more complex
06:23 < krzee> how many steps to crack pptpd? ;]
06:24 < Sir_J> crack O_O ?
06:24 < Sir_J> I don't think so
06:24 < krzee> its happened
06:24 < krzee> http://packetstormsecurity.org/sniffers/pptp.html
06:24 < vpnHelper> Title: Counterpane Systems: PPTP Crack (at packetstormsecurity.org)
06:25 < krzee> Counterpane Systems has exposed insecurities in Microsoft's Point to Point Tunneling Protocol.
06:25 < Sir_J> no, if mschap2 is used (used all the time), pptpd is difficult to crack
06:25 < krzee> http://www.schneier.com/pptp.html
06:25 < vpnHelper> Title: PPTP (at www.schneier.com)
06:25 < krzee> See also: Exploiting known security holes in Microsoft's PPTP Authentication Extensions (MS-CHAPv2) by Jochen Eisinger
06:25 < Sir_J> erm
06:25 < krzee> heh
06:26 < Sir_J> I didn't know that
06:26 < krzee> http://penguin-breeder.org/pptp/
06:26 < vpnHelper> Title: Penguin-Breeder - Analysis of PPTP (at penguin-breeder.org)
06:26 < krzee> "Anyway, while I thought it was obvious that PPTP wouldn't meet our requirements, others thought it wasn't. "Microsoft says it's secure, everybody is using it, and besides, it's those weaknesses are only theoretical". To prove those points false, I summarized my results and wrote a short program demonstrating how easy a password can be extracted from the MSCHAPv2 authentication protocol."
06:27 < Sir_J> it's interesting
06:27 < krzee> on the other hand
06:27 < krzee> i use 4096 DH
06:27 < Sir_J> could you share it ?
06:27 < krzee> 4096 RSA on my certs
06:27 < krzee> 4096 TLS static key for hmac sigs
06:27 < Sir_J> you program extracts hash or ready passwords ?
06:28 < krzee> client cert checks server cert for special server sig (added when CA signs the cert)
06:28 < krzee> no i didnt write any of that
06:28 < krzee> im just an end-user
06:28 < Sir_J> ahh
06:28 < Sir_J> but theoretically
06:28 < krzee> but im and end-user that prefers good strong encryption
06:28 < Sir_J> this guy extracts passwords or just hashes
06:28 < krzee> dude, pptp has been owned
06:28 < krzee> a couple times
06:29 < krzee> iirc IPsec had some proven weaknesses before too, dunno status of that now
06:29 < krzee> openvpn relies on ssl, which has yet to be proven cracked
06:29 < krzee> defaults to using blowfish, while you can override it to use anything that all involved openssl's support
06:30 < krzee> blowfish is generally accepted as strong by those who care
06:30 < Sir_J> yep, you right
06:31 < krzee> http://ikecrack.sourceforge.net/
06:31 < vpnHelper> Title: IKECrack - Bruteforce crack for IPSec (at ikecrack.sourceforge.net)
06:32 < krzee> !security
06:32 < vpnHelper> krzee: Error: "security" is not a valid command.
06:32 < krzee> !secure
06:32 < vpnHelper> krzee: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html
06:32 < Sir_J> another, question how can openvpn be reconnected after internet connection is lost ?
06:32 < krzee> !forget secure *
06:32 < vpnHelper> krzee: The operation succeeded.
06:32 < krzee> !learn secure as http://openvpn.net/howto.html#security for hardening
06:32 < vpnHelper> krzee: The operation succeeded.
06:33 < krzee> !learn secure as http://openvpn.net/index.php/documentation/security-overview.html for security overview
06:33 < vpnHelper> krzee: The operation succeeded.
06:33 < krzee> Sir_J, have a look at the manpage
06:33 < krzee> !betaman
06:33 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html
06:34 < krzee> you will find a wealth of information!
06:34 < krzee> !sample
06:34 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
06:34 < krzee> but you want
06:34 < krzee> persist-key
06:35 < krzee> persist-tun
06:35 < krzee> in all configs
06:35 < krzee> keepalive 10 120
06:35 < krzee> in server config
06:35 < krzee> resolv-retry infinite
06:35 < krzee> in client configs
06:36 < Sir_J> erm
06:36 < krzee> If hostname resolve fails for --remote, retry resolve for n seconds before failing.
06:36 < krzee> Set n to "infinite" to retry indefinitely.
06:36 < krzee> By default, --resolv-retry infinite is enabled. You can disable by setting n=0.
06:36 < krzee> i guess you wont need resolv-retry infinite since its default
06:37 < Sir_J> thank you, it's clear
06:37 < krzee> --keepalive n m
06:37 < krzee> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
06:37 < krzee> For example, --keepalive 10 60 expands as follows:
06:37 < krzee>
06:37 < krzee> if mode server:
06:37 < krzee>   ping 10
06:37 < krzee>   ping-restart 120
06:37 < krzee>   push "ping 10"
06:37 < krzee>   push "ping-restart 60"
06:37 < krzee> else
06:37 < krzee>   ping 10
06:37 < krzee>   ping-restart 60
06:38 < krzee> read the manual, its huge but you will understand openvpn far better
06:39 < krzee> and you may find things you wanna use that werent mentioned
06:44 < Sir_J> :)
06:48 < Sir_J> thank you for complex answer
06:48 < krzee> yw
07:02 -!- Sir_J [n=aaa@mm-207-159-57-86.adsl.mgts.by] has quit []
07:09 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
08:10 -!- SilenceGold [n=chris@70.232.57.225] has quit [Read error: 104 (Connection reset by peer)]
08:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:16 -!- w00t|away is now known as w00t
08:22 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
08:29 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
08:33 -!- w00t is now known as w00t|away
10:55 -!- w00t|away is now known as w00t
11:08 -!- jbrouhard [n=jbrouhar@63.77.240.181] has joined ##openvpn
11:09 < jbrouhard> I could use a little help figuring this out
11:09 < jbrouhard> when building the server cert (on CentOS5) it keeps saying /etc/openvpn/keys/serial doesn't exist
11:09 < jbrouhard> but it's there, and CHMOD 777 just to see what's up with it
11:10 -!- w00t is now known as w00t|away
11:27 -!- w00t|away is now known as w00t
11:54 -!- tmccrary [n=tmccrary@68.78.185.226] has joined ##openvpn
11:55 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:55 < tmccrary> Can clients push routes when they connect to a server?
13:02 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:02 -!- jbrouhard [n=jbrouhar@63.77.240.181] has left ##openvpn []
13:03 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
13:06 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
13:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:32 -!- gallatin [n=gallatin@dslb-092-073-120-041.pools.arcor-ip.net] has joined ##OpenVPN
13:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:50 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
14:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:07 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
15:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:44 -!- gallatin [n=gallatin@dslb-092-073-120-041.pools.arcor-ip.net] has quit [Remote closed the connection]
16:05 -!- tmccrary [n=tmccrary@68.78.185.226] has left ##openvpn []
16:20 -!- w00t is now known as w00t|away
16:25 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:34 -!- maek [n=maek@ip65-44-219-34.z219-44-65.customer.algx.net] has joined ##openvpn
16:34 < maek> is there a trick to using if up ?
16:34 < maek> I have a script that does what I want, using sudo but it wont run from openvpn. just says "error"
17:02 -!- Sir_J [n=sir_j@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
17:03 < Sir_J> hi guys
17:03 < Sir_J> krzie, hi
17:03 < Sir_J> I've tried schema we talked today but it didn't work
17:23 -!- Sir_J [n=sir_j@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)]
17:27 -!- Sir_J [n=sir_j@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
17:39 -!- SilenceGold [n=chris@70.232.72.54] has joined ##openvpn
17:52 -!- Sir_J is now known as Guest39984
17:52 -!- Guest39984 [n=sir_j@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 110 (Connection timed out)]
17:53 -!- Sir_J [n=sir_j@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
17:57 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
18:07 -!- SilenceGold [n=chris@70.232.72.54] has quit [Nick collision from services.]
18:07 -!- SilenceGold [n=chris@70.232.98.249] has joined ##openvpn
18:19 -!- Sir_J [n=sir_j@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)]
18:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 113 (No route to host)]
18:40 -!- Sir_J [n=sir_j@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
18:47 -!- maek [n=maek@ip65-44-219-34.z219-44-65.customer.algx.net] has left ##openvpn []
19:16 -!- Sir_J [n=sir_j@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 110 (Connection timed out)]
19:18 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
19:59 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
21:17 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
21:24 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:24 < Dougy> hey
21:24 < Dougy> just a heads up
21:24 < Dougy> i wont be around much now that school has started except for weekends
21:24 < Dougy> gotta run
21:24 < Dougy> toodles
21:24 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Client Quit]
22:46 < ecrist> shhh
23:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:49 -!- SilenceGold [n=chris@70.232.98.249] has quit [Read error: 110 (Connection timed out)]
23:51 -!- dingus8 [i=thedingu@64-91-124-145.stat.centurytel.net] has joined ##openvpn
23:53 < dingus8> any one know of any routers that come with openvpn?
--- Day changed Thu Sep 04 2008
00:14 -!- mucimon_ [n=mucimon@host134-227-static.57-82-b.business.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
00:27 < krzee> dingus8, no
00:28 < krzee> those linux setups on linux firmwares can run openvpn
00:32 -!- dingus8 [i=thedingu@64-91-124-145.stat.centurytel.net] has quit [Read error: 110 (Connection timed out)]
00:59 -!- EvilRick [i=chatzill@41.207.226.226] has joined ##openvpn
00:59 < EvilRick> hey guys, just having a tiny problem here with the tun driver, I get cannot open /dev/net/tun from openvpn but in the meanwhile I have /dev/tun
01:01 < krzee> i have a simple solution that doesnt change the problem
01:01 < krzee> a symlink
01:01 < EvilRick> yeah .. doing that already :)
01:01 < krzee> =]
01:02 < krzee> os?
01:02 < EvilRick> just wondering what the proper solution was.
01:02 < EvilRick> using openwrt kamikaze
01:02 < EvilRick> 2.6 kernel
01:03 < EvilRick> previously under 2.4 and devfs the device appeared in /dev/net/tun
01:03 < EvilRick> but now with udev its in /dev/net
01:04 < krzee> dev-node /dev/tun
01:05 < krzee> Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc. If OpenVPN cannot figure out whether node is a TUN or TAP device based on the name, you should also specify --dev-type tun or --dev-type tap.
01:06 < krzee> !ifconfig
01:06 < vpnHelper> krzee: Error: "ifconfig" is not a valid command.
01:06 < EvilRick> ta muchly
01:06 < krzee> !learn ifconfig as Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
01:06 < vpnHelper> krzee: The operation succeeded.
01:07 < krzee> !forget ifconfig
01:07 < vpnHelper> krzee: The operation succeeded.
01:07 < krzee> !learn ifconfig as usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
01:07 < vpnHelper> krzee: The operation succeeded.
01:08 < krzee> EvilRick, you're welcome
01:09 < krzee> !menu
01:09 < vpnHelper> krzee: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
01:09 < krzee> !forget menu
01:09 < vpnHelper> krzee: The operation succeeded.
01:09 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig
01:09 < vpnHelper> krzee: The operation succeeded.
01:10 < krzee> !learn security as [secure]
01:10 < jeev> !learn jeev = awesome
01:10 < vpnHelper> krzee: The operation succeeded.
01:10 < vpnHelper> jeev: Invalid arguments for learn.
01:10 < krzee> !security
01:10 < vpnHelper> krzee: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
01:10 < jeev> !learn jeev is the awesome
01:10 < vpnHelper> jeev: Invalid arguments for learn.
01:10 < jeev> you suck vpnHelper.
01:10 < krzee> hehe
01:10 * jeev stabs krzee in the eye
01:10 < krzee> !krzee
01:10 < vpnHelper> krzee: "krzee" is http://www.ircpimps.org/pimpin.jpg
01:11 < jeev> lol i can't look now
01:11 < jeev> i hate lookin at pics when my brother is in my room
01:11 < jeev> i dont want him to think i'm gay
01:11 < krzee> its not a picture of me
01:11 < krzee> lol
01:11 < jeev> i feel uncomfortable for him to even see me lookin at chix too
01:11 < jeev> i know but still
01:11 < krzee> haha
01:15 < jeev> heh
01:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
01:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:17 -!- Sir_J [n=aaa@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
04:00 -!- kotique [n=picachu@host-static-89-41-72-147.moldtelecom.md] has joined ##openvpn
04:00 < kotique> how do I tell it NOT to push me default gateway ? I have my own routing
04:01 < kotique> I can't change server's global config, but can change my, in ccd/ dir
04:02 < Sir_J> i suppose that if server config has directive push "redirect-gateway" you can't change it (not sure)
04:02 < kotique> damn guys, why ???
04:02 < kotique> let's say I have provider who offers openvpn services
04:02 < Sir_J> remove it manually :)
04:02 < kotique> let's say I'm their client, why can't I configure so my CLIENT doesn't accept what server offers ?
04:03 < kotique> i thought I'm the boss here, not the other guys
04:03 < kotique> that's dumb
04:03 < Sir_J> maybe you can, I'm newb
04:04 < kotique> is there any directive to negate the push "redirect-gateway" option in ccd/ client config ?
04:04 < Sir_J> try to remove it manually
04:04 < Sir_J> client config has directives like up, route-up
04:04 < Sir_J> you can write some scripts there
04:08 < krzee> kotique, thats not how its setup
04:08 < Sir_J> ohh krzee
04:08 < Sir_J> :)
04:08 < krzee> in fact you're asking why you cant circumvent how its setp
04:08 < kotique> --push-reset
04:08 < krzee> setup
04:09 < Sir_J> krzee I've tried technique we talked yesterday
04:09 < Sir_J> unfortunately it didn't work
04:09 < kotique> krzee, actually, i'm the boss on my machine and openvpn should have the switches to let me control it.
04:10 < krzee> actually you are joining a vpn and the admin of the vpn should have the switches to control it
04:10 < krzee> if i deploy a vpn to my employees, i want it running how i set it up
04:10 < krzee> aka the genius behind push
04:11 < krzee> i can control the client configs from my server, great for an admin
04:11 < kotique> --push-reset in client config solved the problem
04:11 < krzee> not so great for the user who wants to change the settings i gave him
04:11 < kotique> good admin doesn't let users stop system services like openvpn
04:11 < kotique> nor edit the config files
04:11 < krzee> if i give them a package they can use their home laptop to enter the office lan
04:12 < krzee> while they still admin their system
04:12 < krzee> kotique, does your user config file have the pull command?
04:12 < Sir_J> krzee I've tried to use schema client1 <-> vpn server <-> client2
04:13 < Sir_J> directives in the client2 ccd like push "redirect-gateway" and push "route-gateway ip" doesn't have any affect
04:13 < kotique> i think yes and I think it's the very option I asked for
04:13 < kotique> pull or client
04:14 < krzee> pull allows your routing table to be modified by push
04:14 < Sir_J> these directives works only in the server conf
04:14 < kotique> yep, i see the man page
04:14 < kotique> thanks
04:14 < krzee> try removing it and see if redirect-gateway still works
04:14 < Sir_J> in ccd doesn't :(
04:14 < krzee> np
04:14 < krzee> Sir_J, ahh, thats too bad
04:14 -!- kotique [n=picachu@host-static-89-41-72-147.moldtelecom.md] has quit ["жопа диридай диридиридай"]
04:14 < Sir_J> I experimented
04:14 < krzee> Sir_J, what is the goal behind your setup?
04:15 < Sir_J> the goal is to pass all traffic from client1 via client2
04:15 < krzee> to have your route going through 2 machines with good encryption?
04:15 < Sir_J> you doc about redirect works only for passing traffic via vpn server
04:15 < krzee> im aware
04:15 < Sir_J> so directives like push "redirect-gateway" works only in server config
04:15 < krzee> i want to know the goal behind the goal is to pass all traffic from client1 via client2
04:15 < Sir_J> erm
04:16 < krzee> thats the goal to reach another goal...
04:16 < Sir_J> client2 has very fast connection
04:17 < Sir_J> so I'd like to pass all traffic from client1 via client2
04:17 < Sir_J> default gateway
04:17 < krzee> you're aware the server will still be in between all traffic right?
04:17 < Sir_J> yes
04:17 < krzee> (so the speed of client2 over the server makes no diff_
04:17 < krzee> )
04:18 < krzee> whats the real goal?
04:18 < krzee> check msg
04:18 < Sir_J> I can't use use vpn server as default gateway
04:18 < Sir_J> because his traffic is very expensive
04:18 < Sir_J> but traffic between server and client2 is free
04:18 < krzee> you will be using THE SAME AMOUNT of traffic on server
04:18 < krzee> actually more
04:19 < Sir_J> amount is ok
04:19 < Sir_J> server traffic is expensive but client2 traffic is free
04:19 < krzee> are you somehow using less server traffic by doing this?
04:19 < Sir_J> yes
04:19 < krzee> hows that?
04:20 < Sir_J> example
04:20 < krzee> crossover cable to client2?
04:20 < Sir_J> schema client1 <- free -> vpn server <- very expensive traffic -> internet
04:20 < Sir_J> schema client1 <- free -> vpn server <- free -> client2 <- not very expensive -> internet
04:21 < krzee> traffic between client1 and server, client2 and server are both free?
04:21 < Sir_J> yes
04:21 < krzee> ok, and why not run the server on client2?
04:21 < Sir_J> because it has no real ip
04:21 < Sir_J> real ip has only vpn server
04:21 < krzee> just asking cause the setup you were asking about is only really useful for hiding
04:22 < krzee> just NAT a port to client2
04:22 < krzee> give it 1 port of real ip
04:22 < Sir_J> ?
04:22 < krzee> its behind a NAT right...?
04:22 < Sir_J> yes
04:22 < krzee> so port forward a port to it
04:22 < OpenTokix> If I have a pkc-key with a password, any way for me to autoconnect to that openvpn from a box. Providing the password in the config, .file in root or something?
04:23 < Sir_J> what do you mean by port forward?
04:23 < krzee> !google port forwarding
04:23 < vpnHelper> krzee: http://portforward.com/routers.htm - PortForward.com - Free Help Setting up Your Router or Firewall
04:23 < Sir_J> I don't understand how port forwarding can help me
04:23 < krzee> forward a port to openvpn server on machine you call client2
04:24 < krzee> change your network map to be more sane
04:24 < krzee> your orig question is only good for hiding as i mentioned
04:24 < Sir_J> erm
04:24 < krzee> OpenTokix, why use a key with password if you dont want a password?
04:25 < OpenTokix> krzee: I got it from 3rd party
04:25 < Sir_J> and how client1 can pass all traffic via client1 ?
04:25 < Sir_J> and how client1 can pass all traffic via client2
04:25 < krzee> thats like saying "how can i lock my doors but still get in my door without needing a key"
04:25 < Sir_J> krzee I could do this trick with pptpd
04:25 < krzee> Sir_J, if it cant via redirect-gateway in ccd/ you can still manipulate routes with an up script
04:26 < krzee> you still havnt read the manpage i linked you to 3 times last night
04:26 < Sir_J> I've read about redirect
04:26 < krzee> i suggest reading the man page
04:26 < krzee> not a small section
04:26 < Sir_J> I've read man page for setting up routes, but still has no clue
04:27 < krzee> !betaman
04:27 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html
04:27 < Sir_J> I've noted that adding routes like iroute x.x.x.x x.x.xx. in client2 ccd fle
04:27 < Sir_J> file
04:27 < krzee> did you read the whole manpage>
04:27 < krzee> ?
04:27 < krzee> dude
04:27 < krzee> iroute is for the server
04:27 < krzee> !iroute
04:27 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
04:27 < Sir_J> but iroute cause passing traffic to x.x.x.x from client1 via client2
04:28 < krzee> !route
04:28 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:28 < Sir_J> it's not clear what route and for whom should I add after connection established
04:29 < krzee> --up cmd
04:29 < krzee> Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel.
04:29 < krzee> how is it not clear?
04:29 < Sir_J> my experiments shows that it should be iroute
04:29 < krzee> you want 0.0.0.0 to pass through client2
04:29 < Sir_J> yep
04:29 < krzee> it should NOT be iroute
04:29 < krzee> The route entries are telling his server to add a route for each of 192.168.1.0, 192.168.3.0, and 192.168.4.0 to its kernel's routing table, which will go through the tunnel interface. The server's kernel now has an entry for 3 LANs to both go through the vpn interface, but when that happens how will openvpn know what client to send each network to? The answer is iroute!
04:29 < krzee> Iroute does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. The iroute entry tells the openvpn server which client is responsible for the network. Without the iroute entry you will find the following in your logfiles:
04:29 < krzee> MULTI: bad source address from client [IP ADDRESS], packet dropped
04:29 < krzee> The thing is, we cant just drop the iroute into server.conf because it would then be used for every client, and iroute is only to tell the server at which client it should send traffic destined for a network that the kernel said should go to the openvpn interface. That is why we add the iroute commands to a ccd entry.
04:30 < Sir_J> well
04:30 < krzee> heres when iroute gets used:
04:30 < krzee> lan 192.168.1.x is behind client2
04:30 < Sir_J> why adding directive iroute x.x.x.x y.y.y.y in client2 ccd file cause passing traffic to x.x.x.x from client1 via client2 ?
04:30 < krzee> server gets traffic for 192.168.1.10 from client1
04:30 < krzee> kernel says to send it through tun interface
04:31 < krzee> (says so cause you added the routes to kernel routing table using openvpn)
04:31 -!- kotique [n=picachu@host-static-89-41-72-147.moldtelecom.md] has joined ##openvpn
04:31 < kotique> gosh
04:31 < Sir_J> it actually what I need
04:31 < krzee> but openvpn doesnt know which client owns that network
04:31 < kotique> Thu Sep 4 12:31:13 2008 us=185638 write to TUN/TAP returned -1
04:31 < kotique> Thu Sep 4 12:31:13 2008 us=185670 write to TUN/TAP : Invalid argument (code=22)
04:31 < krzee> no Sir_J, its not
04:31 < kotique> Do we have developers present here ?
04:32 < krzee> iroute is to let openvpn know which client traffic is for when kernel routing table says to send it through openvpn but server doesnt know which client has the network behind it
04:32 < Sir_J> krzee ok
04:32 < krzee> its internal to openvpn only
04:33 < Sir_J> if I put directive push "route 0.0.0.0 0.0.0.0 client2" nothing happens
04:33 < krzee> you are looking for how to modify your kernel routing table
04:33 < Sir_J> because client2 can be no connected
04:33 < krzee> LOL
04:33 < krzee> what do you expect that command to do?
04:33 < Sir_J> :)
04:33 < Sir_J> send to all clients default gateway :)
04:34 < krzee> route "all traffic" through "every ip"
04:34 < krzee> and client2...
04:34 < krzee> what routing app you seen that takes client2 as an option?
04:34 < Sir_J> I'm absolutely confused
04:34 < krzee> did you find something in manpage that led to you trying the word client2?
04:34 < krzee> kotique,
04:34 < krzee> !configs
04:34 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
04:34 < krzee> !logs
04:34 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
04:35 < krzee> !router
04:35 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
04:36 < kotique> i'm on verbosity level 11 and it can't write to tun
04:36 < kotique> unless you're a developer who understands how userspace-kernel interaction is done, you wont help me
04:36 < krzee> k, then you wont find help here
04:37 < krzee> none of those here
04:37 < kotique> o, will log a bug
04:37 -!- kotique [n=picachu@host-static-89-41-72-147.moldtelecom.md] has quit ["жопа диридай диридиридай"]
04:38 < Sir_J> could you provide me small example what routes and where should I up ?
04:38 < krzee> paste me the relevant portions of the manpage and why you dont get how to add a route
04:38 < krzee> and ill explain what you dont get
04:38 < krzee> actually wait
04:38 < krzee> if you are using an up script
04:39 < krzee> you need to do the routing at the OS level
04:39 < krzee> not through openvpn
04:39 < krzee> (if redirect-gateway doesnt work in ccd/)
04:39 < Sir_J> I see, but don't understand how reach it
04:39 < krzee> --up cmd
04:39 < krzee> Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel.
04:39 < Sir_J> up in the client2 ccd /
04:39 < krzee> you are in linux iirc, right?
04:39 < Sir_J> ?
04:40 < Sir_J> right
04:40 < krzee> up in client config
04:40 < krzee> that up script will be a shell script with the routes to add
04:40 < Sir_J> client1 or client2 ?
04:40 < krzee> whichever one is getting routes changed...
04:41 < Sir_J> it's client1
04:41 < krzee> if you understand that little about routing you may wanna go back to pptpd honestly
04:41 < krzee> for this setup
04:41 < Sir_J> so I need to add directive up ip r a default via here, right?
04:41 < krzee> what!?
04:41 < Sir_J> I mean
04:42 < krzee> whered you get that!?
04:42 < Sir_J> so I need to add directive up route add default in client config ?
04:42 < krzee> are you going to read the man page!?
04:42 < krzee> i even pasted it
04:42 < krzee> [05:39] --up cmd
04:42 < krzee> [05:39] Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel.
04:42 < krzee> up /script/to/run
04:42 < Sir_J> I'm ready
04:43 < krzee> where do you see route add default, etc
04:43 < Sir_J> standard linux tools
04:43 < Sir_J> iproute2
04:43 < Sir_J> ip r s
04:43 < Sir_J> ip r a
04:43 < Sir_J> etc
04:43 < krzee> make a script
04:43 < krzee> up calls a command (a script counts as a command)
04:43 < Sir_J> I've tried trick you suggest
04:44 < Sir_J> and got message that designated ip can't be reached
04:44 < Sir_J> only vpn server ip can be reached
04:44 < krzee> i honestly feel the only way you will do this is if i do it for you
04:44 < krzee> that makes me a sad panda
04:44 < Sir_J> :)
04:45 < Sir_J> the problem I see is the client2 ip can't be designated directly
04:45 < Sir_J> only via vpn server ip
04:45 < krzee> designated?
04:45 < Sir_J> reached
04:45 < krzee> no kidding
04:45 < krzee> how you gunna get from A to C without going through B
04:45 < Sir_J> so it's impossible to add route like ip r a defaul via
04:46 < krzee> not if you have another route to client2 through server...
04:46 < Sir_J> without going through B - impossible
04:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
04:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:46 < Sir_J> without going through B - impossible
04:47 < Sir_J> but how can you add route on the client side --> ip r a default via C if C can't be reached directly ?
04:47 < krzee> A knows a route to B
04:48 < krzee> B knows a route to C
04:48 < Sir_J> yes
04:48 < krzee> A default routes through C
04:48 < krzee> if that doesnt work, i can think of 1 other way
04:48 < Sir_J> As I understand you can do this A default route through C
04:48 < krzee> a vpn over a vpn
04:48 < Sir_J> vpn over vpn works :)
04:49 < Sir_J> I'd like to do this trick by using only openvpn
04:49 < krzee> well can client1 ping client2?
04:49 < Sir_J> As I understand you can't do this A default route through C
04:49 < Sir_J> of course
04:49 < Sir_J> client1 can ping client2
04:49 < Sir_J> but not directly
04:49 < Sir_J> via server
04:49 < Sir_J> via server route
04:49 < krzee> then setup a vpn server on client2, listening only on its vpn ip
04:49 < Sir_J> I've done it already
04:50 < krzee> and use the normal default routing methods in ovpn
04:50 < Sir_J> but this is not proper way
04:50 < krzee> your whole setup is not proper
04:50 < Sir_J> it works, but I'd expected another way
04:50 < Sir_J> why ?
04:50 < krzee> as i said before, your setup ONLY makes sense when hiding yourself
04:50 < Sir_J> pptpd can very easy do this trick
04:50 < krzee> then use pptpd!
04:50 < Sir_J> ok, let it be hiding myself
04:50 < Sir_J> I use it
04:51 < Sir_J> I just wanted to to the same with openvpn
04:51 < Sir_J> as I see it's impossible
04:51 < Sir_J> :(
04:51 < krzee> for hiding yourself the vpn over vpn makes even more sense unfortunately
04:51 < krzee> cause you dont need to trust any servers / clients in the middle
04:51 < Sir_J> yep
04:52 < Sir_J> only one idea I have about openvpn
04:52 < krzee> since you treat them as untrusted even tho they are in the outer vpn
04:52 < Sir_J> it should have internal route that pass all coming traffic from client1 via client2
04:52 < krzee> most people would just forward a port to client2 and make it a server
04:53 < Sir_J> yes, it's another idea
04:53 < krzee> the only reason why they wouldnt is if they are trying to add more hops in their route to obfuscate where they are
04:53 < krzee> (which i have no problem with at all)
04:54 < Sir_J> ok, that the final variant ?
04:54 < krzee> variant?
04:54 < Sir_J> it's impossible to do my trick with openvpn without any external tools/steps ?
04:55 < krzee> without a test area to test on im gunna hafta assume you did everything right and say yes
04:56 < Sir_J> :)
04:56 < krzee> btw i know you can route to C through B
04:56 < Sir_J> I'll try to experiment this evening
04:56 < krzee> cause i do it when i tunnel over DNS
04:56 < krzee> i set a route to the local NS
04:56 < Sir_J> with pptpd I did the trick
04:56 < krzee> then i set my default route to go over it
04:56 < krzee> so i know that DOES work
04:56 < krzee> but if you cant bust it...
04:57 < Sir_J> ip ru a from lookup route_table1
04:57 < Sir_J> and after that
04:57 < Sir_J> ip r a default via t route_table1
04:57 < krzee> ive never seen a route command like that in my life
04:57 < Sir_J> these 2 steps enough to pass all traffic from client1 to be redirected via client2
04:58 < Sir_J> with openvpn this trick doesn't work :(
04:58 < krzee> its not an openvpn thing
04:58 < krzee> its a routing thing
04:58 < Sir_J> yes
04:58 < krzee> your question actually has NOTHING to do with openvpn
04:58 < krzee> once you got a pinging c vpn is up right
04:58 < krzee> now you have routing issues
04:58 < Sir_J> I see
04:58 < Sir_J> but I can't catch traffic on B and redirect it via C
04:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:58 < krzee> when you figure out how to change them on commandline they can be changed through openvpn
04:59 < Sir_J> ok, I see
04:59 < Sir_J> maybe I've missed something
04:59 < Sir_J> I'll try that
05:00 < Sir_J> thanks a lot
05:00 < krzee> route add gw
05:01 < Sir_J> it works only for client2
05:01 < krzee> route add default gw 0.0.0.0/1 gw
05:01 < Sir_J> erm
05:01 < krzee> route add default gw 128.0.0.0/1 gw
05:01 < cpm> ummm
05:01 < krzee> THATS how you add routes in linux
05:01 < cpm> gateway on a network boundary?
05:02 < Sir_J> krzee that can break default route on vpn server
05:02 < krzee> what you were using, ive never seen... maybe it works
05:02 < krzee> cpm, redirecting all traffic through another client
05:02 < krzee> so basically ya
05:02 < Sir_J> no, we can't use that command
05:02 < krzee> Sir_J, you only do this on client1
05:02 < Sir_J> cause it modifies main route table
05:02 < krzee> server doesnt need new routes
05:02 < Sir_J> it can break all
05:02 < cpm> just remove the default route
05:03 < krzee> Sir_J, you are only adding routes on a machine that NEEDS new routes (client1)
05:03 < Sir_J> krzee you can't do in on client1
05:03 < krzee> on the commandline dude
05:03 * cpm loves walking into the middle of a conversation he is clueless about and spouting off ideas
05:03 < krzee> [05:58] when you figure out how to change them on commandline they can be changed through openvpn
05:03 < Sir_J> because client2 is not reached directly
05:04 < Sir_J> you can add routes only via machines that can be reached directly
05:04 < krzee> thats why client1 gets a route to client2 before using client2 as the gw for 0.0.0.0/1 & 128.0.0.0/1
05:04 < Sir_J> client1 has route to client2
05:04 < Sir_J> it's ok
05:04 < krzee> Sir_J, WHY would you argue when you dont understand routing?
05:04 < Sir_J> I've tried that :)
05:05 < Sir_J> I've experimented with that
05:05 < krzee> no, you havnt tried exactly what im saying
05:05 < Sir_J> ok, I'll try it this evening
05:05 < krzee> you add a DIRECT route for client2
05:05 < krzee> yes it has a route indirectly
05:05 < krzee> you put its ass in the routing table
05:05 < krzee> so you can use it as a gw
05:05 < Sir_J> erm
05:05 < krzee> trust me, i do this with my dns tunneling
05:06 < Sir_J> if your trick work, I'll be happy :)
05:06 < krzee> in fact i made a script to automate it in dns tunneling...
05:06 < krzee> http://dev.kryo.se/iodine/wiki/TipsAndTricks
05:06 < vpnHelper> Title: TipsAndTricks - iodine - Trac (at dev.kryo.se)
05:06 * cpm still thinks that neither of those routes are legit.
05:06 < Sir_J> one question
05:07 < krzee> cpm, thats how def1 works in redirect-gateway
05:07 < krzee> def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
05:07 < Sir_J> why we need route add gw if we already have this route ?
05:07 < krzee> you DONT
05:07 < krzee> where is client2 in your routing table?
05:07 < krzee> you have a route for the whole network
05:07 < Sir_J> erm
05:08 < krzee> so you cant use a ip in that network as a gw
05:08 < krzee> make a route to that EXACT machine
05:08 < krzee> then you can
05:08 < Sir_J> you mean that vpn server sent me route for whole network ?
05:08 < krzee> DUH
05:08 < Sir_J> for ex 192.168.1.x ?
05:08 < Sir_J> heh
05:08 < Sir_J> I understood you
05:08 < krzee> it gave you a route back to it
05:08 < krzee> not directly to client2
05:09 < krzee> you get to client2 through your route to server
05:09 < Sir_J> ahh
05:09 < krzee> you cannot use client2 as a gw til you do what i said
05:09 < krzee> which is WHY I SAID IT!
05:09 < krzee> hehe
05:09 < Sir_J> I didn't know that we can use these tricks
05:09 < Sir_J> it's much clear now
05:09 < krzee> right, so you chose to argue it wouldnt work
05:09 < Sir_J> big thanks a lot
05:09 < krzee> np man
05:10 < Sir_J> bye
05:10 < krzee> adios
05:10 -!- Sir_J [n=aaa@mm-207-159-57-86.adsl.mgts.by] has quit []
05:10 < krzee> i feel like a dick
05:11 < krzee> but he wouldnt read the man pages and wanted to argue routing when i was telling him how to do it when he didnt have a clue about it
05:11 < krzee> oh well, i hope he gets it up
05:13 < cpm> I ignorantly pride myself on being able to make IP route logically. (or rather, at all) that said, you have me stumped.
05:13 < cpm> What is the intention?
05:14 < krzee> he wants client1 to default route through client2
05:14 < cpm> okay.
05:14 < cpm> seems silly
05:15 < krzee> VERY
05:15 < krzee> which i explained
05:15 < cpm> seems possible he doesn't know what he wants.
05:15 < krzee> only way it makes sense is if he wants to help hide himself by obfuscating routes
05:15 < krzee> which if he wanted i gave him the better solution
05:15 < cpm> that's what tor is for.
05:15 < krzee> (vpn over vpn, dont trust machines in the middle)
05:15 < krzee> i trust routing games around the world and through countries like china over tor
05:16 < cpm> you can do vpn over vpn, you'll never any packets though, but you can do it.
05:16 < cpm> :)
05:16 < krzee> never any packets?
05:16 < krzee> what do you mean?
05:16 < cpm> running IP over IP over IP (vpn over vpn) means your mpath will be fucked.
05:17 < krzee> false
05:17 < krzee> i do it
05:17 < krzee> works great
05:17 * cpm remains skeptical
05:17 < krzee> well i did it
05:17 < krzee> some servers in the middle are down
05:17 < krzee> and i dont wanna configure around them yet
05:17 < cpm> run something like rdesktop, which is really funny about mtu
05:17 < krzee> haha
05:17 < krzee> true that
05:17 < krzee> except i dont need rdesktop
05:17 < krzee> voip works
05:18 < cpm> so, sure, yeah, some packets will get through. but it ain't gonna be like a tuned lan.
05:18 < cpm> :)
05:18 < krzee> which is also funny bout mtu
05:18 < krzee> very agreed
05:18 < cpm> sip or iax?
05:18 < krzee> sip
05:18 < cpm> sip is pretty forgiving.
05:18 < cpm> what codec?
05:18 < krzee> g729 iirc
05:18 < krzee> i can check if you want
05:19 < krzee> not sure which im using atm
05:19 < cpm> very robust codec. Yeah, if it'll come up, it'll probably work.
05:20 < krzee> hrm seems im on ulaw right now
05:20 < krzee> but i think i used g729 on it before
05:21 < krzee> but ya, the better way as i explained to him was to make client2 the server
05:21 < krzee> he didnt wanna learn how to port forward
05:21 < krzee> hehe
05:25 < krzee> well 1 good thing came of that
05:25 < krzee> i finally looked at http://www.doeshosting.com/code/NStun.sh again
05:25 < cpm> so, splain to me this thing of pointing the default gw at a /1 network boundary
05:25 < krzee> time to make it look nicer
05:25 < krzee> ok
05:25 < krzee> from the manpage:
05:25 < krzee> def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
05:26 < krzee> it will take routes by most specific to least
05:26 < krzee> 0.0.0.0/1 & 128.0.0.0/1 are more specific than 0.0.0.0/0
05:27 < krzee> but they accomplish the task of routing EVERYTHING
05:27 < krzee> without overwriting the 0.0.0.0/0 entry (your existing default gateway)
05:27 < krzee> so when you disconnect from vpn, you are still on the internet once you remove the routes you added
05:27 < krzee> MUCH easier to script =]
05:28 < krzee> well i guess its easy to work around, like i did in my script above
05:28 < krzee> but ya, its nicer
05:28 < krzee> hell, maybe i should add that to my script
05:29 < krzee> next time i play with my NS tunnels i may hafta edit my script to do that... nondestructive adding of new default route
05:31 < krzee> there, much nicer
05:31 < krzee> case "$OS" in
05:31 < krzee> Darwin|*BSD)
05:32 < krzee> instead of entries for Darwin and FreeBSD, 1 entry for fbsd/obsd/nbsd/Darwin
05:32 < krzee> meant to change that long ago but laziness and forgot bout it
06:00 < krzee> hah just realized i didnt tell him to create a static route to his original default route
06:01 < krzee> and i guarantee he wont know, or read the manpage and see that redirect-gateway would do it so he needs to
06:06 < cpm> well. with any luck, and some more hard work, the scripting will become more polished, and it'll be easier.
06:07 < cpm> I keep focusing on the ssl component as being the problem child.
06:07 < krzee> scripting is really easy
06:08 < cpm> krzee, it is, for folks who understand it. The tricky bit, on darwin, et al. Is going to be getting the xml polished enough so that you can install it as a patch to the native vpn client.
06:08 < krzee> oh thats not for openvpn
06:08 < krzee> that script is for DNS tunneling
06:08 < krzee> tunneling IP over DNS
06:08 < krzee> openvpn handles routing itself, iodine does now
06:08 < krzee> not
06:09 < cpm> well, that of course brings up another sordid subject. The subject of getting away from dns and moving towards dnssec
06:11 < krzee> im not overly familiar with dnssec, it fix anything that djbdns doesnt?
06:13 < cpm> http://en.wikipedia.org/wiki/Dnssec
06:13 < vpnHelper> Title: DNSSEC - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:13 < krzee> ya i found that
06:13 < krzee> dont see why i'd wanna switch to dnssec
06:14 < cpm> again, it comes down to the ethereal concept of a pki, that folks have talked about for many years, that doesn't exist.
06:15 < cpm> everyone says we need a pki, but no one will commit to one. So, all these things break.
06:18 < krzee> http://cr.yp.to/djbdns/notes.html
06:20 < cpm> fun fun
06:22 < cpm> Quote:
06:22 < cpm> "Between licensing issues and a certain degree of arrogance, he has managed to create a sizable crowd of people who want nothing to do with his software. That may limit how far djbdns can go on the net. "
06:22 < cpm> Gee, ya think?
06:22 < cpm> :)
06:22 < krzee> lol
06:22 < krzee> true
06:22 < krzee> except the licensing issues
06:23 < krzee> he made all his released works public domain
06:23 < krzee> (although your quote is likely before that)
06:25 < cpm> It is.
06:26 < krzee> and i dont care about the attitude of authors when i choose my software
06:26 < cpm> djb worked very hard at, and I mean very hard at alienating as many folks as he could before changing his already perfect mind on his licensing stance.
06:26 < cpm> to me, it's a question of community.
06:27 < krzee> and i think his old license had to do with not wanting people to screw up his work and blame it on him (or want him to support it), although i have no reason to assume that
06:27 < cpm> I've been an isc 'social butterfly' for over a decade, well over in fact. I like the isc people, I like isc software, bletcherous as it is, and I like the isc community a great deal. I even have a box hosted on their network, gratis, because they are nice folks.
06:27 < krzee> thats cool
06:27 < krzee> quite cool
06:27 < cpm> I read a screed of djbs where he basically stated that all licenses are shite anyway, so fuck it.
06:28 < cpm> Which I certainly understand.
06:28 < cpm> his -very logical argument- was that folks who whine about license issues are all a bunch of punters.
06:28 < krzee> punters?
06:29 < cpm> I gotta admit, I was pretty taken with his point. Sharp guy, that one.
06:29 < cpm> punters, like about 6 steps below a 'user'.
06:29 < krzee> ahh, lol
06:30 < cpm> it'
06:30 < cpm> s pretty difficult, if you actually pay attention to djb and keep an open mind, to not deeply admire him and his work.
06:31 < cpm> but I'd not want to have him as a neighbor.
06:31 < cpm> :)
06:31 < krzee> werd
06:31 < krzee> to me none of that matters when choosing software
06:35 < cpm> to me what matters is: Is the software something I can deploy legally. Is the software I can deploy legally something I can deploy without an immense license management headache. is the software that doesn't come with a license management headache, that I can install legally well maintained and documented. Is there a strong community behind it, broad deployment, etc etc.
06:35 < cpm> can't always get whatcha want though.
06:35 < cpm> :)
06:35 < krzee> ya im easier
06:36 < cpm> Can i get up and walk away from it, and be replaced by someone who can read docs, who can then maintain my work?
06:36 < krzee> 1) is it the best at what it does? 2) is it deemed secure?
06:36 < cpm> Not that that point matters. The first thing the new admin fixes, , , is the blame.
06:36 < krzee> you must be more corporate than me ;]
06:36 < cpm> then the rip and rebuild everything to suit them away, so that really shouldn't be an issue.
06:36 < cpm> krzee, yeah.
06:57 < OpenTokix> krzee: yeah, maybe - but I am saying. Let me in your stupid door when we are moving.
06:57 < krzee> make new certs
06:58 < krzee> but
06:58 < krzee> --askpass [file]
06:58 < krzee> Get certificate password from console or file before we daemonize.
06:58 < krzee> should do i
06:58 < krzee> it
06:59 < krzee> (Note: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h).
07:12 -!- kotique [n=picachu@host-static-89-41-72-147.moldtelecom.md] has joined ##openvpn
07:12 < kotique> that error about tun write failed was because of missing lzo-comp line, dunno why openvpn doesn't tell that parameters of peer and me don't coincide
07:13 < ecrist> me either
07:13 < ecrist> and, why does OpenSSL have to use such arcane errors?
07:13 < krzee> i guess if you posted your configs and logs instead of saying if we werent the devs we couldnt help you that woulda been a faster solution tho 07:14 < kotique> now another problem remains to be solved - restarts by ping timeout. 07:14 < kotique> krzee, logs didn't tell anything. 07:14 < krzee> g'mornin ecrist 07:14 < krzee> kotique, but the configs did 07:14 < kotique> that's because I had to access server and see that it can't decode packets 07:15 < krzee> ecrist, glad the craziness in your town is over? 07:15 < ecrist> kotique: you did sort of expect a miracle. 07:15 < ecrist> krzee: today's the last day. 07:15 < ecrist> my part in it was done on monday, though. 07:15 < ecrist> :) 07:15 < krzee> ahh its only thurs 07:15 < krzee> i been off a day 1/2 the week 07:16 < krzee> what was your part? 07:16 < ecrist> I've been on vacation from my day job since last friday - just came back to work today. 07:16 < ecrist> I work for the local Sheriff's Dept. 07:16 < ecrist> in my off time. 07:16 < krzee> oh right on 07:17 < krzee> did you have to deal with protesters and whatnot? 07:17 < ecrist> so, I was on duty all weekend. 07:17 < ecrist> yeah, a bit. 07:17 < ecrist> I didn't have to be in the middle of it, but I had a hand in it. 07:17 < ecrist> I wasn't in riot gear or anything. 07:18 < krzee> ahh thats good 07:20 < krzee> wow its 8:30 07:20 < krzee> i should goto sleep 07:20 < krzee> see ya later 07:20 < ecrist> lol 07:20 < ecrist> kotique: did you get things fixed, now? 07:21 < kotique> nope, i'm connected via tcp and it keeps restarting 07:21 < kotique> Thu Sep 4 15:15:38 2008 SIGUSR1[soft,connection-reset] received, process restarting 07:21 < krzee> !tcp 07:21 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 07:22 < kotique> Sep 4 08:14:35 worldconn openvpn[19663]: yuri/89.41.72.147:37073 [yuri] Inactivity timeout (--ping-restart), restarting 07:22 < krzee> "Unfortunately, it doesn't work well. Long delays and frequent connection aborts are to be expected. Here is why. 07:22 < krzee> " 07:23 < kotique> hey guy. it's ping timeout. it's being sent 3 times and tcp is reliable proto. 07:23 < krzee> tcp is great 07:23 < krzee> tcp over tcp is not 07:23 < ecrist> kotique: UDP is preferred for VPNs 07:23 < kotique> i'm not running tcp over tcp 07:23 < krzee> as the link explains 07:23 < kotique> i'm running udp over tcp 07:23 < ecrist> kotique: yes you are. 07:24 < kotique> huh ? 07:24 < krzee> you arent tunneling tcp over a tcp vpn? (you are) 07:24 < kotique> no, i'm tunneling NOTHING now 07:24 < kotique> and it keeps restarting 07:24 < ecrist> you're not using tcp for vpn? 07:24 < kotique> i'm keeping it clear, you got it ? no packets over tun interface 07:24 < ecrist> kotique: can we see your configs? 07:24 < kotique> now tell me why it keeps restarting 07:25 < krzee> ecrist, hes fun to help, wouldnt post configs or logs and refused help earlier cause i wasnt a dev 07:25 < kotique> no, it's confidential 07:25 < krzee> ended up being lzo enabled on only 1 side 07:25 < kotique> hehe 07:25 < krzee> heh 07:25 < ecrist> kotique: blocko ut the IP, and copy your configs, or don't expect help. 07:25 < kotique> but why I had received tun write error instead of getting "peer capabilities don't match" ? 07:25 < krzee> why would anyone go to a help channel and be so hard to help? 07:26 < krzee> haha 07:26 < ecrist> kotique: block out the IP, and copy your configs, or don't expect help. 07:26 < kotique> ok 07:26 < krzee> or pay someone to fix it after they sign something if its that sensitive 07:27 < krzee> kotique, do you have a reason you need tcp instead of udp for your vpn? 
07:27 < krzee> get around nazi firewall or something? 07:27 < kotique> legacy setup 07:27 < kotique> can't change 07:28 < krzee> that cant be changed but lzo can 07:28 < krzee> interesting 07:28 < krzee> and with that thought, i sleep 07:28 < kotique> mine - http://pastebin.com/m75df1ba7 07:29 < krzee> g'nite, g'luck 07:29 < kotique> there are a lot of configured clients using this openvpn server 07:29 < kotique> guess what proto they have 07:30 < ecrist> ok, if you're using tcp in the config, you're tunnelling tcp over tcp - that's bad, per the link krzee sent you above. 07:30 < ecrist> that's why you're getting timeouts. 07:30 < krzee> yup 07:31 < krzee> expect it to stay the same 07:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 07:31 < ecrist> things aren't really timing out, the software is perceiving it as such due to the conditions mentioned on that page. 07:31 < kotique> http://pastebin.com/d66eab3fc - server 07:31 < ecrist> if this is a widespread, chronic problem, switch to udp and reconfig the clients. 07:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 07:32 < kotique> god, I don't see and send ANY packets over tunnel 07:32 < kotique> and it keeps restarting 07:32 < kotique> not icmp 07:32 < kotique> not UDP 07:32 < kotique> not TCP 07:32 < kotique> not IP 07:32 < kotique> no ARP 07:32 < kotique> no RARP 07:32 < krzee> ARP wouldnt go over a tunnel 07:32 < krzee> :-p 07:33 < OpenTokix> kotique: Are you using debian testing for the server? 07:33 < ecrist> kotique: humor me, start a second instance of the vpn server, using udp instead of tcp, reconfig your client, and try 07:33 < OpenTokix> krzee: so you dont have any suggestions to pass the password onto the command line or so? 07:33 < ecrist> you should see your problem go away.
07:33 < krzee> OpenTokix, i pasted it 07:33 < kotique> damn, I was thinking about that 07:33 < OpenTokix> krzee: ok, I didnt get a highlight 07:33 < OpenTokix> kotique: Are you using tcp for the vpn? 07:34 < krzee> its way up there, lemme find it again in man page for ya 07:34 < ecrist> OpenTokix: if the password is accepting on stdin, echo "password" | openvpn --options 07:34 < OpenTokix> krzee: ahh, askpass - thx 07:34 < krzee> !betaman 07:34 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html 07:34 < krzee> look for --askpass [file] 07:34 < krzee> note: 07:34 < krzee> If file is specified, read the password from the first line of file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using an encrypted key (Note: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h). 07:37 < OpenTokix> krzee: Found it 07:43 < krzee> vpnHelper, version 07:43 < vpnHelper> krzee: The current (running) version of this Supybot is 0.83.3. The newest version available online is 0.83.3. 07:47 < OpenTokix> Sorry, 'Private Key' password cannot be read from a file <-- damn =( 07:48 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 07:50 < krzee> did you recompile with the options i pasted? 
07:50 < OpenTokix> damn, I don't want to compile shit 07:50 < krzee> haha 07:50 < krzee> i think thats why they did that 07:51 < OpenTokix> ok, look what you made me do 07:51 < OpenTokix> im compiling 07:51 < OpenTokix> good thing its a fast box 07:51 < OpenTokix> =) 07:51 < krzee> its not a large compile anyways 07:52 < OpenTokix> nah =) 07:52 < OpenTokix> done 07:52 < OpenTokix> and it works 07:53 < OpenTokix> thx =) 07:53 < krzee> you're welcome =] 07:53 < krzee> ecrist, if dougy stops through can you mention to him that i cant put forum announcements in the channel unless he is able to provide an RSS feed of some sort for posts 07:54 < krzee> thats how the announce stuff works for supybot 07:54 < krzee> only way i can think of for it to work too 08:02 < krzee> !learn custom as http://www.openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html 08:02 < vpnHelper> krzee: The operation succeeded. 08:02 < krzee> !menu 08:02 < vpnHelper> krzee: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig 08:02 < krzee> !forget menu 08:02 < vpnHelper> krzee: The operation succeeded. 08:02 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom 08:02 < vpnHelper> krzee: The operation succeeded. 08:20 < cpm> stop it!
08:21 < krzee> i know i wish it came with its own !menu 08:21 < krzee> =[ 08:24 < ecrist> krzee: you could code it, wouldn't be that hard. 08:24 < krzee> or someone else could, it doesnt bug me and i have 0 desire to learn python 08:25 < krzee> if someone chooses to, its the Factoids plugin in supybot 08:26 < ecrist> krzee: why not post a message on the forum for that? 08:27 < ecrist> krzee: I see that it has RSS. 08:27 < ecrist> :\ 08:28 < krzee> oh i didnt notice it did 08:28 < ecrist> I sorta thought it was weird vbulletin wouldn't have rss already. 08:29 < krzee> ya i figured it would 08:29 < krzee> whered ya find it? 08:29 < ecrist> it tells me in firefox's awesome bar. 08:29 < krzee> ahh coolness 08:29 < ecrist> https://ovpnforum.com/external.php?type=RSS2 08:29 < krzee> pls pass the link 08:29 < vpnHelper> Title: OpenVPN ForumOpenVPN ForumNeed Help With OpenVPN on Windows 2000 (at ovpnforum.com) 08:30 < krzee> safari lacks the awesome bar (tm) 08:30 < ecrist> safari still tells you it has rss. 08:30 < kotique> it was because the other side didn't have keepalive directive 08:30 < krzee> interesting 08:30 < ecrist> go to ovpnforum.com, look in address bar, it says, wait for it, RSS 08:30 < kotique> added push "keepalive" and it worked 08:31 < kotique> bye 08:31 -!- kotique [n=picachu@host-static-89-41-72-147.moldtelecom.md] has quit ["жопа диридай диридиридай"] 08:31 < ecrist> kotique: excellent. 08:31 < krzee> ahh it sure does! 08:31 < krzee> i never noticed that 08:31 < krzee> cool thx 08:31 < krzee> learned something new =] 08:32 < ecrist> I was about 2 seconds from kicking his ass out, earlier. 08:32 < ecrist> oh, that's why he was so argumentative, he's from Moldova.
08:32 < krzee> ya i held myself back when he told me he only wanted help if i was a dev 08:33 < krzee> haha 08:33 < krzee> like the devs wanna sit here dealing with routing issues, misconfigs, and lack of reading ;] 08:34 < krzee> interesting, the RSS only shows new topics 08:35 < ecrist> krzee: what would you expect it to show? 08:35 < krzee> replies as well 08:36 < krzee> although i understand why not 08:36 < ecrist> I don't think you want that 08:36 < krzee> they have it like that in aircrack-ng 08:36 < krzee> its nice 08:36 < ecrist> too much potential for noise 08:37 < krzee> ya good point too 08:37 < krzee> which im sure is why its not like that in vbulletin 08:44 < krzee> vpnHelper, quit 08:44 < vpnHelper> krzee: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 08:44 < krzee> vpnHelper, quit 08:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["krzee"] 08:48 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 08:48 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 08:48 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 08:53 < krzee> bleh, he created a separate rss feed for configuration section 08:53 < krzee> and thats where i posted my test thread, lol 08:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 09:00 < krzee> blah i forgot supybot overwrites config on exit 09:02 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 09:11 < krzee> [10:11] Unable to download feed. 09:26 -!- kreg_work [n=kreg@208-98-188-95.directcom.com] has quit ["Leaving"] 09:55 < jeev> so it didn't save?
10:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 10:31 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)] 11:03 -!- plaerzen [n=plaerzen@S010600119505deed.cg.shawcable.net] has joined ##openvpn 11:38 -!- Ghrim [n=Ollie@host81-151-53-70.range81-151.btcentralplus.com] has joined ##openvpn 11:39 < Ghrim> Hi, how would I temporarily disable a client from being able to connect? 11:59 < nDuff> Ghrim, you have a client-config-dir set up? 11:59 < nDuff> just put "disable" in a file named for that client's cert in there. 11:59 < Ghrim> How would I find that out? 11:59 < nDuff> Ghrim, ehh, you'd only have one if you set up the server that way 11:59 < nDuff> Ghrim, read the man page. 12:00 < Ghrim> Kk 12:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit] 12:47 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 13:09 * ecrist wonders if *anyone* reads the docs before asking for help. 13:21 < w00t|away> nDuff hello :) 13:23 < nDuff> w00t|away, howdy. 13:23 < w00t|away> setup working brilliantly :) 13:24 < w00t|away> only one issue I ran into 13:24 < w00t|away> my ISP don't allow outgoing connections on port 25 13:24 < w00t|away> I still get connection refused even with all my traffic going over the VPN! 13:26 < nDuff> the ISP running the colo location, or your ISP at home? 13:26 < w00t|away> at home 13:26 < nDuff> might need to check the routing table to make sure everything that's supposed to is really going over the VPN. 13:26 < nDuff> might pastebinning output from /sbin/route -n? 13:27 < w00t|away> w00t$ /sbin/route -n 13:27 < w00t|away> usage: route [-dnqtv] command [[modifiers] args] 13:27 < nDuff> which OS are you on? 
13:27 < w00t|away> Home machine is OS X 10.5 btw 13:27 < nDuff> ahh; I don't know the usage on OS X's route 13:28 < w00t|away> Ahh 13:28 * nDuff hasn't had a Mac since his employer was bought by Dell; couldn't use it for work at that point, so sold the laptop. 13:28 * ecrist has a mac. 13:28 < w00t|away> That was before intel macs I take it? 13:28 < w00t|away> Oh wait, probably a political thing 13:28 < w00t|away> :) 13:29 < nDuff> it was an Intel Mac, actually; company policy, not technical limitations 13:29 < nDuff> exactly. 13:29 < w00t|away> crap 13:29 * w00t|away loves his MacPro 13:29 < w00t|away> I used to bring a MBP into my old windows only workplace 13:29 < nDuff> anyhow, if just "route" dumps something that looks reasonable, go 'head and pastebin that. 13:30 < w00t|away> no output, just the same as before 13:30 < w00t|away> it wants some args but I have no idea what it needs :) 13:30 < nDuff> route print? route list? 13:30 < nDuff> ahh, route show 13:31 < nDuff> (yaay for google!) 13:31 < w00t|away> route: bad keyword: show 13:31 < nDuff> odd; show is given at http://www.osxfaq.com/man/8/route.ws. How about "netstat -r" instead? 13:32 < nDuff> if that doesn't work, run "openvpn --show-net" 13:33 < w00t|away> I got a list of routing tables 13:33 < w00t|away> from netstat -r 13:34 < nDuff> if the actual table entries are there, then that's what I'm looking for... 13:34 < w00t|away> yes I'll pastebin you it 13:35 < w00t|away> http://pastebin.com/d120d7ba1 13:35 < w00t|away> that default line looks like it could be the prob right?
13:35 < w00t|away> 0/1 has the right gateway and tap0, but default is my ISPs gateway over en0 13:37 < nDuff> well -- OpenVPN plays a few tricks to add its own "default route" without overriding the real one 13:37 < nDuff> specifically, it adds both 0/1 and 128.0/1; both of those should be hit first 13:38 < nDuff> ...so in theory there shouldn't be any new traffic actually making it to the "default" gateway 13:38 < nDuff> now, there *is* a route somewhere that allows the VPN traffic itself to still go through your ISP 13:38 < w00t|away> Well there would have to be :) 13:38 < nDuff> I'm guessing that's the one to 78.129.142.55/32, and as such it's... interesting... that there's nothing actually traversing it. 13:40 < nDuff> where are you trying to connect to as your mail server? 13:40 < w00t|away> I tried using the domain or the IP 13:40 < w00t|away> 78.129.142.55 13:40 < nDuff> if you're trying to send mail to the system that's also the other end of the VPN, then that would be hitting the VPN-traffic route 13:40 < nDuff> ahh; there you are, then. 13:40 < nDuff> if you send your mail to a different IP on the same machine, it should work 13:41 < nDuff> but that specific IP address isn't going through the VPN so the VPN has a way to send its UDP traffic through your ISP. 13:41 < w00t|away> Well 13:41 < w00t|away> The other two IP addresses I can't seem to see from this side 13:41 < w00t|away> and the third one is me :) 13:42 < nDuff> hmm; it should be possible to resolve whatever's stopping you from using the other two. 13:42 < w00t|away> .85 is the IP address on the other side of the VPN, I can't ping it. .86 is me. .87 shows up as the broadcast for tap0 on the server 13:43 < nDuff> tap0 has a broadcast address on the server? ideally, it should be an IP-less bridge member. 13:43 < w00t|away> Yeah 13:43 < w00t|away> OpenVPN is setup by plesk on the server however 13:44 < w00t|away> and overwrites anything I change in the conf file 13:44 < nDuff> *sigh*. 
13:45 < nDuff> can you just assign an extra, externally-unroutable address to the server's bridge device and use it? 13:45 < nDuff> (as an alias, or an iproute2 secondary, or such) 13:45 < w00t|away> I guess so 13:45 < w00t|away> like a 10.0.0.x ? 13:45 < nDuff> sure 13:46 < w00t|away> sounds like a plan 13:46 < w00t|away> plesk making tap0 have .87 as a broadcast was a huge headache for me actually as that was where all my DNS servers were on 13:48 < nDuff> oy. If you've got the ability to do administration outside plesk, I'd almost consider that -- even if it overwrites all files named as /etc/openvpn/*.conf, there's nothing that stops you from making an OpenVPN config file somewhere else and running the process for it through a different mechanism (an inittab entry, runit, etc). 13:50 < w00t|away> I could 13:50 < w00t|away> But it's all working now I don't really fancy disrupting it 13:52 < nDuff> heh; I can appreciate that. 13:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 13:57 -!- EvilRick [i=chatzill@41.207.226.226] has quit [Read error: 104 (Connection reset by peer)] 13:57 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: krzie, nDuff, ams, jeev, adie, Ghrim 13:58 -!- Netsplit over, joins: Ghrim, jeev, nDuff, ams, krzie, adie 13:59 -!- OpenTokix [i=peter@0x2a.se] has quit [Remote closed the connection] 13:59 -!- niekie [i=niek@bergnetworks.com] has quit [Remote closed the connection] 14:07 -!- Irssi: ##openvpn: Total of 28 nicks [0 ops, 0 halfops, 0 voices, 28 normal] 14:07 -!- oinck [n=kasper@lasvegas.perfect-privacy.com] has joined ##openvpn 14:10 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 14:11 -!- mcp [n=mcp@wolk-project.de] has quit [Connection timed out] 14:16 -!- Risky2 [i=Risky@103-35-235-201.fibertel.com.ar] has joined ##openvpn 14:16 < Risky2> hi there - I'm trying to make it appear as though I'm in the united states 14:17 < Risky2> I'm from Seattle but
I'm in Argentina atm and I can't do some things I want to do 14:18 < Risky2> I've been able to open a socks 4 proxy using putty and a server in the u.s.a. I have access to, but it's a bit limited in that I'm having trouble making sure some applications go through the proxy connection 14:18 < Risky2> is openvpn what I should be using instead? I basically want to make all outgoing connections go through this computer in the U.S. I have access to 14:19 < oinck> can you run it on the remote server? 14:19 < Risky2> umm, i think so 14:20 < Risky2> its a linux machine i can run most things 14:20 < Risky2> i don't have root, though 14:20 < Risky2> I'm a little confused as to how this all works 14:21 < Risky2> in the OpenVPN GUI, there's a section where you can set a SOCKS Proxy - is there a way I can just configure my client machine to use an existing proxy? 14:23 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has joined ##openvpn 14:24 < Risky2> like this: http://img370.imageshack.us/img370/4214/proxykh1.jpg 14:25 < Risky2> i'm not really sure what that's even for 14:25 < Risky2> but if i put the same settings in firefox i go through the socks 4 proxy i have set up 14:26 < dingus9> hey, I am trying to get a bridge setup working correctly. I have an openvpn server at a valid internet ip, it is also on a lan with the same eth0 card that I want to expose to my private lan. 14:26 < dingus9> right now it connects, but I cannot seem to ping the server from my client, nor the client from my server 14:29 < Risky2> dingus9 any chance you can help me out? i'm not sure I understand how openvpn is supposed to work 14:29 < dingus9> Risky2 sure 14:29 < dingus9> whats up 14:29 < Risky2> I'm supposed to run a program on a remote machine (the server?) and then have my computer connect to it? 14:29 < dingus9> Risky2: over the vpn right? 14:29 < Risky2> you tell me 14:29 < Risky2> i'm trying to make it look like I'm in the U.S.
14:30 < Risky2> i'm travelling 14:30 < Risky2> is vpn a good idea for that? I have access to a few U.S. computers 14:30 < dingus9> ok so you want to setup a vpn, with full route forwarding 14:30 < Risky2> ok full route forwarding 14:30 < dingus9> are you on a linux machine 14:30 < Risky2> no windows here 14:30 < Risky2> the server is linux 14:30 < Risky2> or some *nix 14:31 < dingus9> ok what I do, for this if you have a program that can use a socks proxy 14:31 < Risky2> ok - so i already have a socks proxy working 14:31 < Risky2> the problem is, some applications don't use the proxy, and I can't figure out how to get them to use it 14:31 < dingus9> ah so you're wanting all traffic 14:31 < Risky2> exactly 14:32 < dingus9> I believe then you do want openvpn 14:32 < Risky2> ahh nice 14:32 < Risky2> can openvpn be configured to just go through a proxy? 14:32 < Risky2> like, instead of the hassle of running the server program? 14:33 < dingus9> Risky2 have you looked at hamachi 14:33 < dingus9> it uses openvpn 14:33 < ecrist> Risky2: no 14:34 < dingus9> if you're using windows you might look into that, its pretty simple to get setup, although I don't know about forwarding all your routes through it 14:34 < Risky2> ok i'll take a look 14:35 < Risky2> ecrist: any chance you want to help me get this working? 14:35 < dingus9> Risky2: if that doesn't work, I saw a section in the openvpn readme on how to forward all your regular traffic through the vpn connection 14:36 < dingus9> Anyhow, I am posting my confs and a diagram of my setup to a paste bin, if some one could look at them really quick I would appreciate it. 14:36 < ecrist> Risky2: I would, but I'm on my way out of the office here in a few. I can be online from home, later this evening, about 3 hours from now. 14:36 < Risky2> ok - hopefully I'll be able to figure this out between now and then 14:42 < Risky2> i'm gonna try to build openvpn on the server here... 14:42 < ecrist> Risky2: what os?
14:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:42 < Risky2> some linux flavor 14:43 < Risky2> there we go 14:43 < Risky2> ./openvpn seems to work now 14:43 < Risky2> so now i guess i need to make config files for the server and client? 14:44 < dingus9> Risky2: yep 14:45 < dingus9> it comes with some sample configs 14:45 < dingus9> Risky2: follow the readme on the site 14:45 < ecrist> !freebsd 14:45 < dingus9> Risky2: it walks you through the key process and everything 14:45 < Risky2> which readme on the site? 14:45 < Risky2> i see HowTo, Examples, Read more, Installation 14:46 < ecrist> Risky2: there is a decent howto at https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:46 < dingus9> http://www.openvpn.net/index.php/documentation/howto.html 14:46 < Risky2> man that howto is super confusing 14:47 < Risky2> i guess i just gotta keep reading 14:48 < dingus9> anyhow my configs are http://pastebin.osuosl.org/21988 http://pastebin.osuosl.org/21989 http://pastebin.osuosl.org/21990 http://pastebin.osuosl.org/21991 14:49 < ecrist> ahhhhhhh 14:50 < ecrist> dingus9: keep a config.default or something, remove comments from your 'working' config 14:50 < ecrist> much easier to read. 14:51 < Risky2> so...am i gonna be generating keys so that i can authenticate? or do i set up a login? 14:51 < ecrist> you should be able to remove line 124 from your server config 14:52 < ecrist> Risky2: keys 14:52 < ecrist> dingus9: you can't really push-route in a bridged vpn 14:52 < dingus9> ah 14:52 < dingus9> I bet thats part of the problem 14:53 < Risky2> ok so i got a thing called key.txt that was generated - do i need more? 14:53 < dingus9> ecrist: I seem to be losing my route when I bring the bridge up 14:53 < dingus9> I just narrowed that down 14:53 < ecrist> Risky2: please read docs.
it's discussed in both the howto I linked, and the howto on openvpn.net 14:54 < dingus9> so as soon as the bridge runs, I get disconned from ssh, and clients cannot connect to the server 14:54 < ecrist> after you removed the push route? 14:55 < dingus9> ecrist: no It is happening before I bring openvpn up 14:56 < dingus9> ecrist: I suspect that this is due to the missing default gateway 14:56 < dingus9> I can ping my subnet, but can no longer route to the internet 14:57 < ecrist> then something is borked, but your bridge should come up *after* openvpn is connected. 14:58 < ecrist> time for me to go, I'll be back on after dinner with the wife. 14:58 < ecrist> *poof* 15:00 < dingus9> ecrist: thanks :) 15:04 < dingus9> the problem was the default gateway was being set to 192.168.1.0 15:04 < dingus9> for some reason 15:04 < dingus9> should be .1 15:06 < oinck> you could add it all as parameters but its easier to make a config file 15:06 < oinck> wow sorry i didnt scroll down 15:08 < Risky2> which shell uses the export command? 15:08 < Risky2> eg export KEY_SIZE=1024 15:10 < Risky2> like, i run this vars file, and its supposed to define all these env vars right?
i run it and i run env and none of them are there 15:10 < Risky2> i tried bash, tcsh, and csh 15:13 < Risky2> in bash it seems to work, like, the echo in the file prints out the value of some variable it set - but then after the script exits the values are gone 15:13 < oinck> ls *.ovpn 15:13 < oinck> oops 15:13 < oinck> wrong window 15:14 < oinck> im not really sure what you mean 15:14 < oinck> im no openvpn expert though, staying in this channel because i have a question myself 15:15 < oinck> you put the vars in the file and then you call openvpn with the config file (with or without the --config) 15:15 < Risky2> i'm trying to generate the server keys 15:16 < oinck> ah ok, can't help you there i only use it client side 15:17 < Risky2> my *nix is a bit rusty i guess 15:18 < Risky2> seems like i should be able to run ./vars, then run env, and see all the stuff it defined 15:19 < Risky2> man i feel like an idiot...what am i doing wrong 15:20 < nDuff> Risky2, setting variables in a script, they're only there for the life of that shell 15:20 < nDuff> Risky2, the shell only lives as long as the script does if you run it as a subprocess rather than sourcing it. 15:20 < Risky2> sourcing it? 15:21 < nDuff> Risky2, ". vars", not "./vars" 15:21 < nDuff> Risky2, if you read ". vars" in the docs and assumed it was a typo -- no, it wasn't. 15:21 < Risky2> ooh that did it 15:21 < Risky2> ahh i thought it said ../vars 15:22 < Risky2> which i found confusing :) 15:22 < Risky2> ok thanks 15:31 < Risky2> Thu Sep 4 16:32:09 2008 Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13) 15:31 < Risky2> do i need that? 15:34 < Risky2> man...there's gotta be an easier way to do what i want to do... 
15:34 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 110 (Connection timed out)] 15:37 -!- Ghrim [n=Ollie@host81-151-53-70.range81-151.btcentralplus.com] has quit [Read error: 110 (Connection timed out)] 15:38 < nDuff> Risky2, modprobe tun 15:38 < nDuff> oh, wait, you're non-root 15:38 < Risky2> yeah...and i don't have root 15:38 < Risky2> am i screwed? 15:39 < nDuff> pretty much. 15:39 < Risky2> i just want to proxy my whole machine i don't even need a vpn 15:39 < Risky2> i just don't know how to do that 15:40 < Risky2> like, i want any application making any kind of connection to go through a socks 4 proxy i already have set up 15:40 < nDuff> right. thing is, SOCKS just plain won't do everything 15:40 < Risky2> yeah, but something out there must 15:40 < nDuff> ie. there's no possible way to run a DNS lookup without an attendant connection through SOCKS 15:40 < Risky2> well, how about all tcp/udp at least? 15:40 < nDuff> that said, there are LD_PRELOAD SOCKS wrappers that will make anything that *can* go through SOCKS do so 15:41 < nDuff> one of those might be your best bet. 15:41 < Risky2> i need this for windows 15:41 < nDuff> oh. 15:41 < nDuff> the only approaches that come to mind for Windows involve running your apps in a virtual machine. 15:42 < Risky2> at home a buddy of mine set up this crazy thing where we had a linux machine actually route packets through a proxy 15:42 < nDuff> (qemu's networking support is... surprisingly flexible) 15:42 < Risky2> but i only have my laptop here 15:42 < Risky2> hmm 15:42 < Risky2> yeah that sounds like it would work 15:42 < nDuff> ...well, for that matter, you could use the virtual machine as the router and gateway for your host 15:42 < nDuff> ...and as you're building it, you certainly have root there. 15:43 < Risky2> well, i need windows apps to be proxied 15:43 < Risky2> oh i see 15:43 < Risky2> you're saying use the VM as my internet connection 15:43 < nDuff> exactly.
15:43 < Risky2> and configure it all linuxy and complicated 15:43 < nDuff> and run SLIRP to connect the VM to somewhere else 15:43 < Risky2> :/ 15:43 < nDuff> yes, as you say, all linuxy and complicated. :) 15:44 < nDuff> hmm. 15:44 < nDuff> google windows slirp 15:44 < Risky2> i might be able to just have a vm, install windows on it, and have the vm software go through a proxy, right? 15:44 < Risky2> then just run what i need proxied on the vm 15:44 < nDuff> that's an approach 15:44 < nDuff> but see also http://math.arizona.edu/~swig/documentation/slirp/windows/win2000.php 15:45 < nDuff> if instead of making that go through a phone you have it run over a TCP socket... 15:45 < nDuff> ...and I *do* think there's a "TCP-socket" modem driver available for Windows... 15:45 < nDuff> ...you might have a winner. 15:45 < Risky2> eek 15:45 < Risky2> that's gonna take me a week to get working 15:47 < Risky2> i dunno how you guys remember all this stuff 15:47 < Risky2> i mean, i'm a programmer and i can't keep track of all these details of networking 15:47 < Risky2> its like memorizing a dictionary 15:49 < nDuff> meh; it's just a different set of constructs. UNIX is pretty transparent -- once one's had enough exposure to grok it, things pretty much fit together. 15:49 * nDuff has "developer" on his resume more often than "sysadmin"; http://web.dyfis.net/resume/charles/resume.html 15:50 < Risky2> bleh 15:50 < Risky2> i dunno i've used it for years 15:50 < Risky2> but i forget everything as fast as i learn it 15:53 < Risky2> i'm gonna try parallels workstation see if i can get that to work 15:53 < Risky2> maybe they have a socks 4 option 15:54 < nDuff> personally, I'd stick with systems supporting VDE 15:55 < Risky2> VDE? 
15:55 < nDuff> that's going to give you the easiest bridge to a remote slirp instance
15:55 < nDuff> http://wiki.virtualsquare.org/index.php/VDE_Basic_Networking
15:56 < Risky2> sounds like it involves installing linux somewhere
15:56 < nDuff> I'd expect it to run in cygwin
15:57 < nDuff> ...and qemu is natively available for win32.
15:57 < Risky2> so...what would that do, exactly?
15:58 < nDuff> so you run vde-slirp on your UNIX box in the states, have a local VM that has a tap device connected to the VDE connection (over TCP) bridged to a tap device running OpenVPN, and then connect to that VPN from your Windows host.
15:58 < nDuff> ...and there you are; full network connectivity going over SLiRP (which doesn't require root on the remote endpoint), with a Windows client.
15:59 < nDuff> ...only place any root access is needed is within the VM, and of course you have that.
15:59 < nDuff> ...indeed, doing it that way you don't need VDE installed on the Windows machine at all.
15:59 < Risky2> and the vm runs on my windows machine or on the linux box?
15:59 < nDuff> VM runs on your Windows machine.
16:00 < nDuff> ...though I suppose you *could* run the VM on the Linux box as a way of getting around the no-root-access issue...
16:00 < nDuff> ...that would work too.
16:00 < nDuff> in fact, doing it that way you wouldn't need VDE at all
16:00 < nDuff> you could just use qemu's built-in slirp driver
16:01 < Risky2> again that seems awfully complicated
16:01 < nDuff> *shrug*.
16:01 < Risky2> i think i'm gonna drop the whole thing
16:01 < Risky2> seems like a huge waste of time at this point
16:01 < Risky2> i might as well just set up a windows machine with remote access when i'm back in country
16:01 < Risky2> then i can just run things on there
16:01 < nDuff> it's not that complicated once you're handy with the toolchain, particularly if you have some starter images ready so you aren't building the VMs from scratch (plenty of Linux distros have appropriate images available)
16:02 < nDuff> ...but if that's what you're comfortable with, makes sense.
16:02 < Risky2> i mean...doesn't that sound a lot easier?
16:02 < Risky2> run a computer and install vnc
16:02 < Risky2> done
16:02 < nDuff> if you were happy with that, why wait at all?
16:03 < Risky2> well, because i'm in argentina
16:03 < nDuff> install a VM using a virtualization program that supports VNC connections
16:03 < nDuff> you can do that remotely.
16:03 < nDuff> s/a VM/a Windows VM/
16:03 < Risky2> well, i don't think they'd like me using so many resources on the machines i have access to atm
16:04 < Risky2> it seems like there should be some trivial way to 'proxy all tcp connection through this socks proxy' with like a checkbox
16:04 < Risky2> i mean hell my browser can do it
16:04 < nDuff> yes, but you're on Windows
16:04 < nDuff> since when did Windows make anything easy?
16:04 < Risky2> they make everything easy
16:04 < nDuff> hah
16:04 < Risky2> linux is like a plague
16:04 < Risky2> it consumes your time endlessly
16:05 < nDuff> Windows makes things Microsoft thinks you might want to do easy
16:05 < nDuff> and makes everything else impossible
16:05 < Risky2> right
16:05 < nDuff> f' that.
16:05 < nDuff> Linux makes everything easy, once you know it well enough.
16:05 < nDuff> if you don't know it well enough, that's your problem.
16:05 < nDuff> YOUR problem, even.
16:06 < Risky2> well, since i'm not a human encyclopedia, i prefer windows
16:07 < nDuff> *shrug*; if you want to limit yourself to the things someone else decides to allow you, that's your choice.
16:07 * nDuff wanders off to actually get some work done.
16:07 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has quit [Connection timed out]
16:08 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has joined ##openvpn
16:10 -!- Risky2 [i=Risky@103-35-235-201.fibertel.com.ar] has quit []
16:47 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has quit ["Leaving"]
17:25 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
17:26 < ecrist> heya, kids, I'm finally home.
17:32 * ecrist wonders when this turned into Linux vs Windows
17:35 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has joined ##openvpn
17:37 < dingus9> any one around? I have been trying to get a bridged conn to work correctly, I am currently having trouble communicating with different parts of the network, across the vpn
17:37 < ecrist> I am
17:38 < dingus9> oh you're back sweet
17:39 < dingus9> ecrist: does a bridged vpn conn need to have a bridge on both sides for a client to forward packets from its lan on to the servers lan?
17:42 < ecrist> yes
17:47 < dingus9> hmm so maybe that's part of the problem
17:49 < ecrist> dingus9: have you read the howto on bridged VPNs?
17:49 < dingus9> ecrist: yeah
17:49 < dingus9> I thought it should be working correctly
17:53 < dingus9> from my config server-bridge 192.168.200.101 255.255.255.0 192.168.200.102 192.168.200.103
17:54 < dingus9> I have the tap0 on the server set to 192.168.200.101, but cannot ping from the client
17:56 < ecrist> dingus9: did you let openvpn assign the IP, or did you do it?
17:58 < dingus9> ecrist: it didn't do it on the server, so I tried it
17:59 < dingus9> still no luck
18:04 < ecrist> did you paste your configs?
18:05 * plaerzen likes to socialize in open source support irc channels.
18:13 < ecrist> bbl
18:14 < dingus9> ecrist: I did, but they have changed somewhat.... you wanted me to paste them without comments
18:15 < dingus9> I haven't removed them yet.
18:16 < dingus9> ecrist: based on the server-bridge line, should the server's tap0 interface have been set to 192.168.200.101, or is that incorrect
18:17 < dingus9> http://pastebin.osuosl.org/21988 http://pastebin.osuosl.org/21989 http://pastebin.osuosl.org/21990 http://pastebin.osuosl.org/21991
18:17 < dingus9> those are what I originally posted
18:18 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:21 < dingus9> ecrist: do you know if it's ok to have the eth0 (bridged to tap0) ip bound to my internet ip, but be trying to forward traffic on the 192.168.200.0 subnet... My server can ping and connect to all those boxes
18:36 -!- oinck [n=kasper@lasvegas.perfect-privacy.com] has quit ["Ex-Chat"]
18:55 -!- anholt_ [n=anholt@77.221.189.173] has joined ##openvpn
18:59 -!- plaerzen is now known as plaerzen_home
18:59 -!- plaerzen_home [n=plaerzen@S010600119505deed.cg.shawcable.net] has quit ["Leaving"]
19:13 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:13 < Dougy> sup
19:19 -!- docteh [n=mage@24.86.174.105] has joined ##openvpn
19:34 -!- SilenceGold [n=chris@70.232.53.104] has joined ##openvpn
19:49 -!- anholt_ [n=anholt@77.221.189.173] has quit [Read error: 110 (Connection timed out)]
19:57 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
20:06 < nDuff> ecrist, I think it turned into that roughly when "like a plague" came up.
20:09 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
20:30 -!- orbisvicis [n=orbisvic@v152015.CC.Lehigh.EDU] has joined ##openvpn
20:30 -!- orbisvicis [n=orbisvic@v152015.CC.Lehigh.EDU] has left ##openvpn []
20:30 < ecrist> I'm back.
20:32 < ecrist> nDuff: gotcha
20:32 < ecrist> dingus9: get it working?
20:32 < ecrist> I'll be on for a few minutes
20:34 < ecrist> so, I went, with my son, to Buffalo Wild Wings, one of my usual hang-outs.
20:34 < ecrist> random night, tonight.
20:34 < ecrist> MN Viking cheerleaders happen to be there.
20:34 < ecrist> kid takes a pic with them, I sign up for some contest they're promoting.
20:35 < ecrist> most people have been there since 11am to win, I walk in, sign up, and within 40 minutes, win tickets to home-opener and two Viking seat pads.
20:40 < ecrist> fine, I didn't want to help anyway
21:26 < jeev> uh
21:26 < jeev> i'm at my girlfriend's house
21:26 < jeev> i'm starting openvpn client and it's saying no server authentication crap
21:26 < jeev> there is no conncetion to the
21:26 < jeev> connection to the server
21:26 < jeev> nothing in the logs, wtf
21:27 < jeev> Thu Sep 04 19:25:58 2008 Cannot load private key file client.key: error:0906D06C
21:27 < jeev> :PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_us
21:27 < jeev> e_PrivateKey_file:PEM lib
21:27 < jeev> i dont get it!
21:39 -!- near [n=near@83-155-187-34.rev.libertysurf.net] has joined ##openvpn
22:40 < dingus9> ecrist: not yet, I was making some food, and watching politic stuff for a bit
22:55 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has quit ["Leaving"]
--- Day changed Fri Sep 05 2008
00:45 -!- OpenTokix [i=peter@0x2a.se] has joined ##openvpn
01:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:14 < krzee> werd
--- Log closed Fri Sep 05 04:00:35 2008
--- Log opened Fri Sep 05 06:57:48 2008
06:57 -!- ecrist [n=ecrist@chunk.secure-computing.net] has joined ##openvpn
06:57 -!- Irssi: ##openvpn: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 normal]
06:57 -!- Irssi: Join to ##openvpn was synced in 1 secs
07:10 -!- MZM [n=ddd@85.234.162.11] has joined ##openvpn
08:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:04 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn
08:05 < Rienzilla> Hello everyone
08:09 < ecrist> hello
08:12 < Rienzilla> Is openvpn able to notify an administrator (or a client) if a certificate is about to expire?
08:14 < ecrist> hrm, you can probably script something.
08:16 < kala> only if you are using local CA
08:16 < kala> it seems that there isn't a way to pass full certificate information to any of the scripts
08:17 < kala> you have to look the certificate up from a local file system or from a directory and then decide if "it's about to expire" then warn the user/administrator
08:24 < Rienzilla> hmm
08:24 < Rienzilla> not really a centralized way to keep track
08:25 < ecrist> Rienzilla: you not using a local CA?
08:25 -!- tgnb [n=tgnb@cpe-72-229-133-104.nyc.res.rr.com] has joined ##openvpn
08:26 < Rienzilla> yes I am
08:26 < Rienzilla> hmm of course
08:27 < Rienzilla> I can get the info out of the local ca database
08:27 < ecrist> there you go, that's what I was going to suggest.
08:27 < Rienzilla> thanks
08:27 < Rienzilla> that will do indeed
09:03 < ecrist> :\
09:03 < ecrist> there are a fair number of things missing from ssl-admin
10:00 < ecrist> hrm, I need to refactor a bunch of that code.
10:00 < ecrist> it was one of my first perl scripts, and it shows.
10:00 < ecrist> lots of backticks and system calls, I'm not even using SSLeay.
10:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:21 -!- MZM [n=ddd@85.234.162.11] has quit [Remote closed the connection]
10:52 < jeev> damnit
10:53 < jeev> i dunno why i'm having this problem
11:07 < ecrist> ummm
11:07 < ecrist> it would help if we knew what problem you were having.
11:08 < jeev> i was having tls soft fails and it'd reset
11:08 < jeev> then my dumb ass clean-all and lost everything
11:18 < ecrist> lol
11:36 < jeev> ok, i've re-created it.. but i'm using vista
11:36 < jeev> it's not setting the default gateway properly
11:36 < jeev> either way, the first time i set it up, it was working
11:36 < jeev> then i ran it again and i was getting tls softfails so it was looping giving me connection refused and stuff in the server log
11:36 < jeev> what's it mean when no server certificate mode has been enabled
11:37 < jeev> or whatever
11:37 < jeev> certificate verification method
11:37 < jeev> i mean
11:38 < jeev> ahh, typo in there.. but what the hell is hat
11:38 < jeev> that
11:45 < ecrist> what do the docs say?
11:45 * ecrist is not all-knowing.
11:47 < jeev> dunno
11:47 < jeev> i'll check in a bit
11:47 < jeev> but right now, it's not routing properly
11:49 < jeev> http://openvpn.pastebin.com/m37ac27ab
11:50 < jeev> possible winsock problem
11:50 < jeev> aka vista.
11:51 < ecrist> jeev: what IP is being assigned to your client from OpenVPN?
11:51 < ecrist> you're not giving me a lot to work from.
12:22 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has joined ##openvpn
13:02 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:20 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
13:20 < ecrist> welcome
13:20 < ecrist> :P
13:21 < _Steve_> :)
13:21 < _Steve_> so i'm trying to setup an openvpn server with tap on freebsd
13:21 < ecrist> ok, what issues are you running in to?
13:21 < _Steve_> well, i have openvpn all setup right, i think
13:21 < _Steve_> i can connect
13:22 < ecrist> do you get an IP?
13:22 < _Steve_> yep
13:22 < ecrist> ok, then sounds like you need to simply bridge the lan interface and the tap interface.
13:22 < _Steve_> did that
13:22 < ecrist> ok, can you ping other hosts on the lan?
13:22 < _Steve_> i have a tap0 and a bridge0 with tap0 and em1 added to it
13:23 < _Steve_> no
13:23 < _Steve_> now, it may be an ip address issue
13:23 < _Steve_> the LAN uses 192.168.1.0/24
13:23 < ecrist> ok
13:23 < _Steve_> but i was uncertain so i used the defaults for IPs in tap mode in openvpn which is 10.8.whatever
13:23 < ecrist> that's your problem.
13:23 < _Steve_> ok
13:23 < ecrist> you need a router to do that.
13:24 < _Steve_> so they need to be 192.168.1.0/24 too
13:24 < ecrist> what are you using your vpn for?
13:24 < ecrist> correct.
13:24 < _Steve_> samba
13:24 < _Steve_> samba is the main thing
13:24 < ecrist> ok, so you need a server-bridge directive in your config with a range of IPs OpenVPN can assign to vpn clients.
13:25 < _Steve_> gotcha
13:25 < _Steve_> let me try that
13:25 < ecrist> so, if 192.168.1.50 through 192.168.1.100 are available, a line such as the following could work:
13:25 < _Steve_> hah
13:25 < _Steve_> funny enough that's exactly what i want it to use
13:25 < ecrist> server-bridge 192.168.1.50 255.255.255.0 192.168.1.51 192.168.1.100
13:25 < _Steve_> cause 100-200 are in the dhcp pool
13:25 < ecrist> server-bridge 192.168.1.50 255.255.255.0 192.168.1.51 192.168.1.99
13:27 < ecrist> you need to assign 192.168.1.50 to your tap0 device interface.
13:27 < _Steve_> ah, ok
13:27 < ecrist> manually.
13:27 < _Steve_> just that one?
13:27 < ecrist> yep
13:27 < ecrist> then, OpenVPN will assign 51 through 99 to vpn clients.
13:27 < _Steve_> k, thought i might need all of them, like with aliases
13:28 < _Steve_> bingo!
13:28 < _Steve_> awesome!
13:28 < ecrist> does it work?
13:28 < _Steve_> yep
13:29 < _Steve_> now if i can get my samba password....
13:29 < ecrist> glad to help.
13:29 < _Steve_> then to figure out how to tell rc.conf to do this for me at reboot....
13:29 < ecrist> oh, that's easy
13:29 < _Steve_> i've got tap0, with its ip and bridge0 with em1 and tap0 linked
13:29 < ecrist> what commands did you use to create tap0?
13:30 < _Steve_> ifconfig tap0 create; ifconfig tap0 192.168.1.50
13:30 < _Steve_> i think i know how to do it, but i'm not sure. i did this for home with qemu, but i can't get to that right now
13:30 < ecrist> man tap gives some clues.
13:30 < _Steve_> *nod*
13:32 < ecrist> you *may* want to add this to the startup script for openvpn
13:33 < ecrist> ifconfig tap0 create && ifconfig tap0 192.168.1.50
13:33 < _Steve_> ifconfig_em1="192.168.1.21 netmask 255.255.255.0"
13:33 < _Steve_> ifconfig_tap0="192.168.1.50 netmask 255.255.255.0"
13:33 < _Steve_> autobridge_interfaces="bridge0"
13:33 < _Steve_> autobridge_bridge0="tap0 em1"
13:33 < _Steve_> should do it, no?
13:33 < ecrist> yes, only until they break it.
13:34 < _Steve_> heh, i know it has changed a bit....
13:34 < ecrist> well, sysctl net.link.dap.devfs_cloning is set to what?
13:34 < _Steve_> but i think that interface is stable. maybe not...
13:34 < _Steve_> default
13:34 < _Steve_> err, no such oid
13:34 < ecrist> hrm, I get that, too.
13:34 < _Steve_> # sysctl -a | grep -i clon
13:34 < _Steve_> net.link.tun.devfs_cloning: 1
13:34 < _Steve_> net.link.tap.devfs_cloning: 1
13:35 < _Steve_> those are default
13:35 < ecrist> oh, dap
13:35 < ecrist> I meant tap
13:35 < ecrist> net.link.tap.devfs_cloning
13:35 < ecrist> 1 is what you want.
13:35 < _Steve_> now to make bridge and tap kldload at boot and i think i should be set
13:35 < _Steve_> that's what it's set to, and default, i think.
13:35 < ecrist> that is the current default, yes.
13:36 < _Steve_> k
13:36 < _Steve_> awesome, thanks for the help man
13:37 < ecrist> um, add cloned_interfaces="tap0" to your rc.conf
13:37 < ecrist> iirc, that will run ifconfig tap0 create for you, before you try to configure it.
13:37 < ecrist> np
13:38 < _Steve_> ah, thanks
13:38 < _Steve_> i wouldn't have known
13:38 < _Steve_> now if i can just remember how to sign a cert for a new user....
13:38 < _Steve_> i just setup a test one for myself....
13:39 < ecrist> _Steve_: cd /usr/ports/security/ssl-admin && make install && rehash; ssl-admin
13:39 < _Steve_> i'm using the easyrsa scripts
13:39 < _Steve_> is that different?
13:39 < ecrist> yes
13:39 < ecrist> they're gross
13:39 < _Steve_> better?
13:39 < _Steve_> but, i've already setup all my stuff with them....
13:40 < ecrist> ok, no worries, then.
13:42 < ecrist> it's a perl script I wrote to manage ssl certificates.
13:45 < _Steve_> now, it's working for me on my mac
13:45 < _Steve_> using this silly EVDO thing
13:45 < _Steve_> now to just figure out how to tell a user to use it...
13:45 < _Steve_> and on windows
13:45 < _Steve_> what's the best openvpn client on windows?
13:45 < _Steve_> http://openvpn.se/ ?
13:46 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
13:46 < _Steve_> man, that works so well, i just might do away with ssh to the production data center and require people to use openvpn before ssh'ing....
13:47 < ecrist> glad you got it working.
13:47 < _Steve_> thanks
13:47 < _Steve_> so on the mac, i had to copy over the ca.crt and the ta.key as well as the users crt and key
13:47 < _Steve_> i'll have to do that on windoze too?
13:48 < _Steve_> i need a windoze box to test with.... hmm....
13:48 < ecrist> yes, you need 4 files for each client.
13:48 < _Steve_> k
13:48 < ecrist> their certificate and key, a config, and the ca certificate.
13:48 -!- rubydiamond [n=rubydiam@123.236.177.165] has joined ##openvpn
13:49 < ecrist> *ahem*, my ssl-admin script packages all that for you...
13:49 < rubydiamond> Hi ppl
13:49 < _Steve_> oh, goody
13:49 < ecrist> hi rubydiamond
13:49 * _Steve_ installs then
13:50 < rubydiamond> I am getting error on connect "TLS Error: Unroutable control packet received from "
13:50 < ecrist> _Steve_: there are some bugs, but I'm actively working on them. If you run into a problem, let me know
13:50 < _Steve_> ok
13:50 < ecrist> rubydiamond: what does google say?
13:50 < rubydiamond> ecrist: what could be the reason
13:50 < rubydiamond> ecrist: yeah
13:50 < _Steve_> so i'll have to re-key everything, to switch from the easyrsa stuff to ssl-admin?
13:50 < ecrist> nope
13:50 < _Steve_> oh?
13:51 < rubydiamond> I googled but they are saying your client and server times are different
13:51 < ecrist> _Steve_: you just have to put all the configs and keys where ssl-admin expects them.
13:51 < _Steve_> ok
13:51 < ecrist> install it now, and I'll be around for about an hour to help you.
13:51 < _Steve_> ok
13:51 * _Steve_ edits ssl-admin.conf
13:51 < ecrist> iirc, I wrote it to ask you for each file and it moves them around for you.
13:53 < ecrist> oh, make sure the values you put in ssl-admin.conf EXACTLY match what's in your current CA certificate.
13:53 < _Steve_> right
13:53 < rubydiamond> ecrist: what could be the reason for getting the "TLS Error: Unroutable control packet received from .."
13:53 < _Steve_> what is KEY_CN, i don't have that in vars
13:54 < ecrist> rubydiamond: what does google say?
13:54 < ecrist> _Steve_: then leave it blank.
13:54 < _Steve_> k
13:54 < _Steve_> and i have no CRL ATM
13:54 < ecrist> the script will build it for you
13:54 < ecrist> oh, wait, there's an update for that.
13:55 < ecrist> I just committed some updates today, I'm going to repackage tonight and submit to ports@ to get them updated.
13:56 < _Steve_> should i wait?
13:56 < ecrist> hrm, depends how much of a hurry you're in.
13:57 < _Steve_> kinda a hurry
13:57 < _Steve_> i'm happy to fix things later if necessary
13:57 < rubydiamond> ecrist: here is the pastie http://pastie.org/266820
13:57 * _Steve_ goes ahead
13:57 < ecrist> _Steve_: https://www.secure-computing.net/trac/browser/trunk/ssl-admin/ssl-admin
13:58 < ecrist> that's the current working version
13:58 < vpnHelper> Title: /trunk/ssl-admin/ssl-admin - SCN Open Source - Trac (at www.secure-computing.net)
13:58 < _Steve_> ok
13:58 < _Steve_> so just copy that over the version ports installed?
13:58 < ecrist> yes, then there's a command to run, I'm getting it for you.
13:59 < ecrist> sed -i "" "s+~~~PREFIX~~~+/usr/local+g" ssl-admin
13:59 < _Steve_> gah, html
13:59 < ecrist> erm
14:00 * _Steve_ grabs the "original format"
14:00 < ecrist> sed -i "" "s+~~~PREFIX~~~+/usr/local+g" /usr/local/bin/ssl-admin
14:00 < _Steve_> gotcha
14:01 < ecrist> that has all my updates from today, which is like 3
14:01 < ecrist> but it's the one I'm using on my server right now.
14:01 < rubydiamond> ecrist: I found this on google http://pastie.org/266822
14:01 < rubydiamond> but how do I make it work
14:01 < _Steve_> sweet
14:01 * _Steve_ gives it a try now
14:01 < ecrist> rubydiamond: so set your clocks correctly.
14:02 < rubydiamond> ecrist: which clock
14:02 < ecrist> both
14:02 < rubydiamond> my laptop clock or server one
14:02 < ecrist> both
14:02 < rubydiamond> but I can't change server clock
14:02 < ecrist> hrm, don't know what to tell you
14:02 < rubydiamond> also to which time should I change my laptop clock
14:03 < _Steve_> the correct time
14:03 -!- rubydiamond [n=rubydiam@123.236.177.165] has quit [Read error: 104 (Connection reset by peer)]
14:04 -!- rubydiamond [n=rubydiam@123.236.177.165] has joined ##openvpn
14:05 < rubydiamond> ecrist: also to which time should I change my laptop clock
14:05 < ecrist> rubydiamond: both need to be correct.
14:05 < ecrist> that's all.
14:05 < ecrist> I don't even know if that's your problem.
14:09 * _Steve_ does his own key to test ssl-admin
14:09 < _Steve_> re-does that is
14:10 < ecrist> _Steve_: if there's a bug, or you need a feature, let me know.
14:10 < _Steve_> hmm, you know, i want to start over.
14:10 < _Steve_> i put the state as the abbreviation and i want the whole thing
14:10 < _Steve_> ok, thanks
14:13 < _Steve_> ecrist: question
14:13 < _Steve_> what should the owner name be for the CA?
14:14 < ecrist> company name, organization name, your name, etc.
14:14 < jeev> bad source address
14:14 < jeev> great.
14:14 < ecrist> jeev: that's covered in the howto
14:15 < jeev> yea
14:17 < jeev> http://openvpn.net/index.php/documentation/howto.html
14:17 < jeev> it ain't there
14:17 < vpnHelper> Title: HOWTO (at openvpn.net)
14:17 < ecrist> jeev: sorry, it's on the FAQ
14:17 < ecrist> http://openvpn.net/index.php/documentation/faq.html
14:17 < vpnHelper> Title: FAQ (at openvpn.net)
14:17 < jeev> does it have to do CCD
14:17 < jeev> k
14:19 < jeev> the problem is
14:19 < jeev> it's showing my public ip, not the internal one
14:21 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
14:21 < jeev> you know what i'm saying?
14:21 < jeev> everything i see that has to do with bad source or whatever
14:21 < jeev> talks about an internal ip
14:22 < jeev> i think it's having a problem with push gateway.
14:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:05 < _Steve_> crap, re-keying broke my setup
15:08 < _Steve_> Fri 09/05/08 04:08 PM: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
15:09 < dingus9> ecrist: hey, I was reading above in the chat how you said that tap0 needs to be set to the manual ip that is set in the server-bridge... however, when I set it I lose the ability to ping all the external boxes on that subnet
15:09 < dingus9> any ideas
15:09 < _Steve_> he took off
15:09 < _Steve_> should be back later
15:10 < _Steve_> i wonder why i'm getting the cert verify failed now
15:14 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
15:22 < ecrist> I'm back for a few, till the wife gets home
15:22 < _Steve__> cool
15:22 < ecrist> dingus9: no idea, without looking at your configs and such, which I'm willing to do later tonight.
15:22 < _Steve__> i got everything setup with the new keys, but then i started getting cert verification errors.
15:22 < _Steve__> so, i'm starting over. again.
15:22 < _Steve__> bleh
15:23 < ecrist> _Steve_: if you create new server and CA keys, you need to reissue client keys.
15:23 < _Steve__> right, i did
15:23 < _Steve__> i think i screwed something up tho
15:24 < ecrist> don't know what there is to screw up.
15:24 < _Steve__> me either
15:24 < _Steve__> :)
15:25 < ecrist> so, you created new CA certificate and key
15:25 < ecrist> then, you created new openvpn certificate and key.
15:25 < ecrist> correct?
15:25 < _Steve__> yeah
15:25 < _Steve__> then i created a new client cert and key
15:26 < ecrist> ok, did you change your Openvpn server config to point to the new server keys?
15:26 < ecrist> and restart openvpn?
15:26 < _Steve__> yes
15:26 < _Steve__> yes
15:27 < ecrist> can you pastebin your errors?
15:27 < ecrist> erm, logs?
15:27 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has quit [Read error: 110 (Connection timed out)]
15:27 < _Steve__> one min
15:27 < _Steve__> i'm going to do it all over again
15:27 -!- socialist [n=groggy@gw.gemstone.com] has left ##openvpn ["Leaving"]
15:27 < ecrist> hrm, that script still wants to recreate the CRL every time.
15:27 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has joined ##openvpn
15:30 < _Steve__> ok, what does "owner name already configured" mean?
15:30 < ecrist> o.O
15:30 < ecrist> where do you see that?
15:30 < _Steve__> i created the new CA cert
15:31 < _Steve__> then i hit 4 to generate the vpn server cert/key
15:31 < _Steve__> Owner name already configured as ... , using exiting value.
15:31 < _Steve__> Would you like to password protect the private key (y/n):
15:31 < _Steve__> from here, i'm lost
15:31 < _Steve__> so usually i ctrl-C and start over
15:32 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Connection timed out]
15:32 < dingus9> ecrist: hey, I was reading above in the chat how you said that tap0 needs to be set to the manual ip that is set in the server-bridge... however, when I set it I lose the ability to ping all the external boxes on that subnet
15:32 < ecrist> ah
15:32 < ecrist> dingus9: no idea, without looking at your configs and such, which I'm willing to do later tonight.
15:33 < dingus9> ecrist: sure... I was just wondering if anything needs to happen in the routing tables on the server
15:33 < ecrist> not for bridged VPNs
15:34 < ecrist> generally, routing is more of an issue on tun vpns
15:34 < dingus9> ecrist: ok... that's what I thought, what about a separate network device for that subnet
15:35 < _Steve__> ecrist: any ideas on that script issue?
15:35 < ecrist> _Steve__: thought you left.
15:35 < _Steve__> no, that was my clone
15:35 < _Steve__> :)
15:35 < dingus9> ecrist: I am just trying to narrow down the issue
15:35 < ecrist> that issue is what you were referring to earlier.
15:35 < ecrist> since you created a key, it's 'remembering' it
15:35 < _Steve__> ok
15:35 < ecrist> press 1 from menu, give it a new name.
15:35 < _Steve__> so for what i'm doing, do i answer y or n?
15:36 < ecrist> I'd press n for most cases.
15:36 < ecrist> the problem is, if someone gets a hold of the certificate, they get on your vpn without knowing the password.
15:36 < dingus9> _Steve__: I usually don't for my server keys... = n for my choice
15:36 < _Steve__> right, so i'm going to say y there
15:36 < _Steve__> dingus9: right
15:36 < _Steve__> i guess i should have known to quit out after creating the CA key
15:37 < _Steve__> or reset the CN via 1
15:37 < _Steve__> which i didn't
15:37 < ecrist> _Steve__: that's a process that should obviously be cleaned up in the script.
15:37 * ecrist submits a ticket
15:37 < _Steve__> submit one for fixing the openssl.cnf copy too. :)
15:38 < ecrist> _Steve__: got your email, will look into ta.key support.
15:38 < _Steve__> k
15:38 < _Steve__> gah!
15:38 < _Steve__> Key size in bits (less than 4096) [1024]:
15:38 < _Steve__> Key size in bits (less than 4096) []:
15:38 < _Steve__> Key size in bits (less than 4096) []:
15:38 < _Steve__> uh?
15:39 < ecrist> I failed there,
15:39 < ecrist> you have to enter a number
15:39 < ecrist> just doesn't work.
15:39 < ecrist> :(
15:39 < _Steve__> fix it! :)
15:40 * ecrist submits another ticket
15:40 * ecrist needs a dev team
15:42 < ecrist> wife's home, I gotta go.
15:42 < ecrist> I will work on this stuff later tonight or tomorrow.
15:45 < _Steve__> ok
15:49 < _Steve__> gah!
15:53 < dingus9> ecrist: coo
15:53 < _Steve__> still getting cert errors
15:53 < _Steve__> wtf
15:53 < dingus9> _Steve__: hmm
15:53 < _Steve__> i start from scratch
15:53 < _Steve__> make the CA cert
15:53 < dingus9> _Steve__: is this from src?
15:53 < _Steve__> make the vpn server cert
15:53 < _Steve__> make the client cert
15:54 < _Steve__> copy the client cert
15:54 < dingus9> _Steve__: are you compiling from src
15:54 < _Steve__> yada yada
15:54 < _Steve__> freebsd ports, yes
15:54 < _Steve__> the client is a mac
15:54 < dingus9> ic... you could do all the cert stuff on another machine
15:55 < _Steve__> the server is freebsd
15:55 < _Steve__> that's where i'm doing the cert stuff
15:55 < dingus9> _Steve__: another machine
15:55 < dingus9> lol
15:55 < dingus9> the server doesn't care where it's from
15:55 < _Steve__> ???
15:55 < dingus9> did you look at the scripts to build the certs?
15:55 < _Steve__> that's what i've been using
15:55 -!- rubydiamond [n=rubydiam@123.236.177.165] has quit [Client Quit]
15:56 < _Steve__> i didn't have cert verification issues until i started using it tho
15:56 < dingus9> hmm
15:56 < _Steve__> using easyrsa i didn't have this problem
15:56 < dingus9> I used the 2.0 scripts in the openvpn docs
15:56 < dingus9> yeah
15:56 < dingus9> that's what I used
15:57 < dingus9> you could use openssl
15:57 < dingus9> also
15:58 < _Steve__> yeah
15:58 < _Steve__> well, i thought i'd try the ssl-admin thing
15:58 < _Steve__> it's fine except i get these cert validation problems on the client
15:59 < dingus9> hmm
15:59 < dingus9> yeah that sounds like a code problem
15:59 < _Steve__> i'm wondering if the client is caching something stupid
15:59 < _Steve__> what?
15:59 < _Steve__> a code problem? no
15:59 < _Steve__> it was working fine
15:59 < _Steve__> like i had the certs all setup
15:59 < _Steve__> and was able to connect
15:59 < _Steve__> then i switched to ssl-admin from easyrsa (2.0) and re-key'd everything
16:00 < dingus9> hmm
16:00 < _Steve__> since then, everything starts up ok, but the client fails to connect with a cert verification failure
16:01 < dingus9> that would be weird... did you change the names of the keys, and or the location on disk?
16:01 < _Steve__> yes
16:01 < _Steve__> and i updated the config file and such
16:01 < _Steve__> and restarted
16:02 < dingus9> you have a unique id for each key right
16:03 < dingus9> _Steve__: have you tried the "problem keys" on another machine/client
16:03 < _Steve__> no, i don't have another one that's not on the same network to try
16:03 < _Steve__> and it's not the keys that fail to verify
16:03 < _Steve__> it's the certs
16:05 < dingus9> _Steve__: aren't the keys verified against the certs... I was just wondering if it could be something like that, but maybe not
16:05 < _Steve__> no
16:15 < _Steve__> brb
16:15 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit []
16:39 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
16:42 < _Steve_> ecrist?
16:52 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:52 < Dougy> suppp
16:53 < Dougy> boooo
16:53 < Dougy> !menu
16:53 < vpnHelper> Dougy: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom
16:53 < Dougy> !forum
16:53 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
17:05 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
17:12 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:14 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Connection timed out]
17:29 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Connection timed out]
17:52 < dingus9> OH happy day
17:52 < dingus9> lol
17:52 < Dougy> oh yay
17:52 < dingus9> I just figured out what I was doing wrong for two days
17:52 < dingus9> lol
17:53 * nDuff sees that James is back on the list again
17:53 < nDuff> ...last time I followed project status at all he'd fallen off the edge of the world.
17:54 < dingus9> ecrist: I figured out my problem, I was trying to bind an ip to the tap0 interface, when what I really wanted was to add another ip address to the br0 interface so ifconfig br0:1 192.168.200.100(the servers ip) makes all the diff 18:29 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 18:32 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 18:33 < _Steve_> whee 18:57 < Dougy> wow 18:58 < _Steve_> what? 18:59 < Dougy> http://web.twzone.net/trace.txt 18:59 < _Steve_> hmmm, ok 19:01 < Dougy> lol 19:04 < _Steve_> so what do i put in openvpn.conf on the client to make it change the default route to my vpn server? 19:07 < Dougy> er 19:07 < Dougy> do you mean rout al traffic through it 19:07 < Dougy> route all^ 19:07 < _Steve_> yeah 19:07 < _Steve_> redirect-gateway ? 19:07 < Dougy> my english is borderline pathetic tonight 19:07 < Dougy> yes 19:07 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 19:07 < Dougy> push "redirect-gateway def1" 19:07 < _Steve_> "def1" ? 19:08 < _Steve_> replace that with the IP of my gateway or just put that literally? 19:12 < nDuff> literally 19:12 < nDuff> (it's in the man page as a flag, btw) 19:12 < _Steve_> oh, ok 19:12 < _Steve_> yeah, i saw that 19:12 < _Steve_> wasn't sure about the flag to config file setting situation 19:13 < nDuff> if it's a flag, it's also a config file directive 19:13 < _Steve_> gotcha 19:13 < _Steve_> thanks 19:13 < _Steve_> i'm going to give that a try now, so irc is going to choke... 19:18 < _Steve_> ping? 19:19 < nDuff> ack 19:19 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Remote closed the connection] 19:20 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 19:20 < _Steve_> hmmm firewall issue that i don't want to try to fix remotely... 
19:20 < Dougy> er 19:20 < Dougy> hhi _Steve_ 19:20 < Dougy> hi* 19:20 < _Steve_> i'm trying to do something weird, use tap and change the default route at the same time.... 19:20 -!- dingus9 [n=thedingu@64-91-124-145.stat.centurytel.net] has quit ["Leaving"] 19:21 < _Steve_> so that people can get to things and it's just like they're using the office network 19:21 < Dougy> Use tun 19:21 < Dougy> lol 19:21 < _Steve_> but it's slow enough that they don't use it all the time and make things insecure (cause i don't feel like setting up a bunch of firewall rules to block stuff from their home networks, which will be useless anyway because the virii will just use http anyway...) 19:22 < _Steve_> nah, need tap in order to use samba 19:22 < nDuff> not necessarily -- can set up unicast discovery w/ SMB/CIFS 19:22 < _Steve_> please explain 19:23 < _Steve_> or if there is a url that explains that'd be cool too 19:23 < nDuff> set dhcp-options WINS , and NBT type 2 or 8 19:24 < nDuff> (of course, you need a WINS server) 19:24 < nDuff> ...there should be explanations on the ML archives if not elsewhere 19:24 < _Steve_> our Samba is a WINS server and a PDC 19:24 < _Steve_> so it shouldn't be an issue, i think 19:24 < nDuff> ahh; there you are, then; just make sure it's set up to take point-to-point queries and configure your dhcp-options to tell VPN clients to use it that way. 19:25 < _Steve_> this will work with macs too? 19:25 < nDuff> depends on the quality of their Windows Networking implementation 19:25 * nDuff doesn't know. 19:25 < _Steve_> leopard... 19:25 < _Steve_> k 19:26 < _Steve_> so the dhcp options just goes in the dhcp server config 19:26 < nDuff> it goes in the openvpn config 19:26 < _Steve_> ah 19:26 < _Steve_> and NBT type too? 19:26 < nDuff> yup 19:26 < _Steve_> interesting 19:26 < _Steve_> i'll have to try that next week 19:26 < _Steve_> right now, i think i'm going to not change anything, cause i don't want to break the firewall... 
19:26 < nDuff> openvpn configures networking on windows clients via a fake dhcp server (well, it's one of the ways) 19:26 < _Steve_> can't fix it remotely.... 19:27 < _Steve_> neat 19:27 < _Steve_> sounds a lot better than the old PPTP or IPSEC way 19:31 < _Steve_> although now that i think about it, i haven't really investigated L2TP over IPSEC.... 20:05 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."] 20:31 -!- ScytheBlade1 [n=Death@about/pxe/ScytheBlade1] has joined ##openvpn 20:31 < ScytheBlade1> Hi all - having a "MULTI: bad source address from client, packet dropped" problem.. 20:32 < ScytheBlade1> Google suggests that this is due to the client using the 'wrong' IP to communicate with the server, and in every case I can find there, it's due to the client being behind a NAT router and sending its own private internal IP instead of the OpenVPN assigned IP 20:33 < ScytheBlade1> The trick here is that the client in question is actually on a public IP, no NAT.. and telling the server that it can find his subnet (public IP) over the regular interface (global internet) is a bit redundant :) 20:33 < ScytheBlade1> Any suggestions/debugging ideas? 20:49 < Dougy> someone pinged me 20:49 < Dougy> who dun it 20:49 < Dougy> hmmmmm 21:27 -!- TylerM [n=TylerM@osgeo/member/TylerM] has joined ##openvpn 21:27 -!- near [n=near@83-155-187-34.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)] 21:27 < TylerM> hi all, i'm a total openvpn n00b but know i've got it running properly on my server.. 21:27 < TylerM> proper = a tester used it fine :) 21:27 < TylerM> but now i'm looking at my mobile phone which has a ipsec-based client app... 21:28 < TylerM> i assume it won't work at all with openvpn. is that right? 21:28 < TylerM> no masquerading secrets you can share? 
;) 21:39 -!- near [n=near@88-122-16-88.rev.libertysurf.net] has joined ##openvpn 21:59 < Dougy> man i have to piss like hell 22:07 < jeev> dougy 22:07 < jeev> i just psised 22:07 < jeev> my set up is fucked man 22:09 < Dougy> ring 22:09 < Dougy> dude i just took a piss for the ages 22:17 < jeev> lol 22:17 < jeev> i dunno what to do 22:17 < jeev> i'm getting tired of reconfiguring it 22:36 * ecrist <3 his sprint air card. 22:43 < _Steve_> ecrist 22:43 < _Steve_> hi dude 22:46 < Dougy> Ecrist! 22:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:02 < Dougy> hey krzee 23:02 < Dougy> bye krzee 23:02 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 23:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 23:11 -!- TylerM [n=TylerM@osgeo/member/TylerM] has left ##openvpn [] 23:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:27 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Remote closed the connection] 23:28 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn --- Day changed Sat Sep 06 2008 01:37 < krzee> !betaman 01:37 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html 01:49 < krzee> !learn push-reset as Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level. 01:49 < vpnHelper> krzee: The operation succeeded. 
01:49 < krzee> !menu 01:50 < vpnHelper> krzee: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom 01:50 < krzee> !menu forget 01:50 < vpnHelper> krzee: Error: "menu" is not a valid command. 01:50 < krzee> !forget menu 01:50 < vpnHelper> krzee: The operation succeeded. 01:50 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom, !push-reset 01:50 < vpnHelper> krzee: The operation succeeded. 
02:59 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 03:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:32 -!- itchi [n=David@unaffiliated/itchi] has quit [Read error: 110 (Connection timed out)] 03:53 -!- bandini [n=bandini@host13-25-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 04:11 -!- bandini [n=bandini@host13-25-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 104 (Connection reset by peer)] 04:12 -!- bandini [n=bandini@host52-106-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 05:26 -!- itchi [n=David@unaffiliated/itchi] has joined ##openvpn 05:31 -!- itchi [n=David@unaffiliated/itchi] has quit [Remote closed the connection] 06:16 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 07:21 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 07:21 < kexman> hi 07:21 < kexman> i have script to create certificates 07:21 < kexman> can i use that to create certificates for openvpn 07:32 -!- tgnb [n=tgnb@cpe-72-229-133-104.nyc.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 07:33 -!- tgnb [n=tgnb@cpe-72-229-133-104.nyc.res.rr.com] has joined ##openvpn 08:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 10:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:50 < krzee> hey ecrist 10:50 < krzee> is the forumfeed stuff working? 10:51 < krzee> my inet is too unreliable to know if they are being announced or not 10:52 < jeev> i hate this 10:52 < jeev> my ovpn shit got messed up 10:53 < jeev> then i accidentally removed my server.conf 10:53 < jeev> and all that crap 10:56 < krzee> umm 10:56 < krzee> ya that does suck 11:38 -!- _spike [i=spike@IPv4.addrss.net] has joined ##openvpn 11:38 < _spike> heya, having some problems here... 
11:39 < _spike> I can successfully connect my machines to my openbsd openvpn server/router, but i cannot ping it nor anything outside my network. 11:39 < _spike> When i try and ping 10.8.8.1 I get host unreachable. 11:39 < _spike> thinking maybe it's a pf error... 11:39 < _spike> anybody around? 11:40 < _spike> http://pastebin.com/d7a7e9963 11:42 < _spike> http://pastebin.com/m6fd48814 11:42 < _spike> those are pf.conf and server.conf 11:46 < krzee> 1sec, lookin 11:46 < krzee> oh a bridge 11:46 < krzee> windows shares? 11:47 < krzee> !bridge 11:47 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 11:47 < krzee> !more 11:47 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 11:47 < krzee> if you dont fall into #4 you fall into #3 11:49 < krzee> i gotta go in a minute 11:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 11:52 < _spike> well 11:52 < _spike> i need bridging for #4 11:52 < _spike> that's the whole point of the vpn 11:52 < _spike> is to prevent clear text samba traffic....i want all the samba traffic encrypted. 11:52 < _spike> so i'm running smbd on a private network, that's only accessible via the vpn 11:53 < _spike> and i've read that exact document 11:53 < _spike> but i'm not sure what i'm doing wrong 11:53 < _spike> and other problem with that document is that 1) i'm not using iptables, i'm using pf... 11:53 < _spike> and i've been googling/searching all over for pf + openvpn and trying all sorts of stuff, but can't seem to get it to work, my pf.conf not being very standard doesn't help either. 
11:58 < _spike> okay just finished reading those links you posted, neither helped. 11:58 < _spike> thanks though, got any other ideas? 11:58 < _spike> Anybody else around? Need a little help troubleshooting here/... 11:58 < _spike> pf.conf : http://pastebin.com/d7a7e9963 11:58 < _spike> server.conf : http://pastebin.com/m6fd48814 11:59 < krzee> ya i have a lot less experience with bridging so im less helpful there 11:59 < krzee> but if you are running smbd and not chasing a share which is hosted on windows you can get around bridging 12:01 < _spike> damn 12:01 < _spike> oh really? 12:01 < _spike> its a solaris cifsd 12:01 < krzee> http://openvpn.net/index.php/documentation/faq.html#samba-routing 12:01 < vpnHelper> Title: FAQ (at openvpn.net) 12:02 < _spike> hmmm 12:02 < krzee> and the batchfile can be run auto using an up script 12:02 < _spike> i think i still prefer bridged mode to routed mode, i like having the same ip range as if i were on my local network. 12:02 < krzee> !betaman 12:02 < krzee> search for --up 12:02 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html 12:03 < krzee> you dont have the same ip range, you are handing out ips in 10.8.8.x in your server-bridge statement (unless your lan is 10.8.8.x...) 12:03 < _spike> hehe yeah i've read that doc before as well, but I don't want to have to play with batch files... 12:03 < _spike> yeah my lan is 10.8.8.x 12:04 < krzee> oh ok 12:04 < _spike> 1-10 are services 12:04 < krzee> dev-type tap 12:04 < krzee> dev tun0 12:04 < _spike> 20-100 are wired clients 12:04 < krzee> you cant make a tap device in openbsd? 
12:04 < _spike> 100-200 are wireless/vpn/outside clients 12:04 < _spike> dunno, that's something strange about openbsd 12:04 < _spike> you use a tun device, but specify tap 12:04 < krzee> oh ok 12:04 < _spike> it's supposed to be that way though, multiple tutorials/faq's confirm that 12:04 < krzee> ive never used ovpn on obsd 12:04 < _spike> but yeah, probably can't create a tap interface or something 12:04 < krzee> so i take your word for it 12:05 < _spike> should run just fine, it's part of obsd's port system 12:05 < _spike> i think it's a pf.conf issue 12:05 < krzee> "Yes, on OpenBSD it is tun0 again and not tap as it should be if you follow the HOWTO." 12:05 < _spike> or a routing issue 12:05 < _spike> probably a routing issue actually 12:05 < krzee> there shouldnt be routing issues on a bridge 12:06 < krzee> all is handled at a lower level 12:06 < krzee> ARP should go over the bridge, etc 12:06 < krzee> which is why im not too sure about how to help, im much more experienced with tun / routing issues, etc 12:06 < krzee> since im not much help, im gunna go get some food 12:06 < _spike> hmmmm i wonder whats up with it then 12:06 < _spike> heh 12:06 < krzee> goodluck! 12:06 < _spike> alright enjoy 12:06 < _spike> thanks for the help. 12:07 < krzee> you could turn off pf for a quick testing second 12:07 < krzee> to check that 12:07 < _spike> on it. 12:08 < _spike> nope still doesn't work. 12:09 < _spike> so at least i know its not a pf issue 12:12 < _spike> Anybody else around? 12:12 < _spike> need some help here if anyone could. 12:12 < _spike> Otherwise i'll just have to go for a routed setup -just- so that krzee can help me 12:12 < _spike> lol 12:13 < krzee> lol 12:13 < krzee> stick around 12:13 < krzee> people pop in and out 12:14 < _spike> good stuff 12:14 < _spike> thanks :) 12:14 < krzee> np 12:31 < _spike> Anybody around? 
12:31 < _spike> [10:56] pf.conf : http://pastebin.com/d7a7e9963 12:31 < _spike> [10:57] server.conf : http://pastebin.com/m6fd48814 12:32 < _spike> Need some help troubleshooting, can't ping other devices on my bridged network... 12:32 < _spike> [10:56] pf.conf : http://pastebin.com/d7a7e9963 12:32 < _spike> [10:57] server.conf : http://pastebin.com/m6fd48814 12:32 < _spike> [10:56] pf.conf : http://pastebin.com/d7a7e9963 12:32 < _spike> [10:57] server.conf : http://pastebin.com/m6fd48814 12:32 < _spike> 10:38] http://pastebin.com/d7a7e9963 12:32 < _spike> [10:40] http://pastebin.com/m6fd48814 12:32 < _spike> shit 12:32 < _spike> didn't mean to paste that 6 times 12:32 < _spike> sorry bout that. 13:09 < _spike> anybody around? Need some help here... 13:22 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 13:56 -!- HaRRT [n=Arthur@193.227.226.84] has joined ##openvpn 14:07 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer] 15:40 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 15:41 -!- SilenceGold [n=chris@70.232.53.104] has quit [Read error: 104 (Connection reset by peer)] 16:03 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 17:13 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:52 < _spike> Anybody around? Really need some help here, all my pings are getting dropped.... 17:52 < _spike> [11:30] [10:56] pf.conf : http://pastebin.com/d7a7e9963 17:52 < _spike> [11:30] [10:57] server.conf : http://pastebin.com/m6fd48814 17:54 < _spike> anyone? 18:19 < _spike> krzee you still around? 
19:18 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 19:29 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn 19:29 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has left ##openvpn [] 19:56 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:56 < Dougy> sup 20:04 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [] 20:17 < jeev> sup 20:17 * jeev is blasting persian music 20:26 < Dougy> yoooooo 20:26 < Dougy> whats good 20:26 < jeev> nothing 20:26 < jeev> http://www.youtube.com/watch?v=RPOYDiFJSU4 20:26 < jeev> listen to that 20:26 < vpnHelper> Title: YouTube - Dariush and Ebi - Noono Panir o Sabzi - نون و پنير وسبزی (at www.youtube.com) 20:27 < jeev> one of my favorite 20:27 < jeev> persian songs EVER 20:27 < jeev> ! 20:27 < jeev> i dunno what he's saying 20:27 < jeev> but it's about i think cheese and bread or rice 20:27 < jeev> i dunno 20:27 < jeev> lol 20:27 < Dougy> what 20:27 < Dougy> the HELL 20:27 < jeev> i was born there but i'm armenian.. due to the genocide, my grandparents moved there 20:27 < jeev> sickest song ever! 20:27 < Dougy> o.o 20:27 < Dougy> im a lot of things 20:27 < Dougy> pissed off is one of them 20:27 < jeev> why 20:30 < Dougy> had to swim across the street to get home 20:33 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn 20:33 < orbisvicis> i have a setup .. 
i dont know why it works 20:34 < orbisvicis> : 20:34 < orbisvicis> ip packet headers dont include default gateway destination 20:34 < Dougy> okay 20:34 < orbisvicis> so if server gateway manages 192.168.1.2-192.168.1.250 and tap0 gives vpn client ip 192.168.1.252 20:34 < orbisvicis> then vpn client connects to computer "A" on server lan through tap0 20:34 < orbisvicis> computer "A" sends the vpn client response packet to server gateway with destination 192.168.1.252 20:35 < orbisvicis> server gateway goes, "screw me, i dont know where 192.168.1.252 is; im not managing that range" 20:35 < orbisvicis> openvpn network fails 20:35 < orbisvicis> except it doesnt fail ... 20:38 < orbisvicis> i dont know why 20:38 < orbisvicis> oh yeah, one more thing i dont get 20:39 < orbisvicis> eth0 is still a physical device, but the virtual br0 has the ip, so: 20:40 < orbisvicis> does nonvpn incoming traffic go: gateway -> eth0 -> br0 -> eth0 -> lo 20:41 < orbisvicis> or gateway -> eth0 -> br0 -> lo 20:41 < orbisvicis> or gateway -> br0 -> eth0 -> lo 20:41 < orbisvicis> i.e. like an ssh connection 20:42 < jeev> lol 20:42 < jeev> swim across 20:43 -!- tgnb [n=tgnb@cpe-72-229-133-104.nyc.res.rr.com] has quit ["Leaving"] 20:43 < orbisvicis> lol ... "magic" 20:47 < orbisvicis> well ... 21:19 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 21:37 -!- near [n=near@88-122-16-88.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:39 -!- near [n=near@83-153-92-22.rev.libertysurf.net] has joined ##openvpn 22:16 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 23:07 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 23:08 < troy-> how is smartcard support with openvpn 2.x? 23:12 < _spike> got it working 23:12 < _spike> thanks a lot for the help guys --- Day changed Sun Sep 07 2008 00:49 < troy-> anyone have experience with implementing OpenSC/PCS#11 with openvpn? 
00:50 < troy-> err PKCS#11 01:20 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has quit ["leaving"] 01:35 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 01:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 02:32 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 03:11 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 04:14 -!- phlax [n=phlax@87-194-204-173.bethere.co.uk] has joined ##openvpn 04:23 -!- HaRRT [n=Arthur@193.227.226.84] has quit [Connection reset by peer] 04:24 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)] 04:25 -!- HaRRT [n=Arthur@79.117.16.243] has joined ##openvpn 05:09 < bandini> troy-, it works, yes 05:43 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn 05:51 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"] 06:07 -!- HaRRT [n=Arthur@79.117.16.243] has quit [Read error: 110 (Connection timed out)] 07:37 -!- phlax [n=phlax@87-194-204-173.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 07:38 -!- phlax [n=phlax@87-194-204-173.bethere.co.uk] has joined ##openvpn 08:44 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 08:49 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 113 (No route to host)] 08:53 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 09:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:52 -!- skxpl [i=skx@217.17.32.190] has joined ##openvpn 09:53 < skxpl> Hello, I would like to use openvpn to connect to my home server from hotspots, university and other places, but I do not want to reveal my home ip. Can I tunnel the openvpn connection through ssh tunnel like this one http://gentoo-wiki.com/TIP_SSH_Reverse_Tunnel ? 
will it work? 09:53 < vpnHelper> Title: SSH Reverse Tunnel - Gentoo Linux Wiki (at gentoo-wiki.com) 10:03 < Sir_J> if you are able to reach middle machine somehow you can do it without ssh tunneling 10:56 < skxpl> how? 10:56 < skxpl> Sir_J, how? 10:56 < skxpl> Sir_J, and can I do it with ssh tunneling? 10:57 < Sir_J> run openvpn or pptpd or over vpn server and enable client to client connections 10:57 < Sir_J> vpn server on the middle machine, vpn clients -> home, campus, etc 10:59 < Sir_J> if you choose openvpn just put client-to-client directive to your server.conf 10:59 < Sir_J> about vpn over ssh tunneling I don't know 11:00 < Sir_J> try it and tell us how is it :) 11:22 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Read error: 113 (No route to host)] 12:20 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 113 (No route to host)] 12:20 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 12:20 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:28 -!- ams [i=ams@gnu/inetutils/ams] has quit [Remote closed the connection] 13:39 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 13:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 14:01 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn 14:24 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 14:38 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 15:16 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 15:42 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 16:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:15 -!- w8tah [n=w8tah@unaffiliated/w8tah] has joined ##openvpn 16:16 < w8tah> hi folks -- im beginning to look at an openvpn project at work -- will openvpn allow a) ease of setup, b)compatibility with windows and linux clients ? 
16:19 < Sir_J> a) y b) openvpn uses its own client 16:20 < w8tah> ok - cool 16:20 < w8tah> im reading over the howtos right now 16:27 < w8tah> can someone tell me where the easy-rsa directory is on ubuntu hardy? 16:39 < docteh> just search the packages.ubuntu site for easy-rsa 16:39 < docteh> huh or not 16:41 < docteh> /usr/share/doc/openvpn/examples/easy-rsa/ 16:42 -!- ScytheBlade1 [n=Death@about/pxe/ScytheBlade1] has left ##openvpn [] 17:01 < w8tah> thanks 17:10 < w8tah> is there anyone here who's actually installed this software on ubuntu -- using apt? 17:12 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 110 (Connection timed out)] 17:13 < w8tah> can someone please relay to the devs that your docs need help -- stuff thats listed in the docs do not even exist in the folders where they are said to exist -- as a result -- i cannot install the software -- i find this HIGHLY Frustrating 17:14 -!- w8tah [n=w8tah@unaffiliated/w8tah] has left ##openvpn ["No matter how dark the night, somehow the Sun rises once again"] 17:25 < docteh> hmm 17:26 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has quit [Read error: 113 (No route to host)] 17:32 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has joined ##openvpn 17:59 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 18:04 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Client Quit] 18:06 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has quit [Read error: 110 (Connection timed out)] 18:08 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn 18:10 < orbisvicis> anyone can help me configuring shorewall-perl bridged so that i can specify a different set of rules for the vpn than for the lan connection ? 18:29 < docteh> i know i cant, but why do you need it to be bridged? 
18:33 < orbisvicis> cifs/smb 18:34 < orbisvicis> i've got it working with a way-complicated policy file 18:34 < orbisvicis> but its way too complicated 18:35 < orbisvicis> 6 lines 18:37 < orbisvicis> makes the rule file impossible 18:39 < docteh> oh so you have samba going through vpn? 18:40 < orbisvicis> yes, but only when i disable shorewall ; / 18:40 < docteh> fun stuff 18:41 < docteh> whats shorewall do? set ip iptables rules? 18:41 < orbisvicis> yeah ; ) 18:41 < orbisvicis> "easily" 18:42 < orbisvicis> i finally got it working by trying random combinations of interfaces 18:45 < docteh> lol 18:45 < docteh> thats okay i have iptables rules that barely work on my end 18:46 < orbisvicis> i think im going to troll shorewall 18:46 < orbisvicis> again 19:50 -!- jeev [n=email@unaffiliated/jeev] has quit [Read error: 104 (Connection reset by peer)] 19:53 < ecrist> what's up, folks? 20:07 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 20:12 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has quit ["leaving"] 20:15 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn 20:16 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has quit [Client Quit] 20:28 -!- jeev [n=email@unaffiliated/jeev] has quit ["update nvidia driver"] 21:19 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 21:38 -!- near [n=near@83-153-92-22.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:38 -!- near [n=near@88-122-21-179.rev.libertysurf.net] has joined ##openvpn 21:46 -!- _spike [i=spike@IPv4.addrss.net] has left ##openvpn [] --- Day changed Mon Sep 08 2008 00:12 < docteh> /join #freenx 00:12 < docteh> damnit 00:34 -!- bandini [n=bandini@host52-106-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 02:21 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 02:52 -!- Sir_J 
[n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 05:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:21 -!- SYS64738 [n=capitano@host34-24-static.83-94-b.business.telecomitalia.it] has joined ##openvpn 06:22 < SYS64738> hi 06:22 < SYS64738> can openvpn works in windows 2008 server x64 ? 06:26 < SYS64738> without the s 06:34 < OpenTokix> SYS64738: Probably, since it works in vista 06:34 < OpenTokix> SYS64738: And Windows 2008 server is the same bloa^W OS basically. 06:35 < SYS64738> one month ago the tap didn't install 06:35 < SYS64738> I try now 06:35 < SYS64738> can I try the stable ? 06:37 < SYS64738> it says that tap-win32 is incompatible 06:46 < ecrist> you need the 64-bit driver. 06:47 < ecrist> erm, download OpenVPN 2.1RC9 07:00 < SYS64738> ecrist, where could I find info about 64bit driver install ? 07:02 < ecrist> SYS64738: 2.0.9-rc9 has a 64-bit driver 07:02 < SYS64738> cool it installed by itself 07:02 < SYS64738> thanks 07:02 < SYS64738> now I am happy 07:15 -!- braamvh [i=IceChat7@dsl-242-182-169.telkomadsl.co.za] has joined ##openvpn 07:19 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 07:27 < braamvh> Greetings. I've got a newbie issue with OpenVPN. I can from my WinXP client ping my Linux server's interface (10.8.0.1), and get requests and responses on both sides. I cannot ping either the server's LAN IP or from the server ping the client's IP. I already disabled the firewalls on both ends, so I suspect a routing issue, but I can't spot it myself. 07:28 < ecrist> the OpenVPN server should be able to ping the clients 07:29 < ecrist> on your linux server, have you enabled ip forwarding? 07:29 < ecrist> I'm not a linux user, so I couldn't tell you how to do that. 
07:29 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 07:30 < braamvh> If I run wireshark on the server and ping from the client I can see both the responses and requests, but if I ping from the server I can only see the ICMP request. I tried all the IP's from 10.8.0.1 - 10.8.0.6 07:30 < ecrist> in freebsd, it requires setting sysctl net.inet.ip.forwarding to 1 07:30 < braamvh> Yes, that is set to 1 07:31 < braamvh> /proc/sys/net/ipv4/ip_forward 07:31 < ecrist> um, did you disable the windows xp firewall? 07:31 < braamvh> Security Centre says it's disabled 07:32 < ecrist> ok, for the record, you'll only be able to ping the IP that's assigned to the client, not the ones in between. 07:32 < ecrist> so, 10.8.0.1 is server IP, and 10.0.8.6 is client IP, correct? 07:33 < braamvh> I thought so as well, but tested them anyways when it didn't work. Yes, that's correct. 07:33 < braamvh> 10.8.0.1 and 10.8.0.6, actually, sorry 07:34 < ecrist> hrm, puzzling. 07:38 < braamvh> Here's my routing tables on both sides - http://pastebin.com/d1504fbe7 07:42 * ecrist looks 07:42 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 07:44 < braamvh> Mmm ... this is funny ... I also cannot from the server ping its own address (10.8.0.1) 07:46 < ecrist> that's normal 07:46 * braamvh nods, "OK" 07:47 < ecrist> hrm, your routing table looks ok. 07:47 < ecrist> let me test on my server. 07:47 < braamvh> Thanks 07:48 < ecrist> yeah, I can ping my vpn server's private/vpn address. 07:48 < ecrist> :\ 07:48 < ecrist> wait, you can ping server, but not client 07:49 < braamvh> Yeah, client -> server works, server -> client does not 07:49 < ecrist> well, I can ping server to client just fine. 07:49 < ecrist> It's got to be some firewall issue. 07:49 < braamvh> Hrm. 
07:50 < Sir_J> maybe your server blocks output connections 07:51 < braamvh> iptables shows no rules set up on the server in any of the 3 tables, and all the policies are set to ACCEPT. 07:52 < ecrist> try completely disabling the firewall 07:54 < braamvh> Still the same. The iptables kernel modules are no longer listed, so they should be gone. And I cleared all the rules before unloading them. 07:55 < braamvh> Going to try to reboot my Windows PC, maybe there's something there. BRB. 07:55 -!- braamvh [i=IceChat7@dsl-242-182-169.telkomadsl.co.za] has quit ["On the other hand, you have different fingers."] 08:02 -!- braamvh [i=IceChat7@dsl-242-182-169.telkomadsl.co.za] has joined ##openvpn 08:02 < braamvh> Found the culprit. Antivirus software, though it's not supposed to block IP connections. Guess the manual is incorrect, then. 08:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 08:05 < braamvh> Thanks for your help :) 08:05 < ecrist> np 08:08 -!- stefanlsd [n=stefan@41.27.84.104] has joined ##openvpn 08:11 < stefanlsd> Hi guys, does the openvpn project have some kind of VCS where we can see what was committed to address a specific problem? I am looking at an Ubuntu openvpn bug. Basically we shipped 2.1-rc7 and that has the issue with the extract_x509_field_ssl and need to find just that patch to apply for an SRU into hardy. 08:12 < ecrist> iirc, they use SVN for source control, I don't know the address of their source repository, however. 08:12 < ecrist> 2.1-rc9 is current, btw 08:13 < stefanlsd> ecrist: yeah. to do a stable release update we need just to apply the patch that fixes the issue. 08:13 < stefanlsd> 2.1-rc9 is in intrepid :) 08:14 < ecrist> hrm, http://openvpn.net/index.php/documentation/change-log/changelog-21.html 08:14 < vpnHelper> Title: 2.1 Change Log (at openvpn.net) 08:14 < ecrist> there's a start 08:15 < stefanlsd> nodnod. 
here's the bug Fixed an issue in extract_x509_field_ssl where the extraction would fail on the first field of the subject name, such as the common name in: /CN=foo/emailAddress=foo@bar.com 08:15 < stefanlsd> was fixed in rc8 08:16 < ecrist> so, you're looking for a unified diff from rc7 to rc8? 08:17 < stefanlsd> ecrist: yeah. something like that. i was hoping for an actual commit that fixed just that issue. 08:18 < stefanlsd> not sure where rc8 is also. on the older release page they go from rc7 to rc9 :) 08:19 < ecrist> well, they *used* to be on sourceforge, but no updates there for more than 3 years. 08:20 < stefanlsd> i think its svn.openvpn.net 08:20 < ecrist> http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/ 08:20 < vpnHelper> Title: Revision 3319: /branches/BETA21/openvpn (at svn.openvpn.net) 08:21 < ecrist> svn log -v http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn 08:21 < vpnHelper> Title: Revision 3319: /branches/BETA21/openvpn (at svn.openvpn.net) 08:22 < ecrist> looks like it's around revision 3220 08:23 < ecrist> sorry, revision 3084 08:24 < stefanlsd> acutally - looks here r2980 08:24 < ecrist> there you go 08:25 < stefanlsd> ecrist: hehe. thanks :) 08:25 < stefanlsd> now i just need to work out how to check this revision out with svn :) 08:26 < ecrist> stefanlsd: svn co -r 2980 http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn 08:26 < vpnHelper> Title: Revision 3319: /branches/BETA21/openvpn (at svn.openvpn.net) 08:26 < Sir_J> svn co -r 08:26 < ecrist> beat you to it, Sir_J. :P 08:26 < Sir_J> :) 08:27 < stefanlsd> thanks guys. Is there anyway to get just the file that was modified? (not urgent, i can just get the file out manually) 08:27 < ecrist> stefanlsd: now you're being lazy. 08:28 < stefanlsd> naa, just was wondering out of interest 08:28 < ecrist> not only is there a way to just get the file, but there's a way to get a diff. 08:28 < ecrist> but I'm not going to tell you how to do it. 
08:30 < Sir_J> svn diff -r : 08:30 < Sir_J> svn diff -r : 08:37 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 08:44 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 08:45 -!- braamvh [i=IceChat7@dsl-242-182-169.telkomadsl.co.za] has left ##openvpn [] 08:45 < stefanlsd> Sir_J: thanks for that. Another useful one (in my case anyways is diff -c ) 08:45 < Sir_J> np 08:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:01 < kala> btw, do you people know about TAP interface driver signing for Windows operating system? 09:03 < ecrist> what about it? 09:04 < kala> well, the current driver is unsigned and Windows complains about that and the automatic installation is therefore not possible 09:05 < ecrist> you'd have to speak with the developers on that one. 09:05 < ecrist> I think driver signing costs money. 09:05 < kala> I suppose 09:05 < kala> maybe we can sponsor that 09:06 < ecrist> I think it's a waste of money. 09:08 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 09:18 < kala> oh? 09:42 < ecrist> indeed 09:43 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn [] 09:56 -!- stefanlsd [n=stefan@41.27.84.104] has quit ["quit"] 10:16 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 10:57 -!- Likeless [n=chatzill@rskinner.gotadsl.co.uk] has joined ##openvpn 11:00 * ecrist heats up his left-over spaghetti. 11:00 < ecrist> mmmm 11:31 < Likeless> Can anybody recommend a good OpenVPN consultant? The OpenVPN site says to look round the article authors, but I thought I'd ask here first. I need to set up a VPN on a windows computer that is capable of hosting up to 50 VPN connections. I've been told OpenVPN is the software for the job, but I look at the website and I think it is a bit over my head. 11:37 < ecrist> Likeless: what are you trying to route across the vpn? 
11:45 < Likeless> ecrist: streaming VOIP data 11:45 < ecrist> Likeless: SIP? 11:46 < Likeless> That is an alternative to VPN? 11:46 < ecrist> no, 'streaming VOIP data' isn't very descriptive. SIP is a VOIP protocol. 11:47 < ecrist> but, it doesn't really matter. 11:47 < ecrist> OpenVPN and windows should, theoretically, be able to handle that traffic. 11:47 < Likeless> Good to hear :) 11:47 < ecrist> though, I'm not sure you'd get super great audio quality. 11:49 < Likeless> The thing is, I'm not really a network person (as may be becoming increasingly obvious). I think I will need support to set up OpenVPN. It looks like some real network knowledge is required. 11:49 < ecrist> you should have one of your network guys do it, then. 11:50 < ecrist> you will need some basic understanding of networking. 11:51 < Likeless> That's kinda what I'm doing here: looking for a network guy, or at least tips on where to find one :) 11:51 < Likeless> I though this would be a good place to find a network+OpenVPN guy. 12:10 < nDuff> Likeless, the specific protocol you're using actually does matter a little, as OpenVPN has a per-packet overhead 12:10 < nDuff> Likeless, ...and voip data often has large numbers of very small packets. 12:11 < nDuff> Likeless, if you're just connecting two separate systems, most voip systems support trunking -- both SIP and IAX2 can do it at a protocol layer -- to have a smaller number of packets which carry information for multiple voice streams 12:11 < nDuff> Likeless, ...but if you're doing the hub-and-spoke thing, that's clearly not the case, and you'll want to be wary of the increased bandwidth requirement. 12:12 < nDuff> Likeless, anyhow, about six months ago I would have been up for a consulting gig, but atm I have a large employer that frowns on outside work, so no can do presently. 12:13 < nDuff> Likeless, if you don't find anyone here, you might try the mailing list. 
James is sometimes up for some consulting himself, though (as the maintainer) he doesn't work cheap. 12:14 < Likeless> nDuff, thank you for the words of wisdom. And that pointer. 12:26 -!- grendal_prime [n=grendal_@71-154-139-61.ded.pacbell.net] has joined ##openvpn 12:27 < grendal_prime> ok i neeeeeeed to be able to connect to an openvpn server from a palm mobile device... 12:29 < ecrist> Likeless: if you're paying, I'm always for hire. :) 12:31 < ecrist> grendal_prime: according to the goog, you're not going to get very far. 12:31 < Likeless> ecrist: I'm paying. pm? 12:31 < ecrist> sure 12:34 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:39 < ecrist> grendal_prime: look at http://www.anthasoft.com/movianvpn-for-wireless-networks.php 12:39 < vpnHelper> Title: movianVPN Virtual Private Network: Easily Create a VPN for Mobile Devices (at www.anthasoft.com) 12:40 < ecrist> not sure if it supports OpenVPN, but it's a Palm OS VPN client. 12:49 < grendal_prime> mergic i think would be better the anthasoft.com's search on that page is broke...kind not impressed. 13:21 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 13:31 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:37 -!- Likeless [n=chatzill@rskinner.gotadsl.co.uk] has quit ["ChatZilla 0.9.83 [Firefox 2.0.0.16/2008070205]"] 13:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 14:20 -!- SYS64738 [n=capitano@host34-24-static.83-94-b.business.telecomitalia.it] has quit [Read error: 104 (Connection reset by peer)] 14:34 < ecrist> grendal_prime: Mergic appears to only support PPTP, not SSL, VPNs. 14:34 < grendal_prime> damn it 14:35 < grendal_prime> see..there ya go again stomping on my swizzle stick 14:35 * ecrist is a bastard. 14:35 < ecrist> http://www.zeroshell.net/eng/openvpn-client/ 14:36 < vpnHelper> Title: OpenVPN Client (at www.zeroshell.net) 14:36 < ecrist> there's apparently a Windows Mobile client. 
14:36 < grendal_prime> F-word windows 14:36 < ecrist> http://openvpn.net/archive/openvpn-users/2006-04/msg00116.html 14:36 < vpnHelper> Title: RE: [Openvpn-users] Connect Palm and IPAQ to a VPN Server ? (at openvpn.net) 14:38 < docteh> interesting bot, does it do that for all urls? 14:38 < docteh> http://www.little-gamers.com/ 14:38 < vpnHelper> Title: Little Gamers - Hot Swedish Love (at www.little-gamers.com) 14:38 < ecrist> docteh: yes. :) 14:40 < docteh> all chatrooms need that i think 14:41 < ecrist> it would be nice. more useful if there was an NSFW metatag, bot could read the tag and warn before you go clicking along. 14:42 < ecrist> many years ago, I was burned by a link that looked innocent. Instead, it was a page that played a wav file which screamed "HEY! I'M LOOKING AT PORN. OVER HERE. YEAH! POOORRRRNNNN!" 14:42 < ecrist> I now routinely browse the web with my speakers muted. 14:43 < docteh> yea that page would not have a nsfw meta tag 14:46 < Rienzilla> ecrist: omg 14:46 < Rienzilla> I've had that exact thing 14:47 < Rienzilla> ' HEY IM LOOKING AT GAY PORN!!!!' out of my speakers in the office :x 14:47 < Rienzilla> dammit :) 14:47 < ecrist> sucks, eh? 14:47 < Rienzilla> yeah that sucked :) 15:28 < nDuff> speakers? on a work machine? 15:29 * nDuff has no speakers, and hasn't bothered to set up his sound card; gives him an excuse to tell folks who try to get him to follow YouTube links where they can go 15:54 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 16:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:40 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 17:28 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has joined ##openvpn 17:30 < j_nwb> hi guys... I have an openvpn with tap on a client side. I would like to have the tap interface be part of the bridge.. and then add other interfaces from (virtual machines) to the bridge. any one know how to do this ? 
17:31 < j_nwb> I tried 17:31 < j_nwb> -- ifconfig tap0 0.0.0.0 primisc up 17:31 < j_nwb> -- ifconfig br0 10.4.0.1 (address from openvpn tap interface) 17:31 < j_nwb> -- brctl addif br0 tap0 17:32 < j_nwb> the ip is actually 10.4.0.x (not 1) 17:38 -!- SWAT__ [n=swat@ubuntu/member/swat] has joined ##openvpn 17:46 < grendal_prime> now ive been reading this....this entire thing about the computer screaming about porn and gay porn...if your a chick this is not a problem..i mean we have to all agree chicks that look at any porn they are a real find.. 17:47 -!- grendal_prime [n=grendal_@71-154-139-61.ded.pacbell.net] has quit [Remote closed the connection] 17:50 -!- SWAT [n=swat@ubuntu/member/swat] has quit [Read error: 110 (Connection timed out)] 17:53 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:53 < ecrist> j_nwb: what OS? 17:54 < ecrist> o.O 17:54 * ecrist goes away 18:06 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:18 < j_nwb> ecrist: Fedora 7 20:04 < j_nwb> ok.. now I have the tap0 interface added to the bridge. 20:05 < j_nwb> but the new intefaces on the bridge are not getting ip address from the openvpn server. Do I need to do something special ... to fwd dhcp request on the bridge to the openvpn server ? 20:07 < j_nwb> Is it reasonable to expect that openvpn server assign ip address to dhcp request on the tap interface from the client ? 
20:17 -!- Sebboh [n=sebboh@ip68-96-139-5.om.om.cox.net] has joined ##openvpn 20:19 -!- Sebboh [n=sebboh@ip68-96-139-5.om.om.cox.net] has quit [Client Quit] 20:26 -!- jbroome [n=jbroome@unaffiliated/jbroome] has joined ##openvpn 21:24 -!- near [n=near@88-122-21-179.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:43 -!- mrbnet [n=mrbnet@12-203-40-55.client.mchsi.com] has joined ##openvpn 21:45 < ecrist> j_nwb: yes, it should assign the addresses, but you need to have your config setup properly. 21:45 < ecrist> can you paste your server config and client config? 21:51 * ecrist goes to bed. 22:30 -!- gongoputch [n=kseel@74.95.184.161] has joined ##openvpn 22:35 < gongoputch> does openvpn have trouble oprnning tun devices on freebsd 6.3? 22:56 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 23:45 < j_nwb> ecrist: server config : http://pastebin.com/m178bd82f 23:45 < j_nwb> do I need to push dhcp ? 23:49 < j_nwb> ecrist: Here is client config : http://pastebin.com/m77c97c42 --- Day changed Tue Sep 09 2008 00:09 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)] 00:57 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 01:24 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection] 02:19 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 02:39 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn 02:42 < lclimber> hello everyone, yesterday i managed to stablish myself a vpn, the client can ping the server through the vpn and viceverza, my problem is that the client takes a default gw on the routing table that does not exist, and the same happens to the server, i try to ping that gw but i get no answer. now on the client when i try to chenge the default gw and set the server as the default gw is wont let me, can anyone help me please? 
02:58 -!- SWAT__ is now known as SWAT 03:02 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit ["Leaving"] 04:40 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn 05:05 -!- andriijas [n=andreas@c83-248-19-24.bredband.comhem.se] has joined ##openvpn 05:05 < andriijas> how can i make my openvpn server run a sh script upon launch? 05:15 < nDuff> andriijas, see the SCRIPTING AND ENVIRONMENT VARIABLES section of the man page 05:17 < andriijas> thx 05:18 -!- andriijas [n=andreas@c83-248-19-24.bredband.comhem.se] has left ##openvpn [] 07:07 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has joined ##openvpn 07:17 < ecrist> good morning, j_nwb. I've not looked at your config yet, but I will get to it. 07:31 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 07:33 < ecrist> morning, Sir_J 07:34 < Sir_J> hi ecrist 07:55 < ecrist> j_nwb: you're not using the correct syntax on a bridged vpn for openvpn to push IPs. 07:55 < ecrist> you need to either, 1) configure a DHCP server on your lan to talk to your VPN clients, or assign a range to openvpn to assign with server-bridge config param. 09:03 < j_nwb> ecrist : thanks... question on both of them. 1.)which lan ? (server?) 2.) but isnt what I am trying like "client side bridging" ? 09:04 < j_nwb> i.e. the openvpn client's tap interface is bridged .. and other interfaces added. (this is not bridging the local n/w to lan n/w) 09:09 < j_nwb> shall I try putting "server-bridge 10.4.0.0 255.255.255.0 10.4.0.80 10.8.0.100" on the server ? Do I need to do anything else? 09:15 < ecrist> j_nwb: you're trying to bridge your lan with your vpn, correct? 09:19 < j_nwb> it is slightly different... (or may be the same). Let me explain, I have server n/w and client n/w and vpn n/w. Now on the client n/w I use virtualization to create new Virtual machines.. I am bridging the openvpn vpn tap interface in to the bridge and the new Virtual machines interfaces also in the bridge. 
(the bridge does not contain client n/w) 09:33 < gongoputch> how does one isolate config items in the config to individual connections? 09:36 < ecrist> gongoputch: ccds 09:37 < gongoputch> hm? 09:37 < ecrist> client configs 09:37 < ecrist> you need a ccd, or client-config-directory 09:38 < ecrist> in that directory, create a file with the name of the client (CN of ssl cert) 09:38 < gongoputch> ah, so there are multiple config files? 09:38 < ecrist> that file can have all the configs in there. 09:38 < gongoputch> nice 09:38 < ecrist> specific to that client. 09:38 < gongoputch> is there a 'base' directort directive in the main config? 09:39 < ecrist> rephrase? 09:39 < gongoputch> the ccd directories, how doe s the server know where they are? 09:39 < ecrist> j_nwb: I'm still not following. 09:39 < ecrist> there's only one directory, defined in the server main config 09:39 < gongoputch> k 09:40 < ecrist> then, one file for each client with special settings within that directory. 09:44 -!- jbroome [n=jbroome@unaffiliated/jbroome] has left ##openvpn [] 09:57 < gongoputch> so the CN is the point of distinction then between all of the clients? 10:04 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 10:06 -!- DarKnesS_WolF [n=sherif@unaffiliated/sherif] has joined ##openvpn 10:06 < DarKnesS_WolF> where i can find the options i need for the static ip setup ? 10:08 < ecrist> search how to for static ip or client config dir 10:11 < ecrist> gongoputch: yes 10:49 < gongoputch> what is the difference between ifconfig and ifconfig-push ? 
11:09 < ecrist> gongoputch: not sure, checkout the docs on openvpn.net 11:32 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 11:46 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:52 < j_nwb> ecrist : server n/w 192.168.12.x , client n/w 192.168.1.x, vpn n/w 10.4.0.x, On one of the client machine say 10.4.0.2, I have KVM/Xen virtualization running. The tap0 interface (10.4.0.2) is connected to a bridge...(i.e. after moving the ip address to the bridge). Now as I create a new virtual machine on 10.4.0.2, if I specify the bridge... the vm (via say tap1) would get connected to the bridge. Now I am hoping that the vm's dhcp req 12:01 < ecrist> I think you were truncated. 12:03 < j_nwb> ecrist: http://pastebin.com/m72ef50f2 12:04 < ecrist> j_nwb: OpenVPN is only going to assign IPs to client machines, not machines behind that client. 12:04 < ecrist> for that, you'd need a regular DHCP server. 12:06 < j_nwb> where should I put that dhcp server ? on the openvpn server box ? 12:06 < ecrist> sure 12:06 < j_nwb> or as I am using tap interface... it can be anywhere. 12:06 < ecrist> exactly 12:07 < j_nwb> any tips on avoiding conflicts with exiting dhcp server on the network... ? 12:08 < j_nwb> And telling openvpn not to use a particular range ( which would be assigned by external dhcp) 12:10 < ecrist> j_nwb: server-bridge config option sets the range openvpn will assign. 12:10 < ecrist> you can then configure you *new* dhcp server to listen only on the tap0 interface of the vpn server (or the bridge interface) 12:13 < j_nwb> ah! thanks for being patient. makes sense. 
:) 12:28 -!- near [n=near@83-155-184-139.rev.libertysurf.net] has joined ##openvpn 12:50 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 13:06 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 13:17 -!- Rienzilla [i=rien@sinas.rename-it.nl] has left ##openvpn [] 13:19 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 104 (Connection reset by peer)] 13:21 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 13:33 -!- Vermux [n=chatzill@adsl-70-228-20-241.dsl.chcgil.ameritech.net] has joined ##openvpn 13:39 < j_nwb> ecrist: The dhcp server listening on tap0 and openvpn server would not create conflict while giving dhcp addresses for vpn clients right ? can u please confirm. thanks. 13:50 -!- mishehu [i=mishehu@cshells.shavedgoats.net] has joined ##openvpn 13:51 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:52 < ecrist> j_nwb: couldn't tell you for certain, but I think not. 13:53 < ecrist> your best bet is to test it. 13:58 -!- TheStupidOne [n=fate@triela.fatechan.net] has joined ##openvpn 14:00 < j_nwb> will try it out.. tonight.. when I get access to the server. thanks. 14:01 < ecrist> np 14:04 < TheStupidOne> hello, I have rather strange problem I've been trying to diagnose. I've got a simple openvpn I'm trying to setup so that a friend can get around a restrictive firewall, it works fine at home, but at school they cannot route and dns doesnt' work, and the openvpn client itself isn't replacing the default route, even with push "redirect-gateway" 14:20 < mishehu> I have a network-to-network set up that was working perfectly until the machines on either end got restarted (I checked their configs, there's no change).. while I piece together the info on a pastebin... 14:20 < mishehu> is it typical to see arp broadcasts for "Who has 192.168.115.1" when you're attempting to ping across the VPN fro 192.168.116.19 ? 
14:34 < mishehu> ok, here's teh scenario: my setup was working before inclement weather brought the systems down for a reboot. I checked all files with backups, and they match. Detials here: http://www.pastebin.ca/1198440 14:34 < mishehu> help please, we can't get client-to-client traffic flowing again. 14:37 < docteh> mishehu: sounds like arps shouldn't be routed over the vpn 14:38 < docteh> oh check your netmask on that .19 14:38 < mishehu> Vermux: 192.168.116.19 netmask 255.255.255.0 right? 14:39 < docteh> so the netmask is set correctly and it was arping anyways? 14:39 < mishehu> docteh: the arps go nowhere, I see them when I do tcpdump on eth1 (the internal interface) on that side of the network (machine b on network b) 14:40 -!- Vermux [n=chatzill@adsl-70-228-20-241.dsl.chcgil.ameritech.net] has quit [Read error: 104 (Connection reset by peer)] 14:40 < docteh> well somethings off, you only get arps when the computer thinks it can reach something directly, or when theres no default gw configured 14:41 < mishehu> he just dropped off so I can't get a confirmation yet. 14:42 < mishehu> but it's not limited to his machine 14:42 < mishehu> there is one otheer machine on the network and it's behaving the same way (but I can't ping out of it so I can't see if it will trigger arp requests 14:43 < docteh> so some computers have working access and some dont or its consistantly broken? 14:44 < mishehu> I'm going to kill him 14:44 < mishehu> he didn't have the damn netmask set right 14:44 < mishehu> it's pinging now. 14:44 < docteh> yw 14:45 < mishehu> thanks. that means that if the other system that's plugged in there doesn't respond, the guy who's responsible for it either has a bad netmask or didn't set a default gw. 14:45 -!- Vermux [n=chatzill@adsl-70-228-20-241.dsl.chcgil.ameritech.net] has joined ##openvpn 14:45 < mishehu> Vermux: is the HVAC monitoring appliance plugged in right now? 
14:46 < Vermux> no 14:47 < mishehu> Vermux: disconnect yourself for a moment and plug it in. if I can't ping it at least I know what to tell the hvac guy and fidel castro 14:47 < Vermux> k 15:01 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 104 (Connection reset by peer)] 15:03 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 15:08 -!- Vermux [n=chatzill@adsl-70-228-20-241.dsl.chcgil.ameritech.net] has quit [Read error: 113 (No route to host)] 16:06 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)] 16:10 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 113 (No route to host)] 16:11 -!- aptanet [n=Paul@5ad3e951.bb.sky.com] has joined ##openvpn 16:39 -!- aptanet [n=Paul@5ad3e951.bb.sky.com] has quit [Read error: 104 (Connection reset by peer)] 16:39 -!- aptanet [n=Paul@5ad3e951.bb.sky.com] has joined ##openvpn 16:46 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [] 16:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 17:00 -!- aptanet [n=Paul@5ad3e951.bb.sky.com] has quit [Read error: 110 (Connection timed out)] 17:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:30 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 17:42 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 18:00 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:05 -!- uwe [n=uwe@a21-190.adsl.paltel.net] has joined ##openvpn 18:09 < uwe> hello, im connecting to a remote site using openvpn and kvpnc as client , im trying to open a webpage residing on a server on the remote site, i start reciving data (authentication required) and then it dies ... i can ssh to that machine! but when i do ls or something that will get me more than about 20 lines of output , the session dies ... i suspect this has something to do with MTU ? 
if i am correct, which interface to change MTU on? vpn server? p 18:09 < uwe> pp0 on client, on webserver ?? if its not, then what can it be ? 18:20 < nDuff> uwe, the MTUs can be adjusted through the OpenVPN configuration -- it's covered in the man page and the HOWTOs 18:21 < nDuff> uwe, ...and the FAQ on openvpn.net is probably the best place to start right now; it directly addresses your problem. 18:24 < uwe> thank you very much nDuff , ill take a look there 18:28 < uwe> oh, apparently i've hit a FAQ big time :) 18:28 < uwe> thanks again nDuff 19:29 -!- quaal [n=l@pool-71-180-222-180.tampfl.fios.verizon.net] has joined ##openvpn 19:29 -!- quaal [n=l@pool-71-180-222-180.tampfl.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 19:45 -!- quaal [n=l@pool-71-180-222-180.tampfl.fios.verizon.net] has joined ##openvpn 19:46 -!- quaal [n=l@pool-71-180-222-180.tampfl.fios.verizon.net] has left ##openvpn ["Leaving"] 21:39 -!- near [n=near@83-155-184-139.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:39 -!- profounded [n=profound@nmd.sbx07540.newyony.wayport.net] has joined ##openvpn 21:40 < profounded> hey, i just setup openswan using "secret" as an auth method. What option do I choose in NetworkManager-vpn? Shared Key? 
21:41 < profounded> NetworkManager uses openvpn 21:41 -!- near [n=near@83-155-186-173.rev.libertysurf.net] has joined ##openvpn 21:58 -!- profounded [n=profound@nmd.sbx07540.newyony.wayport.net] has quit [Read error: 104 (Connection reset by peer)] 23:13 -!- TheStupidOne [n=fate@triela.fatechan.net] has left ##openvpn ["Leaving"] --- Day changed Wed Sep 10 2008 01:08 -!- nDuff [n=cduffy@rrcs-71-41-149-67.sw.biz.rr.com] has quit [Read error: 113 (No route to host)] 01:08 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 01:24 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 02:06 -!- uwe [n=uwe@a21-190.adsl.paltel.net] has quit [Remote closed the connection] 03:06 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 03:59 -!- Netsplit heinlein.freenode.net <-> irc.freenode.net quits: mishehu, djs, plik 04:00 -!- Netsplit over, joins: mishehu, djs, plik 04:07 -!- Netsplit heinlein.freenode.net <-> irc.freenode.net quits: mishehu, djs, plik 04:07 -!- Netsplit over, joins: mishehu, djs, plik 05:13 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)] 05:14 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 05:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:57 -!- DarKnesS_WolF [n=sherif@unaffiliated/sherif] has left ##openvpn [] 06:46 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 07:00 < ecrist> morning, folks. 07:34 < cpm> good morning 08:21 -!- OpenTokix [i=peter@0x2a.se] has quit [Remote closed the connection] 08:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 08:57 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has joined ##openvpn 09:05 < Nirkus> hum. 
as far as i understand the openvpn documentation, there is no way to run a server which serves clients on both protocols, tcp and udp? 09:08 < ecrist> nope 09:08 < ecrist> you can run two separate instances, though. 09:08 < ecrist> why do you need to use both? 09:12 < Nirkus> because some of our employees are working as consultants at companies which block all outgoing traffic except for exaple port 443/tcp .. 09:13 < Nirkus> ah, and atm our server listens for udp clients and we would have to change all client configs in order to switch to tcp 09:14 < ecrist> Nirkus: you can run both a tcp and a udp server - two separate instance, but it can be done. 09:14 < Nirkus> running two instances would allow vpn accounts and ips to be used simultaniously on both instances.. 09:14 < ecrist> you'd need proper IP delegation and subnetting, of course. 09:15 < Nirkus> yeah.. :-/ 09:16 < Nirkus> would be a nice feature for future releases, though.. 09:16 < ecrist> Nirkus: when you're on someone else's network, you should work with them to stay within their usage rules. 09:17 < Nirkus> ecrist: yap, wouldnt be a problem if the IT departments of those companies would be able to administrate their firewalls.. 09:20 < ecrist> Nirkus: I'm sure they can, they're choosing not to. Regardless, you can run a separate instance with TCP support on a different VPN subnet. 09:21 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has quit [Remote closed the connection] 09:23 < Nirkus> s/you can/you'll have to/ ;-) 09:29 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)] 09:29 -!- aptanet [n=Paul@5ad0fd5f.bb.sky.com] has joined ##openvpn 10:22 < ecrist> well, glad you got it figured out. 10:31 < ecrist> gongoputch: did you get your vpn setup? 
10:35 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn 10:42 -!- skxpl [i=skx@217.17.32.190] has quit ["changing servers"] 10:43 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 10:53 < gongoputch> the tunnel is up 10:53 < gongoputch> routing is being "fun" 10:54 < ecrist> fun? 10:54 < gongoputch> the end point in inside a NAT-ed rfc 1918 neywork 10:54 < gongoputch> I am trying to avoid manually adding the tunnelled networks manually 10:54 < gongoputch> 1/2 the machines are OS X 10:54 < gongoputch> whee! 10:55 < ecrist> gongoputch: add the route to your default gateway on the lan. 10:55 < gongoputch> I don't have control of that 10:55 < ecrist> it's what we do here at the office. 10:55 < gongoputch> typical. 10:55 < gongoputch> cause THAT would be easy 10:55 < ecrist> ahh 10:55 < gongoputch> they can never make it easy 10:56 < ecrist> https://www.secure-computing.net/wiki/index.php/Leopard_Static_Routes 10:56 < gongoputch> plus the net admin goes atound at night shutting off machines to "save the motherboards" 10:56 < vpnHelper> Title: Leopard Static Routes - Secure Computing Wiki (at www.secure-computing.net) 10:56 < ecrist> if that helps at all. 10:56 < gongoputch> no doubt it will 10:56 < gongoputch> I have been fucking with launchd and a script 10:57 < gongoputch> nice 10:57 < gongoputch> BTW have I told you you have great stuff on your wiki? 10:57 < ecrist> yep. I appreciate it. :) 10:59 < gongoputch> I am building a small search engine of sites that I think have no WRONG stuff on them :) 10:59 * ecrist hates wrong stuff. 10:59 < gongoputch> which is my #1 gripe with google 10:59 < gongoputch> every wrong answer ever given 10:59 < ecrist> yeah, you've got to be adept at reading through crap. 10:59 < ecrist> time for lunch, bbiab. 
11:00 < gongoputch> l8tr
11:00 * gongoputch thinks lunch is a good idea
11:00 -!- nDuff [n=cduffy@rrcs-71-41-149-67.sw.biz.rr.com] has joined ##openvpn
11:44 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:51 -!- aptanet [n=Paul@5ad0fd5f.bb.sky.com] has quit [Read error: 110 (Connection timed out)]
11:52 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
11:54 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection]
12:14 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
12:15 * ecrist is back.
12:15 < ecrist> Bruegger's Bagels, Herby Turkey is the best.
12:15 < ecrist> mmmmm
12:16 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
12:16 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
12:17 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
12:36 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
12:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
12:52 -!- bandini [n=bandini@host237-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
12:56 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
12:57 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
13:00 < ecrist> aptanet: connection problems?
13:14 -!- xattack [i=xattack@132.248.108.239] has quit []
13:16 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
13:25 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:30 -!- aptanet [n=Paul@5ad0fd5f.bb.sky.com] has joined ##openvpn
13:33 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
13:40 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
14:23 -!- aptanet [n=Paul@5ad0fd5f.bb.sky.com] has quit [Read error: 110 (Connection timed out)]
14:24 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
14:41 -!- oinck [n=kasper@93.186.171.47] has joined ##openvpn
14:44 < ecrist> too many joins and quits in here, wth?
14:48 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
14:49 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
14:50 < oinck> i think not too many ppl have much to say when the software works
14:51 < ecrist> yeah, I suppose.
14:51 < oinck> i used to have a question for this channel but some basic shell crap solved it for me
14:52 < ecrist> well, much conversation here is either 1) retards not knowing how to route traffic, or 2) people that don't bother to read the available documentation
14:52 < oinck> meaning its hard to identify the openvpn process if you start it every boot like me in the /etc/rc.local from gnome's system monitor
14:52 < oinck> but if you look with ps its plain to see what to abort
14:53 < oinck> i never read no documentation - means i can spend more time watching mindnumbing entertainment and also i've erased half my photos from my last holiday because i didn't know my camera ;)
14:54 < oinck> i dont route traffic tbh, i only use openvpn for a privacy service
15:01 < gongoputch> so a ccd for a common name of client1 would be the [default ovpn directory]/client1 ?
15:01 < gongoputch> and the config file should be named client1 ?
15:02 < gongoputch> so : [default ovpn directory]/client1/client
15:02 < gongoputch> 1
15:03 < gongoputch> yea, I think that works
15:03 < gongoputch> nvr mnd
15:05 < ecrist> gongoputch: no
15:06 < ecrist> set option client-config-dir ccd
15:06 < ecrist> then mkdir ccd wherever your openvpn config stuff is
15:06 < ecrist> use the full path to the option above
15:06 < ecrist> then, for client1, you have /path/to/stuff/ccd/client config file
15:06 < ecrist> herm s/client/client1/
15:07 < ecrist> for client 2, /path/to/stuff/ccd/client2
15:07 < ecrist> etc
15:07 < ecrist> with client-specific options in the file
15:07 < ecrist> global options belong in the base config
15:13 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
15:15 * ecrist goes home.
15:34 -!- _spm_Draget [n=draget@i59F545D6.versanet.de] has joined ##openvpn
15:36 < _spm_Draget> "Wed Sep 10 22:35:07 2008 write to TUN/TAP [State=AT?c Err=[c:\src\21\tap-win32\tapdrvr.c/2242] #O=2 Tx=[2641933,2640398,0] Rx=[0,20,0] IrpQ=[0,1,16] PktQ=[63,64,64]]: Der an einen Systemaufruf "ubergebene Datenbereich ist zu klein. (code=122)" translation: The data area that was passed to a syscall is too small.
15:37 < _spm_Draget> My VPN client connects but this error is repeated in the log
15:37 < _spm_Draget> Does anyone have an idea?
15:39 -!- soa2ii [n=soa2ii@i59F545D6.versanet.de] has joined ##openvpn
15:39 < _spm_Draget> Please highlight soa2ii if you have some info
15:39 < _spm_Draget> He is a friend and has the same problem.
15:39 -!- _spm_Draget [n=draget@i59F545D6.versanet.de] has quit [Remote closed the connection]
15:46 -!- soa2ii [n=soa2ii@i59F545D6.versanet.de] has quit [Remote closed the connection]
16:04 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:19 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has joined ##openvpn
16:19 < fsckedagain> Is there any way at all to get the VPN IP of a client using tap devices?
16:26 < docteh> oh im using tun, cant help you there
16:27 < docteh> ifconfig-pool-persist ipp.txt
16:27 < fsckedagain> yeah, tun you can get the info, but seems tap is a lot harder
16:28 < fsckedagain> I have to use duplicate-cn
16:28 < fsckedagain> I have 2000 devices using a common cert.
16:28 < fsckedagain> long story
16:28 < docteh> wow
16:28 < fsckedagain> wow indeed :(
16:29 < docteh> make something that parses the logs and keeps track for you?
16:30 < fsckedagain> yeah sounds like what I may have to do.
16:30 < fsckedagain> or write something client side that runs every hour and posts mac address and vpn ip to a web page
16:39 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.]
16:40 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
16:41 -!- tiav [n=tiav@ram94-3-82-225-11-215.fbx.proxad.net] has joined ##openvpn
16:48 -!- tiav [n=tiav@ram94-3-82-225-11-215.fbx.proxad.net] has quit ["Parti"]
16:56 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has left ##openvpn ["Leaving"]
17:04 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:18 < Dougy> supppppppppp everyone
17:18 * Dougy pokes ecrist
17:21 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has joined ##openvpn
17:22 < nDuff> fsckedagain, could you use username-as-common-name (I may have the exact option name slightly off) and let the systems use their host as their openvpn username, even while still using the common cert?
17:22 < nDuff> that way they're distinctly named for management purposes
17:22 < fsckedagain> well, except that (get this) they are named some random names. I have a script I am building right now. It can get the mac of the box and the vpn ip, I just need to figure out how to send it to a central location
17:23 < fsckedagain> we identify them by wan mac address
17:23 < nDuff> then send the mac address as your username
17:23 < fsckedagain> hmmm, may be a lot easier. I need to look that up.
17:32 < fsckedagain> hmm, not a lot of docs on it.
17:35 < Dougy> brb food
17:40 -!- aptanet [n=Paul@5ad0fd5f.bb.sky.com] has joined ##openvpn
17:42 < fsckedagain> hmm, I can't seem to get that to work the way I want
17:42 < fsckedagain> I guess I will continue down the road of having the client post to a website its mac address and vpn ip
18:02 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has quit ["Leaving"]
18:11 -!- oinck [n=kasper@93.186.171.47] has quit ["Ex-Chat"]
18:26 -!- aptanet [n=Paul@5ad0fd5f.bb.sky.com] has quit ["Leaving"]
20:07 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"]
21:37 -!- near [n=near@83-155-186-173.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)]
21:38 -!- near [n=near@83-153-88-164.rev.libertysurf.net] has joined ##openvpn
22:29 -!- josh13 [n=cam@cm145.epsilon196.maxonline.com.sg] has joined ##openvpn
22:29 < josh13> Hello
22:31 < josh13> I have 2 vpn servers connected via static shared key... routing etc. seem fine since i can ping without any lost packets a computer located on the other subnet (through vpn). However, on one of the servers, I have the following errors :
22:31 < josh13> Authenticate/Decrypt packet error: packet HMAC authentication failed
22:31 < josh13> coming every 10 sec
22:32 < josh13> googling was telling me it may be a sync issue between the 2 computers' clocks ... but i'm syncing them via ntpd, time is the same, only timezone is different
22:32 < josh13> another possibility was that the .key file is not the same, but their md('s is exactly the same...
22:32 < josh13> any ideas?
22:33 < josh13> s/md(/md5
22:36 -!- jervine [n=jon@pcd298129.netvigator.com] has left ##openvpn []
22:49 < gongoputch> how do I create a tun interface from the command line on OS X?
22:51 < josh13> the interface should be created automatically when u launch openvpn
22:51 < josh13> of course, tun.kext
22:51 < josh13> must be loaded
22:52 < gongoputch> I will look to see if it is
22:52 < gongoputch> what is the kldstat or modprobe for OS X?
22:52 < gongoputch> kload?
22:52 < josh13> kextload /Library/Extensions/tun.kext ;
23:09 -!- phlax [n=phlax@87-194-204-173.bethere.co.uk] has quit ["Leaving."]
--- Day changed Thu Sep 11 2008
00:46 -!- bandini [n=bandini@host237-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
03:02 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn
03:06 -!- mrbnet [n=mrbnet@12-203-40-55.client.mchsi.com] has quit []
03:43 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
03:50 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit ["Leaving"]
04:21 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
04:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:09 -!- josh13 [n=cam@cm145.epsilon196.maxonline.com.sg] has quit ["[BX] Tabardation - the inability to master use of the key. See: retardation; Headcase."]
05:50 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
07:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
07:53 < ecrist> :\
08:15 -!- hetii [n=Remik@193.159.172.162] has joined ##openvpn
08:15 < hetii> hello
08:16 < hetii> i set VPN (my server is client side and i dont have access to server side) its based on tun device so works like router in this case i have no problem with connection to server side network but i want to also have access to them not only from gateway where i have set the vpn but also from my LAN
08:17 < ecrist> what?
08:19 < hetii> LAN-----{gateway with openvpn}-------> {server openvpn} -----LAN2 and i can ping LAN2 from my gateway but i cannot from my LAN
08:20 < ecrist> hrm, IP conflict or missing route
08:21 < hetii> i think there is no ip conflict - different ip class
08:21 < hetii> but im not sure about missing route
08:22 < ecrist> run a traceroute from your LAN machine to a LAN2 machine
08:24 < hetii> 1 <1 ms <1 ms <1 ms 192.168.1.1
08:24 < hetii> 2 *
08:25 < hetii> 2 * * * Request timed out.
08:25 < hetii> 3 *
08:25 < ecrist> you aren't showing everything.
08:25 < ecrist> from what IP to what IP?
08:26 < ecrist> well, regardless, it would appear that 192.168.1.1 isn't configured to route traffic from the lan clients across the vpn.
08:27 < hetii> from my ip on my local network so - 192.168.1.4 to one of ip from openvpn connection 195.4.2x.xx
08:27 < ecrist> what type of system is your gateway for lan?
08:27 < hetii> linux debian
08:27 < ecrist> do you have ipforwarding enabled?
08:27 < hetii> yes
08:27 < ecrist> forget where it is in linux, somewhere in proc
08:27 < ecrist> well, it's not routing the traffic.
08:28 < hetii> i use : iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS
08:29 < hetii> so what can i do to set this ?
08:29 < ecrist> that doesn't cover your vpn connection.
08:29 < ecrist> you'll need another, similar rule, for the route across the vpn.
08:29 < ecrist> it appears you're only natting for lan to internet, not lan to vpn.
08:31 < hetii> so it will be ok when i add iptables -t nat -A POSTROUTING -o $MY_LOCAL_IF -j SNAT --to-source MY_TUN_IP_ADRES ?
08:32 < hetii> tfu it should be iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $MY_TUN_IP_ADRES ?
08:34 < ecrist> probably, I don't use iptables, so I'm not an authority on that.
08:34 < hetii> haha
08:35 < hetii> $IPT -t nat -A POSTROUTING -o tun0 -j SNAT --to-source my_tun_ip
08:35 < hetii> it works :D
08:36 < hetii> thank you very very much :D
08:36 < hetii> i owe you a cage of beer
08:49 < ecrist> np
09:08 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
09:09 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
10:11 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
10:12 -!- aptanet [n=Paul@5ad0fd5f.bb.sky.com] has joined ##openvpn
10:31 -!- hetii [n=Remik@193.159.172.162] has quit ["Client exited"]
11:22 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit ["Leaving"]
12:14 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:20 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:26 -!- bandini [n=bandini@host237-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
12:30 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
12:44 < gongoputch> I can't get openvpn to use any tun other than tun0 ...
12:46 < gongoputch> I put in the ccd file for the client : dev tun1
12:48 < nDuff> that's not a directive you can put in the client-config-dir
12:48 < nDuff> the device to use is global
12:50 < gongoputch> how can I tie an interface to a client?
12:51 < gongoputch> I would like to do the firewalling at boot for the tunnels
13:02 < nDuff> you can't tie an interface to a client, but you can dynamically add firewall rules when the client connects
13:12 < gongoputch> ug
13:12 < gongoputch> I will have to reserve ranges
13:13 < gongoputch> vtun does it the static way
13:13 < nDuff> the other thing I've done in the past (when I just had two classes of clients) was to connect each to a different OpenVPN daemon.
13:14 < nDuff> ...but yes, reserving ranges will also work.
13:14 < gongoputch> :(
13:14 < gongoputch> this makes it messy
13:14 < gongoputch> I have to mix the old VPN and the new for a while
13:15 < nDuff> using a client-connect script to add and remove rules isn't *that* bad
13:15 < gongoputch> can I restrict ovpn to a range of tuns?
13:15 < gongoputch> it is possible
13:15 < gongoputch> and that is Good (tm)
13:15 < nDuff> all you need to do is on client connect, add a rule to sort traffic from that client into a specific chain/table, and have that chain or table statically configured on boot with whatever rules you want
13:16 < gongoputch> tables can make it cleaner
13:17 < gongoputch> I'll have to tie table numbers to CNs
13:18 < gongoputch> too bad freebsd IPFW tables are named numbers, not strings :)
13:18 < nDuff> ahh, fbsd; I was wondering why you couldn't just use a substing of the CN.
13:18 < nDuff> erm, substring, even
13:18 < nDuff> (ie. username.type.yourcompany.com, where "type" determines the table)
13:21 < gongoputch> ah, client0, and chop '0'
13:23 < gongoputch> ah but IPFW tables don't have actions, so I need at least 2
13:23 < gongoputch> bleh
13:23 * nDuff is surprised -- he wasn't familiar with ipfw, but was under the impression that it was generally considered superior to linux iptables.
13:24 < gongoputch> I can't speak to that, don't use unix
13:24 < gongoputch> Linux
13:24 < gongoputch> erk .... sick today
13:28 < gongoputch> I can say I have used IPFW for a long long time
14:04 -!- kleevr [n=kleevr@wsip-70-164-68-63.ok.ok.cox.net] has joined ##openvpn
14:15 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
14:15 < pumkinhed> hello, how do i revoke a cert in openvpn
14:20 < gongoputch> it is in the howto IIRC
14:23 < kleevr> can you configure a vpn client to NOT use the vpn for a few specific IPs?
14:24 < ecrist> yes
14:25 < kleevr> (excellent... I'm woefully ignorant of network terms, so I wasn't sure how to ask the right question ... or search for the right answer)
14:26 < nDuff> you want to set up a route that doesn't go through the VPN for those IPs
14:26 < docteh> ya but can the client do that?
14:27 < docteh> im assuming kleevr wants to have the default route go through his vpn
14:27 < kleevr> right
14:28 < kleevr> but I don't want to go through the VPN when I hit a DB
14:28 < nDuff> yes, the client can do that
14:28 < nDuff> see the route directive
14:29 < kleevr> cool
14:29 < kleevr> thank you
14:30 < ecrist> gongoputch: why are you using multiple tun devices?
14:30 < ecrist> that's not required in 2.0.9...
14:31 < gongoputch> I wanna wire client A to tun0 and client B to tun1
14:31 < gongoputch> is that possible?
14:32 < ecrist> hrm, not really, afaik
14:32 < ecrist> why?
14:33 < gongoputch> I have a relatively low number of tunnels and I like to put the firewall rules in at system startup
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:33 < gongoputch> so i tie clients to interfaces
14:35 < gongoputch> can I constrain ovpn to a set number of tuns? e.g. tun0 to tun7 to OVPN
14:35 < gongoputch> and tun8 to tun15 to vtun, etc.
14:36 < ecrist> gongoputch: why not give each vpn client a static IP and do it that way?
14:36 < ecrist> as of 2.0.9, the server only creates one tunnel, usually tun0.
14:36 < gongoputch> I will still have to reserve rule ranges ....
14:36 < gongoputch> really.
14:37 < gongoputch> all tunnels run over one interface?!
14:37 < ecrist> yes
14:37 < gongoputch> I find that very pequliar
14:37 < gongoputch> ak ... spelling
14:37 < ecrist> well, be that as it may, that's the way it works.
14:37 < gongoputch> youch
14:37 * ecrist goes back to the comm closet.
14:37 < gongoputch> eyow-ch
14:39 < docteh> laptop,10.0.8.4 <-- ifconfig-persistant-pool gives me this but the computer is assigned .6 i guess .4 is a network number?
14:43 < ecrist> yes
15:04 -!- alvarow [n=alvaro@vortex.adplabs.com.br] has joined ##openvpn
15:05 < alvarow> hello
15:07 < alvarow> I am getting an annoying msg every 5s on my logs
15:07 < alvarow> CertificateSubject/1.2.3.4:30002 MULTI: bad source address from client [1.2.3.4], packet dropped
15:07 < alvarow> where 1.2.3.4 is my WAN ip... tunnel works fine besides that
15:08 < alvarow> any clues?
15:10 * alvarow yawns.
15:12 < gongoputch> am I reading it right that OVPN uses its own routing tables and not the OS's?
15:14 < alvarow> it uses the OS'
15:15 < alvarow> there is no route to the remote lan (nor is it needed)
15:16 < alvarow> the remote lan gets natted, then when it reaches the ovpn server it gets natted again and things work fine
15:17 < alvarow> the only annoyance is the log msg every 5s, which makes me think considerable traffic exchange is going on
15:18 < alvarow> I've seen tons of emails/threads about this, but it is always with the remote LAN address on the client side, not the WAN one
15:18 < alvarow> so I am clueless of what to do
15:22 < nDuff> gongoputch, well, there's an internal routing table, and then there's the OS's routing table
15:22 < nDuff> gongoputch, whether traffic between two VPN clients goes through the OS at all is a configurable option.
15:25 < gongoputch> hmmmm
15:25 < gongoputch> need to read more
15:31 < alvarow> so I take it no one has a clue about this message
15:51 < nDuff> alvarow, ahh, you need an iroute
15:52 < nDuff> alvarow, it's covered in the FAQ
15:53 < alvarow> no
15:53 < alvarow> not the case, that case is when I have the lan IP on the end of the message
15:53 < alvarow> I have the WAN IP
15:54 < alvarow> I am using a WRT54GL router as client
15:54 < nDuff> alvarow, there's still an unexpected IP address being routed through one of your clients, so either the client needs to NAT the traffic before sending it over, or you need to tell the VPN to route it.
15:55 < alvarow> so my lan is 192.168.1.0/24, the openvpn client IP is 172.16.3.5, and the lan gets natted on that one
15:55 < alvarow> I am able to ping the office lan from my home lan behind the wrt54gl fine
15:55 < alvarow> so clearly it is not a route issue
15:56 < alvarow> also I do not want my home lan reachable from the office, so iroute is not needed
15:56 < nDuff> not necessarily -- conntrack can be causing NAT to work the way you'd expect in only one direction.
15:56 < alvarow> hum
15:56 < alvarow> but then I would not receive ping replies or be able to read email
15:57 < alvarow> 1.2.3.4 is not LAN ip, it is WAN so it should not be inside the tunnel right
15:57 < alvarow> 1.2.3.4 is the IP I get from my ISP, public one
15:57 < nDuff> right -- if the client is set up correctly traffic will be sent or NATted through the VPN IP
15:58 < alvarow> that is happening fine
15:58 < nDuff> *some* traffic isn't being sent with that source IP
15:58 < nDuff> otherwise you wouldn't be getting the message.
15:58 < alvarow> only I get those freaking messages which have no documentation
15:58 < nDuff> just sniff the outgoing interface
15:58 < nDuff> and see what packets it says are being sent with that source address.
15:58 < alvarow> I can sniff on the receiving side
15:59 < nDuff> the receiving side won't work, because openvpn is filtering out the stuff it recognizes before it gets to the device
15:59 < alvarow> i sniff eth0 and see 1.2.3.4 reaching.. wireshark sees it as SSL
15:59 < alvarow> when I sniff tun0, I get no traffic at all
15:59 < nDuff> no, sniff the tun/tap device on the sending side.
16:00 < alvarow> how come? if I am sniffing eth0.. I see the traffic
16:00 < nDuff> s/stuff it recognizes/stuff it doesn't recognize/
16:00 < alvarow> it gets thru eth0 before getting in tun0
16:00 < nDuff> alvarow, but the question is if and how it's being NATted before being put on tun0, and what the source IPs are at that time
16:01 < alvarow> I wonder how I can sniff tun0 on that access point
16:01 < nDuff> alvarow, tcpdump is available for openwrt.
16:01 * nDuff has to go get to work now.
16:01 < alvarow> I will give it a go
16:01 < alvarow> else I'll just revert the firmware back
16:01 < alvarow> I am using dd-wrt 2.4sp1
16:02 < alvarow> 2.3 worked like a champ
16:06 < alvarow> thanks
16:10 -!- mXr [n=mxr@packst.net] has joined ##openvpn
16:10 < mXr> heya. i'm trying to implement a (rather) simple bridge setup where two boxes running debian stable each have two local eth devices,
16:11 < mXr> one for the external uplink, one that is supposed to be tunneled thru
16:11 < mXr> i seem to have some kind of arp problems.
16:12 < mXr> each of the ends can only reach its locally attached ips
16:13 < mXr> i statically configured tap0 to be permanent and connected to br0, as well as eth1, and all of them are in promisc mode
16:13 < mXr> any ideas on what i forgot?
16:14 < alvarow> does the bridge work locally?
16:14 < mXr> yes
16:15 < mXr> i (temporarily) added addresses to the br0 ifs on both sides
16:15 < alvarow> did you enable ip forward?
16:15 < mXr> A-B=C-D (A and D being one of the locally connected ips, B and C the br0 addresses)
16:15 < mXr> a can ping b and vice versa, c can ping d and vice versa
16:15 < mXr> and b can ping c and vice versa
16:15 < mXr> yes
16:16 < mXr> and disabled rp_filter
16:16 < alvarow> puzzling...
16:16 < alvarow> gotta wait for the experts :-)
16:17 < mXr> :)
16:23 * alvarow waves bye.
16:23 -!- alvarow [n=alvaro@vortex.adplabs.com.br] has quit ["BitchX: the official sponsor of the 2002 Olympic Winter Games"]
16:52 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
17:08 -!- mishehu [i=mishehu@cshells.shavedgoats.net] has left ##openvpn []
17:22 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:13 < ecrist> mXr: did you get your problems solved?
18:17 < ecrist> going once...
18:19 < ecrist> going twice
18:19 < ecrist> gone.
18:29 < mXr> :)
18:29 < mXr> yep
18:29 < mXr> one of the sides was running under vmware
18:29 < mXr> seems like that has some kind of strange problems with promisc interfaces or something
18:29 < mXr> moved the system to a hardware box and it works like a charm..
18:29 < mXr> thanks anyway
21:37 -!- near [n=near@83-153-88-164.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)]
21:37 -!- near [n=near@83-155-191-44.rev.libertysurf.net] has joined ##openvpn
21:54 -!- near [n=near@83-155-191-44.rev.libertysurf.net] has quit [Network is unreachable]
21:55 -!- near [n=near@83-153-95-158.rev.libertysurf.net] has joined ##openvpn
--- Day changed Fri Sep 12 2008
00:43 < ecrist> hey folks, anyone alive?
01:01 -!- bandini [n=bandini@host237-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:36 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
01:45 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
02:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:15 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
05:29 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has quit [Read error: 110 (Connection timed out)]
05:51 -!- Typone [n=nitsme@195.197.184.87] has joined ##openvpn
06:06 -!- SWAT__ [n=swat@ubuntu/member/swat] has joined ##openvpn
06:08 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
06:10 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
06:19 -!- SWAT [n=swat@ubuntu/member/swat] has quit [Read error: 110 (Connection timed out)]
09:14 -!- int [n=quassel@wikia/int] has joined ##openvpn
10:47 < gongoputch> ecrist: Alive. I think.
11:33 -!- SWAT__ is now known as SWAT
11:43 -!- TomJ [n=tomj@ip-62-105-179-89.dsl.twang.net] has joined ##openvpn
13:02 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:04 -!- gongoputch [n=kseel@74.95.184.161] has quit [Read error: 60 (Operation timed out)]
13:05 -!- gongoputch [n=kseel@74.95.184.161] has joined ##openvpn
13:12 -!- kleevr [n=kleevr@wsip-70-164-68-63.ok.ok.cox.net] has left ##openvpn ["Leaving"]
13:27 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:59 -!- rubydiamond [n=rubydiam@123.236.177.5] has joined ##openvpn
13:59 < rubydiamond> HI pplz
13:59 < rubydiamond> http://pasternak.superalloy.nl/pastes/819
14:00 < rubydiamond> getting this error
14:08 -!- near [n=near@83-153-95-158.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
14:09 -!- near [n=near@83-155-187-54.rev.libertysurf.net] has joined ##openvpn
14:14 -!- Ahiru [n=Fate@triela.fatechan.net] has joined ##openvpn
14:20 < rubydiamond> HI pplz
14:20 < rubydiamond> http://pasternak.superalloy.nl/pastes/819
14:37 -!- Valect [n=aaron@71.39.93.58] has joined ##openvpn
14:42 < Valect> i must be missing something
14:42 < Valect> how do you set the gateway for vpn clients
14:45 < nDuff> Valect, for tun clients, your VPN server is always the gateway
14:46 < nDuff> Valect, for tap clients, I presume you're probably using a DHCP server.
14:46 < nDuff> rubydiamond, would you mind (1) not repeating yourself, and (2) describing enough about what the issue you're having is that we know whether we want to follow the link and see what you've pastebinned?
14:47 < nDuff> rubydiamond, ...so I take it the "TLS key negotiated failed to occur" thing repeats itself?
14:48 < nDuff> rubydiamond, make sure you have successful UDP traffic *in both directions*. verb 5 is useful for validating such.
14:48 < rubydiamond> I did not get you
14:48 < rubydiamond> it was working two days before very well
14:48 < Valect> nDuff i'm using tun with the following config:
14:48 < Valect> server 192.168.43.0 255.255.255.0
14:48 < Valect> push "route 192.168.43.0 255.255.255.0"
14:49 < Valect> erm
14:49 < Valect> hold on
14:49 < Valect> server 192.168.43.0 255.255.255.0
14:49 < Valect> push "route 10.34.43.0 255.255.255.0"
14:49 < Valect> the server is on 10.34.43.11
14:50 < rubydiamond> nDuff: is there any solution for the error I am getting
14:50 < nDuff> Valect, right -- so all traffic to 10.34.43.0/24 is routed through the VPN; the VPN server itself is the gateway.
14:50 < Valect> and the route shows up in windows as having the gateway 192.168.43.5
14:50 < rubydiamond> or has our sysadmin disabled openvpn access for me?
14:50 < nDuff> rubydiamond, it could well be that your firewall rules have changed, but that's not the only possible explanation
14:51 < rubydiamond> nDuff: you mean my laptop one or our server's one
14:51 < nDuff> rubydiamond, you need to make sure UDP packets are flowing in both directions, as I already said. Turning up OpenVPN's verbosity (to 5 or more) will help with that.
14:51 < Ahiru> ok I'm having a very bizarre issue, I have a client who's trying to connect to my vpn from behind a rather restrictive firewall, udp appears to be completely blocked, but tcp works, and I found a port that is unblocked, and traffic passes over it (checked with verb 6)
14:52 < Ahiru> but it's very unstable, and the latency on the tunnel basically escalates up and up, I watched it go from 40ms to 90000ms in about a minute or so
14:52 < Ahiru> so it's pretty much unusable
14:52 < Ahiru> http://pastebin.com/m55a9984e server.conf, client directives, and client.conf in that order
14:52 < Valect> nDuff here's the relevant part of windows route table
14:52 < Valect> 10.34.43.0 255.255.255.0 192.168.43.5 192.168.43.6 1
14:53 < Valect> i have no idea where 192.168.43.5 is coming from
14:53 < nDuff> Valect, it's part of how OpenVPN fudges things to make the win32 tap driver pretend it's a tun device
14:53 < nDuff> Valect, the FAQ discusses it; it's normal behavior.
14:53 < Valect> the whole /30 thing?
14:54 < nDuff> yup
14:54 < Valect> ok, so
14:54 < Valect> how can i access another machine on the vpn client subnet, say 10.34.43.10
14:54 < Valect> this should technically do it, right?
14:55 < Ahiru> client-to-client needs to be enabled
14:55 < Valect> it is
14:55 < Valect> but the machine i need to access isn't a vpn client anyway
14:55 < Valect> it's just on the same subnet
14:55 < Valect> er no it's not wtf am i smoking
14:55 < Valect> it's on the same subnet as the vpn server
14:56 < Ahiru> about to say, you really don't want the vpn clients on the same subnet as the external subnet for a lot of reasons
14:56 < Valect> i can reach the vpn server without issue, but not anything else
14:57 < Ahiru> if you're using tun, the vpn server needs to know to masquerade or forward, and the other side needs to know to route to it
14:57 < Valect> what are the appropriate options
14:58 < Valect> although
14:58 < Valect> hrm
14:58 < Ahiru> it's all server-side, iptables and such
14:58 < Valect> right
14:58 < Valect> freebsd though, no iptables
14:58 < Ahiru> dunno what the analog is on freebsd
14:58 < Valect> too many things
14:59 < Ahiru> at the very least ip forwarding needs to be enabled
15:00 < Ahiru> and then routing should work
15:00 < Ahiru> that's usually the minimal you need
15:00 < Valect> i have a feeling doing this is going to break shit
15:01 < Valect> both nics are on the same switch
15:01 < Ahiru> it shouldn't, it won't forward unless either the route is advertised with rip or whatever, or if clients know explicitly to route through it
15:02 < Valect> i dunno, our network was brought down with a sip phone
15:03 * Valect does it anyway
15:03 < Valect> (which btw, i didn't design)
15:08 < Valect> hrm
15:08 < Valect> no go on the ip forwarding
15:11 < Valect> lets see what the guys in #freebsd have to say
15:26 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
16:03 -!- rmull [n=boom@busw043-0b01-dhcp122.bu.edu] has joined ##openvpn
16:04 < rmull> So - I have a bridged VPN set up just fine, and am looking to redirect-gateway def1
16:05 < rmull> But when I add that directive, I cannot access any internet resource that is not on the VPN server's subnet
16:05 < rmull> Now, is this because the vpn server is not the gateway for its subnet?
16:06 < rmull> My client routing table shows the gateway is set to the IP of the VPN server
16:06 < docteh> what do you mean?
16:06 < rmull> If I removed this rule and set the default gateway to be the remote network's gateway, could that work?
16:07 < rmull> docteh: Which part?
16:07 < docteh> so you're bridging your vpn with a local lan segment?
16:07 < rmull> I am running openvpn in bridging, as opposed to routed tunnel, mode.
16:08 < rmull> So that broadcasts etc traverse the VPN.
16:08 < docteh> are you wanting to route all packets via that vpn? like as a default gateway? just dont forget to make a static route to the vpn ;)
16:09 < rmull> The route is installed for you when you connect to the vpn server when the server is configured with the redirect-gateway directive.
16:09 < rmull> The route gets installed fine.
16:09 < docteh> ohh but that makes it use the vpn server as the default gateway, not the proper one
16:09 < rmull> Yes, that's the issue
16:10 < rmull> So if the vpn server is 10.1.1.2 and the gateway is 10.1.1.1, if I manually set my default gateway to 10.1.1.1 and delete what gets installed for 10.1.1.2, that should work?
16:10 < rmull> Instead of asking, I'll just test it.
16:10 < docteh> thats usually the best solution 16:11 < rmull> Leaving chan so I don't spam with logins 16:11 -!- rmull [n=boom@busw043-0b01-dhcp122.bu.edu] has left ##openvpn [] 16:30 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 16:32 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)] 16:33 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 16:37 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Remote closed the connection] 16:37 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 16:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:51 < Valect> ok, 2 hours later 16:51 < Valect> no go 16:51 < Valect> maybe if i upload my config someone can tell me what i'm doing wrong 16:54 < Valect> http://evildomain.org/openvpn.conf 17:11 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 17:25 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Success] 17:25 -!- rubydiamond [n=rubydiam@123.236.177.5] has quit [] 17:37 < _Steve_> Valect: configs are not "right" or "wrong".... some just work differently than others. what about yours isn't working the way you want? 17:40 < Valect> vpn clients can only reach the vpn server on the 10.34.43/24 subnet, and nothing else 17:41 < _Steve_> is the OS setup to forward packets? 17:41 < _Steve_> and firewall setup to allow them? 
17:45 < Valect> yes, no firewall 17:58 -!- _Valect [n=aaron@71.39.93.58] has joined ##openvpn 17:59 -!- Valect [n=aaron@71.39.93.58] has quit [Read error: 104 (Connection reset by peer)] 18:20 -!- _Valect [n=aaron@71.39.93.58] has quit [Connection timed out] 18:34 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 18:35 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)] 18:38 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:58 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 18:58 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn 19:02 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)] 19:04 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 60 (Operation timed out)] 19:05 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 19:08 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 19:09 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Client Quit] 19:25 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 110 (Connection timed out)] 20:08 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 20:12 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Client Quit] 21:37 -!- near [n=near@83-155-187-54.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:39 -!- near [n=near@83-155-190-5.rev.libertysurf.net] has joined ##openvpn 23:41 < ecrist> anyone wanna tempt the banhammer tonight? 23:41 < ecrist> puuullllleeeeeeez? 23:41 -!- gongoputch [n=kseel@74.95.184.161] has quit [Connection timed out] 23:50 < nDuff> ecrist, sorry -- I'm tired enough to be stupid, but otherwise not in the mood. 23:55 -!- gongoputch [n=kseel@74.95.184.161] has joined ##openvpn --- Day changed Sat Sep 13 2008 00:28 < ecrist> heh 00:29 * ecrist goes to bed. 
01:57 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 01:57 -!- kala [i=kala@uba.linux.ee] has quit [Remote closed the connection] 02:57 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 03:03 -!- hetii [n=Remik@193.159.172.162] has joined ##openvpn 03:03 < hetii> hello 03:03 < hetii> i think i find bug on openvpn software 03:04 < hetii> they dont store pid file when system boot 03:05 < hetii> i use expect tools script to run it and type automagical password for my keys 03:06 < hetii> when i start it from console there is no problem but when system init process start it there is no pid file. 06:44 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 07:41 -!- hetii [n=Remik@193.159.172.162] has quit [Read error: 110 (Connection timed out)] 09:08 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 09:40 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 09:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:55 < krzee> woohoo i have inet now! 09:56 < krzee> i burnt out my 500mW alfa wifi adapter and it was the only one that could reach neighborly wifi 10:23 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection] 10:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 10:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:23 -!- bandini [n=bandini@host237-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 11:29 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 12:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:36 -!- tetraedr [n=Admin@Tetraedr.Od.Ua] has joined ##openvpn 12:37 < tetraedr> hi 12:37 < tetraedr> how do I make clients to use openvpn connection server as default gw? 
12:38 < Valect> redirect-gateway 12:40 < tetraedr> Valect: thanks, found it in the man 12:40 < tetraedr> string is: push "redirect-gateway def1" - but what does def1 means - I don't know :( 12:41 < Valect> not sure 12:42 < Valect> there's also "local def1" 12:43 < tetraedr> yeah, but it's for wireless networks, hm 12:43 < tetraedr> it works and thank god 12:45 < Valect> word 12:57 -!- tetraedr [n=Admin@Tetraedr.Od.Ua] has left ##openvpn [] 13:19 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 13:19 < Dougy> hey all 13:46 < krzee> hey 13:47 < krzee> !def1 13:47 < vpnHelper> krzee: Error: "def1" is not a valid command. 13:47 < krzee> !man 13:47 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 13:48 < krzee> !learn def1 as used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 13:48 < vpnHelper> krzee: The operation succeeded. 13:48 < krzee> !menu 13:48 < vpnHelper> krzee: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom, !push-reset 13:48 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom, !push-reset, !def1 13:48 < vpnHelper> krzee: The operation succeeded. 
13:48 < krzee> !forget menu 1 13:48 < vpnHelper> krzee: The operation succeeded. 13:53 < Dougy> krzee! 13:53 < krzee> wassup! 13:54 < krzee> i am in love with synergy 13:54 < Dougy> lol 13:54 < Dougy> whats that 13:54 < krzee> http://synergy2.sourceforge.net/ 13:54 < vpnHelper> Title: Synergy (at synergy2.sourceforge.net) 13:54 < Dougy> No chanserv? :o 13:54 < krzee> Synergy lets you easily share a single mouse and keyboard between multiple computers with different operating systems, each with its own display, without special hardware. It's intended for users with multiple computers on their desk since each system uses its own monitor(s). 13:54 < krzee> Redirecting the mouse and keyboard is as simple as moving the mouse off the edge of your screen. Synergy also merges the clipboards of all the systems into one, allowing cut-and-paste between systems. Furthermore, it synchronizes screen savers so they all start and stop together and, if screen locking is enabled, only one screen requires a password to unlock them all. Learn more about how it works. 13:54 < Dougy> nice 13:55 < Dougy> I have one computer thats it 13:55 < Dougy> with one monitor 13:55 -!- mode/##openvpn [+o Dougy] by ChanServ 13:55 -!- mode/##openvpn [-o Dougy] by ChanServ 13:55 < Dougy> ahahah 13:55 < Dougy> there he is 13:55 < Dougy> s/he/it/ 13:56 < krzee> i have a freebsd machine with a 22" monitor 13:56 < Dougy> /msg chanserv op #openvpn Dougy 13:56 < krzee> which hooks up to my cable for tv 13:56 < Dougy> er 13:56 < Dougy> lame 13:56 < krzee> and my 400 disc dvd changer via svideo 13:56 < Dougy> /msg chanserv op ##openvpn Dougy 13:56 < Dougy> there 13:56 < Dougy> 400 disc!?!??! 13:56 < krzee> it is also my NFS so it has ALL my music and movies 13:56 < krzee> yes 13:57 < Dougy> ..... 
13:57 < Dougy> lol 13:57 < Dougy> brb 13:57 < krzee> so its nice to be able to control its mouse with my laptop now 13:58 < krzee> especially cause i have a long ass dvi cable and audio cable (which hooks to my 5.1 audio system) im gunna run around the house 13:58 < krzee> so i dont hafta sleep with the wind tunnel sounding fan system 13:58 < krzee> like 6 fans + cpu fan 14:00 < Dougy> jesus 14:00 < Dougy> i have an acer laptop from last year 14:00 < Dougy> thats alli have 14:01 < Dougy> krzee, the forum is flat. 14:01 < Dougy> :( 14:03 < krzee> but its there if its needed 14:03 < krzee> i wonder if the announceing forum topics even works in here 14:03 < krzee> i havnt had inet for a couple days 14:03 < krzee> burnt out my long range wifi adapter 14:03 < Dougy> ouch 14:03 < krzee> it cant xmit anymore 14:03 < Dougy> i'll test it 14:04 < krzee> werd im gunna go get food 14:04 < krzee> bbl 14:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 14:04 -!- bandini [n=bandini@host237-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:34 -!- bandini [n=bandini@host237-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 14:38 -!- tetraedr [n=Admin@Tetraedr.Od.Ua] has joined ##openvpn 14:38 < tetraedr> I'm interesting: how do I block some user? 14:39 -!- tetraedr [n=Admin@Tetraedr.Od.Ua] has left ##openvpn [] 14:39 < Dougy> Use iptables? 14:39 < Dougy> jackass 15:42 * Dougy stabs ecrist 16:24 -!- dresdn [n=mbydalek@ip70-176-46-205.ph.ph.cox.net] has joined ##openvpn 16:26 < dresdn> Hi all. I'm hoping someone can help me out with a simple routing issue that has just been evading me all week. Basically, I have a remote network with an Actiontec router (private ip x.x.x.1) with an openvpn server (x.x.x.3) behind it. 
The Actiontec port forwards 1194 to x.x.x.3, and also has a static route for 10.8.0.0/24 with a gateway of x.x.x.3 on it 16:27 < dresdn> the issue is, when a client connects, it cannot ping anything besides the .1 and .3. If on an internal client, I ping the vpn client (10.8.0.6), I get this: 16:27 < dresdn> # ping 10.8.0.6 16:27 < dresdn> PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data. 16:27 < dresdn> 64 bytes from 10.8.0.6: icmp_seq=1 ttl=63 time=75.1 ms 16:27 < dresdn> From 192.168.1.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.3) 16:28 < dresdn> all the documentation I can find all points to a routing issue, but this actiontec replaced a 3 year old one that I had to rebuild by hand, and I don't *think* I missed anything. Anyone have any ideas on what I can try next? 16:36 < Dougy> Hi 16:36 < Dougy> Let me read 16:36 < Dougy> I have no idea man. sorry 16:37 < dresdn> so strange, only thing that changed was the gateway dying =/ 16:38 < Dougy> Not sure man. Sorry. 16:38 < Dougy> ecrist: http://gizmodo.com/5049331/hackers-hit-lhc-sorta-maybe-came-close-to-actual-damage 16:39 < vpnHelper> Title: Lhc: Hackers Hit LHC, Sorta Maybe Came Close To Actual Damage (at gizmodo.com) 18:05 -!- dresdn [n=mbydalek@ip70-176-46-205.ph.ph.cox.net] has quit [] 18:07 < docteh> do they even host thier own website? 18:34 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:38 < ecrist> sup, folks? 18:39 < ecrist> I'm on for about 5 mins, then off again. 18:39 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:40 < ecrist> well, fine, I didn't want to talk with you fuckers, either. 18:41 < ecrist> dresdn has a routing issue. 18:42 * ecrist goes away. 18:45 < docteh> finally 18:45 < docteh> now we can talk again 20:02 < ecrist> /banhammer docteh 20:07 * ecrist is in a weird mood. 
20:58 < ecrist> not even Dougy is here, eh 21:37 -!- near [n=near@83-155-190-5.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:37 -!- near [n=near@83-156-242-32.rev.libertysurf.net] has joined ##openvpn 22:42 < docteh> /swordhammer ecrist 23:56 -!- n3kl [n=n3kl@c-24-8-165-101.hsd1.co.comcast.net] has joined ##openvpn 23:56 < n3kl> Yo! 23:56 < n3kl> Anyone using openvpn on tehir lan, or wifi? --- Day changed Sun Sep 14 2008 00:38 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has left ##openvpn [] 02:18 < docteh> i use it through wifi 03:43 -!- Zeti [n=gs@e180051068.adsl.alicedsl.de] has joined ##openvpn 03:43 < Zeti> hi 03:43 < Zeti> I was just trying to install the server 03:43 < Zeti> and I got to the step of ./clean-all 03:43 < Zeti> but it complains that KEY_DIR is not set 03:43 < Zeti> although ./vars should have done that if I'm not mistaken 03:44 < Zeti> an echo reveals, that the variables are still empty though 03:51 < Zeti> argh 03:51 < Zeti> there are two dots 03:51 < Zeti> shame on me 04:18 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 04:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:52 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 04:53 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 104 (Connection reset by peer)] 04:53 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 
04:54 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 04:55 < Zeti> hi 04:56 < Zeti> I'm now having more mysterious problems 04:56 < Zeti> on UDP connect failed 04:56 < Zeti> and on TCP the server resets the connection 04:56 < Zeti> the client reports a wrong crt in the last case 05:13 -!- ompaul_ is now known as ompaul 05:21 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 05:28 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 05:51 -!- docteh [n=mage@24.86.174.105] has quit [Remote closed the connection] 07:19 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 08:39 -!- Zeti [n=gs@e180051068.adsl.alicedsl.de] has quit [Nick collision from services.] 08:39 -!- Zeti [n=gs@e180007239.adsl.alicedsl.de] has joined ##openvpn 08:39 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 13:48 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 13:55 -!- fquit [n=member@VDSL-130-13-43-252.PHNX.QWEST.NET] has joined ##openvpn 13:56 < fquit> Whenever I run "./clean-all" , I keep getting >> "You need to define KEY_DIR" ... but my key_dir is correct in vars. 13:57 < fquit> what gives 14:01 < Dougy> not sure lol 14:02 < fquit> :( 14:03 < Dougy> what OS 14:03 < fquit> Linux 14:03 < Dougy> No, really? 14:03 < Dougy> What distro :p 14:04 < fquit> Ubuntu 14:05 * fquit ducks 14:05 * Dougy fwhacks 14:05 < Dougy> so you ran . ./vars 14:05 < Dougy> !forum 14:05 < Dougy> :D 14:05 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 14:05 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 14:05 < Dougy> krzee: ping 14:06 < fquit> When I run that , I get this >> NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/1.0/keys 14:06 < fquit> Tried running ./clean-all , and I get this >> You must define KEY_DIR 14:06 < fquit> Grr.. 
14:10 < krzee> just combine the scripts 14:10 < krzee> all your vars script does is set vars 14:10 < krzee> you could copy and paste it into your bash 14:10 < krzee> then it'll be fine 14:11 < krzee> whats happening is when you run vars it cant export the variables to their parent process (the bash you end up back at after it runs) 14:11 < krzee> why they still use it like that in easy-rsa... i have no clue 14:15 < fquit> krzee So, how do I rectify this problem? 14:18 < krzee> [15:10] just combine the scripts 14:18 < krzee> or 14:18 < krzee> [15:10] you could copy and paste it into your bash 14:19 < fquit> copy and paste whatever was in the installation notes @ openvpn.net or README into bash? 14:19 < krzee> umm 14:19 < krzee> the vars script 14:19 < krzee> just copy/paste the relevant stuff into bash 14:19 < Dougy> krzee: bot doesnt work 14:20 < krzee> sure it does 14:20 < Dougy> i mean for the forum 14:20 < krzee> you mean the rss reading from your forum to here doesnt work 14:20 < krzee> yup 14:20 < krzee> *shrug* 14:20 < krzee> oh well 14:20 < Dougy> :p 14:20 < Dougy> god 14:20 < Dougy> I got this old server that has been sitting here since 2006 to work 14:21 < Dougy> for myself 14:21 < Dougy> my boss just said no i can't have/use it, and that i have to rent it out now 14:21 < Dougy> lame 14:21 < fquit> krzee How do you go about doing that.. Sorry for the newbie question. Copy/paste relevent stuff into bash .. such as? 14:21 < krzee> im having a PITA getting my bios updated on my NFS 14:21 < krzee> fquit, the vars... 14:22 < fquit> What's the cmd to enter? .. *embarased* 14:22 < krzee> umm 14:22 < krzee> i dunno man 14:23 < krzee> you should be able to open it in an editor, highlight the shit that matters... copy... 
paste into bash prompt 14:24 < krzee> anyways, im out 14:24 < krzee> later 14:55 -!- pooria [n=pooria@blk-137-98-253.eastlink.ca] has joined ##openvpn 15:11 -!- gongoputch [n=kseel@74.95.184.161] has quit [Read error: 104 (Connection reset by peer)] 15:12 -!- gongoputch [n=kseel@74.95.184.161] has joined ##openvpn 15:57 -!- ryan-c [n=ryan@75.101.7.196] has joined ##openvpn 15:57 < ryan-c> so, I can't kill openvpn with kill -9 15:57 < ryan-c> is there any other way to kill it? 15:59 < Dougy> are you root 15:59 < Dougy> :p 15:59 < Dougy> stupid question I know 15:59 < ryan-c> of course 16:00 < Dougy> reboot? 16:18 < ryan-c> Well, duh 16:19 < ryan-c> I was hoping I could do something other than reboot 16:20 < Dougy> Hm 16:20 < Dougy> Is it running as the user nobody? 16:21 < ryan-c> I think it's still running as root 16:22 < Dougy> ps auxf | grep openvpn 16:22 < ryan-c> yeah 16:22 < ryan-c> root 16:22 < Dougy> sigh 16:22 < Dougy> first mistake 16:22 < ryan-c> wtf is up with it, anyway? 16:23 < ryan-c> hmm 16:23 < ryan-c> says D+ status 16:23 < ryan-c> IO wait? 
16:23 < Dougy> ##linux is waiting for you 16:23 < Dougy> !notopenvpn 16:23 < vpnHelper> Dougy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 16:23 < ryan-c> *shrug* 16:24 < ryan-c> I guess I will have to reboot 16:24 < ryan-c> after a nap :p 16:35 -!- pooria [n=pooria@blk-137-98-253.eastlink.ca] has quit [Read error: 110 (Connection timed out)] 16:53 -!- Zeti [n=gs@e180007239.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 17:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 21:11 -!- dryrot [i=10539@tsunami.OCF.Berkeley.EDU] has joined ##openvpn 21:27 < fquit> This time, when I try to build-ca, I get "you must define key_dir" error, please help 21:38 -!- near [n=near@83-156-242-32.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:40 -!- near [n=near@83-153-95-131.rev.libertysurf.net] has joined ##openvpn 21:41 < dryrot> look at the file vars 21:41 < dryrot> look at the key_dir line 21:41 < dryrot> does it exist? 22:36 -!- ryan-c [n=ryan@75.101.7.196] has quit ["Leaving"] --- Day changed Mon Sep 15 2008 00:11 < ecrist> evening, kids 02:48 -!- near [n=near@83-153-95-131.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 03:01 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 03:06 -!- thomas [i=tm@tm.muc.de] has joined ##openvpn 03:06 < thomas> hello. 03:06 < thomas> any ideas to: ovpn-openvpn[10062]: freeLINE-Buero/84.56.40.21:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1435 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 03:06 < thomas> ? 
05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:33 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has joined ##openvpn 05:33 < sibiria> hello. i'm having some weird problems with openvpn after upgrading from openbsd 4.2 to 4.3 05:33 < sibiria> i've recompiled openvpn, but no effect. no config has changed 05:34 < sibiria> what happens is that it appears openvpn does not actually listen on the port it is set to use 05:34 < sibiria> if i f.e. set it to tcp port 1234, port 1234 shows up as "closed, not listen 05:34 < sibiria> --daemon has no effect either - it just sits idle refusing to fork 05:35 < sibiria> no info at all in the logs 05:38 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has left ##openvpn [] 06:16 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has joined ##openvpn 06:16 < squirrelpimp> i 06:17 < squirrelpimp> i found an obvious bug in the initscript provided with the version of openvpn by the fedora EPEL repos 06:17 < squirrelpimp> in line 96 it should be "==" 07:12 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 07:46 -!- Netsplit heinlein.freenode.net <-> irc.freenode.net quits: fquit, djs, plik 07:50 -!- Netsplit over, joins: djs, plik 08:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 113 (No route to host)] 08:45 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 09:00 -!- tim-ct [n=123@dsl-241-170-97.telkomadsl.co.za] has joined ##openvpn 09:02 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)] 09:04 < tim-ct> hi all 09:04 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 09:04 -!- tim-ct [n=123@dsl-241-170-97.telkomadsl.co.za] has quit [Operation timed out] 09:05 -!- tim-ct [n=123@dsl-241-170-97.telkomadsl.co.za] has joined ##openvpn 09:06 < paruchuri> hi all 09:06 < paruchuri> i need 
help on openvpn 09:07 < paruchuri> i installed openvpn in fedora 9 and its working fine 09:07 < paruchuri> but when i am trying to connect from outside of my network its not connecting 09:07 < paruchuri> please help me on this 09:11 < tim-ct> anyone know whether openvpn will work with a securty dongle 09:15 < nDuff> tim-ct, if the dongle is PKCS#11 compliant, yes. 09:16 < nDuff> paruchuri, "not connecting" is pretty vague. Does anything happen on the server at all when the client tries to connect? If not, have you validated that packets are able to get from Point A to Point B (ie. not blocked by firewalls &c)?) 09:16 < paruchuri> i checked every thing 09:17 < nDuff> tim-ct, see http://openvpn.net/index.php/documentation/howto.html#pkcs11 and 09:17 < paruchuri> i made some changes in server.conf and client.conf 09:17 < nDuff> paruchuri, you're being vague again. Which things did you check? Which changes did you make? 09:18 < paruchuri> i made changes for server ip and that ip i gave in client configuration file 09:20 < nDuff> okay. Which things did you check? ie. have you used a packet sniffer (or verb 5) to see if packets from the client are getting to the server at all? 09:20 < nDuff> what messages, if any, do you get on either side? 09:20 < nDuff> etc; we can't help you if you don't give information. 09:21 < paruchuri> SINUSR1(soft,tls-error)received,process restarting 09:22 < nDuff> one line isn't enough context; pastebin. 09:22 < paruchuri> ok 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
09:26 < paruchuri> Mon Sep 15 19:42:21 2008 LZO compression initialized 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 Local Options hash (VER=V4): '41690919' 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 Expected Remote Options hash (VER=V4): '530fdded' 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 UDPv4 link local: [undef] 09:26 < paruchuri> Mon Sep 15 19:42:21 2008 UDPv4 link remote: 61.16.248.247:1194 09:26 < paruchuri> Mon Sep 15 19:43:21 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 09:26 < paruchuri> Mon Sep 15 19:43:21 2008 TLS Error: TLS handshake failed 09:26 < paruchuri> Mon Sep 15 19:43:21 2008 TCP/UDP: Closing socket 09:26 < paruchuri> Mon Sep 15 19:43:21 2008 SIGUSR1[soft,tls-error] received, process restarting 09:26 < paruchuri> Mon Sep 15 19:43:21 2008 Restart pause, 2 second 09:26 < paruchuri> this is output from client side 09:27 < cpm> !pastebin 09:28 < paruchuri> i didnt get you 09:29 < paruchuri> sorry for that 09:30 -!- tim-ct [n=123@dsl-241-170-97.telkomadsl.co.za] has quit [Read error: 60 (Operation timed out)] 09:31 < nDuff> okay -- timeout, and no reason in the logs given here to believe any packets ever actually reached the server; you should investigate that line of approach. (also, next time, please do actually use a pastebin when someone asks you to pastebin) 09:31 < paruchuri> yes i will do that from next time 09:32 < paruchuri> in sever conf which one i have to check 10:07 < nDuff> pardon? I'm not asking about checking your server.conf configuration, but actually investigating the host (ie. by using a packet sniffer) to ensure that packets are getting to the server at all. 
10:37 -!- int [n=quassel@wikia/int] has joined ##openvpn 10:41 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 10:43 < paruchuri> sorry nDuff i am unable to understand what you are saying.i am new to openvpn 10:44 < paruchuri> so if possible please tell me what i have to do. 10:44 < nDuff> paruchuri, the steps I am suggesting are not specific to OpenVPN. Do you know what a packet sniffer is? 10:44 < paruchuri> etheral! 10:55 -!- jawnsy [i=jon@unaffiliated/frequency] has joined ##openvpn 10:56 -!- jawnsy [i=jon@unaffiliated/frequency] has left ##openvpn [] 10:57 < nDuff> paruchuri, right. (note that ethereal is deprecated; wireshark is its replacement). Use that or tcpdump to make sure the packets from the client are actually getting to the server. 10:57 < paruchuri> i used tcpdump but no packet is receiving from client 10:58 < nDuff> paruchuri, there you are, then; check your firewall and other networking infrastructure. 10:58 < paruchuri> i have two nic cards for my system.one is public ip and one is local ip 11:04 < paruchuri> i am able to see request on server side but in client side its saying connection reset by peer 11:06 < paruchuri> code 10054 11:07 < paruchuri> read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054) 11:08 < paruchuri> this is the error what i am getting 11:22 -!- aptanet is now known as whaletales 11:22 -!- whaletales is now known as aptanet 11:37 -!- paruchuri [n=qvantel@61.16.248.247] has quit [Read error: 110 (Connection timed out)] 13:00 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:13 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 13:29 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 13:52 -!- whaletales [n=Paul@5ad0fd5f.bb.sky.com] has joined ##openvpn 14:01 < ecrist> afternoon, kids 14:15 < cpm> lo 14:16 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 14:17 -!- 
bandini [n=bandini@host237-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:32 < ecrist> how goes, cpm? 14:32 < cpm> goes 14:32 < cpm> how U? 14:32 < ecrist> tired 14:34 -!- whaletales [n=Paul@5ad0fd5f.bb.sky.com] has quit [Read error: 110 (Connection timed out)] 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:52 -!- whaletales [n=Paul@5ad5a0be.bb.sky.com] has joined ##openvpn 15:03 -!- whaletales [n=Paul@5ad5a0be.bb.sky.com] has quit [Read error: 104 (Connection reset by peer)] 15:06 -!- whaletales [n=Paul@5ad5a0be.bb.sky.com] has joined ##openvpn 15:22 -!- fquit [n=member@VDSL-130-13-43-252.PHNX.QWEST.NET] has joined ##openvpn 15:23 < fquit> dryrot you still around 15:23 < dryrot> who me? 15:24 * fquit doesn't see anyone else with the nick dryrot other than dryrot :P 15:24 < dryrot> oh 15:24 < dryrot> what's up 15:24 < fquit> dryrot nothing much .. when you msgged me, with the answer, I wasn't on, sorry about that... 15:24 < fquit> do you still remember my question? 15:24 < dryrot> nope 15:25 < fquit> This time, when I try to build-ca, I get "you must define key_dir" error, please help 15:25 < fquit> I looked over at vars, and KEY_DIR=/etc/openvpn/easy-rsa/1.0/keys .. 15:25 < fquit> and keys folder does exist under easy-rsa/1.0 15:27 < dryrot> so before you run 'build-ca' 15:27 < dryrot> did you 'sources vars' ? 15:28 < fquit> dryrot I've tried >> source vars (and . ./vars) then ./clean-all then build-ca 15:30 < dryrot> paste in output of 'grep KEY_DIR vars' 15:30 < dryrot> also mine says 15:30 < dryrot> export KEY_DIR="$EASY_RSA/keys" 15:30 < fquit> I'm using 1.0 not 2.0 .. under /etc/openvpn/easy-rsa 15:33 < dryrot> i have no idea 15:33 < dryrot> maybe move your keys dir to 15:33 < dryrot> /etc/openvpn/easy-rsa/ 15:33 < dryrot> set KEY_DIR to 15:34 < dryrot> /etc/openvpn/easy-rsa/keys 15:34 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 15:39 < dryrot> give me a login on your machine and i'll look! 
16:01 < fquit> dryrot sorry about that ..
16:01 < fquit> let me install ssh
16:02 < fquit> dryrot Thanks. [hold on]
16:02 -!- whaletales [n=Paul@5ad5a0be.bb.sky.com] has quit [Read error: 104 (Connection reset by peer)]
16:12 < dryrot> is this on your laptop or something
16:15 < fquit> dryrot desktop
16:15 < fquit> dryrot 130.13.43.252
16:16 < dryrot> password ?
16:18 < fquit> dryrot qwertyuiop
16:19 < fquit> dryrot username: jqk
16:19 < fquit> password: qwertyuiop
16:19 < dryrot> nope, no work
16:20 * nDuff files fquit under "trusting". (It might be wiser to send that info via PM, rather than in-channel).
16:20 < dryrot> ha
16:20 < dryrot> he should delete me when he's finished messing with openvpn
16:20 < nDuff> well, yes, that too
16:20 < fquit> nDuff who cares .. not like that is the root password :)
16:20 < nDuff> fquit, heh, yar; s'ppose I've just got a fair bit of professional paranoia in me. :)
16:21 -!- dan__t [n=dant@cheyenne-69-16-140-5.phx2.puregig.net] has joined ##openvpn
16:21 < dan__t> Hello.
16:21 < dryrot> anyway doesn't work
16:21 < dan__t> I'm trying to see what I can do about assigning each OpenVPN peer its own routable IP address.
16:21 < fquit> dryrot I've got iptables to accept ssh from input and out from port 22.. Hmm..
16:21 < dan__t> Like 1:1 NAT, essentially
16:21 < dryrot> i think you told me the wrong password
16:22 < fquit> hold on
16:22 < dan__t> And, can that only be used in bridging mode?
16:23 < fquit> dryrot nop, that's the correct passwd, just re-login'd.
16:26 < dryrot> it works great for me
16:26 < fquit> dryrot works now, eh?
16:26 < dryrot> http://pastie.org/272952
16:27 < fquit> oh boy, that doesn't look good :P
16:27 < dryrot> huh?
16:27 < dryrot> looks great
16:27 < dryrot> might even work if i were root
16:27 < dryrot> so i dont see what problem you are having with openvpn
16:27 < fquit> wth ..
16:27 < fquit> hold on
16:30 < fquit> http://pastie.org/272954
16:31 < dryrot> you have to do this stuff as root
16:31 < dryrot> oh you did
16:32 < dryrot> you didnt run clean-all as root
16:32 < dryrot> i would just
16:32 < dryrot> sudo root
16:32 < dryrot> and run everything
16:32 < dryrot> dont bother with sudo right now
16:34 < fquit> dryrot Ah, works great now... The problem was that I had to execute all cmds in root .. I guess sudo cmd_to_execute wasn't enough
16:34 < fquit> heh
16:39 -!- tomj_ [n=tomj@ip-62-105-179-89.dsl.twang.net] has joined ##openvpn
16:40 -!- TomJ [n=tomj@ip-62-105-179-89.dsl.twang.net] has quit [Read error: 104 (Connection reset by peer)]
16:40 -!- tomj_ is now known as TomJ
16:43 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:54 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
17:29 < dan__t> Anyone know how I can force a VPN user to "bind" to a routable IP address when they visit other destinations through the VPN/
17:29 < dan__t> ?
17:31 -!- whaletales [n=Paul@5ad5a0be.bb.sky.com] has joined ##openvpn
17:37 < dan__t> Is that even possible?
17:40 < nDuff> dan__t, I'm not really sure I understand what you're asking.
17:40 < nDuff> dan__t, do you want to route each user's traffic through a different external IP on your VPN host?
17:41 < dan__t> So, local client 10.8.0.5 establishes a VPN connection, I want their source IP to be of any one out of a pool of routable, external IP addresses on the server that OpenVPN is aware of.
17:41 < nDuff> dan__t, that's doable, but it'll require some scripting / iptables work that falls into the category of "exercise left to the reader".
17:41 < dan__t> Ah ha, ok.
17:52 -!- TodoInTX [n=matt@nat/sun/x-ec26b97f451136d9] has joined ##openvpn
17:52 < dan__t> Do you have anything to point me in the right direction?
18:04 < fquit> I've setup vpn server .. How to connect to the user/password .. How can I find that out?
18:16 < dryrot> did it work?
18:16 < dryrot> tail some logs
18:17 < fquit> dryrot http://pastie.org/272999
18:20 < dryrot> looks good. connecting your openvpn server to .... your openvpn server isnt really going to prove anything
18:21 < fquit> dryrot What credentials and ip address to use when connecting to the openvpn server from Windoze?
18:22 < dryrot> i have no idea . you make a username (or username + password) to use on your openvpn client by running on your openvpn server build-key or build-key-pass
18:24 < fquit> I did at one point .. did this >> ./build-key .. where client name was "al" .. but left the passwd blank
18:32 -!- whaletales [n=Paul@5ad5a0be.bb.sky.com] has quit [Read error: 110 (Connection timed out)]
18:37 < dryrot> cool
18:37 < dryrot> so copy one of the sample OVPN files
18:37 < dryrot> onto your openvpn client
18:37 < dryrot> i can tremember what files you need
18:37 < dryrot> cant
18:38 < nDuff> dan__t, hmm. There's been discussion on the ML of folks using similar techniques from their client-connect scripts for establishing per-client firewall rules, but I'm not sure if anyone's actually posted scripts.
18:38 < dan__t> Ok, np.
18:38 < dan__t> I smell prerouting, but we'll see.
18:38 < dryrot> just rip off this guy
18:38 < dryrot> howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-and-setup-openvpn-on-debian-4-0-etch
18:39 < nDuff> s/client-connect/learn-address/
18:42 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has joined ##openvpn
18:42 < eliasp> hi
19:13 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
19:18 -!- Dougy [n=doug@64.18.159.247] has quit [Nick collision from services.]
19:18 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:18 < Dougy> yo
19:18 < Dougy> ecrist, ping
19:19 < Dougy> anyone awake?
19:29 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"]
19:43 -!- fquit [n=member@VDSL-130-13-43-252.PHNX.QWEST.NET] has quit ["The light is not coming from you is.. Another..darkness"]
20:14 < dryrot> no
21:11 -!- dan__t [n=dant@cheyenne-69-16-140-5.phx2.puregig.net] has quit [Read error: 60 (Operation timed out)]
21:22 < ecrist> yes, I am.
21:22 < ecrist> now
21:23 * ecrist installs openvpn
21:38 -!- near [n=near@83-155-184-7.rev.libertysurf.net] has joined ##openvpn
22:30 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has joined ##openvpn
22:30 < dan__t> Hello.
22:30 < dan__t> I'm trying to push "route x.x.x.x 255.255.255.0" to a client, but I don't see the client taking the route.
22:30 < dan__t> Are there any common mistakes that might be made which is prohibiting this?
22:32 < ecrist> x.x.x.x isn't a valid IP address...
22:32 < dan__t> heh
22:32 < dan__t> <3 google
22:33 < ecrist> ;)
22:33 * ecrist goes to sleep.
23:00 -!- dryrot [i=10539@tsunami.OCF.Berkeley.EDU] has quit [Read error: 104 (Connection reset by peer)]
23:19 -!- TodoInTX [n=matt@nat/sun/x-ec26b97f451136d9] has left ##openvpn []
--- Day changed Tue Sep 16 2008
00:12 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn
00:19 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
00:21 < onats> hello, i'm planning to connect my iphone to my home router, w/c is running openvpn.. is there anyway i can do this? I'm not sure if the connection is L2TP, PP2P, or IPSec?
00:28 * dan__t stabs pptp
00:40 < kala> onats: not possible
00:40 < onats> i see...
00:41 < onats> so essentially, openvpn is performing vpn with its own "protocol?"
00:41 < kala> yes
00:42 < kala> you should be able to port openvpn to iphone quite easily though. just that nobody has done that
01:03 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
01:08 < dan__t> Hrm, got it working.
01:08 < dan__t> Awesome.
01:08 < dan__t> is there a way to only allow one client connection per generated key
01:08 < dan__t> I don't want the whole office sharing like one key
01:15 -!- dryrot [i=10539@tsunami.OCF.Berkeley.EDU] has joined ##openvpn
01:23 < dan__t> Yea, just for a test I'm using the same key from two different hosts
01:32 < dan__t> Is there a way to repackage OpenVPN to make it distributable so I can simply hand users rolled up OpenVPN clients that install the certs, config files etc etc?
01:54 < onats> hhmmm, a ZIP file!
02:05 -!- imamamoron [n=t@210.238.181.187] has joined ##openvpn
02:11 < paruchuri> hi nDuff
02:12 < paruchuri> yesterday i tried to connect but i didnt get any connction
02:12 < paruchuri> connection
02:12 < paruchuri> i followed what you said
02:13 < paruchuri> read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
02:13 < paruchuri> i got this error
02:28 < imamamoron> is your certificate fully authenticated?
02:29 < imamamoron> are you not successful during connection?
02:29 < imamamoron> most probably a certificate issue
02:29 < imamamoron> check it first
02:39 < paruchuri> ok thanks for your response
02:40 < paruchuri> can which certificate problem. i placed client1, ca certificates, client1 config file and client1 key placed in client windows system
02:53 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:59 < dan__t> So can I just revoke and then grant keys to users?
03:04 -!- imamamoron [n=t@210.238.181.187] has quit []
03:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
03:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:05 < paruchuri> how to connect openvpn from outside (server is different lan and client is another network)
04:06 < thomas> hello peoples!
04:06 < paruchuri> what changes we have to make in server configuration file
04:07 < krzee> paruchuri, you mean the server is behind a router?
04:07 < paruchuri> yes
04:07 < krzee> openvpn does not need any changes for this, your router does
04:08 < krzee> you need to setup port forwarding
04:08 < paruchuri> i opened the port in router
04:08 < paruchuri> yes i did that one
04:08 < krzee> as you would for ANY application that needs to accept connections
04:08 < krzee> thats all
04:08 < paruchuri> but its not connecting
04:08 < krzee> is it receiving a connection attempt?
04:09 < paruchuri> read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
04:09 < paruchuri> i am getting this error
04:09 < krzee> !logs
04:09 < paruchuri> server logs or client?
04:09 < krzee> whoa vpnhelper isnt here
04:09 < krzee> 1sec
04:10 < krzee> server
04:10 < krzee> paste the log with debug 6 to pastebin
04:13 < paruchuri> http://pastebin.com/m5d51ac41
04:13 < paruchuri> tail -f openvpn-status.log i am using this command to check
04:14 < paruchuri> i made ip changes after installation of openvpn in fedora9
04:14 < paruchuri> thats it
04:15 < paruchuri> is there any thing i have to change
04:15 < krzee> that is not a log
04:15 < krzee> that is a status file
04:16 < krzee> try /var/log/messages
04:16 < krzee> and be sure you turned up debug to 6
04:18 < thomas> krzee: Hello. can you help me? :-)
04:20 < thomas> krzee: have a connection with openvpn. but the syslog said:
04:20 < thomas> Sep 16 11:17:49 backup ovpn-openvpn[23166]: freeLINE-Buero/84.56.17.172:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2768 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
04:20 < thomas> and i dont know why... if i try files to send/receive over the vpn-tunnel, then broke the connection after 200-400 kilobyte
04:24 < paruchuri> can you tell me how to turned up debug to 6
04:24 < krzee> in config file, add this
04:24 < krzee> debug 6
04:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
04:24 < krzee> thomas:
04:24 < krzee> !configs
04:24 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
04:25 < paruchuri> ok
04:25 < thomas> krzee: ok, moment please.
04:25 < krzee> i will be here approx 20 more minutes
04:25 < krzee> once prison break is done downloading i must watch it
04:26 < paruchuri> after adding debug 6 in configuration file server is not starting
04:26 < thomas> krzee: server-config: http://paste.keks.be/98 and my client-config: http://paste.keks.be/99
04:27 < krzee> 1sec lemme check its debug
04:27 < krzee> !man
04:27 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
04:28 < thomas> krzee: and my operation system is debian linux
04:28 < krzee> my mistake, it is verb 6
04:29 < paruchuri> http://pastebin.com/m5bf31c8e can you check this
04:29 < paruchuri> this is the output when i starts the server in fedora 9
04:30 < paruchuri> we have two ethernet cards for my system
04:30 < paruchuri> one is public ip and one is local man ip
04:30 < paruchuri> lacal lan ip
04:31 < thomas> krzee: you have no ideas why "Authenticate/Decrypt packet error: bad packet" .. ?
04:32 < krzee> 100008.pem
04:32 < krzee> is that 100008 bit encryption?
04:32 < krzee> like keysize?
04:32 < thomas> krzee: no, only a filename. have userid, begin with 100000
04:32 < thomas> :-)
04:32 < krzee> ok good
04:32 < krzee> hehe
04:33 < paruchuri> my openvpn is working
04:33 < paruchuri> thanks to all
04:33 < krzee> what was the problem?
04:33 < thomas> krzee: i dont know why the connection is broken after small file sizes, 200 kb > :-(
04:34 < krzee> !sample
04:34 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
04:34 < krzee> theres some stuff you could try commenting out
04:34 < krzee> make it a light config, then enable stuff 1 by 1 testing along the way
04:35 < thomas> hm, ok, only server side?
04:35 < krzee> for one thing... you have tun-mtu
04:35 < krzee> but you are using tap
04:35 < krzee> also, why are you using tap?
04:35 < krzee> !tap
04:35 < vpnHelper> krzee: Error: "tap" is not a valid command.
04:35 < krzee> !bridge
04:35 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
04:35 < krzee> !learn tap as [bridge]
04:35 < vpnHelper> krzee: The operation succeeded.
04:35 < krzee> !tap
04:35 < vpnHelper> krzee: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything (1 more message)
04:36 < krzee> !more
04:36 < vpnHelper> krzee: where the protocol uses MAC addresses instead of IP addresses.
04:36 < krzee> you need layer2 tunneling?
04:36 < thomas> krzee: why i should change? dev tap<< remove?
04:37 < krzee> well it depends
04:37 < krzee> why are you using a bridge setup?
04:38 < thomas> krzee: why? my client should connect to the internal network
04:38 < thomas> hm, my english.. hm :/
04:38 < thomas> i dont know what you mean with your question.
04:38 < paruchuri> i dont know krzee. i have to check
04:38 < krzee> is there something operating on the level of MAC addresses instead of IP addresses?
04:38 < krzee> paruchuri, werd, glad its working
04:39 < paruchuri> yes
04:39 < thomas> krzee: hm, i think ip adress?
04:39 < thomas> +d
04:39 < paruchuri> i have some doubts so i have to rectify that
04:39 -!- near [n=near@83-155-184-7.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)]
04:39 < thomas> krzee: german, no? :-)
04:39 < krzee> thomas, then you want tun, not tap
04:40 < krzee> no i only speak english and spanish
04:40 < thomas> I don't speak Spanish
04:40 < krzee> hehe
04:40 < thomas> a little :-)
04:41 < krzee> try changing both configs to dev tun
04:41 < thomas> Starting virtual private network daemon: openvpnSIOCSIFDSTADDR: Das Argument ist ungültig
04:41 < krzee> what are you using to start the vpn?
04:42 < krzee> network manager?
04:42 < paruchuri> krzee: i am connected from outside but my local network is not pinging
04:42 < thomas> /etc/init.d/openvpn start
04:42 < thomas> krzee: i try this: /etc/init.d/openvpn start/stop
04:42 < krzee> oh ok good
04:42 < krzee> paruchuri, likely a routing problem
04:42 < krzee> !route
04:42 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:42 < paruchuri> so where i have to check
04:42 < krzee> read that
04:43 < paruchuri> what redhat?
04:43 < krzee> i explain what you should know there
04:43 < krzee> redhat??
04:43 < thomas> krzee: how i can create the interface "tun" ?
04:43 < thomas> debian
04:44 < thomas> modconf tun ?
04:44 < krzee> thomas, it should be created on its own
04:44 < thomas> hm.
04:44 < thomas> lsmod |grep tun
04:44 < thomas> tun 9060 0
04:44 < krzee> that means the kernel driver is loaded...
04:44 < krzee> just change your configs and run openvpn
04:45 < thomas> have change to: dev tun
04:45 < krzee> also thomas
04:45 < thomas> backup:/etc/openvpn# /etc/init.d/openvpn start
04:45 < thomas> Starting virtual private network daemon: openvpnSIOCSIFDSTADDR: Das Argument ist ungültig failed!
04:45 < krzee> look at my configs
04:45 < krzee> !sample
04:45 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
04:45 < thomas> backup:/etc/openvpn#
04:45 < thomas> ok
04:45 < krzee> one thing i see is you specify some ifconfigs
04:45 < krzee> i dont want to check if they are right, but its much easier than that
04:46 < krzee> in my config i use: server 10.8.1.0 255.255.255.0
04:46 < krzee> that means: use the network 10.8.1.X, 1 will be server and the rest is the pool
04:46 < paruchuri> krzee: what i have to add in server configuration file to access local network
04:48 < krzee> paruchuri, you read my howto?
04:48 < thomas> krzee: local
04:48 < krzee> it explains everything you need to know for that
04:48 < thomas> the eth0 ip for the client connections from outside
04:48 < paruchuri> where is that
04:48 < thomas> or the internal ip like this 10.55.0.1 ?
04:48 < krzee> whereas asking everything i need to know to walk you through it and helping you will take longer than i will be here
04:48 < krzee> !route
04:48 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:49 -!- AukeF [n=auke@x171.flex.surfnet.nl] has joined ##openvpn
04:49 < krzee> there, like i said before =]
04:49 < krzee> server ip to listen on
04:49 < krzee> paruchuri, https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:49 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
04:49 < krzee> thomas, server ip to listen on
04:50 < thomas> krzee: ok
04:50 < paruchuri> thanks krzee
04:50 < krzee> np
04:50 < krzee> i wrote that up cause its likely the most commonly asked thing ive seen in this channel
04:51 < paruchuri> ok
04:51 < krzee> seems to be a source of confusion to many who havnt done much with routing before
04:51 < paruchuri> i have to add the ip's of local network in configuration file. right?
04:52 < krzee> read what i wrote up
04:52 < krzee> before you ask anything else =]
04:52 < eliasp> is it possible to define the name of the interface which OpenVPN should use? on my system a tap device 'management' is provided which should be used, but it seems OpenVPN just creates a 2nd device named 'tap0' instead of using the already existing with the same IP
04:52 < krzee> read it all
04:52 -!- near [n=near@88-122-25-114.rev.libertysurf.net] has joined ##openvpn
04:52 < krzee> yes eliasp
04:52 < krzee> 1sec lemme find it
04:52 < paruchuri> ok
04:54 < krzee> eliasp,
04:54 < krzee> --dev-node node
04:54 < krzee> Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc. If OpenVPN cannot figure out whether node is a TUN or TAP device based on the name, you should also specify --dev-type tun or --dev-type tap.
04:54 < eliasp> ah, nice... gonna try it, thx a lot
04:54 < krzee> np
04:55 < thomas> krzee: hm. now i have use your config:
04:55 < thomas> krzee: http://paste.keks.be/100
04:56 < thomas> krzee: but: backup:~# /etc/init.d/openvpn start
04:56 < thomas> Starting virtual private network daemon: openvpn failed!
04:56 < thomas> backup:~#
04:56 < thomas> and the syslog said:
04:56 < thomas> Sep 16 11:56:06 backup ovpn-openvpn[28104]: /sbin/ifconfig tun0 10.55.0.1 pointopoint 10.55.0.2 mtu 1500
04:56 < thomas> Sep 16 11:56:06 backup ovpn-openvpn[28104]: /sbin/route add -net 10.55.0.0 netmask 255.255.255.0 gw 10.55.0.2
04:56 < thomas> Sep 16 11:56:06 backup ovpn-openvpn[28104]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
04:56 < thomas> Sep 16 11:56:06 backup ovpn-openvpn[28104]: failed to find GID for group vpn
04:56 < thomas> if I try manual: /sbin/ifconfig tun0 10.55.0.1 pointopoint 10.55.0.2 mtu 1500
04:56 < krzee> heheh
04:56 < thomas> backup:/etc/openvpn# /sbin/ifconfig tun0 10.55.0.1 pointopoint 10.55.0.2 mtu 1500
04:56 < krzee> yoh
04:56 < thomas> SIOCSIFADDR: Kein passendes Gerät gefunden
04:56 < thomas> tun0: ERROR while getting interface flags: Kein passendes Gerät gefunden
04:56 < thomas> SIOCSIFDSTADDR: Kein passendes Gerät gefunden
04:56 < krzee> [05:56] Sep 16 11:56:06 backup ovpn-openvpn[28104]: failed to find GID for group vpn
04:56 < thomas> Kein passendes Gerät gefunden < tun0: ERROR while getting interface flags: Kein passendes Gerät gefunden
04:57 < thomas> SIOCSIFMTU: Kein passendes Gerät gefunden
04:57 < krzee> dude
04:57 < krzee> stop pasting
04:57 < eliasp> thomas: please nopaste!
04:57 < thomas> ups
04:57 < thomas> sorry please
04:57 < krzee> !pastebin
04:57 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
04:57 < eliasp> uhm, now as i'm using dev-node management\n dev tap i get this in my log:
04:57 < eliasp> Tue Sep 16 11:52:30 2008 Note: Cannot open TUN/TAP dev management: Is a directory (errno=21)
04:57 < thomas> an error, sorry.
04:57 < krzee> eliasp, point it to the device, not a directory
04:58 < krzee> thomas, dont use vpn for your group / user
04:58 < krzee> use some user on your system that is not used for anything
04:58 < eliasp> krzee: ah, it wants a full path instead of just a device name... ok
04:58 < krzee> many systems come with a nobody user for this
04:58 < krzee> eliasp, yup =]
04:58 < thomas> krzee: ups, yeah. /me stupid
05:00 < eliasp> hmm, there's only /dev/net/tun on my sys although i'm using tap... no device file for 'management' around :/
05:00 < krzee> well if you have a management bridge in ifconfig you best believe its using a device node
05:00 * eliasp wonders whether the gentoo initscript shouldn't create this device file....
05:01 < krzee> eliasp, theres a reason you dont wanna let it use tap0?
05:01 < krzee> besides tidiness
05:01 < krzee> (which im not against)
05:01 < eliasp> krzee: yes, i'm going to have 3 or even 4 different VPNs and having just tap[0-3] interfaces isn't what i want... (right, it's about tidiness)
05:02 < krzee> ok
05:02 < krzee> and also
05:02 < krzee> theres a reason you are using bridging?
05:02 < eliasp> uhm, bridging... i do? i don't think so...
05:02 < krzee> tap is bridging
05:02 < krzee> tun is routing
05:03 < eliasp> ah, ok... yeah... tap is needed for some layer2 applications
05:03 < krzee> ahh werd
05:03 < krzee> yup you need tap then
05:03 < krzee> 3 or 4 different vpns as in...
05:03 < krzee> the server will be connected to 4 clients?
05:04 < krzee> or clients will connect to 4 servers?
05:05 < eliasp> no, a little more complicated setup... http://eliasprobst.eu/~elias/stuff/vpn/draft3.png that was an early draft which isn't completely valid anymore, but it'll show a little bit what i want to achieve...
05:05 < eliasp> 'Enduser-Client' maybe up to 250 hosts
05:05 < eliasp> application servers up to 100 hosts
05:06 < eliasp> base001 and base002 are there for fail-over....
05:14 < krzee> holy shit
05:14 < krzee> dude i have no idea
05:14 < eliasp> hehe
05:14 < krzee> not only cause i dont use tap
05:14 < krzee> but also cause... damn
05:14 < krzee> thats an intense setup
05:15 < krzee> if you get it working i would LOVE to see a writeup on the wiki if you get time
05:15 < krzee> !wiki
05:15 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
05:15 < eliasp> yeah, it is... that's what i hear all the time... will definitely document it if i get it working
05:16 < krzee> the good thing for you in this setup is you are using a bridge
05:16 < krzee> so you wont have routing issues
05:16 < krzee> which you would in a routed setup with that drawing
05:16 < eliasp> i need VPN here, because all servers are located in different datacenters....
05:16 < eliasp> yes, that's one of the reasons for TAP here...
05:17 < krzee> you have 4 application server 1's, but i understood what you meant
05:17 < krzee> hehe
05:17 < eliasp> krzee: that's due to the copy n paste ;-)
05:17 < eliasp> krzee: as said before... still a draft ;)
05:17 < krzee> make sure each machine uses a subnet big enough for the network
05:18 < krzee> since i see 10.5.0 and 10.5.1 that would be 255.255.0.0
05:18 < eliasp> depends on the netmask....
05:18 < krzee> other than that, all i can do is wish you luck and hope to see a writeup
05:19 < eliasp> hehe, thx a lot... now i need to figure out how to get a 'management' device node...
05:19 < krzee> what do you mean by that?
05:19 < krzee> you should still be able to get multiple connections on tap0
05:19 < eliasp> krzee: my problem above... OpenVPN complains it doesn't find the specified device node....
05:20 < krzee> i still dont see why it must be named 'management'
05:20 < eliasp> you mean i don't need a TAP device per VPN?
05:20 < eliasp> i can use tap0 for all of them?
05:21 < krzee> i wouldnt expect you to...
05:21 < krzee> thats what i expect
05:21 < krzee> i dont use tap, but thats what i believe
05:21 < krzee> openvpn USED TO need a device per connection
05:21 < eliasp> yeah, the question is just... is it technically possible... but i think it should be... gonna check this
05:21 < krzee> back in openvpn1 days
05:22 < krzee> but even if it isnt the case
05:22 < krzee> simply renaming it to 'management' wont change anything
05:22 < krzee> either it does or doesnt, its not cause of the name either way
05:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:23 < eliasp> yeah, i know... in the end it's just a 'label'
05:23 < krzee> so why do you care to rename it knowing it wont do anything towards your goal?
05:24 < krzee> (a which might be the default way of doing things now anyways)
05:24 < eliasp> hehe, you're probably right... i should concentrate on my goal instead of renaming interfaces ;-)
05:24 < krzee> i know for tun multiple clients use 1 interface since 2.0, i think same for tap
05:24 < krzee> in fact it kinda has to with tap now that i think bout it
05:25 < krzee> cause in tap you bridge using the OS bridge stuff
05:25 < krzee> openvpn wouldnt sit there creating new tap interfaces and bridging them in on the fly
05:26 < krzee> and the reason for multiple tun interfaces was a routing issue, solved at first in 2.0 with assigning /30 subnets to each client, and re-solved another way in the newest code
05:27 < eliasp> hmm, this sounds just too good to be true... trying it now
05:27 < eliasp> thx a lot for your help & iput
05:27 < eliasp> s/iput/input/g
05:27 < krzee> im surprised you didnt give it a shot before asking for the work-around
05:27 < krzee> no problem
05:27 < krzee> as far as i see theres only 1 non standard thing bout your drawing
05:27 < krzee> end users and app servers are just clients
05:28 < eliasp> i didn't give it a shot because i never thought it would be able to use the same device....
05:28 < krzee> the only hard part is connecting the servers so that clients can connect to any of them
05:28 < krzee> servers, aka concentrators in the drawing
05:28 < eliasp> krzee: yeah, in the end end users and app-servers are the same from the OpenVPN perspective
05:28 < eliasp> yeah, that'll be the nutcracker... dunno yet how to do it exactly
05:29 < eliasp> base002 isn't running yet... will be ~next week
05:29 < eliasp> so i'm surely coming back to ask stupid questions ;)
05:29 < krzee> haha
05:30 < krzee> im just angry that EVERY file of my prison break download came through corrupted
05:30 < krzee> no clue HOW that could happen
05:30 < eliasp> ouch, doesn't the $p2p-app have checksumming?
05:31 < AukeF> Hi! I have bridged a tap device (openvpn --mktun --dev tap0) to my eth0 device which is connected to a trunk (2 vlans: 117 and 118). I have set up 2 vlan devices on my tap0 device (vconfig add tap0 117, similar for 118). However, I can't seem to access the vlan from my tap device. Am I missing something obvious?
05:31 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
05:32 < AukeF> creating and accessing the vlan devices on the bridge device (vconfig add br0 117; dhclient br0.117) works fine
05:53 < eliasp> krzee: OpenVPN creates a 2nd interface (tap1) when tap0 is already provided..... http://rafb.net/p/AP6qzK38.html
05:53 < vpnHelper> Title: Nopaste - stdin (at rafb.net)
05:54 < krzee> eliasp, then thats just how its gunna hafta be
05:54 < krzee> as said above, changing the name wont change that
05:55 < krzee> AukeF, ild help if i could, i dont use bridging
05:57 < eliasp> krzee: according to this wiki article it should work... http://gentoo-wiki.com/Talk:HOWTO_OpenVPN_RoadWarrior#What_about_the_following_notice_from_the_OpenVPN-2.0.6_ebuild.3F maybe i have done something wrong... gonna check my config again..
05:57 < vpnHelper> Title: Talk:HOWTO OpenVPN RoadWarrior - Gentoo Linux Wiki (at gentoo-wiki.com)
05:59 < AukeF> krzee, it looks like tap devices don't understand vlans, could that be the case? Or would you know where I can find more information about this?
06:00 < krzee> eliasp, that says nothing about what you are saying
06:00 < AukeF> i've simplified the testcase. I've bridged eth0.117 with tap0.117. I can obtain an ip address on eth0.117, but not on tap0.117. (ie. dhclient eth0.117 works, dhclient tap0.117 doesnt)
06:00 < krzee> AukeF, what is your goal?
06:01 < AukeF> tunneling multiple vlans through one openvpn tunnel
06:01 < eliasp> krzee: uhm, you're right... i see
06:02 < krzee> so a single machine on a vlan has a connection to a vpn server
06:02 < krzee> and other machines on other vlans should route through that connection?
06:02 < AukeF> almost
06:03 < AukeF> a single machine is connected to a trunk
06:03 < AukeF> and I want an openvpn connection between that machine and my openvpn server, where the vpn server should see the traffic of all vlans the machine is connected to
06:03 < AukeF> (ie. all the vlans in the trunk of the single machine)
06:04 < krzee> no idea
06:04 < AukeF> hihi
06:04 < AukeF> currently we use one vpn connection per vlan, which works but its flaky
06:04 < krzee> try the mailing list
06:04 < krzee> ya thats what ild expect youd need to do
06:05 < krzee> unless you could switch to routed
06:05 < krzee> in which case it would simply be a routing issue
06:05 < krzee> cause in a bridged setup, bridging vlans would cease them from being vlans
06:06 < AukeF> humm...
06:06 < krzee> at least from my understanding
06:06 < krzee> which is limited in this case
06:07 < AukeF> i think it should be possible to bridge vlans, but if that can't be done the whole story ends right about here ;)
06:07 < AukeF> (I know they can't be *routed*, which is why we use tap devices instead of tun devices)
06:07 < krzee> what is the purpose of vlans...?
06:08 < krzee> (to create separate networks, usually for security purposes, right?)
06:08 < AukeF> limiting the broadcast domain of ethernet frames I think
06:08 < krzee> if you bridge those, how are they still vlans?
06:08 < AukeF> (ie: a switch that receives a vlanned ethernet frame may only forward it to ports which are part of that vlan)
06:10 < krzee> right, but if they are bridged the packets will travel across vlans
06:10 < krzee> therefore nullifying the effects of the vlans
06:10 < krzee> you seem to want a routed setup
06:10 < krzee> you use bridge for other reasons? need layer2 encapsulation?
06:13 < krzee> "A bridge is a device that joins two LANs into a single broadcast domain" 06:14 < krzee> so you are seperating networks, then rejoining them using openvpn 06:14 < krzee> very confusing 06:18 < thomas> krzee: re 06:19 < thomas> Sep 16 13:19:24 samba ovpn-openvpn[1356]: /sbin/route add -net 193.108.19.250 netmask 255.255.255.255 gw 10.55.0.1 06:19 < thomas> Sep 16 13:19:24 samba ovpn-openvpn[1356]: ERROR: Linux route add command failed: shell command exited with error status: 7 06:19 < thomas> grr 06:22 < krzee> umm 06:22 < AukeF> krzee, its a bit more complicated. the openvpn server is set up to analize the traffic at the client, including arp spoofing, rogue dhcp servers etc, so routing is not really an option 06:22 < krzee> thomas, what command makes it add that route? 06:22 < thomas> ccd krzee 06:23 < thomas> cat ccd/freeLINE-Buero 06:23 < krzee> AukeF, then you are using the only option when each vlan has a bridge to the server 06:23 < thomas> push "route 193.108.19.250 255.255.255.255 10.55.0.1" #freeline server7 06:23 < krzee> hehe 06:23 < krzee> 255.255.255.255 is no bueno 06:23 < krzee> in fact thats a very odd attempt for a route 06:23 < thomas> krzee: would like., if I connect to ip 193.108.19.250 then over the GW 10.55.0.1 < no bueno? why? 06:24 < krzee> thomas, what machine is 193.108.19.250 ? 06:24 < AukeF> krzee, if it interests you, schematic is at http://ids.surfnet.nl/images/idsvlan.jpg 06:24 < krzee> thomas, did you read my doc on routing? 06:24 < krzee> !route 06:24 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 06:24 < thomas> krzee: the machine is a server inside the business office. here is also the openvpnSERVER. 
06:25 < thomas> krzee: no, not read, but now :-) 06:25 < thomas> hoho, I speak Spanish *lala* ;) 06:26 < krzee> AukeF, bottom line is, if you want to bridge all your vlans together, dont bother using vlans in the first place 06:26 < krzee> and if you dont want to, you need a client in each vlan 06:27 < krzee> AukeF, but feel free to address the mailing list with it if you want more feedback 06:27 < krzee> !mail 06:27 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978 06:28 < thomas> krzee: can i use: "iroute 193.108.19.250 255.255.255.255" ? 06:28 < thomas> krzee: or is iroute only for client to client? 06:29 < krzee> thomas, is there a LAN behind the client? 06:29 < krzee> or the business only has external ips? 06:29 < thomas> krzee: I would like, if i connect with my client to the server and I connect to ip 193.108.19.250, then all data over the interface from openvpnserver. 06:29 < thomas> external. 06:29 < krzee> lemme think for a second 06:30 < thomas> "lemme" ? 06:31 < krzee> let me 06:31 < krzee> sorry forgot to use good english 06:32 < krzee> it is 7:30 am here 06:32 < thomas> 13:32 here ;) 06:32 < thomas> am 06:32 < thomas> pm 06:32 < thomas> :-) 06:33 < krzee> try push "route 193.108.19.250 255.255.255.255" 06:34 < thomas> Sep 16 13:34:40 samba ovpn-openvpn[1560]: /sbin/route add -net 193.108.19.250 netmask 255.255.255.255 gw 10.55.0.5 06:35 < thomas> but why 10.55.0.5 ? the server is 1 ? 06:35 < krzee> !/30 06:35 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 06:37 < krzee> so does it work? 06:38 < thomas> krzee: but is it possible to use an ip address which i have used BEFORE i have changed my config? :-) 06:38 < krzee> huh? 
06:38 < thomas> i have: ifconfig-pool-persist ipp.txt 06:39 < thomas> backup:/etc/openvpn# cat ipp.txt 06:39 < thomas> freeLINE-Buero,10.55.0.4 06:39 < krzee> umm 06:39 < thomas> but if i dial in the freeline-buero then i have the inet Adresse:10.55.0.6 06:39 < krzee> howd it get .4!? 06:39 < krzee> oh you were using a bridge 06:39 < krzee> remove that line 06:39 < thomas> which? where? :-) 06:39 < krzee> in fact, remove the file 06:39 < krzee> then start openvpn 06:39 < thomas> the ipp.txt 06:39 < thomas> ok 06:40 < krzee> with routed and default topology you would have NEVER got .4 06:40 < krzee> you CANT 06:40 < krzee> as explained in http://openvpn.net/index.php/documentation/faq.html#slash30 06:40 < vpnHelper> Title: FAQ (at openvpn.net) 06:45 < krzee> thomas, so did the route work? 06:46 < thomas> krzee: mom 06:47 < thomas> hm /30 == 4 ip? 06:47 < thomas> for EACH client? 06:47 < thomas> :-( 06:58 < thomas> krzee: is this "topology p2p" in openvpn 2.1~rc8-1 posible? 07:01 -!- whaletales [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 07:02 -!- whaletales is now known as aptanet 07:04 < thomas> krzee: available? 07:09 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 07:18 < thomas> krzee: still :-( > http://paste.keks.be/101 07:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 07:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 07:30 < krzee> thomas, how many clients do you plan on having? 07:30 < krzee> and you never told me if the route command worked... 07:31 < thomas> krzee: command works. 07:31 < thomas> 80 clients. 07:32 < krzee> any windows clients? 07:32 < thomas> one linux server (as client) and the rest windows. dialin from outside over isdn .-) 07:34 < krzee> "topology p2p" sets true point-to-point semantics. This was previously 07:34 < krzee> known in 2.0.x as "ifconfig-pool-linear". 
The problem with this option is 07:34 < krzee> that it didn't work with Windows clients, so its applicability was 07:34 < krzee> limited. 07:34 < krzee> you want newest dev branch and topology subnet 07:34 < krzee> http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 07:34 < vpnHelper> Title: New subnet topology feature ready for testing: msg#00020 (at osdir.com) 07:36 < krzee> actually, you shouldnt need newest dev anymore 07:36 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 07:36 < krzee> try it on your current setup 07:36 < krzee> see if it loads... 07:37 < Sir_J> hi krzee 07:37 < krzee> hey Sir_J =] 07:41 -!- whaletales [n=Paul@5ad19f34.bb.sky.com] has joined ##openvpn 08:06 < paruchuri> hi krzee 08:07 < paruchuri> my vpn is working fine but when i connected to server only that local ip is pinging.i am unable to ping rest of lan ip's 08:08 < paruchuri> and i am unable to open server ip through browser 08:12 -!- Netsplit heinlein.freenode.net <-> irc.freenode.net quits: djs, plik 08:12 -!- Netsplit over, joins: djs, plik 09:02 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 09:24 -!- AukeF [n=auke@x171.flex.surfnet.nl] has quit [Read error: 113 (No route to host)] 09:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 10:01 -!- SWAT [n=swat@ubuntu/member/swat] has quit [Read error: 104 (Connection reset by peer)] 10:05 -!- SWAT [n=swat@ubuntu/member/swat] has joined ##openvpn 10:13 < squirrelpimp> hi 10:18 < squirrelpimp> i get a strange error when trying to configure "route .." entries while using "topology subnet" 10:18 < squirrelpimp> http://openvpn.net/archive/openvpn-users/2008-02/msg00073.html 10:18 < vpnHelper> Title: [Openvpn-users] OpenVPN Routing Issue (at openvpn.net) 10:19 < squirrelpimp> it's basically this guy's problem 10:19 < squirrelpimp> is there a way to use "route IP NETMASK" in an "topology subnet" environment? 10:29 < n3kl> Hi. 
Anyone using openvpn on their lan/wifi care to share how they did it? 11:45 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has quit [Read error: 60 (Operation timed out)] 11:59 < eliasp> is it possible to delete a certificate from the DB instead of just revoking it? as far as i understood it, revoking leaves the certificate in the DB but sets an revocation entry into crl.pem ... 12:01 < eliasp> ah, just noticed the db is just a plain txt file... ;) 12:12 < eliasp> it works now using a specified devicename for OpenVPN without creating a new tap device on startup of OpenVPN (the device just needs to be named tap in the beginning, everything else doesn't matter, so i have now a 'tapmanagement' device..) 12:12 -!- ]sintax[ [i=Xasthur@pool-72-91-56-157.tampfl.dsl-w.verizon.net] has joined ##openvpn 12:12 < eliasp> as i have this device provided by the OS (for init-system dependency reasons) this is quite nice 12:12 < eliasp> but one problem remains... 12:12 < ]sintax[> hello 12:12 < eliasp> when shutting down OpenVPN, the device keeps it's IP address... 12:13 < eliasp> is --rmtun the right thing for this? 12:16 < eliasp> hmm, --rmtun doesn't seem to affect this behavior 13:04 -!- iRRVi [i=iRRVi@gateway/tor/x-08a75e103ea22c87] has joined ##openvpn 13:05 < iRRVi> im trying to run openvpn on my server, but when i type "openvpn --config ./conf" It says something about opening /dev/net/tun and permission and errno=13...supposedly its cause im not root 13:05 < iRRVi> but i am root... 13:07 < iRRVi> could it be the fact that im running it in a "screen" 13:11 < iRRVi> nope doesnt work outside of screen either... 13:14 < eliasp> does /dev/net/tun actually exist? 13:14 < iRRVi> yeah 13:16 < iRRVi> i even did a chmod a+rwx /dev/net/tun and still no... 
13:19 < iRRVi> Tue Sep 16 11:17:55 2008 Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13) 13:19 < iRRVi> when i do "openvpn --dev tun" 13:20 < iRRVi> ah nvm 13:21 < iRRVi> cause of vps shit 13:21 < iRRVi> If you try to use a VPN program like OpenVPN or Hamachi on your VPS, you will likely receive this error: (the error i got)...This is because the TUN/TAP device is set up by default on your VPS. 13:44 -!- iRRVi [i=iRRVi@gateway/tor/x-08a75e103ea22c87] has quit [Remote closed the connection] 13:47 < ]sintax[> Can anyone recommend a web gui for OpenVPN administration? I tried using the Webmin module and i don't know what i'm doing wrong but it doesn't like me >.< 14:22 < n3kl> Anyone using openvpn on the lan/wifi? 14:40 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:55 < ecrist> sup, peeps? 14:56 < krzie> chillen 14:56 < krzie> lil tired, only got 3 hrs sleep 14:56 < krzie> the good side of that is i had to wakeup cause the people finally showed up to install a hot water heater in my shower 14:56 < krzie> (yay!) 14:56 < krzie> how you doin? 14:57 < ecrist> meh, alright. 14:58 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has joined ##openvpn 15:06 < krzie> whats wrong? 
15:25 -!- whaletales [n=Paul@5ad19f34.bb.sky.com] has quit [Read error: 110 (Connection timed out)] 15:47 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 15:47 < Dougy> yo 15:47 < Dougy> krzie, ding 16:06 -!- djs [n=djs@unaffiliated/djs26] has quit [Remote closed the connection] 16:06 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn 16:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 16:26 < krzie> sup 16:27 < Dougy> yo 16:28 < Dougy> forum post 16:28 < Dougy> s 16:28 < Dougy> waiting for you 16:28 < krzie> hehe 16:28 < krzie> !forum 16:28 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 16:37 < Dougy> :) 16:38 < Dougy> lol 16:43 < krzie> im missing where that post is... 16:43 < krzie> what thread needs my attention?? 16:43 < Dougy> http://www.ovpnforum.com/showthread.php?t=11 16:43 < Dougy> and or 16:43 < Dougy> http://www.ovpnforum.com/showthread.php?t=9 16:44 < krzie> ahh ok 16:45 < krzie> bleh i dont remember my pw, its saved in my laptop 16:45 < Dougy> :( 16:46 < krzie> but on 11, answer is it must restart 16:46 < krzie> otherwise there might be a way to take advantage of it to hijack an established connection 16:46 < Dougy> So, I'm putting the server needs to be restarted? 16:48 < krzie> well its behaving as it should 16:48 < krzie> theres actually an answer to that on the mail list by JJK 16:48 < krzie> yesterday 16:48 < krzie> possibly asked by the same person 16:49 < krzie> jjk knows her shit 16:49 < Dougy> haha 16:49 < Dougy> hm its not archived yet is it? 
16:49 < krzie> no idea 16:49 < krzie> !mail 16:49 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978 16:50 < Dougy> http://sourceforge.net/mailarchive/forum.php?thread_name=48D002D2.5050004%40uni-ulm.de&forum_name=openvpn-users 16:50 < Dougy> that's him 16:50 < vpnHelper> Title: SourceForge.net: openvpn-users (at sourceforge.net) 16:51 < krzie> well sit on it til its archived 16:52 < krzie> then copy/paste and give credit for forum completeness 16:52 < Dougy> nod 16:52 < Dougy> im tired ugh 16:53 < krzie> i got 3hrs sleep 16:53 < Dougy> im not tired tired, im fatigued tire 16:53 < Dougy> d 16:53 < krzie> im tired tired, coffee powered today 16:55 < Dougy> :P 17:37 -!- djs26 is now known as djs 17:41 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 20:38 < ecrist> heya Dougy 20:39 < ecrist> heya krzie 20:40 < Dougy> hihi 20:40 < Dougy> brb f00d 20:40 < ecrist> what were you pinging me fo? 20:40 < Dougy> sup ecrist ' 20:40 < ecrist> for. 20:40 < Dougy> idr 20:40 < ecrist> ah 20:40 < Dougy> sorry 20:40 < Dougy> how was the rnc 20:41 < ecrist> ah, it was alright. 20:41 < ecrist> stupid protesters. 20:41 < ecrist> :\ 20:41 < Dougy> fun 20:41 < Dougy> lol 20:41 < Dougy> brb 20:41 < krzie> ya im glad the ron paul crowd had their own convention so the media couldnt claim the protesters were his supporters 20:42 < ]sintax[> ron paul ftw 20:42 < krzie> agreed 20:42 < krzie> sad that he couldnt win 20:43 < krzie> he woulda done a lot of good for the country 20:43 < krzie> i prolly woulda moved back if he won 20:43 < ]sintax[> they know whos gunna win 20:43 < ]sintax[> sadly 20:43 < ]sintax[> you move to canada or somethin? 20:43 < krzie> caribbean 20:43 < ]sintax[> ah 20:44 < ]sintax[> how come he cant win? i dont keep up with politics too much 20:44 < ]sintax[> something happen? 20:44 < krzie> well he wont be on the ballot... 20:45 < krzie> ya they made mccain the nominee... 
20:45 < krzie> hehe 20:45 < Dougy> back 20:45 < krzie> and hes not running 3rd party 20:45 < krzie> personally im hoping you guys give ventura the motivation to run in 2012 20:46 * ecrist liked Ventura, mostly 20:46 < Dougy> i don't know these peopel 20:46 < Dougy> people 20:46 < Dougy> :< 20:47 < ]sintax[> hopefully i'll be out of this corporation by 2012 lol 20:47 < krzie> ]sintax[ all you gotta do is pack and move 20:47 < krzie> worked for me 20:47 < ]sintax[> oh i'm going to soon enough 20:47 < ]sintax[> the freedom movement in canada is amazing 20:48 < krzie> til they merge with you guys 20:48 < Dougy> fuck 20:48 < ]sintax[> lol 20:48 < Dougy> new york mets suck 20:48 < krzie> dougy, yes they do, yankees do too 20:48 < krzie> baltimore came through tho 20:48 < Dougy> i love the mets 20:48 < ]sintax[> well CANADA is registered in the united states as a corporation also so i guess it doesnt make a difference from that perspective 20:48 < Dougy> but they just lost 3rd in a row 20:48 < Dougy> fuck the yankees 20:49 < krzie> ]sintax[ plus the SPP... 
20:49 < ]sintax[> =\ 20:50 < krzie> !google SPP 20:50 < vpnHelper> krzie: http://www.spp.gov/ - SPP Home 20:50 < krzie> hrm, thats not hit #1 for me 20:50 < ]sintax[> is for me 20:50 < ]sintax[> sounds like a joke though 20:51 < krzie> ya it would be funny if it was 20:51 < ]sintax[> yeah lol 20:51 < krzie> http://www.ircpimps.org/ronpaul/currency.html 20:51 < vpnHelper> Title: krzee's revelations on US currency (at www.ircpimps.org) 20:52 < krzie> http://www.youtube.com/watch?v=gYGrn0hZlCQ 20:52 < vpnHelper> Title: YouTube - Vicente Fox hints about a North American Union (at www.youtube.com) 21:12 < ecrist> f0000000000000 21:12 < ecrist> :) 21:22 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 21:22 < ecrist> fucker, runs like a bitch 21:38 -!- near [n=near@88-122-25-114.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:39 -!- near [n=near@83-155-190-235.rev.libertysurf.net] has joined ##openvpn 22:13 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 22:26 * ecrist goes to find somewhere to sleep. 22:26 < jeev> heh 22:26 < jeev> go to #sleep48248624628 22:26 < ecrist> what's with the numbers? 22:27 < jeev> nobody there to bother you 22:27 < ecrist> lol 22:27 < jeev> :) 22:30 < ecrist> nobody around to find me a 'bed' right now. 22:30 < jeev> lol 22:30 < jeev> where you at 22:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:58 < krzee> [09:06] hi krzee 22:58 < krzee> [09:07] my vpn is working fine but when i connected to server only that local ip is pinging.i am unable to ping rest of lan ip's 22:58 < krzee> [09:08] and i am unable to open server ip through browser 22:59 < krzee> paruchuri, is the rest of the lan using their local vpn endpoint machine as their default gateway? 
22:59 < krzee> if not read the bottom of this: 22:59 < krzee> !route 22:59 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 23:00 < krzee> This assumes each client is the default gateway for machines on its lan. If that is not the case, he will need to do one of the following: 23:00 < krzee> 1: Manually add the route back to the vpn to the gateway for the openvpn client's lan. 23:00 < krzee> 2: Manually add the route back to the vpn to each machine on the lan 23:00 < krzee> If this needs clarification ask me about it and I will update this page after discovering how to make it clearer. 23:02 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 60 (Operation timed out)] 23:03 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn 23:11 < jeev> dood 23:11 < jeev> i'm going to bill maher show 23:11 < jeev> :) 23:12 < jeev> krzee, after i kill the openvpn client, it forgets the default gateway for the wan interface so i have to renew the ip if dhcp, if not, i have to pull out ethernet and put back in 23:12 < jeev> is that a bug or a caveat 23:15 < krzee> you use redirect gateway? 23:15 < krzee> i have no clue why i put that in question form 23:15 < krzee> lol 23:15 < krzee> of course you are 23:15 < krzee> !def1 23:15 < vpnHelper> krzee: "def1" is used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 23:16 < krzee> !man 23:16 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 23:17 < krzee> !learn def1 as please see "--redirect-gateway" in the man page ( !man ) to fully understand 23:17 < vpnHelper> krzee: The operation succeeded. 23:20 < jeev> yea, i'm using it. 
23:20 < jeev> krzee :) 23:20 < jeev> it wipes it out anyway 23:21 < krzee> show me the route commands used on connect in the log 23:21 < krzee> and 23:21 < krzee> !configs 23:21 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 23:23 < jeev> will you be here in a bit bro? 23:24 < krzee> i got 3 hrs of sleep 23:24 < krzee> so not likely 23:24 < jeev> :' 23:24 < jeev> i'll turn it on in a bit, sorry 23:24 < krzee> but worth a try cause once i hit the laptop at night i become an insomniac 23:24 < jeev> lol 23:24 < jeev> let me grab you jmy server conf 23:24 < krzee> cool 23:25 < jeev> http://krzee.pastebin.com/d1213e63d 23:25 < jeev> brb 23:26 < krzee> when you get back paste the route add portion of your client log when it connects 23:26 < krzee> why would you push the same route as the vpn? 23:26 < krzee> remove that push route 23:32 < jeev> uh 23:33 < jeev> what the hell 23:33 < jeev> it wont work now 23:33 < krzee> heh ok put it back then 23:34 < jeev> no 23:34 < jeev> i didn't touch anything 23:34 < jeev> it was working earlier when i tried it 23:34 < krzee> is the lan also 192.168.50.0? 23:34 < jeev> now, it doesn't even attempt to connect to the server 23:34 < krzee> the server behind a home router? 23:35 < krzee> if so, is it the same local ip? 23:35 < jeev> uh 23:35 < jeev> yea but not same local ip 23:35 < jeev> home is 192.168.2.x 23:35 < krzee> ok good so 192.168.50.0 is only on the vpn 23:35 < jeev> yes 23:35 < jeev> but now when i start the ovpn client 23:36 < jeev> it doesn't even connect to the server 23:36 < jeev> and it's connected to the internet 23:36 < jeev> server wont report anything in logs 23:38 < krzee> the openvpn port is forwarded in the router to the server? 
23:38 < jeev> yes sir 23:38 < jeev> it was literally working 2 hours ago 23:38 -!- paruchuri [n=qvantel@61.16.248.247] has quit [Read error: 113 (No route to host)] 23:38 < krzee> windows involved? 23:38 < krzee> (maybe a firewall came back on?) 23:40 < jeev> no man shit 23:40 < jeev> no connectivity 23:40 < jeev> wtf did the router give it that ip 23:40 < jeev> hey krzee, why is the opvn site always bork 23:40 < jeev> e 23:40 < jeev> the forums 23:40 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 23:40 < krzee> !forum 23:40 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 23:41 < krzee> not much activity there yet but go ahead and post it there 23:41 < krzee> so when we find your solution we can put it there too 23:41 < krzee> !mail 23:41 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978 23:41 < krzee> prolly faster response on the mail list 23:42 < jeev> hmm 23:43 < jeev> http://krzee.pastebin.com/d2e1f41f5 23:43 < jeev> there you go 23:43 < jeev> # 23:43 < jeev> Tue Sep 16 21:41:08 2008 us=69651 Options error: Unrecognized option or missing 23:43 < jeev> # 23:43 < jeev> parameter(s) in [PUSH-OPTIONS]:6: topology (2.0.9) 23:43 < jeev> sorry --- Day changed Wed Sep 17 2008 00:06 < krzee> upgrade to newest dev version 00:06 < krzee> !dev 00:06 < vpnHelper> krzee: Error: "dev" is not a valid command. 00:08 < jeev> weird 00:08 < jeev> it just worked. 00:08 < jeev> what the hell is this 00:08 < jeev> krzee, what were you saying about the push thing 00:08 < jeev> you said to remove it ? 
00:09 < krzee> yes 00:09 < krzee> it already knows how to reach the vpn 00:09 < krzee> making that push un-necessary 00:09 < jeev> Tue Sep 16 21:49:52 2008 client2/71.83.210.221:63254 MULTI: bad source address from client [192.168.2.216], packet dropped 00:09 < jeev> Tue Sep 16 21:49:52 2008 client2/71.83.210.221:63254 MULTI: bad source address from client [192.168.2.216], packet dropped 00:09 < jeev> Tue Sep 16 22:08:34 2008 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 00:09 < jeev> Tue Sep 16 22:08:44 2008 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 00:09 < jeev> ok 00:09 < jeev> when i googled 00:10 < jeev> the bad source was never a private ip 00:10 < jeev> everythign i see on google is public ip 00:10 < jeev> what is wrong there/ 00:10 < jeev> i read it in the fact but was _lost_ 00:10 < krzee> 192.168.2.x is behind the server or client? 00:10 < krzee> you also saw that error in my doc 00:11 < krzee> did you read it? 00:11 < krzee> !route 00:11 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 00:12 < jeev> yes 00:12 < jeev> 192.168.2.x is my lan ip at home 00:12 < jeev> so client. 00:13 < krzee> you need an iroute then 00:13 < krzee> as explained in my doc 00:13 < jeev> yea 00:13 < jeev> i see now 00:14 < jeev> which is the clients common name ? 00:14 < jeev> like client1 and etc? 
00:14 < krzee> what it used in ipp.txt 00:14 < krzee> i cant tell you what you used for a commonname 00:14 < krzee> thats kinda your job 00:14 < krzee> hehe 00:15 < jeev> client1 00:15 < jeev> ;) 00:16 < jeev> lenovo accidently sent me 2 extra laptops 00:16 < jeev> 2 X61's 00:16 < jeev> mnight as well use one 00:16 < jeev> 12" is annoying though 00:17 < krzee> well if it gets too annoying ill give you an address you can send it where you never have to see it again 00:17 < krzee> lol 00:17 < jeev> hah 00:17 < jeev> the other is a tablet 00:17 < jeev> 3k in computers 00:17 < jeev> i sent the other 2 back because i didn't want them 00:17 < jeev> i pretty much ordered, cancelled day before shipment 00:17 < jeev> then ordered again 00:17 < jeev> i got the ones i ordered.. didn't like, no built in cdrom 00:17 < jeev> returned 00:18 < jeev> then next day in the mail, 2 laptops hahaha 00:18 < jeev> from the first order. no charge on CC 00:18 < jeev> krzee, the ip keeps changing :/ 00:18 < krzee> what ip 00:18 < jeev> first it was 192.168.50.8, now it's .10 00:18 < krzee> first was .6 00:18 < jeev> yea 00:18 < jeev> can i set static? 00:19 < krzee> killed the first before starting the second? 00:19 < jeev> well, it doesnt matter 00:19 < krzee> yes you can 00:19 < jeev> yep 00:19 < jeev> it's ok i guess, ccd works off the common name.. 00:19 < krzee> by pushing the ifconfig in ccd 00:19 < krzee> instead of ipp.txt 00:19 < krzee> just make sure you use the right ips 00:19 < krzee> .6 .10 .14 .18 00:19 < krzee> etc 00:20 < krzee> once you do that you can ditch ipp.txt config line 00:20 < krzee> but you dont need to 00:20 < jeev> ahh 00:20 < krzee> cause as you pointed out, it isnt ip based 00:20 < jeev> yea 00:20 < jeev> dyn is fine man 00:20 < krzee> it is ccd based and uses the ip as a var 00:20 < jeev> ;) 00:20 < krzee> !ifconfig 00:20 < vpnHelper> krzee: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. 
For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to. 00:21 < jeev> i like how it works thoguh 00:21 < jeev> pub and private key 00:21 < jeev> instead of a password. 00:21 < jeev> so lets see, this is how it works 00:21 < jeev> i dont even know how it works 00:21 < jeev> even though i know how to make it work 00:21 < krzee> ssl is a proven and trusted encryption currently 00:21 < krzee> so it makes sense to use 00:21 < jeev> yea 00:21 < jeev> uh 00:21 < jeev> so the pub/priv key needs to be signed on the server 00:21 < krzee> especially with dh, tls hmac sigs, etc 00:21 < jeev> right ? 00:21 < jeev> using the CA 00:21 < krzee> by the CA 00:22 < krzee> could be the server 00:22 < jeev> ok 00:22 < krzee> could be a seperate CA machine 00:22 < jeev> ahh, as long as it's by the CA 00:22 < jeev> k 00:22 < jeev> tat 00:22 < jeev> that's the only thing that confuses me 00:22 < krzee> if the second for security, dont even hook that machine to the inet 00:22 < krzee> just keep it off all lan / wan 00:22 < krzee> so it can only be reached locally 00:23 < krzee> cause the CA is the keys to the kingdom 00:23 < krzee> one can make their own certs with that, and there goes the neighborhood 00:24 < jeev> yea 00:24 < jeev> i left the CA on the server though 00:24 < jeev> nobody has access and it should be pretty safe 00:24 < krzee> btw 00:24 < jeev> i just forget how to generate the cert 00:24 < krzee> Tue Sep 16 21:41:10 2008 us=235368 route ADD 0.0.0.0 MASK 128.0.0.0 192.168.50.9 00:24 < krzee> 00:24 < krzee> Tue Sep 16 21:41:10 2008 us=239836 Route addition via IPAPI succeeded 00:24 < krzee> Tue Sep 16 21:41:10 2008 us=240375 route ADD 128.0.0.0 MASK 128.0.0.0 192.168.50 00:24 < jeev> and i hate the scripts 00:24 < jeev> :/ 00:24 < krzee> that means its not overwriting your default route 00:24 < jeev> yea 00:24 < jeev> well, now it's not anymore ;D 00:25 < 
krzee> because mask is 128.0.0.0 00:25 < krzee> its a more direct route and just never reaches your other 0.0.0.0 route 00:25 < krzee> which is why it needs to use that and 128.0.0.0 mask 128.0.0.0 too 00:26 < krzee> 1/2 possible ips match 1, other half the other 00:26 < jeev> ah 00:26 < jeev> j, 00:26 < jeev> hm 00:26 < krzee> both being more specific than your old default route 00:26 < krzee> routing table will take most specific first 00:26 < jeev> ok 00:26 < jeev> but it looks fine ? 00:27 < krzee> and work its way to default 0.0.0.0/0 (means ALL ips, aka default route) 00:27 < krzee> it does 00:27 < krzee> BUT 00:27 < krzee> on the 192.168.2 network 00:27 < krzee> is the client the default gateway for machines on its lan? 00:27 < krzee> (is it their lan router?) 00:28 < jeev> 2.1 is the router 00:28 < jeev> 192.168.2.0/24 is the network pretty much 00:28 < krzee> then you need to do 1 of 2 things... 00:29 < krzee> 1) add a route on 2.1 saying to send traffic headed to 192.168.50.0 mask 255.255.255.0 to the machine running vpn 00:29 < krzee> 2) add that route to each machine on the lan 00:29 < krzee> otherwise the machines will get the traffic, but when they respond this happens: 00:29 < krzee> they send response to their default route 00:29 < krzee> which is 2.1 00:30 < krzee> 2.1 gets packets headed for 192.168.50.x 00:30 < krzee> it says "wtf?" 00:30 < krzee> sends to its default route 00:30 < krzee> (your isp) 00:30 < krzee> who says "wtf?" 00:30 < krzee> and drops the packets 00:30 < jeev> yea 00:30 < krzee> evidently i need to explain that better in my doc 00:30 < jeev> but isn't that route already set up? 
00:31 < krzee> hopefully i remember to paste that in later 00:31 < krzee> openvpn can only change routes on the machines it is on 00:31 < jeev> that's fine 00:31 < krzee> bottom line, only machines that know the route to the vpn can communicate with it 00:31 < jeev> are you trying to imply that 00:32 < jeev> i dont need the route on each machine on the lan 00:32 < jeev> why wuld i 00:32 < krzee> im saying no machines on 2.x have a route to the vpn, and therefore cannot communicate with it 00:32 < krzee> arent you trying to let the lan communicate over the vpn? 00:32 < jeev> no not the lan 00:32 < jeev> just a single comp 00:32 < krzee> thats what your multi error implied 00:32 < jeev> really 00:32 < jeev> nope, just a single computer 00:32 < krzee> a single comp in the lan which is not running openvpn right? 00:32 < jeev> no bro, i'm using my laptop 00:32 < jeev> testing openvpn 00:33 < jeev> so i start the client 00:33 < jeev> and that's what was showing, 00:33 < krzee> laptop was running openvpn, when laptop connected to server you got multi error? 00:33 < krzee> and you dont want any 2.x machines to talk to the vpn, only the single machine which runs openvpn? 00:34 < krzee> OHHH 00:34 < krzee> are you on the same lan right now? 00:34 < krzee> server and client 00:34 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 00:34 < jeev> yea, laptop connected to server, got multi error. 00:34 < jeev> only single machine 00:34 < jeev> server is at the datacenter 00:35 < krzee> umm something is goofy then 00:35 < krzee> cause the traffic should not have come from 192.168.2.x 00:35 < krzee> it should have come from 192.168.50.x 00:35 < krzee> and no multi error 00:35 < krzee> did the iroute fix it? 00:36 < jeev> i guess so, i can let you know when i test it further 00:36 < jeev> i just shut it off. 00:36 < jeev> but when i connected 00:36 < jeev> it didn't give me a multi error. 
00:36 < krzee> that dont help unless you can ping 00:36 < krzee> hehe 00:36 < krzee> if you can then cool 00:37 < krzee> but its still weird 00:37 < krzee> shouldnt be sending packets via 192.168.2.x 00:37 < jeev> yea, it was always doing that. 00:37 < jeev> i mean, the redirect-gw qworked 00:37 < jeev> everything else worked 00:37 < jeev> how would i test to try to reproduce it ? 00:37 < jeev> the multi error 00:37 < krzee> btw 00:37 < krzee> with redirect gateway you need NAT 00:37 < krzee> which is on the OS level, not an openvpn thing 00:38 < krzee> !nat 00:38 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect 00:38 < jeev> yea 00:38 < jeev> on the server? 00:38 < krzee> ya 00:38 < jeev> yea dood, i've been running mpd on freebsd for a whiel 00:38 < jeev> i know how it works :D 00:38 < krzee> werd 00:38 < jeev> man 00:38 < jeev> this postfix is killing me 00:38 < jeev> i copied the dir, brought it to a box on west coast 00:38 -!- djs [n=djs@unaffiliated/djs26] has quit [Connection timed out] 00:38 < jeev> got it working, now saslauthd is gay 00:38 < jeev> i hate this install man 00:38 < krzee> dunno i use qmail 00:39 < jeev> i'm leaving qmail 00:39 < jeev> i dunno 00:40 < jeev> http://www.telegraph.co.uk/telegraph/multimedia/archive/00979/220-long-legs_979195f.jpg 00:40 < jeev> jesus 00:45 < paruchuri> ok thanks krzee 00:45 < paruchuri> krzee: paruchuri, is the rest of the lan using their local vpn endpoint machine as their default gateway? the answer is no 00:45 < paruchuri> you assume that i am using 192.168.1.0-192.168.1.255 these ip range 00:45 < paruchuri> so how can i add all ip's in my vpn server for accessing 00:50 < krzee> scroll up 00:50 < paruchuri> krzee can you help me on this 00:51 < krzee> [01:28] then you need to do 1 of 2 things... 
00:51 < krzee> [01:29] 1) add a route on 2.1 saying to send traffic headed to 192.168.50.0 mask 255.255.255.0 to the machine running vpn 00:51 < krzee> [01:29] 2) add that route to each machine on the lan 00:51 < krzee> [01:29] otherwise the machines will get the traffic, but when they respond this happens: 00:51 < krzee> [01:29] they send response to their default route 00:51 < krzee> [01:29] which is 2.1 00:51 < krzee> [01:30] 2.1 gets packets headed for 192.168.50.x 00:51 < krzee> [01:30] it says "wtf?" 00:51 < krzee> [01:30] sends to its default route 00:51 < krzee> [01:30] (your isp) 00:51 < krzee> [01:30] who says "wtf?" 00:51 < krzee> [01:30] and drops the packets 00:51 < krzee> for you, switch 2.1 with the router on 1.1 network 00:58 < paruchuri> i mentioned the gateway in all systems that 192.168.1.1 00:58 < paruchuri> all are in that gateway only 00:58 < paruchuri> krzee: is there any thing i have to add in client configuration file? 00:58 < paruchuri> i missed this conversation what you said 01:02 < paruchuri> i missed this conversation what you said 01:22 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn 01:22 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has joined ##openvpn 01:22 < dan__t> Hello. 01:23 < dan__t> Is there a way to dynamically add a route to have OpenVPN push to a client, without having to restart the server? 01:23 < krzee> no 01:23 < krzee> maybe theres a sig you can pass to the server to force a re-read of the config 01:24 < krzee> but if it needs to do anything as root it wont be able to if you dropped privs 01:26 < dan__t> hrm, just on a whim I searched 'management' and found some bits 01:26 < dan__t> I was just able to pull up the management interface - wonder if I can throw stuff at OpenVPN from there.... 
01:27 < krzee> ahh maybe something there, forgot bout that 01:27 < krzee> never used it 01:28 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 01:28 < krzee> paruchuri, i just pasted you the conversation 01:28 < paruchuri> yes ok 01:28 < paruchuri> thanks for that 01:28 < krzee> [01:31] openvpn can only change routes on the machines it is on 01:28 < krzee> [01:31] bottom line, only machines that know the route to the vpn can communicate with it 01:31 < paruchuri> i understood what you said but in my network assume that default gateway is 192.168.1.1 and server local ip is 192.168.1.44 01:31 < paruchuri> so how can i add route to all systems 01:32 < paruchuri> i defined all the network structure in my router 01:32 < dan__t> Yea, doesn't look like I can add routes in a dynamic nature.... bummer. 01:41 < krzee> paruchuri, what is your vpn internal ips? 01:42 < paruchuri> 192.168.1.0-192.168.1.255 01:42 < krzee> you said that is your vpn ips 01:42 < krzee> oh you bridging? 01:42 < krzee> err i mean you said that is your lan ips 01:43 < paruchuri> in my local network i am using 192.168.1.44 as a local ip and one is public ip 01:43 < paruchuri> so i want to access all ip's in my network from outside through openvpn 01:44 < krzee> using a bridge? 01:44 < krzee> tap? 
01:44 < paruchuri> i didnt get you 01:45 < krzee> are you using a tap device or tun device 01:45 < paruchuri> tun 01:45 < krzee> then you cant 01:46 < krzee> you are trying to setup a routing nightmare which is impossible unless you wanna hack up an ugly ass routing table which will require upkeep and more routing knowledge than you have 01:46 < krzee> (which i know simply because you're trying to do it) 01:46 < krzee> set your vpn to use something like 10.8.0.x 01:46 < krzee> then use my guide to help with the routing 01:46 < krzee> !route 01:46 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:46 < krzee> havent i given you that link a few times? 01:47 < paruchuri> for vpn i am using 10.8.0.x only 01:47 < krzee> well wtf 01:47 < krzee> [02:41] paruchuri, what is your vpn internal ips? 01:47 < krzee> [02:42] 192.168.1.0-192.168.1.255 01:47 < paruchuri> yes 01:47 < krzee> [02:47] for vpn i am using 10.8.0.x only 01:48 < krzee> those are 2 VERY different answers to the same question 01:48 < krzee> english is not your first language? 01:48 < paruchuri> yes 01:48 < krzee> (not being rude, it is common this time of night and i will speak clearly if it is the case) 01:49 < krzee> yes it is your first language?
01:50 < krzee> ok if you are using 10.8.0.x as your vpn ips 01:50 < krzee> and 192.168.1.11 is the router for the 1.x lan 01:50 < krzee> err 01:50 < krzee> and 192.168.1.1 is the router for the 1.x lan 01:51 < krzee> you need to add a route on 192.168.1.1 telling it 10.8.0.0 mask 255.255.255.0 goes to 192.168.1.44 01:51 < krzee> if your router will not allow it, EVERY machine on the lan (that you want to communicate with vpn) needs that route 01:51 < paruchuri> server 10.8.0.0 255.255.255.0 this is only what i mentioned in server 01:52 < krzee> this is not a openvpn problem 01:52 < krzee> this is a routing issue on your lan 01:52 < paruchuri> yes 01:52 < paruchuri> ok 01:52 < paruchuri> sorry for that 01:52 < krzee> which is EXACTLY what i said earlier 01:52 < krzee> 1:51] [01:28] then you need to do 1 of 2 things... 01:52 < krzee> [01:51] [01:29] 1) add a route on 2.1 saying to send traffic headed to 192.168.50.0 mask 255.255.255.0 to the machine running vpn 01:52 < krzee> [01:51] [01:29] 2) add that route to each machine on the lan 01:52 < krzee> [01:51] [01:29] otherwise the machines will get the traffic, but when they respond this happens: 01:52 < krzee> [01:51] [01:29] they send response to their default route 01:52 < krzee> [01:51] [01:29] which is 2.1 01:52 < krzee> [01:51] [01:30] 2.1 gets packets headed for 192.168.50.x 01:52 < krzee> [01:51] [01:30] it says "wtf?" 01:52 < krzee> [01:51] [01:30] sends to its default route 01:53 < krzee> [01:51] [01:30] (your isp) 01:53 < krzee> [01:51] [01:30] who says "wtf?" 01:53 < krzee> [01:51] [01:30] and drops the packets 01:53 < krzee> [01:51] for you, switch 2.1 with the router on 1.1 network 01:53 < krzee> 192.168.50.x was his vpn internal 01:53 < paruchuri> i missed some conversation because of net problem.that is the problem 01:53 < krzee> your client doesnt allow scroll? you were here the whole time 01:54 < krzee> or you use a bounce? 
01:54 < paruchuri> ok 02:01 < paruchuri> once again sorry krzee 02:01 < paruchuri> that is my mistake 02:15 < krzee> its fine 02:17 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 02:24 < paruchuri> thanks 02:24 -!- djs26 [n=djs@unaffiliated/djs26] has quit [Read error: 104 (Connection reset by peer)] 02:26 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn 02:34 < dan__t> Maximum length of --push buffer (1024) has been exceeded 02:34 < dan__t> owned 02:35 < krzee> wow 02:35 < krzee> how many things do you really need to push? 02:35 < dan__t> I tried pushing 89 routes 02:35 < krzee> 89 routes!? 02:35 < dan__t> just for kicks 02:35 < dan__t> yeah!?! 02:35 < dan__t> heh 02:36 < krzee> you have 89 networks behind vpns you wanna route? to clients? 02:36 < dan__t> trying to restrict IPs to which the client can route to 02:36 < dan__t> I could do CIDR notation and probably end up with just 4 entries 02:36 < krzee> thats easy enough 02:37 < dan__t> best way i found to do this 02:37 < dan__t> using SNAT via iptables, mind you 02:37 < krzee> ya 02:37 < krzee> err no 02:37 < dan__t> that's the road i'm going down 02:37 < krzee> just dont add routes to the vpn for IPS the vpn shouldnt route to 02:37 < krzee> then the machines which you dont want accessed wont be able to respond to packets 02:37 < dan__t> well i can add a route to a client by hand which uses the openvpn server as the gateway, and it works fine 02:38 < dan__t> that's what i'm trying to avoid 02:38 < krzee> right 02:38 < krzee> you protecting the lan from vpn or vpn from lan? 02:38 < dan__t> I don't want clients to use openvpn for anything but routes explicitly pushed to the client 02:39 < krzee> the clients wont be able to if the lan machines dont have a route 02:39 < dan__t> ... 02:39 < dan__t> I don't follow. 02:39 < krzee> ok 02:39 < krzee> lan is behind server?
02:39 < dan__t> I mean I know LAN machines, client, etc etc - but not in this context. 02:39 < dan__t> well no 02:39 < dan__t> it's a remote client 02:39 < krzee> ok 02:39 < dan__t> client A in india, whatever 02:39 < dan__t> server B in USA, who cares 02:39 < krzee> that client is default router for its lan network? 02:40 < dan__t> client A gets routes 1 2 3 and 4 pushed to it by server 02:40 < dan__t> so those routes become available, that's all good 02:40 < krzee> that client is default router for its lan network? 02:40 < dan__t> now, if i'm client A, I can add any arbitrary route to my local routing table, and specify the gateway of that route as server B, and it will work 02:40 < dan__t> yes 02:40 < dan__t> wait no 02:40 < dan__t> openvpn client should *not* be the default router 02:40 < krzee> ok then its easy 02:40 < dan__t> it should *only* be used for routes which I have pushed to it 02:40 < krzee> no 02:40 < krzee> check this out 02:41 < krzee> [01:28] 2.1 is the router 02:41 < krzee> [01:28] then you need to do 1 of 2 things... 02:41 < krzee> [01:28] 192.168.2.0/24 is the network pretty much 02:41 < krzee> [01:29] 1) add a route on 2.1 saying to send traffic headed to 192.168.50.0 mask 255.255.255.0 to the machine running vpn 02:41 < krzee> [01:29] 2) add that route to each machine on the lan 02:41 < krzee> [01:29] otherwise the machines will get the traffic, but when they respond this happens: 02:41 < krzee> [01:29] they send response to their default route 02:41 < krzee> [01:29] which is 2.1 02:41 < krzee> [01:30] 2.1 gets packets headed for 192.168.50.x 02:41 < krzee> [01:30] it says "wtf?" 02:41 < krzee> [01:30] sends to its default route 02:41 < krzee> [01:30] (your isp) 02:41 < krzee> [01:30] who says "wtf?" 
02:41 < krzee> [01:30] and drops the packets 02:42 < krzee> for him 192.168.50.0 was internal vpn addresses 02:42 < krzee> for you, use option 2 02:42 < krzee> and ONLY do so on machines which clients should be able to access 02:42 < dan__t> ok 02:42 < dan__t> i understand that 02:42 < dan__t> that's fine 02:42 < krzee> and booya, no connections made to others 02:42 < dan__t> ok say I'm trying to hit 1.2.3.4 02:42 < krzee> no 1.2.3.4 02:42 < krzee> real lan ips 02:42 < krzee> dont confuse me 02:42 < dan__t> i'm not 02:42 < dan__t> assume 1.2.3.4 is a routable IP address 02:43 < dan__t> client is trying to connect to a service which resolves on that IP 02:43 < krzee> if its routable its VERY different 02:43 < dan__t> i'm talking routable. 02:43 < dan__t> ok listen though, this is it: 02:43 < krzee> you can only hit routable (outside lan) with NAT 02:43 < dan__t> unless explicitly defined as a route to be pushed to the client, the server will not accept traffic destined for any other destinations 02:43 < krzee> umm ok 02:43 < dan__t> does that make sense? 02:43 < krzee> do what you were saying then 02:44 < krzee> thats normally done by enforcing proxies 02:44 < dan__t> ok. back to 1.2.3.4 02:44 < krzee> but your way will work too (blocking in firewall) 02:44 < dan__t> So, client a connects to server just fine 02:44 < dan__t> that's nice and all 02:44 < dan__t> not as the default route - but only routes pushed to the client, right? 02:44 < dan__t> So the client has a route to 2.3.4.5 through the openvpn server, that's great i can do that 02:45 < dan__t> what I can also do is add a route to 1.2.3.4, making that go through the OpenVPN server 02:45 < dan__t> I can do that by hand, on the client machine. 02:45 < krzee> you need NAT 02:45 < dan__t> And the OpenVPN server will happily accept that traffic and forward it. 
02:45 < krzee> or no connections 02:45 < dan__t> I know what NAT is, I'm using SNAT 02:45 < dan__t> And it works just fine 02:45 < krzee> k 02:45 < dan__t> I know how NAT applies in this situation. 02:46 < dan__t> Do you understand why I'm making firewall rules 02:46 < dan__t> ? 02:46 < krzee> yup 02:46 < krzee> do it your way 02:46 < dan__t> Ok. Is there an OpenVPN solution so that I do not have to create those fw rules? 02:46 < krzee> no 02:46 < krzee> your setup is very abnormal 02:46 < dan__t> It cannot be abnormal 02:46 < dan__t> No way. 02:46 < krzee> you want to route only certain routable ips over the vpn 02:47 < krzee> normal is all routable or lan 02:47 < dan__t> Unless *explicitly* defined as a route that the server pushes to the client, if the client tries to use OpenVPN as a route to any other destinations, it will be denied 02:47 < krzee> not picking and choosing what routable ips are allowed to be contacted over the vpn 02:47 < dan__t> Ok. 02:47 < dan__t> Understood. 02:47 < dan__t> So that's what I'm getting at. 02:47 < krzee> your setup is very abnormal but it seems you found how to do it 02:47 < krzee> so go for it 02:48 < dan__t> Oh, are you frustrated? 02:48 < krzee> no 02:48 < dan__t> Ok. 02:48 < krzee> you found the right way 02:48 < krzee> do it! 02:48 < krzee> lol 02:48 < dan__t> I was going to say, go take a break man. 02:48 < dan__t> CHILL. THE F. OUT. 02:48 < krzee> dude im chill 02:48 < krzee> what do you want me to say? 02:49 < krzee> ild tell you what to do if there was a better way 02:50 < krzee> i started to when i thought there was one 02:50 < krzee> but now i understand your goal... you are doing it right 02:50 < dan__t> haha ok. 
02:51 < dan__t> I'm trying to do SNAT 02:51 < dan__t> over a vpn basically 02:51 < dan__t> stupid stupid customer 02:51 < krzee> lol 02:51 < krzee> now i understand better 02:51 < krzee> not your choice of how to bust it 03:11 -!- paruchuri [n=qvantel@61.16.248.247] has quit ["Ex-Chat"] 03:13 < dan__t> Ok 03:14 < dan__t> iptables nat POSTROUTING hackery fixes i 03:14 < dan__t> it 03:15 < dan__t> Radical. 03:16 < dan__t> Ok, so, how about static client IP mapping? 03:16 < dan__t> I want the client assigned a static IP on the VPN 03:27 -!- iRRVi [n=chatzill@c-67-174-98-167.hsd1.co.comcast.net] has joined ##openvpn 03:29 < iRRVi> windows client + linux server = linux running fine, but windows cannot connect...been looking over all the howto's see if i missed something...but it appears i've done everything correctly...but apparently i havent... 03:30 < iRRVi> im running them both on port 21, though...i made sure there were no port conflicts, though... 03:30 < iRRVi> Wed Sep 17 02:30:13 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 03:30 < iRRVi> wtf?!?!? 03:49 < iRRVi> thar...had some misconfiguration goin on... 03:50 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has quit [Read error: 110 (Connection timed out)] 03:50 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 03:55 -!- iRRVi [n=chatzill@c-67-174-98-167.hsd1.co.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 03:57 -!- iRRVi [n=chatzill@c-67-174-98-167.hsd1.co.comcast.net] has joined ##openvpn 03:57 < iRRVi> on windows how do i force it to use the tap 03:58 < iRRVi> test 03:58 < iRRVi> ...
04:12 -!- iRRVi [n=chatzill@c-67-174-98-167.hsd1.co.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 04:18 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 04:32 -!- Danskmand [n=danskman@p4FD3E987.dip.t-dialin.net] has joined ##openvpn 04:45 < Danskmand> Howdy :-) - I've set up a openvpn gateway and am able to connect with my notebook....No problem....Now I have set up a connection with a friend of mine.....He can connect without any problems....I can ping him, but I cannot connect to him....Not via RDP nor can I map a drive..... 04:45 < Danskmand> What's wrong ? 05:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:38 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 110 (Connection timed out)] 05:42 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 06:01 -!- andrei1089 [n=andrei@79.116.246.85] has joined ##openvpn 06:02 < andrei1089> hello 06:02 < andrei1089> i try to set up openvpn in bridged mode but there's no traffic between server and client 06:02 < andrei1089> can anybody help me please ?
06:15 -!- near [n=near@83-155-190-235.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 06:19 -!- near [n=near@83-155-190-235.rev.libertysurf.net] has joined ##openvpn 07:19 < paruchuri> hi 07:19 < paruchuri> hi krzee 07:21 < paruchuri> i reinstalled the openvpn and i set the configuration file and when i am trying to connect to client its not allocating the ip 08:08 -!- andrei1089 [n=andrei@79.116.246.85] has quit [Read error: 113 (No route to host)] 08:19 -!- onats is now known as Guest13090 08:44 -!- iRRVi [i=iRRVi@gateway/tor/x-849d189cc02a187a] has joined ##openvpn 09:30 -!- iRRVi [i=iRRVi@gateway/tor/x-849d189cc02a187a] has quit [Remote closed the connection] 10:01 -!- iRRVi [i=iRRVi@gateway/tor/x-0a20ad43fb939959] has joined ##openvpn 10:02 < iRRVi> would there be a big possibility that my school blocks inbound udp packets?...maybe outbound too...because the ports are forwarded...hell i even added DMZ...its on port 21...which they dont block/monitor...at least tcp-wise... 10:07 < iRRVi> it appears they are to ftp as comcast is to torrent 10:08 < iRRVi> spoofed reset packets... 10:09 < iRRVi> but it works from my web browser... 10:31 -!- iRRVi [i=iRRVi@gateway/tor/x-0a20ad43fb939959] has quit [Remote closed the connection] 10:58 -!- bgravato [n=bruno@62.48.165.106] has joined ##openvpn 11:03 < bgravato> hello! does anyone know where i can find information on how to configure windows vista business firewall so it doesn't reset openvpn connection? 11:06 < bgravato> i have openvpn server running on linux, and client running on windows vista... if i turn windows firewall off it works well... but once i turn it on it keeps resetting the connection...
i've tried to add openvpn program and the configured ports to the list of exceptions but the problem persists 11:06 < bgravato> any help would be appreciated 11:39 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:42 -!- bgravato [n=bruno@62.48.165.106] has quit [] 11:49 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn 12:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 12:41 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:48 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"] 13:07 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has quit [Remote closed the connection] 13:14 < ecrist> what's up, bitches? 13:30 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:58 -!- pred2k5 [n=Torsten@dslb-088-069-204-034.pools.arcor-ip.net] has joined ##openvpn 13:58 < pred2k5> hi, 2.1 has no more /31 subnets right? 13:59 < ecrist> um, who has /31 subnets? 13:59 < pred2k5> vpn ptp 13:59 < pred2k5> 10.8.0.1/10.8.0.2 13:59 < ecrist> you mean /30 subnets 14:00 < pred2k5> yes 14:00 < pred2k5> right 14:00 < pred2k5> sorry 14:00 < ecrist> there's a 50% difference there. ;) 14:00 < ecrist> to answer your question, 2.1 supports another mode where /31's aren't required. 14:01 < pred2k5> what's that mode called? 14:01 < ecrist> but, it still supports the same mode where you use a /30 14:01 < ecrist> there is 'topology' and 'subnet' 14:01 < ecrist> topology is the single ip, subnet is the /30 14:01 < pred2k5> so has iroute changed too? 14:01 < ecrist> no idea, I'm sure it did, though. 14:02 < pred2k5> cause till now I can only NAT stuff 14:02 < pred2k5> I have to nat the networks behind the vpn client 14:02 < ecrist> not sure I follow you. 14:03 < ecrist> you can route forward the network from a vpn client. 14:03 < pred2k5> how?
14:06 < ecrist> by pushing a route from within the client config 14:06 < ecrist> or pulling it from server config, can't remember, it's discussed in the howto 14:08 < pred2k5> already pushed it 14:08 < pred2k5> by iroute 14:08 < pred2k5> or is that only possible in 2.1? 14:08 < ecrist> that should work in 2.0 14:10 < pred2k5> iroute works, but I only reach the net behind the client, when I nat 14:12 < ecrist> then it's a matter of proper routing on the rest of your network. 14:23 < pred2k5> "The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs 192.168.4.0/24 to the OpenVPN server box" 14:24 < pred2k5> do they mean 192.168.4.1 or the machine, where I iroute on? 14:27 < ecrist> neither 14:27 < pred2k5> hm? 14:27 < ecrist> to tell you, I'd have to know a bit more about your network. 14:28 < krzee> !iroute 14:28 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 14:28 < krzee> !route 14:28 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 14:28 * ecrist waits for yet one more person to bitch about self-signed certificates. 14:28 < krzee> the link listed as route attempts to explain route, iroute, ccd, and push 14:29 < krzee> lol ecrist 14:29 < pred2k5> krzee iroute already works for me 14:29 < pred2k5> but only with nat 14:29 < krzee> let them buy you a cert if they care ;] 14:29 < ecrist> pred2k5: apparently it doesn't 14:29 < pred2k5> krzee, what you wanna know? 14:29 < ecrist> you should need to nat if everything is setup correctly.
14:29 < pred2k5> you mean I shouldnt 14:29 < krzee> nat is for contacting the outside world 14:29 < pred2k5> right 14:29 < pred2k5> so there is something wrong 14:29 < krzee> iroute is for contacting a lan on the client's side 14:30 < pred2k5> ecrist, so what do you wanna know 14:30 < krzee> pred2k5, read the link returned as !route 14:30 < ecrist> pred2k5: I'd need to know the topology of your network. 14:30 < ecrist> brb 14:30 < krzee> ya ill be back too 14:31 < pred2k5> ok, I have now the problem mentioned in the howto 14:32 < pred2k5> the client on the lan side doesn't know, where to answer, because its lacking a route 14:32 < pred2k5> but I dont have access to the lans gateway.. 14:33 < pred2k5> so I must insert the ip manually in the clients routing table 14:33 < krzee> and what ecrist meant before was this 14:33 < krzee> there are 2 topologies he was talking about 14:33 < krzee> topology subnet and topology net30 14:33 < krzee> net30 being the /30 14:33 < krzee> and subnet being the new one where you can use single ip 14:33 < pred2k5> I use 2.0 14:33 < pred2k5> so topology net 3ß 14:33 < pred2k5> 30 14:34 < krzee> then you cant use topology subnet 14:34 < krzee> net30 is default in both 14:34 < pred2k5> I never did? 14:34 < krzee> but subnet is only available in 2.1 14:34 < pred2k5> yes, what do you want from me now? ;) 14:34 < krzee> i was just clarifying 14:34 < ecrist> back 14:34 < krzee> i want you to read my doc 14:34 < krzee> !route 14:34 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 14:35 < pred2k5> I have to put the route in the irouted network.. 14:35 < pred2k5> networks gateway 14:35 < krzee> if you havent read the doc i linked you to 3 times i give up 14:35 < ecrist> pred2k5: yes, just in the gateway, not on each machine.. 14:35 < krzee> bbl 14:36 < pred2k5> of course, but I have to, cause I cant access the gateway 14:36 < pred2k5> do you read me?
14:36 < krzee> then on to option 2 at the bottom of my doc 14:36 < ecrist> sure 14:37 < pred2k5> 2: Manually add the route back to the vpn to each machine on the lan <- thats what I said two times 14:37 < pred2k5> right ? ;) 14:37 < krzee> then do it 14:37 < pred2k5> I will keep on natting 14:37 < ecrist> lame 14:38 < krzee> ya i guess ill mention that in my doc 14:38 < krzee> as option 3 14:38 < pred2k5> ok thank you 14:38 < ecrist> still lame 14:38 < ecrist> nat is the most overly abused network tool 14:38 < pred2k5> cause in the irouted lan everyday there are new pcs.. 14:38 < krzee> ecrist, not if you have 100 machines on the lan that need to access the vpn and no way to add route to gateway 14:38 < krzee> agreed its ugly 14:39 < ecrist> there is *always* a way to add it to the gateway. 14:39 < krzee> but hey if its the laziest way and he doesnt mind the ugliness, *shrug* 14:39 < krzee> thats not true 14:39 < pred2k5> I have to hack the router :D 14:39 < krzee> some lame ass home routers dont let you 14:39 < krzee> then again, if he doesnt have access he should be working with the person who does 14:39 < krzee> instead of ugly hacks 14:40 < ecrist> ;) 14:40 < pred2k5> why do you call it ugly? 14:43 < ecrist> nat is ugly 14:44 < krzee> umm 14:44 < krzee> cause its ugly ;] 14:44 < pred2k5> do you guys also have iptables skills? 14:44 < ecrist> no, but I do ipfw and pf 14:44 < ecrist> linux is for losers. :) 14:45 < pred2k5> what do you prefer? 14:45 < ecrist> FreeBSD 14:45 < krzee> ya ild go pf too 14:45 < pred2k5> whats pf? 14:45 < krzee> the openbsd packet filter 14:45 < krzee> freebsd has been able to use it since 5.x 14:45 < krzee> as kernel mod in 5.x, now in the kernel since 6.x 14:46 < ecrist> kinda like iptables, written by men. 14:46 < ecrist> krzee: it's still a kernel mod in 6 and 7 14:46 < krzee> isnt it fully compiled in now? 14:46 < ecrist> no 14:46 < ecrist> dynamic kld 14:46 < ecrist> so it just appears that it's already loaded.
14:46 < ecrist> :) 14:47 < ecrist> go to a system where you *think* it was precompiled and type kldstat 14:47 < ecrist> you should see pf.so or similar. 14:47 < pred2k5> cause, I have the following situation: three subnets 192.168.1.0 (the only one which is nated by router to reach internet), 192.168.0.0, 192.168.2.0, how can they be able to reach inet without nat? 14:48 < pred2k5> and without natting them in the router ;) 14:48 < krzee> While it is not necessary that you compile PF support into the FreeBSD kernel, you may want to do so to take advantage of one of PF's advanced features that is not included in the loadable module, namely pfsync(4), 14:48 < krzee> The PF kernel options can be found in /usr/src/sys/conf/NOTES and are reproduced below: 14:48 < krzee> device pf 14:48 < krzee> device pflog 14:48 < krzee> device pfsync 14:48 < krzee> screw finding an example, read the handbook :-p 14:48 < krzee> 28.4.2 14:49 < krzee> but you CAN use it as a kld 14:49 < krzee> other than pfsync, no reason not to 14:49 < pred2k5> 192.168.1.40 is the router between 192.168.0.0 and 2.0 14:49 < ecrist> krzee: it's not pre-compiled into the kernel. 14:49 < krzee> "While it is not necessary that you compile PF support into the FreeBSD kernel, you may want to do so" 14:50 < krzee> am i reading that wrong? 14:50 < ecrist> the reason it's not necessary is because of the module. 14:50 * ecrist pokes krzee's thicker-than-normal skull 15:01 < ecrist> nothing at all? 15:03 < ecrist> :( 15:05 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn 15:23 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"] 15:24 -!- aaearon [i=nn@ip68-97-0-203.ok.ok.cox.net] has joined ##openvpn 15:24 < aaearon> hi. is there a way for openvpn to disconnect when it recognizes its on the same network that its vpn'd to?
15:25 < aaearon> for example, when i come home from work, i'd like it to automatically recognize that im at home and disconnect 15:25 < aaearon> client is running windows w/ openvpn gui 15:33 -!- oscarh [i=oscarh@65-110-43-110.static.sagonet.net] has joined ##openvpn 15:36 < oscarh> Hi, I'm having a bit of a routing problem I think. I'm trying to connect a LAN to another via openvpn. The vpn server is part of one lan and the client another. I can't seem to get machines on the servers subnet to reach machines on the client's subnet. 15:37 < oscarh> On the serverside I've added the route 192.168.42.0 netmask 255.255.255.0 dev tun1, but it just never reaches the machines on that subnet. How should I investigate this? 15:40 < oscarh> I've also tried to add the vpn client as a gw (it does ip forwarding) but this doesn't help either. 15:42 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 15:42 -!- pred2k5 [n=Torsten@dslb-088-069-204-034.pools.arcor-ip.net] has quit [] 16:45 < krzie> oscarh 16:45 < krzie> !route 16:45 < vpnHelper> krzie: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 16:45 < krzie> that is a writeup i made for your problem 16:46 < krzie> aaearon, no 16:47 < krzie> the reason it's not necessary is because of the module. 16:47 < krzie> . ecrist/##openvpn pokes krzee's thicker-than-normal skull 16:47 < krzie> nothing at all? 16:47 < krzie> :( 16:47 < krzie> yes its not necessary because it CAN be a module 16:47 < krzie> but it doesnt HAVE to be a module, because it is an option to compile it into the kernel 16:47 < krzie> just because you prefer it as a module does not mean you dont have the option to compile it in, as i pointed out 16:48 * krzie pokes ecrist's skull back and chuckles 17:03 < oscarh> krzie, I realised I need to use iroute 17:04 < oscarh> After some searching of mailing lists. It turns out google is not always superior. 
17:05 < oscarh> krzie, thanks though :) 17:09 < krzie> oscarh ya my writeup woulda helped 17:10 -!- mode/##openvpn [+o krzee] by ChanServ 17:10 -!- mode/##openvpn [+o krzie] by ChanServ 17:10 -!- mode/##openvpn [-o krzee] by krzie 17:11 -!- krzie changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copy over 5 lines. | Don't feed the trolls. | Forum: https://ovpnforum.com | bot: !menu 17:11 -!- mode/##openvpn [-o krzee] by krzie 17:11 -!- mode/##openvpn [-o krzie] by krzie 17:15 < oscarh> krzie, it would have been perfect :) 17:15 < krzie> thanx 17:17 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 17:38 -!- Danskmand [n=danskman@p4FD3E987.dip.t-dialin.net] has left ##openvpn ["Leaving."] 17:53 -!- aaearon [i=nn@ip68-97-0-203.ok.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 18:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 18:50 < ecrist> meh 18:51 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:51 * ecrist punches krzie in the spleen 18:53 < krzie> i guess thats the other option, easier to just admit it can be compiled in tho :-p 18:54 < ecrist> wtf? I never said it couldn't. 18:55 < krzie> go to a system where you *think* it was precompiled and type kldstat 18:55 < krzie> you should see pf.so or similar. 18:56 < krzie> it can be compiled in or module (users choice) in 6.x+ 18:56 < krzie> go to a system where you *think* it was precompiled and type kldstat 18:56 < krzie> you should see pf.so or similar. 18:56 < krzie> not that it matters anyways, lets let the subject die 18:56 < ecrist> no 18:57 < krzie> ok 18:57 < ecrist> you said it was precompiled *in* the kernel, it's not. 18:57 < ecrist> that was my point. 
18:57 < krzie> it can be 18:57 < ecrist> no 18:57 < krzie> its optional to compile it in or leave as module 18:57 < ecrist> it can be compiled, yes, I've never disputed that, but it's not precompiled. 18:57 < krzie> you mean that it isnt in generic? 18:58 < krzie> if so, correct 18:58 < krzie> it does in fact take a recompile 18:59 < ecrist> that was my point. 18:59 < ecrist> I've not said anything different. 18:59 < krzie> guess we had a miscommunication then 18:59 < krzie> sounded to me like you were saying it was only a module 18:59 < krzie> from the lines i pasted 19:00 < krzie> ive never heard anyone use the term precompiled to refer to generic 19:00 < ecrist> as I recall, our conversation was a bit longer than two lines. 19:00 < ecrist> a module is not considered 'compiled' into the kernel 19:00 < ecrist> at any point. 19:01 < krzie> it was, and the whole conversation led to me think you meant that 19:02 < krzie> correct 19:02 < krzie> but pf does not HAVE to be a module, which is all i was trying to say 19:02 < krzie> seems we agree 19:02 < krzie> now that we understand eachother 20:10 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 20:10 < Dougy> krzie, ding 20:31 < krzie> Dougy, dong 20:31 < Dougy> the forum is kinda almost getting some use 20:31 < Dougy> :D 20:31 < krzie> ya just give it time 20:39 < Dougy> :) 21:39 -!- near [n=near@83-155-190-235.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:57 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 21:59 * ecrist sets mode +b *!?=douglas@*.optonline.net 23:25 -!- djs26 [n=djs@unaffiliated/djs26] has quit [Read error: 110 (Connection timed out)] 23:51 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn --- Day changed Thu Sep 18 2008 00:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:49 < ]sintax[> Hi, i'm wanting to learn OpenVPN and i'm going to be using 4 OpenBSD Vmware installations, what would be the 
best networking setup? would I want to use host-only on each of them and how many network interfaces should all of them have each ? 01:44 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 02:59 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 03:37 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 54 (Connection reset by peer)] 04:16 -!- Netsplit heinlein.freenode.net <-> irc.freenode.net quits: jfkw, pa, thomas 04:16 -!- Guest13090 [n=15172@unaffiliated/onats] has left ##openvpn [] 04:17 -!- Netsplit over, joins: jfkw 04:20 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:21 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 05:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:13 -!- CrummyGummy [n=Dude@41.208.46.2] has joined ##openvpn 05:51 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 06:05 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 54 (Connection reset by peer)] 07:46 -!- partii [n=parti@inet-netcache3-o.oracle.com] has joined ##openvpn 07:48 < partii> im connecting via proxy / tcp but after some 4-5 seconds i keep getting SIGUSR1[soft,connection-reset] 08:25 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 08:27 -!- disco- [i=disco@discomb0bulated.com] has joined ##openvpn 08:43 < disco-> Is it possible to tunnel all network traffic (i.e. Web, FTP, etc.) over an OpenVPN connection? I thought from what I've read that it's possible, but after browsing the net for a couple of hours I can't seem to find a solution 08:45 < cpm> huh? 08:45 < cpm> sure it is. You just set the default gw to the openvpn connection. Done. 08:46 < disco-> is that just route 0.0.0.0 then? 
08:47 < cpm> # route del default 08:48 < cpm> # route add default gw (ip of vpn) dev (vpn device) 08:49 < disco-> ah that's the linux syntax, but that helps anyway :) 08:49 < disco-> does the routing need to be changed on the server end of the OpenVPN tunnel? 09:04 -!- TomJ [n=tomj@ip-62-105-179-89.dsl.twang.net] has quit [Read error: 113 (No route to host)] 09:06 -!- TomJ [n=tomj@ip-62-105-179-89.dsl.twang.net] has joined ##openvpn 09:09 < krzee> !def1 09:09 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 09:12 -!- malfi [n=malte@dslb-088-073-108-184.pools.arcor-ip.net] has joined ##openvpn 09:15 < malfi> I've read the man page and the manuals, but didn't find anthing helpful. My openvpn client bridges the tap0 with the nic eth0 to br0. The network works fine, but when I start openvpn, it get the IP and route pushed from the server and sets tap0 to 10.0.0.2, which is wrong, because it's switched. It should use that information on br0. How can I configure such a thing? 09:16 < malfi> I want to configure my openvpn client to use tap0 for openvpn but br0 for the pushed ifconfig-settings... 
09:18 -!- Yoe [n=wouter@samba.grep.be] has joined ##openvpn 09:18 < Yoe> hi -- I'm trying to set up a VPN link with openvpn to connect two networks 09:19 < Yoe> however, OpenVPN tells me 'bad source address from client [192.168.9.3], packet dropped' 09:20 < Yoe> this is when a host at one side of the VPN link tries to contact a host at the other side of the VPN link, without trying to talk to either of the VPN endpoints themselves 09:22 < Yoe> in the server config, I have a 'push "route "', a 'route ', and a ccd file saying 'iroute' for that network, too 09:22 < Yoe> it's the server that's dropping those packets 09:22 < Yoe> any hints? 09:25 -!- partii [n=parti@inet-netcache3-o.oracle.com] has quit [Remote closed the connection] 09:32 < oscarh> Yoe, there is a client_to_client configuration, have you added that? 09:32 < Yoe> oh, is that what that does? :-) 09:33 < oscarh> Yoe, I believe that enables you to communicate between two OpenVPN clients, so I'm not sure it's relevant in your setup. 09:33 < Yoe> no, that doesn't fix it 09:33 < Yoe> I just enabled client-to-client, but it still blocks those packets 09:33 < Yoe> oh well, I'll just send a mail 09:33 < oscarh> I had issues with routing from the server side to networks behind the client yesterday but just needed an iroute 09:34 < oscarh> Got this link from here: 09:34 < oscarh> https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 09:34 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 09:42 < Yoe> ah, bugger 09:42 < Yoe> I had configured "route 192.168.9.1 255.255.255.0", and "iroute 192.168.9.0 255.255.255.0" 09:43 < Yoe> find the error... 10:02 -!- CrummyGummy [n=Dude@41.208.46.2] has quit ["leaving"] 10:07 < cpm> krzee, interesting approach. 10:32 < ecrist> morning, bitches 10:33 < ecrist> Yoe: you need NAT, or proper routing. 
11:43 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 12:47 -!- Xchange [n=change@port-87-193-199-29.static.qsc.de] has joined ##openvpn 12:47 < Xchange> hi 12:49 < Xchange> ive setup an openvpn server under debian etch today and i wonder if it would be possible to use the dns information dynamically from /etc/resolv.conf? 12:55 -!- mapreduce [n=user@varenka.cime.net] has joined ##openvpn 13:00 < krzie> cpm: thank you, but i cant take credit for it, the openvpn devs did it 13:00 < krzie> but ya i like it too 13:01 < krzie> Xchange, i dont fully understand the question 13:01 < krzie> are you asking if the server can push its resolv.conf to clients? 13:04 < krzie> if so, no 13:04 < krzie> you can push the dns dhcp option to windows clients tho 13:04 < krzie> or so i read at least... never done it 13:06 < Xchange> yes krzie thats what im asking 13:06 < Xchange> the host where the vpn server is running is configured itself by dhcp and it would be nice to forward that config to all vpn clients 13:07 < Xchange> so that i only have to change settings at the dhcp server 13:07 < krzie> oh, no 13:07 < krzie> but you could specify the dns server to push to windows clients in the server config 13:07 < krzie> it wont snag it from your resolv.conf tho 13:07 < Xchange> yes i know thats what im doing now :) 13:08 < krzie> ahh right on 13:09 < krzie> ya you're doing it right then 13:09 < Xchange> ok 13:09 < krzie> you COULD make a wrapper that starts openvpn tho 13:09 < krzie> and that wrapper could update that line of the config before starting it 13:09 < krzie> that would be pretty easy to script 13:10 < Xchange> hm yes that would be an alternative 13:10 < krzie> you sound like you know enough to do that yourself but if you need help lemme know 13:10 < krzie> if you choose to do that 13:10 < Xchange> i think sed will be my friend ;) 13:11 < krzie> actually im not sure howto do it with sed 13:11 < krzie> cause youd need to match part of the line AND the ip, 
but only change the ip 13:11 < krzie> i would grep -v the line and echo or printf >> the new line 13:11 < Xchange> hm i dont have to match the ip 13:12 < krzie> you hafta change the ip 13:12 < krzie> hrm i guess you could match the line then only sed that line's ip 13:12 < Xchange> i just need to match lines that include push "dhcp-option DNS *" 13:13 < krzie> ild still do the other way just cause its easier to me 13:13 < krzie> but ya whatever works, i can tell you know enough to do it 13:13 < Xchange> and there could be more than 1 nameservers in resolv.conf 13:13 < Xchange> well if i have enough time to do that... 13:14 < krzie> ya but you could snag both easy enough 13:14 < krzie> just toss the routine in a for 13:15 < Xchange> easiest way would be to remove all lines that match dhcp-option DNS|DOMAIN and then append new dhcp-option lines to the config 13:15 < Xchange> oh 13:15 < Xchange> i see thats just what you wrote there, sorry ;) 13:16 < krzie> =] 13:16 < krzie> well, we agree ;] 13:16 < Xchange> jep 13:17 < krzie> for i in `grep nameserver /etc/resolv.conf|head -1|awk '{print $2}'` 13:18 < krzie> remove the head line 13:18 < krzie> i snagged that from a diff script i wrote, you wouldnt want the head -1 13:18 < krzie> (stolen from http://www.doeshosting.com/code/NStun.sh ) 13:23 < Xchange> mh je 13:23 < Xchange> jep 13:25 < Xchange> yeah, now dns works also on my mac-client 13:42 < krzie> hrmz, cool to know 13:45 < Xchange> hm well 13:46 < Xchange> not really 13:46 < Xchange> it just sets up one of the two that are pushed to my client 13:49 < krzie> right, but i thought only windows clients would take dhcp options from openvpn 13:51 < Xchange> hm 13:51 < Xchange> non-windows-clients receive environment variables foreign_option_n which can be parsed 14:00 -!- bandini [n=bandini@host141-24-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 14:21 -!- ]sintax[ [i=Xasthur@pool-72-91-56-157.tampfl.dsl-w.verizon.net] has quit [Read error: 110 
(Connection timed out)] 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:25 -!- TheSeer [n=theseer@border.office.nonfood.de] has joined ##openvpn 15:25 < TheSeer> heya.. 15:26 < krzie> hey 15:30 < TheSeer> i just messed with the (default?) init script for openvpn that comes with fedora 9 15:30 < TheSeer> is that a standard one or specific to fedora? 15:32 < Xchange> bye 15:32 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:32 < Xchange> thanks for the help 15:32 -!- Xchange [n=change@port-87-193-199-29.static.qsc.de] has quit ["If I'm not back in 2 hours, call the Minister of Defence and tell him that Hitler is living in my house."] 15:35 < krzie> TheSeer honestly i have no idea 15:36 < krzie> ive never used fedora 15:36 < krzie> but there isnt really a standard startup script for openvpn, so i guess its fedora specific 15:36 < krzie> or the fedora package specific rather 15:38 < TheSeer> k.. 15:38 < TheSeer> i hacked it a little 15:39 < krzie> right on 15:39 < krzie> nothin wrong with that if you know what you're doin 15:39 < TheSeer> so one can now specify a config name instead of having *.conf loaded 15:39 < TheSeer> ;) 15:39 < TheSeer> i was rather wondering if there would be a place to offer it as a patch or something 15:39 < krzie> ahh, the freebsd script expects you to specify a config name if you dont want the default one 15:39 < krzie> err default location 15:40 < krzie> im so used to fbsd i just expect things to be done that way 15:40 < TheSeer> the fedora script scans for *.conf in /etc/openvpn and spawns an instance for each 15:40 < krzie> thats kinda cool too i guess 15:40 < TheSeer> yep.. 
but has some drawbacks too ;) 15:41 < krzie> yup 15:41 < TheSeer> like i use one connection when i'm out in untrusted networks to tunnel everything 15:41 < TheSeer> i don't need that in my normal home network 15:42 < krzie> you do if you use a cablemodem 15:42 < TheSeer> dsl here 15:44 < krzie> right on 16:58 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:17 -!- malfi [n=malte@dslb-088-073-108-184.pools.arcor-ip.net] has quit [Remote closed the connection] 17:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:45 < ecrist> mew 17:58 < krzie> hola 18:12 -!- skxpl [n=skx@217.17.32.190] has joined ##openvpn 18:16 -!- ]sintax[ [i=Xasthur@pool-72-91-56-157.tampfl.dsl-w.verizon.net] has joined ##openvpn 18:23 < ecrist> how goes, krzie? 18:26 < krzie> doing good 18:27 < krzie> the guy i gamble with out here has a line on us election now 18:27 < krzie> dems -150, reps +120 18:36 < ecrist> dems will win 18:38 < ecrist> weird, browsing this guys photo gallery - he's got a picture from a nearby (to me) intersection. 18:38 < ecrist> http://www.uberg33k.com/gallery/view_photo.php?set_albumName=Funny&id=189016_G 18:38 < vpnHelper> Title: uberg33k.com Gallery :: Internets :: 189016_G (at www.uberg33k.com) 18:38 < ecrist> that's the corner of Franklin Ave and Hennepin Ave just south of downtown Minneapolis. 18:40 < krzie> http://digg.com/general_sciences/12_year_old_boy_invents_new_type_of_solar_cell 18:40 < vpnHelper> Title: Digg - 12 year old boy invents new type of solar cell (at digg.com) 18:41 < ecrist> that was on /. 
earlier 18:42 < krzie> amazing 18:53 -!- MissNeBuN [n=missnebu@cpe-69-203-194-214.nyc.res.rr.com] has joined ##openvpn 18:59 < ecrist> hi, MissNeBuN 18:59 < MissNeBuN> Hey :) 19:19 < ecrist> more kids need this kind of tough love: http://www.uberg33k.com/gallery/view_photo.php?set_albumName=Funny&id=scroller_tough_love 19:19 < vpnHelper> Title: uberg33k.com Gallery :: Internets :: scroller_tough_love (at www.uberg33k.com) 19:30 < krzie> lol 19:41 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn 20:01 -!- SilenceGold [n=chris@70.232.84.223] has joined ##openvpn 20:09 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has quit ["Leaving"] 20:16 -!- MissNeBuN [n=missnebu@cpe-69-203-194-214.nyc.res.rr.com] has quit ["This computer has gone to sleep"] 20:30 -!- jeev [n=email@unaffiliated/jeev] has quit [Excess Flood] 20:30 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 21:34 -!- MissNeBuN [n=missnebu@cpe-69-203-194-214.nyc.res.rr.com] has joined ##openvpn 22:01 < ecrist> lol: http://www.uberg33k.com/gallery/view_photo.php?set_albumName=Funny&id=disk 22:01 < vpnHelper> Title: uberg33k.com Gallery :: Internets :: disk (at www.uberg33k.com) 23:06 -!- MissNeBuN [n=missnebu@cpe-69-203-194-214.nyc.res.rr.com] has quit ["This computer has gone to sleep"] --- Day changed Fri Sep 19 2008 00:43 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 02:47 < krzee> LOL 03:28 -!- rubymonk [i=5643c973@gateway/web/ajax/mibbit.com/x-653650e8dcaa4dfe] has joined ##openvpn 03:30 < rubymonk> Hello everyone, I'm wondering about something, I want to have two openvpn servers, to failover/balance... and so, those two servers shall be interconnected... so they have to be client and server in the same time, right ? if so, how do this happen, it's on the same tun/tap interface ? 
04:06 -!- ]sintax[ [i=Xasthur@pool-72-91-56-157.tampfl.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)] 04:38 < rubymonk> Was my question unclear ? 04:54 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 113 (No route to host)] 05:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 05:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 05:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 06:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:16 -!- ilreds [i=552b95e2@gateway/web/ajax/mibbit.com/x-e3fcad4279a2e173] has joined ##openvpn 07:16 < ilreds> hi to all 07:18 < ilreds> i'm seeing a strange behaviour of my openvpn server: server has 192.168.5.230, clients obtains 192.168.255.x. The connection comes up correctly, i obtain a 192.168.255.x ip, but i'm unable to ping the 192.168.5.201 (dns). 07:19 < ilreds> i can ping eth0 and tun0 server interfaces. Server can ping 192.168.5.201. 07:20 < ilreds> using tcpdump i see DNS echo reply are lost. 07:21 < ilreds> deploying the same configuration into another customer site (changing 192.168.5.0 with 192.168.6.0) i don't have any problem 07:22 < ilreds> same linux distribution (centos 5.2) 07:31 < TomJ> ilreds: is 192.168.5.201 running on a different box? 
if so, it needs to know to route 192.168.255.x via the openvpn server box (and the openvpn server box needs to be setup as a gateway) 07:34 < ilreds> TomJ: mmmmm 07:35 < TomJ> route add -net 192.168.255.0/24 gw 192.168.5.320 07:35 < TomJ> something like that 07:36 < ecrist> morning, kids 07:36 < TomJ> and on the openvpn server, echo 1 > /proc/sys/net/ipv4/ip_forward 07:36 < TomJ> also make sure that firewall rules on the VPN server and on the DNS server don't preclude the 192.168.255 network 07:38 < ilreds> TomJ: wait...i left a thing: i've added a static route into dns server for 192.168.255.0, but i've tried another solution, a iptables rule for natting outgoing traffic 07:39 < ilreds> -A POSTROUTING -s 192.168.255.0/255.255.255.0 -o eth0 -j MASQUERADE 07:40 < ilreds> TomJ: i've deployed two server using the same private class c subnet for vpn connections and using that iptables rule for source natting 07:40 < ilreds> a server is working perfectly, another no 07:52 -!- TomJ [n=tomj@ip-62-105-179-89.dsl.twang.net] has quit [Remote closed the connection] 08:17 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has joined ##openvpn 08:20 < eliasp> when i use 'tls-client' in my client.conf i don't get an IP assigned, while it works when using just 'client' ... on the serverside i have 'tls-server' in my config 08:22 < eliasp> the log tells nothing suspicious... just 08:22 < eliasp> Fri Sep 19 12:13:43 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA 08:23 < eliasp> and in the next line ... Peer Connection Initiated with ... 
08:23 < eliasp> so it looks fine 08:23 < eliasp> but the interface doesn't have an IP at all 08:31 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 08:33 -!- rubymonk [i=5643c973@gateway/web/ajax/mibbit.com/x-653650e8dcaa4dfe] has quit ["http://www.mibbit.com ajax IRC Client"] 08:39 -!- MissNeBuN [i=hidden-u@gw.mypublisher.com] has joined ##openvpn 08:42 -!- ilreds [i=552b95e2@gateway/web/ajax/mibbit.com/x-e3fcad4279a2e173] has quit ["http://www.mibbit.com ajax IRC Client"] 09:30 < eliasp> aah, nvm... found the problem regarding client/tls-client... tls-client doesn't replace client, it's an additional option ;-) 09:31 -!- bandini [n=bandini@host141-24-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 10:02 < eliasp> what's the reason OpenVPN doesn't handle pushed dhcp options on linux? is there no DHCP client on Linux supporting the handover of DHCP options from OpenVPN to the dhcp-client or is it just not implemented in OpenVPN on Linux? 10:19 < mapreduce> So I've been given some VPN instructions from work for Windows 98. Conveniently I have no Windows 98 install around to see what that OS's defaults are. 10:20 < mapreduce> How should I know what settings to give to openvpn? openvpn --client --dev tun or --client --dev tap tells me I need a CA file or pkcs#12 file, which I don't have. 10:21 < mapreduce> Is there a way of prodding the server to get it to tell me what it is, etc.? 10:36 -!- Netsplit heinlein.freenode.net <-> irc.freenode.net quits: pa 10:42 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 10:43 -!- pa [n=pa@unaffiliated/pa] has quit [SendQ exceeded] 10:51 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 11:17 < kala> mapreduce: you could create a bogus cert files and then try to connect to server. 
But i don't know, which will happen first, the checking of your credentials or showing some information 13:29 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:47 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 13:49 -!- SilenceGold [n=chris@70.232.84.223] has quit [Read error: 104 (Connection reset by peer)] 14:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:05 -!- Pewpewarrows [n=Pewpewar@smtp.digitalpublishingcorp.com] has joined ##openvpn 14:05 -!- Pewpewarrows [n=Pewpewar@smtp.digitalpublishingcorp.com] has left ##openvpn ["Leaving"] 14:08 -!- dryrot [i=10539@tsunami.OCF.Berkeley.EDU] has left ##openvpn [] 14:22 -!- tbic [n=joe@protious.fciautomation.com] has joined ##openvpn 14:23 < tbic> When I connect to a windows client it seems to not always push the dns server settings, does any know what is happening? 14:34 -!- tbic [n=joe@protious.fciautomation.com] has quit ["Ex-Chat"] 14:46 < ecrist> foo 14:46 < ecrist> yeah, you're running windows 14:51 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:51 < Dougy> supsuspup 15:26 < disco-> I've set up an OpenVPN connection between a server and a client, I can ping each other over this interface on 10.0.0.x, but beyond that I'm stuck trying to route traffic from the client over the VPN, and out of the server and onto the internet, can anyone help? 15:35 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 15:35 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:51 < Dougy> oh 15:51 < Dougy> disco-, so like when you browse the net 15:51 < Dougy> it shows the server's ip? 
15:51 < disco-> Dougy: pretty much, yep 15:51 < Dougy> push "redirect-gateway def1" 15:51 < Dougy> add that line to config 15:51 < Dougy> restart openvpn 15:51 < Dougy> done 15:52 < disco-> i'm *sure* i've tried that before, but will have another go :) will be a few mins though 15:54 < Dougy> that's what does it, so if it still fails, it's your problem 15:57 -!- nopcode [n=nopcode@sushi.unix-ag.uni-kl.de] has joined ##openvpn 15:57 < nopcode> hey 15:58 < nopcode> why does openvpn require the country-name field and stuff? 15:59 < Dougy> it's to sign the SSL cert 15:59 < nopcode> but i dont want to specify it 16:00 < nopcode> i feel its a violation of privacy 16:00 < nopcode> seems stateOrProvinceName is mandatory, too .. 16:00 < Dougy> nobody sees it but who has access to the servr 16:00 < Dougy> server 16:00 < Dougy> or to the cert 16:00 < Dougy> so who cares 16:00 -!- jeev_ [i=JavaUser@unaffiliated/jeev] has joined ##openvpn 16:00 < jeev_> hey guys 16:01 < jeev_> anyone here? 16:01 < Dougy> JEEV IN THE HOUSE 16:01 < jeev_> i'm using webchat 16:01 < jeev_> Dougy!! 16:01 < jeev_> man, what's goin on here 16:01 < jeev_> is it the router not letting me 16:01 < jeev_> i'm on my laptop at an office, i try to connect, put in my password 16:01 < nopcode> Dougy: still it doesnt feel right, can i make it ignore that the fields are empty? 16:01 < jeev_> and it doesn't even attempt to connect to my vpn 16:01 < Dougy> nopcode, 16:01 < Dougy> !notopenvpn 16:01 < vpnHelper> Dougy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 16:01 < jeev_> Fri Sep 19 14:01:25 2008 us=296521 UDPv4 link remote:x.114:1194 16:02 < nopcode> Dougy: so .. its openssl right? 
16:02 < Dougy> yessir 16:02 < Dougy> or ma'am 16:02 < nopcode> k thx 16:02 < nopcode> sir ;) 16:03 < Dougy> jeev_, i need a VPN 16:03 < Dougy> :( 16:03 < Dougy> my own priv one 16:03 < eliasp> can anyone tell me what's the reason that 'push "dhcp-options ...."' doesn't work on Linux? isn't support for Linux dhcp clients built into OpenVPN or is the problem on the side of all the Linux dhcp clients which don't communicate correctly with OpenVPN or don't provide a interface for this..? 16:04 < jeev_> huh 16:04 < jeev_> i dont know what to do 16:04 < jeev_> it's not connecting 16:04 < jeev_> is it the router here? 16:04 < jeev_> i even put the laptop on DMZ 16:05 < jeev_> eh 16:06 < jeev_> ok well 16:06 < jeev_> i duno what to do 16:06 < jeev_> i guess that's the issue 16:07 < jeev_> dougy? 16:07 < Dougy> oh 16:07 < Dougy> my bad 16:07 < Dougy> sorry 16:08 < Dougy> whats the issue jeev_ 16:08 < Dougy> explain what you're trying to do 16:08 < Dougy> then whats not working 16:09 -!- jeev_ [i=JavaUser@unaffiliated/jeev] has quit [Read error: 104 (Connection reset by peer)] 16:09 -!- jeev_ [i=JavaUser@unaffiliated/jeev] has joined ##openvpn 16:09 < jeev_> dougy 16:09 < Dougy> hi 16:10 < jeev_> ohhhhhhhhhh 16:11 < jeev_> could my firewall! 16:13 < Dougy> maybe 16:15 -!- jeev_ [i=JavaUser@unaffiliated/jeev] has quit [Read error: 104 (Connection reset by peer)] 16:19 -!- jeev_ [n=Anon9670@unaffiliated/jeev] has joined ##openvpn 16:19 < jeev_> eh 16:22 < Dougy> hm? 16:22 -!- jeev_ [n=Anon9670@unaffiliated/jeev] has quit [Read error: 104 (Connection reset by peer)] 16:40 -!- MissNeBuN [i=hidden-u@gw.mypublisher.com] has quit [Read error: 113 (No route to host)] 16:50 < disco-> Dougy: push "redirect-gateway def1" goes onto the server conf right? 
16:50 < Dougy> yes 16:50 < Dougy> if i do go awol 16:50 < Dougy> just highlight me 16:51 < disco-> cool cheers :] 17:05 < disco-> Dougy: I added 'push "redirect-gateway def1"', restarted on both ends, I've still got no default gateway client-side, so I guess something's going wrong somewhere? 17:05 < Dougy> probably 17:05 * Dougy pokes krzee 17:09 < disco-> I've stuck my config here: http://pastebin.com/m3168bb92 17:09 < disco-> Could you take a quick look to see if anything's obviously wrong? 17:16 < Dougy> yes 17:16 * Dougy pokes krzee 17:16 < Dougy> oh ew. 17:16 < Dougy> windows 17:16 < Dougy> oh wait i ied 17:16 < disco-> yep :[ 17:16 < Dougy> client is windows 17:16 < disco-> yah 17:17 < Dougy> ive never seen dev tap0 17:17 < Dougy> ive only seen dev tap 17:18 < Dougy> i'm familiar with tun only 17:18 < Dougy> sorry 17:18 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn 17:21 < heirrook> When you are setting up a tap device in linux (client side) I noticed openvpn.net lists a script to do so. Can someone elaborate the local ip part of the script 17:23 < heirrook> More specifically, I don't understand what this is because if you travel, do you have to change it everytime? 17:27 < heirrook> ...and yes i do know what a local ip is but, I also read the part about not bridging to the device that actually connects to the internet 17:55 -!- SilenceGold [n=chris@70.232.107.190] has joined ##openvpn 18:09 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn 18:13 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)] 18:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:20 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:22 < ecrist> what's up, bitches? 
19:19 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)] 19:20 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn 19:27 < Dougy> ecrist, ! 19:27 < Dougy> i will cut you, kid 19:43 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has quit [No route to host] 21:59 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has quit [Read error: 110 (Connection timed out)] 23:50 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 23:58 < krzee> lol 23:58 < krzee> dougy called ecrist kid --- Day changed Sat Sep 20 2008 01:59 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 02:30 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 03:45 -!- gallatin [n=gallatin@dslb-092-072-088-010.pools.arcor-ip.net] has joined ##OpenVPN 04:41 -!- gallatin [n=gallatin@dslb-092-072-088-010.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)] 06:02 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:42 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 08:08 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 08:46 < ecrist> that's too funny 09:05 -!- mode/##openvpn [+o ecrist] by ChanServ 09:05 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copy over 5 lines. | Don't feed the trolls. 
| Forum: https://ovpnforum.com | bot: !menu 09:06 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Forum: https://ovpnforum.com | bot: !menu 09:06 -!- mode/##openvpn [-o ecrist] by ecrist 09:49 -!- Dougy[Work] [n=doug@64.18.159.247] has joined ##openvpn 10:41 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has joined ##openvpn 10:56 < ecrist> sup, Dougy[Work]? 10:56 < ecrist> so, I'm a 'kid,' eh? 11:04 < Dougy[Work]> yessir 11:04 < Dougy[Work]> you're a kid at heart at least 11:04 < Dougy[Work]> lol 11:09 < ecrist> I can accept that. ;) 11:10 < Dougy[Work]> :) 11:10 < Dougy[Work]> So, what's up bud? 11:13 < ecrist> nm, my wife was finally able to come home yesterday, so I'm in a better mood now. 11:15 < Dougy[Work]> where was she 11:16 < ecrist> hospital 11:17 < ecrist> she fell off a horse, cracked her skull and broke her back. 11:27 < Dougy[Work]> shit 11:27 < Dougy[Work]> omg 11:27 < Dougy[Work]> :| 11:27 < Dougy[Work]> is she ok? 11:31 < ecrist> yeah, she'll be fine, just take a while to heal. 11:32 < Dougy[Work]> k 11:32 < Dougy[Work]> get better mrs crist 12:00 < jeev> http://www.youtube.com/watch?v=_l-DyOvcwh8 12:00 < jeev> kik 12:00 < vpnHelper> Title: YouTube - REDNECKS SUPPORTING OBAMA!!! 
(at www.youtube.com) 12:00 < jeev> lol 12:36 < Dougy[Work]> lol 12:44 -!- Uranellus [n=Uranellu@unaffiliated/uranellus] has joined ##openvpn 12:46 -!- gallatin [n=gallatin@dslb-092-073-114-196.pools.arcor-ip.net] has joined ##OpenVPN 12:47 -!- gallatin [n=gallatin@dslb-092-073-114-196.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)] 12:47 -!- gallatin [n=gallatin@dslb-092-073-114-196.pools.arcor-ip.net] has joined ##OpenVPN 13:36 -!- gallatin [n=gallatin@dslb-092-073-114-196.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 14:16 -!- djs26 is now known as djs 14:24 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 15:56 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has quit [Read error: 113 (No route to host)] 16:01 < ecrist> foo 16:03 < SilenceGold> yea you are with a L 16:10 < Dougy[Work]> hi 16:10 < Dougy[Work]> madden 08 on psp ftw 16:10 < Dougy[Work]> the jets are garbage 17:35 < ecrist> so are you. 17:55 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 18:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:20 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 19:34 < ecrist> bitches 19:34 < ecrist> why is this room always so dead. 19:35 -!- mode/##openvpn [+o ecrist] by ChanServ 19:35 -!- ecrist changed the topic of ##openvpn to: Social Hour, with our host, Hugh G Frankenbeens 19:35 -!- mode/##openvpn [-o ecrist] by ecrist 20:00 < disco-> lol 20:03 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 20:56 < SilenceGold> 'cause I wasn't here for 2 weeks 20:56 < SilenceGold> :) 21:03 < ecrist> SilenceGold: I think that's it. 21:03 < ecrist> o.O 21:03 * ecrist <3 1000Mbps 21:04 < ecrist> gallery is the shit 21:04 * ecrist is liking it. 21:05 < ecrist> I need a bigger HDD in this lappy. 
21:09 < jeev> what's gallery 21:09 < ecrist> http://gallery.menalto.com/ 21:09 < vpnHelper> Title: Gallery | Your photos on your website (at gallery.menalto.com) 21:10 < jeev> ok 21:10 < jeev> but how'd you get 1000mbit out of that 21:20 < ecrist> um, my webserver is directly beneath my desk (in my basement) 21:21 -!- Uranellus [n=Uranellu@unaffiliated/uranellus] has quit [Read error: 110 (Connection timed out)] 22:06 -!- mode/##openvpn [+o ecrist] by ChanServ 22:06 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Forum: https://ovpnforum.com | bot: !menu 22:06 -!- mode/##openvpn [-o ecrist] by ecrist 22:06 < ecrist> no more social hour for you! 22:14 < jeev> on ecrist 22:14 < jeev> oh 22:14 < jeev> fake gigabit 22:14 < jeev> lol 22:20 < krzee> fake gigabit? 22:20 < krzee> how is having a gigabit lan fake gigabit? 22:20 < krzee> i really need to get myself some of that gigabit lan action myself! 
22:21 < jeev> eh 22:21 < jeev> lol 22:21 < jeev> i thought he meant gigabit 22:21 < jeev> to the net 22:21 < krzee> werd 22:22 < krzee> i have 1.3TB usable (2TB total before zfs raidz setup) and it would be nice for me to have gigabit lan 22:22 < krzee> plus my nfs server is also a tv tuner 22:23 < krzee> (can open tv xterm on my laptop over the network, or watch videos over the lan without first downloading them) 22:23 < krzee> that would be enhanced with some gigalan 22:24 < krzee> by without first downloading them of course i mean downloading them from my nfs 22:57 < jeev> bah 22:58 < jeev> so boring 22:58 < jeev> i was passed out when my gf called me 22:58 < jeev> so she just went to dniner with her girl 22:58 < jeev> lol 23:22 -!- Netsplit heinlein.freenode.net <-> irc.freenode.net quits: kala, mapreduce, skxpl, nopcode, plik, SWAT, MatBoy 23:27 -!- Netsplit over, joins: nopcode, skxpl, mapreduce, MatBoy 23:28 -!- Netsplit over, joins: kala 23:28 -!- Netsplit over, joins: SWAT, plik 23:53 < ecrist> jeev: FTL 23:53 < ecrist> 1.5TB drives are uber-cheap now. 23:54 < jeev> i'm tired of stupid people inviting me to sicla networks 23:54 < jeev> social 23:54 < ecrist> considering a gstripe on three 1.5TB drives, then do a gmirror on another three (in a gstripe) for 4.5TB of space. 23:56 < ecrist> I laugh, because our backup server at work is a 12x300GB 2.6TB RAID50 array, and for about 1/5 the cost, I'll have a similarly reliable 4.5TB array in my home. 23:57 < ecrist> why won't Tor start for me?!?!?!? 23:57 < ecrist> it did before 10.5.5 23:58 < jeev> tor? 23:58 < jeev> i've never used it --- Day changed Sun Sep 21 2008 00:00 < ecrist> you know, apple and I have a very love-hate relationship. 00:01 < ecrist> if they'd just use the full FreeBSD core, kernel included, and added code/build a suitable UI, I'd still pay for it. 
00:01 < jeev> heh 00:01 < ecrist> then I'd get my full FreeBSD system, rather than this hacked bullshit, half-assed coagulation of pseudo-utilities and missing commands. 00:01 < ecrist> ARRRGHGHG 00:02 < jeev> heh 00:12 < ecrist> lol: 00:12 < ecrist> Where did you hear about SDF? my mom's vag 00:12 < ecrist> yeh, she says you were really good last night. 01:25 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has quit [Read error: 104 (Connection reset by peer)] 01:26 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has joined ##openvpn 01:50 < krzee> tell her i said thank you 01:50 < krzee> she was good too 02:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 02:37 -!- temba [n=okotoba@91.64.108.91] has joined ##openvpn 03:06 -!- samplr [n=samplr@user-64-9-233-155.googlewifi.com] has joined ##openvpn 03:08 < samplr> I lost the key to my certificate authority. Can the openvpn server run with two sets of ca/cert/key options, one for each CA? 03:09 < samplr> http://openvpn.net/archive/openvpn-users/2006-01/msg00236.html seems to suggest yes 03:09 < vpnHelper> Title: Re: [Openvpn-users] Multiple trusted CAs (at openvpn.net) 03:09 < samplr> nifty... 03:37 < samplr> it doesn't seem to work. when I have both, the client with the first CA can't connect 03:51 -!- temba [n=okotoba@91.64.108.91] has quit [Read error: 110 (Connection timed out)] 04:44 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 04:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 05:08 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 05:20 -!- samplr [n=samplr@user-64-9-233-155.googlewifi.com] has quit [Read error: 113 (No route to host)] 06:19 -!- dpetrek [n=delfince@83-131-85-235.adsl.net.t-com.hr] has joined ##openvpn 06:20 < dpetrek> hi there 06:20 < dpetrek> has anyone tried openvpn with windows server 2008? is it compatible, any tweaks needed? 
06:34 < dpetrek> !menu 06:34 < vpnHelper> dpetrek: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom, !push-reset, !def1 06:35 < dpetrek> !route 06:35 < vpnHelper> dpetrek: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 06:39 < dpetrek> !/30 06:39 < vpnHelper> dpetrek: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 06:42 < dpetrek> !samba 06:42 < vpnHelper> dpetrek: "samba" is (#1) http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge, or (#2) http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode 06:42 < dpetrek> !insanity 06:42 < vpnHelper> dpetrek: "insanity" is doing the same thing over and over expecting different results 06:42 < dpetrek> <1mtu 06:42 < dpetrek> !mtu 06:42 < vpnHelper> dpetrek: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 06:43 < dpetrek> !tcp 06:43 < vpnHelper> dpetrek: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
07:30 -!- dpetrek [n=delfince@83-131-85-235.adsl.net.t-com.hr] has quit [] 09:27 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn 09:43 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 09:54 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 09:55 < Sir_J> hi krzie 09:55 < Sir_J> I've tried to use your technique 09:55 < Sir_J> pass all traffic from one vpnclient1 via vpnclient2 09:55 < Sir_J> and have no success 09:56 < Sir_J> so, it looks like it's impossible to repeat the trick I've done with pptpd 09:58 < Sir_J> we can manipulate with route only if server has endpoints 09:58 < Sir_J> in case of openvpn we have no real endpoints on the server 09:58 < Sir_J> only server can make decision about routes 09:58 < Sir_J> :( 10:15 < ecrist> Sir_J: what're you trying to do? 10:16 < Sir_J> very easy task 10:16 < Sir_J> I have vpnclient1 <-> vpn server <-> vpnclient2 10:16 < ecrist> ok 10:17 < Sir_J> I'm trying to pass all traffic from vpnclient1 via vpnclient2 10:17 < ecrist> all traffic? 10:17 < Sir_J> to make vpnclient2 to be default route for vpnclient1 10:17 < Sir_J> ping google.com from vpnclient1 should go -> vpn server -> vpnclient1 -> .... 10:17 < ecrist> ok, you need client-to-client in your server config 10:17 < Sir_J> no-no 10:18 < Sir_J> client to client just allows to reach vpnclient2 10:18 < ecrist> yeah, I know 10:18 < Sir_J> but how can I pass all traffic via vpnclient2 ? 10:18 < ecrist> you're going to need client-to-client 10:18 < Sir_J> client-to-client is enabled and works :) 10:18 < ecrist> on the server, push 'redirect-gateway' 10:19 < Sir_J> I've tried to apply directive redirect-gateway in the ccd/vpnclient2 config 10:19 < Sir_J> but it doesn't work :( 10:19 < ecrist> no 10:19 < Sir_J> no ? 10:19 < ecrist> you need it for vpnclient1 10:19 < ecrist> that's whose gateway you're wanting changed.
10:20 < Sir_J> this directive in ccd/vpnclient1 just change gateway to pass all traffic via openvpn server 10:20 < ecrist> and, actually, you should be doing this with tap, rather than tun, fwiw 10:20 < Sir_J> the goal is to pass traffic not via openvpn server, but via openvpnclient2 10:20 < Sir_J> erm 10:21 < ecrist> Sir_J: are you coming here for advice, or to contradict every thing I have to say? 10:21 < Sir_J> for advice of course 10:21 < Sir_J> I just think that redirect-gateway is not enough 10:21 < ecrist> ok, if you use tap rather than tun for your VPN, routing is easier. 10:22 < ecrist> it's not enough, you haven't let me finish. 10:22 < Sir_J> these directive just pass all traffic via openvpn server 10:22 < Sir_J> right ? 10:22 * ecrist goes away 10:22 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [] 10:23 < SilenceGold> uh 10:23 < SilenceGold> Sir_J you're talking about having a route between two clients without going thru the openvpn server? 10:24 < Sir_J> no 10:24 < Sir_J> traffic of course should through openvpn server 10:24 < SilenceGold> okay 10:24 < Sir_J> but for client1 it should go throug server -> client2 10:24 < Sir_J> only for client1 10:24 < SilenceGold> then you need client-to-client enabled in your config 10:24 < Sir_J> it's oke 10:26 < Sir_J> but client-to-client is not enough, right ? 10:26 < SilenceGold> well, does your client1 ping the server just fine? 10:26 < SilenceGold> and that the server pings the client1 just fine? 10:26 < Sir_J> yes 10:27 < SilenceGold> are you using redirect-gateway? 10:27 < Sir_J> yes 10:27 < Sir_J> vpn server is default gateway for client1 10:27 < SilenceGold> okay 10:27 < Sir_J> but that's not enough, right ? 10:27 < SilenceGold> is it the same for client2..can client2 ping the server..and server can ping the client2? 10:28 < Sir_J> yes 10:28 < SilenceGold> but client1 cannot ping client2? 10:28 * ecrist notes that client2 *is* client2, so should be able to ping. 
10:28 < SilenceGold> ecrist just ruling out few things 10:28 < Sir_J> no 10:28 < Sir_J> client1 can ping client2 10:29 < Sir_J> the goal is to pass all traffic from client1 via client2 10:29 < SilenceGold> oh with client2 as the gateway? 10:29 < Sir_J> yes! :) 10:29 < Sir_J> only for client1 10:29 < SilenceGold> so client2 has another network that is acting as a router.. 10:29 < Sir_J> yes 10:29 < SilenceGold> and you want this client1 to access the other network 10:29 < Sir_J> not other network 10:29 < Sir_J> all traffic 10:30 < SilenceGold> you can set a static route on client1 to use that client2's VPN ip address 10:30 < SilenceGold> oh 10:30 < Sir_J> ping google.com from client1 should go through vpn server -> client2 -> the world 10:30 < SilenceGold> yea it's possible 10:30 < Sir_J> how can I set static route on client1 ? 10:30 < SilenceGold> just have to set up the static routes on the client1 10:30 < SilenceGold> you can use the push feature 10:31 < SilenceGold> hrm 10:31 < Sir_J> ip r a default via doesn't workd 10:31 < Sir_J> because client2 isn't reachable 10:31 < SilenceGold> you have to set a static route to the VPN server's ip address to go thru your internet connection's gateway first 10:31 < Sir_J> we can't set default route via something that is not reachable 10:31 < SilenceGold> then you can set 0.0.0.0 mask 0.0.0.0 to go thru the client 2 vpn address 10:32 < SilenceGold> without knowing your ip address setups for the whole thing..I can't really come up with a feistable solution for you 10:32 < Sir_J> you mean 2 default routes on vpn server ? 
10:32 < SilenceGold> no 10:32 < SilenceGold> on client1 10:33 < SilenceGold> it's two diff static route 10:33 < SilenceGold> one is to the VPN server to go via your internet connection's gateway 10:33 < SilenceGold> then other one is the default to go thru the client2's ip 10:33 < Sir_J> ip r a 192.168.11.1 (vpnserver) via 192.168.11.9 (client1) <-- is done 10:33 < SilenceGold> hrm maybe 3 static routes are needed 10:33 < Sir_J> then other one is the default to go thru the client2's ip <-- this can't be done 10:34 < SilenceGold> 1st is internet connection's gateway so the VPN server can be reached 10:34 < SilenceGold> 2nd is for reaching the VPN's network where the client2 is at 10:34 < SilenceGold> 3rd is the default gateway 10:34 < Sir_J> ip r a 192.168.11.5 (client2) via 192.168.11.9 (client1) <-- is done 10:34 < SilenceGold> that goes thru the client2 10:34 < Sir_J> ip r a default via 192.168.11.5 (client2) <-- doesn't work 10:34 < SilenceGold> pfft 10:34 < SilenceGold> that don't help me to know more 10:35 < SilenceGold> what OS are both clients using? 10:35 < SilenceGold> btw, I just got it working on my vmware machine the way you told me how you wanted it done 10:35 < Sir_J> linux 10:35 < SilenceGold> 4 diff vmware images 10:35 < SilenceGold> client 1 is a windows xp 10:35 < SilenceGold> client 2 is a freebsd router 10:35 < SilenceGold> vpn server is another freebsd server with the openvpn server 10:35 < SilenceGold> both two clients are connected to the vmware server 10:36 < Sir_J> I see 10:36 < SilenceGold> client1 uses 192.168.100.2 and goes thru the internet router with 192.168.100.1 as the router..to connect to openvpn server that is on 192.168.10.1...then gets 192.168.0.2 as the vpn ip address 10:36 < SilenceGold> client2 gets vpn ip address as 192.168.0.3 10:37 < SilenceGold> client2 is set as a router 10:37 < Sir_J> for client1 ? 
10:37 < SilenceGold> so there's a 4th vmware image that is a website on 10.10.0.1 10:37 < SilenceGold> I set up on teh client routing table 10:37 < Sir_J> okay 10:38 < SilenceGold> route add 192.168.10.0 mask 255.255.255.0 192.168.100.1 10:38 < Sir_J> then you ping google.com on client1 where traffic goes through ? 10:38 < SilenceGold> route add 192.168.0.0 mask 255.255.255.0 192.168.0.1 10:38 < SilenceGold> then last one 10:38 < SilenceGold> route add 0.0.0.0 mask 0.0.0.0 192.168.0.3 10:39 < SilenceGold> yea it seems to work now 10:39 < Sir_J> where these routes has been set up ? 10:39 < SilenceGold> just went to dslreports.com/whois 10:39 < Sir_J> on client1 ? 10:39 < SilenceGold> on the client1 10:39 < Sir_J> ahh 10:40 < Sir_J> you can done this because 100.2 and 100.1 is in one network 10:40 < Sir_J> client1, vpnserver, client2 are in absolutely different networks 10:40 < SilenceGold> well, the client1 does not know about the 10.10.0.1 network 10:40 < Sir_J> client1 can connect vpnserver via internet 10:40 < SilenceGold> that's what the 192.168.100.1 router (client2) did..routed everything 10:41 < Sir_J> client2 can connect vpnserver via internet 10:41 < SilenceGold> yea 10:41 < ecrist> Sir_J: with routing, your next hop *ALWAYS* has to be local 10:41 < SilenceGold> my vmware network is really setup as a concept of internet for some testing network appliances that I made 10:41 < Sir_J> ecrist, right ! 
10:41 < Sir_J> that is my problem :) 10:41 < SilenceGold> uh 10:41 < SilenceGold> my next hop was the first route I added 10:41 < Sir_J> client1, client2, server are not local 10:41 < SilenceGold> so the vpn server can be reached 10:42 < Sir_J> it's 3 different boxes in 3 different parts of the world 10:42 < SilenceGold> then the 2nd route was to be aware of reaching the client2 10:42 < SilenceGold> then 3rd route was to route everything else that does not match the first 2 routes I added 10:42 < Sir_J> so in my case client1 can pass all traffic via client2 10:42 < Sir_J> cause it's not local 10:42 < SilenceGold> yes it's possible 10:42 < SilenceGold> I just tested it out 10:42 < ecrist> Sir_J: that's why I recommended tap rather than tun. 10:42 < SilenceGold> it'll work just fine if you set it up properly 10:43 < ecrist> then all VPN clients would be 'local' 10:43 < SilenceGold> oh 10:43 < SilenceGold> he's using tun? 10:43 < SilenceGold> no wonder 10:43 < SilenceGold> I'm using tap 10:43 < SilenceGold> for both client1 and client2 10:43 < Sir_J> ecrist, what are the finish steps ? 10:43 < ecrist> see, I'm not a complete fucking idiot. 10:43 < ecrist> :\ 10:43 < SilenceGold> I didn't notice it..
10:43 < Sir_J> erm 10:43 < Sir_J> I didn't try it with tup 10:43 < Sir_J> all the time use tun 10:45 < SilenceGold> switch to tap 10:45 < SilenceGold> then it'll work if you set it up properly 10:45 < Sir_J> yes, you're right 10:45 < Sir_J> I sorted out 10:45 < SilenceGold> ecrist copy and paste this 10:45 < SilenceGold> and put it in the wiki :) 10:45 < Sir_J> with tup all 3 boxes seem to be in "one local network" 10:45 < SilenceGold> it'll be useful for anyone else 10:45 < SilenceGold> it's TAP not TUP 10:45 < Sir_J> sec 10:45 < Sir_J> I need to test that 10:45 < SilenceGold> and no 10:45 < SilenceGold> only two in the local network 10:46 < SilenceGold> the client1 and client2 10:46 * Sir_J is wondering if that will work :) 10:46 < SilenceGold> the router is behind client2..not part of the local network 10:46 < Sir_J> your idea is clear now 10:46 < Sir_J> but with pptpd it was not so complicated :) 10:46 < Sir_J> thanks guys 10:47 < Sir_J> ecrist, sorry if I made you angy :) 10:47 < Sir_J> angry 10:49 < SilenceGold> afk 11:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:11 < ecrist> Sir_J: you're still here, so I wasn't that angry. 11:14 < Sir_J> I'm here 11:15 < Sir_J> :) 11:15 < Sir_J> I've figured out your idea 11:15 < Sir_J> thank you 11:17 < krzee> Sir_J, = Sir_Jinx from the oldschool days on efnet? 11:18 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit ["bRb !!"] 11:25 < Sir_J> o_O ?
11:25 < Sir_J> no 11:25 < Sir_J> i don't know Sir_Jinx 11:32 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [] 12:04 -!- mapreduce [n=user@varenka.cime.net] has left ##openvpn ["ERC Version 5.2 (IRC client for Emacs)"] 12:27 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 12:27 < Sir_J> hi ecrist 12:28 < Sir_J> I've tried what we discussed with tap 12:28 < Sir_J> all works fine :) 12:28 < Sir_J> krzee, I've solved my problem :) 12:45 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)] 13:01 -!- Yoe [n=wouter@samba.grep.be] has quit [Remote closed the connection] 13:12 < SilenceGold> hey paypal me $10k, Sir_J for getting it to work :) 13:33 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 13:34 < Sir_J> sorry, but paypal doesn't accept payments from my country 13:34 < Sir_J> :) 13:48 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 14:20 -!- Ghrim [n=Ollie@host86-132-147-103.range86-132.btcentralplus.com] has joined ##openvpn 14:20 < Ghrim> How would I make openvpn traffic look like a web browser or something? 14:24 -!- Ghrim [n=Ollie@host86-132-147-103.range86-132.btcentralplus.com] has quit ["Leaving"] 14:48 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 14:50 -!- samplr [n=samplr@user-64-9-233-155.googlewifi.com] has joined ##openvpn 14:54 < samplr> Where can I find a TAP driver for 64 bit Vista? 15:03 < samplr> or the long instructions for installing it 15:43 -!- Ghrim [n=Ollie@host86-140-243-178.range86-140.btcentralplus.com] has joined ##openvpn 15:43 < Ghrim> How do I disguise my openvpn traffic as something like a browser? 15:59 < ecrist> Ghrim: use tcp port 443 15:59 < ecrist> although, tcp vpn traffic doesn't work very well 15:59 < ecrist> !tcp 15:59 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:00 < Ghrim> Is it impossible for them to see what it is then? 16:00 < ecrist> nothing is really impossible, but it's very difficult, yes. 16:00 < ecrist> tcp 443 is HTTPS, or encrypted web traffic. 16:00 < ecrist> as such, encryption is expected on that port 16:01 < Ghrim> Is the openvpn traffic encrypted? 16:01 < Ghrim> Because someone told me that how it's coming through at the moment they can just read that it's openvpn.. 16:02 < ecrist> well, you should believe what everyone says. 16:03 < Ghrim> Well he's the guy who pretty much set it up for me 16:03 < Ghrim> he said it's already tcp 443 16:03 < Ghrim> but it says openvpn in the headers 16:03 < Ghrim> or something 16:06 < ecrist> *shrug* I've never looked at the headers. 16:06 < ecrist> why do you care? 16:07 * ecrist goes away 16:10 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 16:45 -!- Ghrim [n=Ollie@host86-140-243-178.range86-140.btcentralplus.com] has quit ["Leaving"] 16:54 < samplr> OHHH!!! hah hah! It seems there's a recent beta that addressed my problem 16:54 < samplr> the order on the download page was just stable, beta, old, older 17:01 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:11 -!- samplr [n=samplr@user-64-9-233-155.googlewifi.com] has quit [Read error: 60 (Operation timed out)] 17:29 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [] 17:56 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 17:57 < onats> hello, what is the minimum hardware that i should use to have a good performance openvpn for site to site? 18:15 < skxpl> it probably depends on traffic 19:03 < ecrist> onats: what do you consider 'good' performance?
19:24 -!- onats1 [n=15172@unaffiliated/onats] has joined ##openvpn 19:24 < onats1> hello, what i meant as good performance, is something to match against the VPN all in one appliances, like fortinet's FG50, or SSG-5 of juniper 19:30 < ecrist> well, you're comparing an SSL-based VPN against IPSec 19:30 < ecrist> SSL are going to be slower, in general, than IPSec. 19:31 < ecrist> I've got about 15 people using OpenVPN for web, ssh, and a few other, proprietary protocols, just fine. In addition, our office just switched from a T1 to the colo to cable modem with OpenVPN connection to the colo and nobody noticed a difference. 19:31 < ecrist> our VPN client box at the office is a Celeron 2.0GHz with 512MB ram and a 40GB PATA HDD at 7200 RPM 19:32 < onats1> i see... 19:33 < onats1> the setup that i am supposed to address with this solution is only connected via DSL with 1024mbps speeds.. 19:34 < onats1> and the transactions that are going to be done are DB queries... 19:42 -!- netcrusher88 [i=netcrush@unaffiliated/netcrusher88] has joined ##openvpn 19:45 < netcrusher88> so, question: has anyone used openvpn successfully with STUN? or any suggestion how to, since most STUN implementations don't seem very script-friendly? 19:47 < ecrist> onats: openvpn on almost any hardware can keep up with 1mbps. 19:47 < ecrist> netcrusher88: I'm not following 19:48 < netcrusher88> well, STUN is UDP NAT traversal, but in order to use it with openVPN, you'd need to pass openvpn the parameters you get from the STUN handshake 19:49 < netcrusher88> i get the feeling i'm not making much sense 20:03 < krzie> stun for voip? 20:03 < krzie> cause stun for openvpn makes no sense 20:03 < krzie> unless you mean stun for voip, over openvpn 20:04 < krzie> in which case simply having your routes correct should let it work fine 20:04 < krzie> ive used stun for voip over openvpn, and over socks, and even over socks over openvpn 20:05 < krzie> if you dont mean for voip, what is your goal? 
20:08 < onats1> ecrist, ok... its worth a try then... 20:16 < disco-> I've got a little problem here. I've got a working OpenVPN connection, server is 10.0.0.2, client is 10.0.0.1, both TUNs, can ping each other from both ends fine, but when I add "redirect-gateway" to the client conf, it fails to route over the VPN 20:17 < disco-> the routing tables are changed, but when I do a traceroute on another IP it'll time out on the second hop, the first one being 10.0.0.1 20:17 < disco-> *table is changed 20:20 < disco-> ecrist, krzie, any ideas? :) 20:22 < krzie> umm 20:22 < krzie> you are using topology subnet i take it? 20:22 < disco-> nope 20:23 < krzie> how is it .1 and .2 then 20:23 < krzie> thats not default... 20:23 < disco-> ifconfig 10.0.0.1 10.0.0.2, and ifconfig 10.0.0.2 10.0.0.1 20:23 < disco-> on server/client respectively 20:23 < krzie> umm 20:23 < krzie> why? 20:24 < disco-> it's only going to be a single-user connection, that's just what I've picked up from various tutorials, docs etc 20:25 < krzie> if you let openvpn assign the ips normally does it work as expected? 20:25 < disco-> what do you mean by "normally"? 
20:25 < krzie> umm, like the example config or howto 20:25 < krzie> !sample 20:25 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 20:25 < krzie> or like that 20:26 < disco-> ah, so by using an IP and mask instead of two IPs 20:26 < disco-> i'll give that a go 20:26 < krzie> the mask is how many ips to hand out 20:27 < disco-> right 20:27 < krzie> be aware of this if you wonder why it starts at .6 20:27 < krzie> !/30 20:27 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 20:28 < disco-> ok 20:33 < disco-> looks like I've gotta generate some SSL/TLS keys 20:34 < krzie> why? 20:34 < ecrist> um, no, I'm taking care of the wife for the rest of the night. 20:34 < ecrist> nothing dirty, either. :( 20:34 < disco-> because before I was just using secret keys 20:34 < krzie> just static keys? 20:34 < disco-> sorry yeh static 20:34 < krzie> thats fine if you dont care about security 20:34 < disco-> was trying to think of the word 20:35 < disco-> i don't particularly, but apparently you can't use static keys and "server" together 20:35 < krzie> umm 20:35 < krzie> whered you read that? 20:35 < disco-> OpenVPN told me: Options error: --server and --secret cannot be used together (you must use SSL/TLS keys) 20:36 < krzie> lol oh i see 20:37 < ecrist> g'night 20:37 < krzie> nite ecrist 20:41 -!- hackman127 [n=hackman1@cable-30-182.sssnet.com] has joined ##openvpn 20:41 < hackman127> If I have to regenerate a server key, are all of my client keys now toast? 20:42 < krzie> not if they are signed by the same CA 20:42 < krzie> thats why the CA is the keys to the kingdom 20:43 < hackman127> krzie, Awesome. Thanks 20:43 * hackman127 muddles something about "stupid Debian......" 
20:43 < krzie> np 20:54 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn 21:29 < bronson> Man, that openvpn.net site makes it look like OpenVPN is a dead project. 21:30 < bronson> Last updated over a year ago, no links to any mailing lists or forums or source repositories... 21:30 < bronson> A terrible showing. 21:31 < disco-> Well it was updated 14/9 at least, the latest release is listed in the downloads section 21:35 < bronson> Ah, that's true. 21:35 < bronson> I didn't look there because I'm not sure I want to download it yet. :) 21:44 < netcrusher88> wandered off for a bit... 21:44 < netcrusher88> i meant stun for openvpn 21:44 < netcrusher88> which makes perfect sense, since openvpn is UDP based and STUN is a type of UDP hole punching 21:47 < netcrusher88> extremely limited use case, since at least one end of an openvpn connection will usually be outside NAT or able to forward a port, but the ability to hook up STUN and OpenVPN would make possible things like bringing up a vpn between two natted systems for older games that don't support netplay but do local network, for example 22:15 < bronson> Does OpenVPN offer any way for clients to connect directly to one another? 22:15 < bronson> If they're on the same network of course. 22:16 < bronson> It's supremely annoying for me to send a 100MB print job over my DSL modem twice to print to the printer next to me. :) 22:16 < bronson> (er, it *would be*) 22:27 < netcrusher88> the printer speaks openvpn? 22:28 < netcrusher88> same physical segment, if you configure a local IP that will take precedence.... you can configure multiple printer entries, one for the VPN, one for local, if you need both 22:35 < ecrist> ok, i didn't go to bed yet 22:35 < ecrist> why wont tor work for me on my mac. answer me this. it worked last week, now it doesn't. 22:36 < ecrist> and why can't I find a free shell service that allows port-forwarding/proxying? 22:36 < ecrist> out of the US. 
22:37 < ecrist> bronson: why would you have to do that? 22:38 < netcrusher88> because bandwidth isn't *that* cheap 22:38 < ecrist> netcrusher88: yes it is. 22:38 < ecrist> colopronto.com 22:38 < ecrist> 100Mbps 24.95US/mo 22:38 < ecrist> :\ 22:41 < netcrusher88> okay... go ahead and get one, offer free port forwarding, and see how quickly that 100 Mbit is saturated to the point even IRC is all but useless 22:41 < netcrusher88> don't get me wrong, I'd like to see that too but there's physical limits to these things 22:41 < bronson> ecrist, because my DSL modem only does 1.5MBit. Each print job needs to move over it twice. 22:42 < ecrist> netcrusher88: bronson: why twice? 22:42 < bronson> The printer is connected to another computer that's connected via OpenVPN. 22:42 < bronson> Ah. Because my OpenVPN server is not in my apartment. 22:43 < netcrusher88> are the clients on the same physical subnet? 22:43 < bronson> netcrusher88, yep 22:43 < bronson> well, sometimes. :) 22:43 < netcrusher88> try the local IP instead of the VPN IP 22:44 < bronson> The laptop is occasionally in this physical subnet but usually somewhere else. 22:44 < netcrusher88> and/or configure two different printers, identical except for the IP so you can use one at home and one when not 22:44 < netcrusher88> same logical subnet i meant, my mistake 22:44 < ecrist> bronson: all OpenVPN connections are routed through the OpenVPN server, if that helps. 22:44 < ecrist> doesn't matter the protocol used. 22:44 < bronson> Yeah, I figured. I was just hoping there was a plugin that would allow clients to direct-connect. 22:45 < bronson> I'd like to do this for print jobs, sharing files with roommates, etc. 22:46 < bronson> I'm not surprised OpenVPN doesn't handle this... I was just hoping. :) 22:46 < ecrist> bronson: think about it, how could that conceivably work? 22:47 < bronson> ecrist, same way lots of p2p apps work. 
22:47 < ecrist> and, for the grand scheme of things, especially if all the connections are local (as on a Uni LAN), print jobs aren't high bandwidth. 22:48 < ecrist> bronson: VPN != P2P 22:48 < bronson> Server says, "huh, you two look like you're coming from the same location... why don't you guys try to open a direct connection to each other?" 22:48 < ecrist> no, doesn't work that way. 22:48 < ecrist> then it's not a vpn. 22:48 < ecrist> between the three, it's a vpn between the two. 22:49 < ecrist> see, much of what a VPN does for you is involved with routing and 'locality' 22:50 < bronson> ecrist, is it written somewhere that all traffic must pass through the central server, otherwise it's not a VPN? 22:50 < ecrist> the rest is the encryption, or semblance that each client is 'local' 22:50 < ecrist> bronson: do you understand network and cryptography? 22:50 < ecrist> specifically the SSL variety? 22:51 < bronson> Sure, quite well. I've used OpenSSL in a few apps. 22:51 < ecrist> ok, so, if you understand SSL, you should be able to answer this question yourself. 22:52 < ecrist> almost *EVERYONE* uses OpenSSL daily. 22:52 < bronson> The direct connection would not go over the tunnel to the server. 22:52 < ecrist> so, the fact that you 'use it' means nothing. 22:52 < bronson> I mean, I've written it into a few apps. 22:52 < ecrist> but, the fact that you ask such a question implies that you don't understand SSL, or PKI in general. 22:54 < ecrist> historically, VPNs have involved a client-server relationship. That does not mean that there couldn't be a future PKI that allows for multi-homed VPN connections, in a star-topography. 22:54 < ecrist> at this point in time, I'm not aware of any. 22:54 < ecrist> are you? 22:55 < bronson> Nope, I was hoping it existed somewhere. 22:55 < bronson> And, it seems to me that OpenVPN is the closest to providing something like this. 22:55 < bronson> Which is not to say that it's actually very close. :)
22:55 < ecrist> hrm, you seem to imply that OpenVPN is retarded for not doing so. 22:55 < bronson> Not at all. I was just asking. 22:55 < ecrist> 22:50 < bronson> ecrist, is it written somewhere that all traffic must pass through the central server, otherwise it's not a VPN? 22:56 < ecrist> o.O 22:56 < bronson> That was a reply to: then it's not a vpn 22:56 < bronson> VPN can have a star topo, can't it? 22:56 < ecrist> unless it's extremely experimental, I'm not aware of any VPN that would operate differently than as above. 22:57 < ecrist> in practice today, no. 22:57 < ecrist> in theory, of course. 22:57 < bronson> OK, that's true. 22:57 < bronson> I guess we agree. 22:57 < ecrist> but, something 'central' would still have to control it. 22:57 < bronson> Absolutely. 22:57 < ecrist> 22:50 < bronson> ecrist, is it written somewhere that all traffic must pass through the central server, otherwise it's not a VPN? 22:57 < ecrist> now, s/all traffic/some authentication traffic/ 22:57 < ecrist> sure. 22:58 < ecrist> but, otherwise, you imply such a beast exists. 22:58 < bronson> I only mean to imply that such a beast could exist. 22:58 < bronson> And I wish it did. :) 22:58 < bronson> And, one day if I win the lottery, I'll spend the 6 months it would take me to write it. 22:58 < ecrist> someday, humans may have a ship which has capability of inter-stellar travel. Until such time, I'm not going to call a shuttle a space-ship. 22:59 < bronson> So you'd call the Shuttle a space-dinghy? 22:59 < bronson> Works for me. 22:59 < ecrist> bronson: fine. you say you understand SSL, or at least OpenSSL, not necessarily PKI in general. However, if you really did, such a question would not come up. 23:00 < ecrist> Until SSL has a similar structure and support as PGP has, no such network *could* exist. 23:00 < ecrist> barring private support infrastructure, of course. 23:00 < ecrist> bronson: no, I'd call the shuttle a shuttle.
23:01 < bronson> Sure, the central server would just have to coordinate the connection. 23:01 < ecrist> no 23:01 < bronson> Tell each client where to look for the other, and hand them custom certs to ensure no mitm. 23:01 < ecrist> with PKI, it's only coordinating the authentication that a connection can exist (within the specified PKI) 23:02 < ecrist> does specify where the connection can occur, just whether it *should* occur 23:03 < ecrist> and, all of this still fails to tell me why tor stopped working on my laptop. 23:03 < ecrist> :\ 23:04 < ecrist> netcrusher88: what were you looking for? 23:08 < bronson> Ah well, I'm convinced it's possible and would be very useful in the near future. 23:08 < bronson> One day I'll have to write it. 23:09 < ecrist> nobody said it was impossible, just not with the standard PKI. It would require some sort of subset, or at least a daemon level routing mechanism. 23:09 < bronson> I like things to find the optimal network path without requiring my intervention... I'm super lazy. 23:09 < ecrist> now, you just sound ignorant. 23:09 < bronson> Why? 23:09 < ecrist> all that progress, and BOOM 23:10 < ecrist> well, with the current VPN scheme, a central system is required, as such, the most 'optimal' network path is client_a -> vpn_server -> client_b 23:10 < ecrist> there's no such thing as client_a -> client_b 23:10 < bronson> Right, obviously. 23:10 < bronson> I'm saying I'd like to add code to make client_a -> client_b possible. 23:11 < ecrist> oh, well, I guess you're getting what you want, then. 23:11 < ecrist> if you understood PKI/xSSL, you'd realize why that wasn't very easy, or possible. 23:12 < ecrist> what you suggest would require a whole lot of code, and lots of extra interfaces/overhead. 23:12 < bronson> Yeah, that's why I estimated it at 6 mos of work. 23:13 < bronson> Gotta run, back in 1/2 hour... ecrist, thanks for the discussion even if not much got resolved. :)
23:14 < ecrist> np 23:14 < ecrist> bronson: pay me for 6 months, you'll have your VPN 23:14 < ecrist> so you can print more efficiently between two vpn clients. 23:15 < bronson> ecrist, same in reverse... pay me for 6 months and I'll do it! 23:15 < bronson> I think... 23:16 < ecrist> now, how would that make me money? 23:17 < ecrist> and get me 3 months of free money? 23:21 < ecrist> g'night - the lady wants to go to bed now. 23:21 < jeev> what 23:21 < jeev> wack 23:21 < ecrist> while many of you in this chan may not understand women, vagina > * 23:21 < jeev> ecrist 23:21 < ecrist> at least for the next three minutes 23:21 < jeev> only if its nice vagina 23:21 < jeev> fat doesn't count 23:22 < jeev> hahaha, damn straight 3 minutes. 23:22 < ecrist> jeev, you calling my wife fat? 23:22 < jeev> any longer and it's not worth it 23:22 < jeev> no, i'm asking 23:22 < ecrist> o.O 23:22 < jeev> hoping you say she's not 23:22 < jeev> so i can say 23:22 < jeev> pics or it's not true 23:22 < ecrist> cristfam.com/gallery 23:22 < jeev> i can't look now 23:22 < ecrist> fat dude is me, thin hot chick is her. 23:22 < jeev> i'm fixing something 23:22 < jeev> but i'll definitely look 23:22 < jeev> lol cool 23:22 < ecrist> so, you ARE calling her fat. 23:22 < ecrist> :\ 23:22 < jeev> how do you guys publish your girl's pics 23:23 < jeev> online 23:23 < jeev> such privacy issues 23:23 < ecrist> what's private? 23:23 < jeev> i dunno 23:23 < jeev> OH WELL 23:23 < jeev> go 23:23 < jeev> i'll let you know if i rubbed one out 23:23 < ecrist> I have an attractive wife. Now even if she was fat by typical standards, I wouldn't think so, so I'd want to show her off. 23:23 < jeev> thinking about her 23:23 < jeev> yea, my gf is skinny 23:23 < jeev> beautiful 23:23 < jeev> no tits or ass 23:23 < jeev> but i dont show her off 23:23 < jeev> ;D 23:24 -!- mode/##openvpn [+o ecrist] by ChanServ 23:24 < jeev> shiet 23:24 <@ecrist> eh hem. 23:24 < jeev> so! i was oped for 10 seconds
23:24 < jeev> krzie has weird issues 23:24 < jeev> oping everyone 23:24 -!- mode/##openvpn [+o jeev] by ChanServ 23:24 <@jeev> randomly and seeing what they'll do! 23:24 <@jeev> bah! 23:24 <@jeev> /kick ecrist! 23:24 <@jeev> i wont be satisfied till i'm on full perm OP 23:24 <@ecrist> try it. I dare you. muahahahahahahahaha! 23:24 <@jeev> i'm fine with op 23:25 <@jeev> alright dood 23:25 <@ecrist> jeev: I'll let you know when I know your *honest* stance on my wife. ;) 23:25 <@jeev> go sex, 3 seconds, bust 23:25 <@ecrist> 4, at least. 23:25 <@jeev> haha 23:25 <@jeev> dood 23:25 <@jeev> i wont lie 23:25 <@ecrist> I can at least get it all the way in. 23:25 <@jeev> everrrrrrrry single time i've had sex 23:25 <@jeev> i've come in seconds 23:25 <@jeev> no joke 23:25 <@jeev> i'm not a professional and i dont drink 23:25 <@jeev> and i'm LAZY 23:25 <@jeev> i'm not fat though 23:25 <@jeev> i was 23:26 <@ecrist> I wouldn't talk about that in public, I'm the guy every gal talks about because I stay 'ready' after the first and second... 23:26 <@jeev> lol 23:26 <@jeev> really? 23:26 <@ecrist> I am fat, now. didn't used to be when I was in the army, then I found Hardee's. Now I'm fat. 23:26 <@ecrist> changing it, though. 23:26 <@ecrist> yeah, really. 23:26 <@jeev> ahh 23:26 <@jeev> lol 23:26 <@jeev> do this 23:26 <@jeev> stop eating frozen yogurt 23:26 <@jeev> cause those are wack 23:26 <@jeev> stop having fruits at night 23:26 <@jeev> i was fat in high school 23:26 <@jeev> after, i started playin ball 23:27 <@jeev> now i'm 6'1 194, been 6'1 187 for a few years, then hurt my ankle 23:27 <@jeev> then went up to 204 23:27 <@jeev> then lost 10 23:27 <@ecrist> I don't. Actually, I've been told, my problem is I don't eat often enough. some bullshit about my body deciding I'm in a constant state of emergency and storing as much as possible. I call BS, but more than one dr says that's what's up.
23:27 <@ecrist> I say :\ 23:27 <@jeev> ahh 23:27 <@jeev> yea, i hear that 23:28 <@jeev> doctors are gay 23:28 <@jeev> you should eat 5-6 times a day 23:28 <@jeev> smaller portions 23:28 <@jeev> no sugars at night 23:28 <@ecrist> I eat about 1 1/2 times a day. 23:28 <@ecrist> only 'cause I'm not hungry. apparently that's wrong. 23:28 <@jeev> damn 23:28 <@ecrist> wtf 23:28 <@jeev> weird 23:28 <@jeev> you exercise ? 23:28 <@ecrist> yeah, that's the think 23:28 <@jeev> weird 23:29 <@jeev> what do you eat excess 23:29 <@jeev> chocolates n shit ? 23:29 <@ecrist> s/think/thing 23:29 <@jeev> you have a good shitting system? 23:29 <@jeev> i dont 23:29 <@jeev> i have to eat fiber one 23:29 <@jeev> a LOT 23:29 <@jeev> the cereal 23:29 <@ecrist> lol, yes, I can take a dump. 23:29 <@jeev> i haven't crapped in 2 damn days man 23:29 <@ecrist> shit, literally. 23:29 <@jeev> so what's your prob 23:29 <@jeev> haha 23:29 <@ecrist> 1xper day. 23:29 <@jeev> ecrist, you should overdose 23:29 <@ecrist> lol 23:29 <@jeev> on fiber 23:29 <@jeev> maybe you got shit 23:29 <@jeev> in your colon 23:29 <@jeev> keeping yo fat 23:30 <@ecrist> jeev: I think I need to 1) exercise proper, 2) eat a good diet, 3) eat a regular diet 23:30 <@jeev> i haven't exercised in over 3 years. 23:30 <@jeev> i only did quickly 23:30 <@jeev> early this year for the basketball tournament 23:30 <@jeev> i'm the greatest shot blocker, rebounder, defender 23:31 <@jeev> coach took me out 23:31 <@jeev> started every game.. i had 8 blocks in the first 3 months 23:31 <@jeev> minutes 23:31 <@jeev> and he took me out, EVERY game he took me out after i got jump ball 23:31 <@jeev> so i quit 23:31 <@ecrist> what's funny, I'm a reserve sheriff dep, I can out run most of the folks I work with, I geocache regular, and I can climb stairs better than a guy I work with who bikes 30 miles to/from work, every day. 23:31 <@ecrist> I call BS. 23:31 <@jeev> ahh 23:31 <@jeev> huh 23:31 <@jeev> you call bs? 23:31 <@ecrist> on my belly.
23:32 <@jeev> what 23:32 <@jeev> does that mean 23:32 <@ecrist> I think my belly is still here for the good times. I say, 'time to go home, belly.' Belly says, 'No.' 23:32 <@ecrist> :( 23:33 <@ecrist> hehe 23:33 <@jeev> oh 23:33 <@jeev> "get in my belly!" 23:33 <@ecrist> it's OK, though. I'd like to be thinner, but I have a hot wife, good kid, happy life. Why want more? 23:34 <@jeev> lol 23:34 <@jeev> you need the belly 23:34 <@jeev> to outlive everyone 23:34 <@jeev> when we run out of food 23:34 <@ecrist> lol 23:35 <@ecrist> I'ma be here about 100 years, then. 23:35 <@jeev> damn 23:35 <@jeev> if i knew i was gonna die 23:35 <@jeev> i'd pound ice cream 23:36 <@ecrist> if I knew I was gonna die, I'd pound Jennifer Aniston. 23:36 <@jeev> you'd cheat on your wife? 23:36 <@jeev> tsk 23:38 <@ecrist> jeev: my wife and I have a few understandings. her: Vin Diesel, me: Jennifer Aniston. 23:38 < krzee> ecrist, hamachi supports p2p connections between clientds 23:38 < krzee> -d 23:38 <@jeev> really? lol 23:38 <@jeev> iv'e met him 23:38 <@jeev> he bought dog tags from my friend 23:38 <@ecrist> jeev: really. 23:38 <@jeev> yea 23:38 <@jeev> i meet everyone 23:38 <@jeev> through my friend 23:38 <@jeev> he's a pretty damn big jeweler 23:38 <@jeev> yesterday i met some of the sf giants 23:38 <@jeev> i dont care really though 23:38 <@jeev> heh 23:39 <@ecrist> lol, I've met enough big-time folks I stopped caring. their relevance is too short. 23:39 <@jeev> yea 23:39 <@jeev> there are some really nice ones though 23:39 <@jeev> david ortiz is one of my favorites 23:39 <@jeev> hmm 23:39 <@jeev> my crap is stuck man 23:39 <@jeev> i have issues 23:39 <@ecrist> I did home-theatre from Dante Culpepper, Randy Moss, and Chris Hovan of the MN Vikings a few years back. where the fuck are they now? 
23:40 <@jeev> yea 23:40 <@jeev> i'd rather be normal (bowel wise) 23:40 <@ecrist> lo 23:40 <@ecrist> l 23:40 <@jeev> i'm going to london next month 23:40 <@jeev> first class, all expenses all food all this all that 23:40 <@jeev> better be fun 23:45 < krzee> oh and screw excersize 23:45 < krzee> i lost 20lb after i got my wii 23:45 < krzee> and im only 170 23:46 < krzee> the wii rocks 23:47 * ecrist gets a wii 23:47 * ecrist wishes macs were cheaper. 23:48 <@ecrist> I've owned a Mac for about 5 years. but, for my business, I still can't justify the price difference. 23:48 <@ecrist> fucking apple 23:48 -!- mode/##openvpn [-o ecrist] by ecrist 23:49 <@jeev> mac uscks 23:49 <@jeev> i have one too 23:49 <@jeev> sitting here, since the HD failed 23:49 <@jeev> was the first Dual G5 they came out with 23:49 <@jeev> i think i was the first ever owner 23:49 < krzee> i love my MBP 23:50 < krzee> and ecrist 23:50 < krzee> i priced out the hw for a quad core system with 8gb ram the other day 23:50 < krzee> pc hardware... between 600 and 700 23:50 < krzee> toss hackintosh osX on there 23:50 < krzee> and booya 23:51 <@jeev> why you want osx anyway 23:51 <@jeev> i know vista sucks 23:51 < krzee> osx is sweet 23:51 <@jeev> pfft 23:51 < krzee> took me 2 months to learn and i could never go back to windows since 23:51 <@jeev> it annoys me 23:51 < krzee> been using it over 2 yrs now 23:52 < krzee> my fav desktop, and i used windows since 3.1 23:52 < krzee> i love having a bash prompt available 23:52 < ecrist> ok, I'm a FreeBSD guy, OS X rocks for the friendliness and usability. 23:52 <@jeev> i dont care about friendliness!!!! 23:52 <@jeev> i'm a fbsd guy too 23:52 < ecrist> also, it's got a userland based on FreeBSD. 23:52 < krzee> and things are more logical in osx than windows by farrr 23:52 <@jeev> damnit ERIC QUAILAND! 23:52 < krzee> also what ecrist said 23:53 < ecrist> WHAT DID YOU CALL ME? 
23:53 <@jeev> eric quailand 23:53 <@jeev> NO NAMES OVER THE RADIO 23:53 <@jeev> if anyone knows what movie that is 23:53 <@jeev> i'll cut my testicles 23:53 < ecrist> /permbanfuckintheass jeev 23:53 <@jeev> you have 5 seconds 23:53 < krzee> http://en.wikipedia.org/wiki/Hamachi 23:53 < vpnHelper> Title: Hamachi - Wikipedia, the free encyclopedia (at en.wikipedia.org) 23:53 < ecrist> oh, that's not a command. 23:53 < ecrist> :\ 23:53 <@jeev> shit, i forgot the movie name 23:53 <@jeev> the british guy from 23:53 <@jeev> cliffhanger 23:54 <@jeev> ecrist, i've already gotten my tenure as an op here 23:54 <@jeev> i can't be fired 23:55 < ecrist> No really, I wanted OS X because my company has Quickbooks for Mac, so that would help, but most things are pretty solid. 90%+ of what we do, though, is on Windows, so Virtual Box or Parallels/VMware/etc would be required. 23:55 -!- mode/##openvpn [+o ecrist] by ChanServ 23:55 <@jeev> is it easy to put osx on anyway 23:55 <@jeev> ? 23:55 -!- jeev was kicked from ##openvpn by ecrist [fired. ;)] 23:55 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 23:55 < jeev> bah 23:55 <@ecrist> lol 23:55 < jeev> it's not auto oping me 23:56 -!- mode/##openvpn [+o jeev] by ChanServ 23:56 <@ecrist> /msg chanser access ##openvpn list 23:56 <@jeev> i'm still not there 23:56 <@jeev> hmm 23:56 <@ecrist> right, so tenure, no. 23:56 -!- mode/##openvpn [-o jeev] by ChanServ 23:56 <@ecrist> :) 23:56 < jeev> wack 23:56 < krzee> hehe 23:57 < jeev> so 23:57 < jeev> do i have to set a password on chanserv 23:57 < krzee> but ya ecrist thats what ild do 23:57 < jeev> when yu add me ? 23:57 <@ecrist> jeev: from a business sense, Hackintosh/hackery is not worth the time. 
23:57 < krzee> build yourself a nice quad or dual core intel machine with a bunch of ram 23:57 < krzee> and run hackintosh 23:57 < jeev> i have 23:57 < krzee> its cheap to do 23:57 < jeev> an e8500 23:57 < jeev> 4gb ram 23:57 <@ecrist> personally, maybe, but I've got the cash-flow to afford a real mac. 23:57 < jeev> 32 bt is fine 23:57 < jeev> i left q6600 23:57 < jeev> had it over a year 23:57 < jeev> hated it 23:58 <@ecrist> so, I'd rather do that. 23:58 < krzee> i love my MBP 23:58 -!- jeev [n=email@unaffiliated/jeev] has left ##openvpn [] 23:58 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 23:58 < jeev> hmm 23:58 <@ecrist> if Macs were about $300 cheaper, maybe 23:58 < jeev> 4 letters. wack 23:58 < krzee> but if i want a mac desktop box, ild get a SAVAGE hackintosh machine for 1/2 the price of a cheap mac 23:58 <@ecrist> you not on the list... 23:58 < jeev> is osx open source 23:58 < jeev> at least the kernel 23:58 < jeev> ecrist, then there's a mistake! 23:59 < krzee> no but it uses a lot of open source 23:59 <@ecrist> jeev: i'm the guy to butter up to - you still haven't told me what you think of my wife. :) 23:59 < jeev> will pple 23:59 < jeev> will apple ever 23:59 < jeev> start putting security measures on their OS 23:59 < jeev> ecrist, i thought i said it 23:59 < jeev> you should be boning her right now cause she's definitely hot 23:59 < krzee> define security measures...? --- Day changed Mon Sep 22 2008 00:00 <@ecrist> jeev: there is an open-source version, Darwin, but it doesn't include Aqua, the interface, and, really, most of Apple's goodness. 00:00 -!- mode/##openvpn [-o ecrist] by ecrist 00:00 < jeev> uh 00:00 < jeev> like 00:00 < jeev> activation shit 00:00 < krzee> oh 00:00 < ecrist> jeev: I can't. :( She fell off a horse on Thursday, just over a week ago, and was actually in ICU for 4 days. 00:01 < jeev> damn 00:01 < jeev> sorry to ehar that 00:01 < jeev> hear 00:01 < ecrist> no need to be sorry. 
00:01 < krzee> i think they're more concerned about making a good usable os 00:01 < jeev> ecrist 00:01 < jeev> what if you met jennifer 00:01 < ecrist> why does 'activation' mean they're secure? 00:01 < jeev> while she was in ICU 00:01 < jeev> i didn't mean like that damnit 00:01 < jeev> ok, forget osx 00:01 < ecrist> jeev: I told you, her and I have an understanding. 00:01 < jeev> and you had the chance to fuck jennifer 00:01 < jeev> would you do it 00:01 < jeev> EVEN IF SHE WAS IN ICU ? 00:01 < jeev> you're ruthless! 00:02 < ecrist> jeev: ab-so-fucking-lutely. 00:02 < krzee> i wonder if it could be coded for 2 clients of an openvpn connection to talk p2p 00:02 < ecrist> I'd let the wife watch, though. 00:02 < ecrist> krzee: anything can be accomplished with proper drivers and routing. 00:03 < jeev> RUTHLESS!!!!!! 00:03 < ecrist> krzee: man carp 00:03 < jeev> s 00:03 < jeev> so 00:03 < krzee> once connected to the vpn server the server could send a signal to one of the clients that the other client wants to talk direct 00:03 < jeev> who's the coder 00:03 < jeev> for openvpn 00:03 < jeev> or coders 00:03 < ecrist> no idea. 00:03 < jeev> or main guy 00:03 < jeev> bah 00:03 < jeev> ecrist, it's probably you! 00:03 < jeev> can you code me a printf thing? 00:03 < ecrist> jeev: no, really, not me. 00:03 < jeev> just to say hello world 00:03 < jeev> damn 00:03 < jeev> k 00:03 < ecrist> I just got tired of smack-talking bitches in here and took control of this channel about 2 months ago. 00:04 < ecrist> ask krzee 00:04 < jeev> i'ma bout to take control right now 00:04 < krzee> then they could establish a connection with each other that would act like a normal openvpn connection process without server signed cert 00:04 < jeev> /msg chanserv access password ecrist testicularfission 00:04 < jeev> damnit 00:04 < ecrist> jeev: I can code you hello world, but most people can do that.
00:04 < krzee> ya the old ops were NEVER around 00:04 < ecrist> krzee: it's not an OpenVPN restriction, it's a PKI/SSL restriction 00:05 < krzee> kinda 00:05 < ecrist> page way up and read the conversation 00:05 < krzee> they would need to establish a new connection 00:05 < krzee> i did thats why it made me think 00:05 < ecrist> no, you need to understand PKI 00:05 < jeev> hmm 00:05 < jeev> i couldn't get 00:05 < jeev> vista to set gateway by the way 00:05 < jeev> on my gf's laptop 00:05 < krzee> server would see them wanting to talk to each other, and signal the client being talked to to act as a server 00:06 < ecrist> there's the possibility, but every certificate would need to be recursive, which blows away the security. 00:06 < jeev> HEY 00:06 < jeev> i have an issue 00:06 < jeev> seriously 00:06 < krzee> then tell the other client what ip to establish a new pki connection to 00:06 < jeev> in ccd.. under my client2 00:06 < ecrist> a new model would need to be developed. Or shared keys thrown about, but then, we have IPSec. 00:06 < jeev> sometimes i connect from 192.168.2/24 00:06 < jeev> sometimes, from 1/24 00:06 < jeev> what the hell do i do so i dont get the multi error ? 00:06 < krzee> they could still verify certs, would be as secure as a server without the server cert signed as a server 00:07 < ecrist> what're you doing with your ccd? static IP? 00:07 < jeev> op me and i'll tell you 00:07 < jeev> jk 00:07 < jeev> [root@volcano ccd]# cat client2 00:07 < jeev> iroute 192.168.1.0 255.255.255.0 00:07 -!- mode/##openvpn [+o jeev] by ChanServ 00:07 <@jeev> add me to access list 00:07 <@jeev> and never remove me 00:07 <@jeev> and if it doesn't hurt you 00:07 < ecrist> lol 00:07 <@jeev> send me nudes 00:07 <@jeev> of your wife 00:07 <@jeev> ONLY IF YOU DONT MIND 00:08 < krzee> jeev, for what? all you need ops for is to kick trolls 00:08 <@jeev> yea 00:08 < ecrist> you say that as if I don't have nudes of my wife on my lappy. 00:08 <@jeev> duh 00:08 <@jeev> !
00:08 <@jeev> ecrist is lagging, i hope he's getting me a link 00:08 < krzee> alright lets see the pic of her 00:08 < krzee> heard enough talk 00:08 < krzee> hehe 00:08 < ecrist> jeev: http://nasty-ass-sluts.com/fat_ugly_bitches/pages/002.htm 00:08 < vpnHelper> Title: Fat Ugly Bitches of bitches taking huge cocks (at nasty-ass-sluts.com) 00:09 <@jeev> EWWWWWWWWWWW 00:09 -!- jeev changed the topic of ##openvpn to: ecrist = http://www.counterpoint-music.com/specialties/images/williamhung.jpg 00:09 -!- ChanServ changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Forum: https://ovpnforum.com | bot: !menu 00:09 -!- mode/##openvpn [+t-o jeev] by ChanServ 00:09 < jeev> woops 00:09 < jeev> sorry 00:09 < jeev> /topic ##openvpn ecrist = http://www.counterpoint-music.com/specialties/images/williamhung.jpg 00:09 < jeev> i forgot to press control 00:09 < jeev> sorry 00:09 < ecrist> now, I'm not posting any pics of my wife here, but there are, honestly, a few amateur sites of report that we *have* posted to. 00:10 < jeev> lol 00:10 < jeev> really? 00:10 < jeev> what the hell is wrong with you two 00:10 < jeev> freaks 00:10 < krzee> im not talkin bout nudes 00:10 < ecrist> now you're just jealous 00:10 < jeev> krzee 00:10 < jeev> i'll get you their wedding vid 00:10 < ecrist> me either, I'm talking full penetration 00:10 < ecrist> muahahaha 00:11 < krzee> *shrug* ive taken a bit of vid too 00:11 < krzee> but i dont post them 00:11 < jeev> fuck 00:11 < jeev> i can't find it 00:11 < jeev> just google redneck wedding 00:11 < jeev> ! 00:11 < ecrist> lol 00:11 < krzee> all stays private stash 00:11 < ecrist> krzee: where's the excitement? 
00:11 -!- jeev [n=email@unaffiliated/jeev] has left ##openvpn [] 00:11 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 00:12 -!- Irssi: ##openvpn: Total of 42 nicks [0 ops, 0 halfops, 0 voices, 42 normal] 00:12 < jeev> apparently the access list takes up to 24 hours 00:12 < jeev> bah 00:12 < krzee> umm 00:12 < ecrist> jeev: you're not on the access list. 00:12 < krzee> see i dont keep same girl around all that long 00:12 < krzee> so its always new and exciting anyways 00:12 < jeev> bah 00:12 < jeev> ecrist, must be the year 2000 bug that removed me 00:12 < jeev> krzee, that was fun... when i was 18-21 00:12 < jeev> and now i'm glad i didn't fuck one of the girls 00:12 < krzee> ya im only 27 00:13 < ecrist> at the risk of sounding old-fashioned, I'm happy with my one-gal... she shares. 00:13 < jeev> her boss told me he knew she had VD 00:13 < jeev> lol 00:13 < jeev> i'm 24! 00:13 < jeev> ecrist, i'm happy with mine 00:13 < krzee> ya nothing wrong with all that 00:13 < jeev> only prob is her mom passed away at like 58 with cancer 00:13 < ecrist> ouch 00:13 < krzee> just not what i do 00:13 < jeev> mine better stay health 00:13 < jeev> healthy 00:13 < ecrist> diet dew and jack !- tasty treat 00:14 < jeev> oh 00:14 < krzee> ecrist, ever used synergy? 00:14 < jeev> you drink diet drinks 00:14 < jeev> ? 00:14 < ecrist> krzee: every fucking day. 00:14 < krzee> hells yes 00:14 < krzee> i LOVE it 00:14 < jeev> ecrist 00:14 < jeev> you're fat cause you drink diet drinks 00:14 < jeev> there you go 00:14 < ecrist> jeev: remember, I'm fat. I need fewer calories. it's a start. 
00:14 < jeev> diet drinks = bullshit 00:14 < jeev> no ecrist 00:14 < ecrist> lol 00:14 < jeev> it's not a start 00:14 < jeev> take it from me 00:14 < jeev> take it from me 00:14 < jeev> my best friend 00:14 < jeev> and his brother 00:14 < krzee> no 00:14 < jeev> are morbidly obese 00:14 < krzee> drink water 00:14 < jeev> they drink diet drink 00:14 < jeev> s 00:15 < jeev> ALL THE TIME 00:15 < jeev> and they stay fat 00:15 < jeev> water == best 00:15 < krzee> you will lose a bit soon after 00:15 < jeev> diet drinks are bullshit sugars 00:15 < krzee> yup 00:15 < jeev> your body doesn't know what to do, eventually you'll get cancer or some shit from that 00:15 < ecrist> krzee: water + jack/morgan/grey goose/belvedere/stoli/etc == crap 00:16 < ecrist> don't fuck with me and my booze. 00:16 < ecrist> not that I drink a ton, but if I'm going to, it's good. 00:16 < krzee> thats diff 00:16 * ecrist mean mugs krzee 00:16 < krzee> i mean when you drink just a soda 00:16 < krzee> trade it for a water 00:16 < krzee> when you're drinking booze drink whatever you want! 00:16 < jeev> uh 00:16 < ecrist> oh, I don't usually drink just soda - I like water for that. 00:16 < jeev> i drink water 00:16 < jeev> WHENEVER 00:17 < jeev> if i have like 00:17 < jeev> chinese food or some shit 00:17 < jeev> with spicy thingy 00:17 < jeev> i drink water 00:17 < jeev> i drink water with EVERYTHING 00:17 < ecrist> anyway - so, I still think apple needs to drop their price by about 25%. 00:18 < jeev> i still need to drop the kids off at the pool 00:18 < jeev> but the kids dont wanna swim 00:19 < ecrist> lol, more fiber 00:19 < jeev> i get a lot of fiber man 00:19 < jeev> i just dont exercise 00:19 < ecrist> my fat-ass gets enough exercise. 00:19 < ecrist> www.geocaching.com 00:19 < jeev> ecrist, having sex with your blow up doll 00:19 < jeev> doesn't count 00:20 < ecrist> all the exercise you need. 00:20 < krzee> So, how safe can a freeware be? Curiously, it's quite safe. Although there are many people that say the contrary. Why they say it? Because it is not an open source program; that means that the code isn't available for people for reviewing it. How can we trust a closed source program? Well, we trust Microsoft Windows, Norton Antivirus and lot's of software that it is available in the market. Why we don't trust Hamachi then? In reality, there is no rea 00:20 < krzee> son for not doing it.
00:20 < krzee> LOL 00:20 < krzee> we trust windows and norton!? 00:20 < krzee> bahahah 00:21 < jeev> norton is a joke 00:21 < krzee> as is windows 00:21 < ecrist> jeev: Buddha tells me to be kind to other life forms. 00:21 < krzee> my friend reported a bug to MS a bit ago 00:21 < krzee> they are ignoring 00:21 < krzee> and he even used to work for them 00:21 < krzee> thats what happened with blaster worm 00:22 < jeev> huh 00:22 < krzee> they were notified about the bug far in advance 00:22 < krzee> eventually the discoverer said something about what he found to others cause ms ignored so long 00:22 < jeev> ecrist 00:22 < jeev> i found your baby pic 00:22 < jeev> http://www.frogazul.com/davestuff/images/ugly-kid.jpg 00:22 < krzee> someone turned it into a worm 00:22 * ecrist shoots half the populace of ##freebsd 00:22 * ecrist shoots half the populace of ##openvpn 00:23 < ecrist> krzee: this is not anti-microsoft 00:23 < krzee> 75% chance i just got shot 00:23 < ecrist> jeev: where'd you get that?!?! that was unauthorized! 00:24 < krzee> nor is it weight-loss 00:24 < krzee> but who cares, nobody here asking for help atm 00:26 < jeev> damn 00:26 < jeev> i just shat 00:28 < jeev> i love wiping my ass 00:28 < jeev> man 00:28 < jeev> i got 3 more servers 00:28 < jeev> with nothing to do 00:29 < jeev> so set i re-set up 00:29 < jeev> mailserver for west coast 00:29 < ecrist> jeev: you'll notice i behave no different when I have ops and when I don't. :) 00:29 < jeev> what do you mean 00:29 < jeev> i want my ops back!
00:30 < ecrist> quit fucking leaving the room 00:30 < jeev> no 00:30 < jeev> i changed the topic 00:30 < jeev> and it did it remember 00:30 < jeev> [10:09pm] * jeev changes topic to 'ecrist = http://www.counterpoint-music.com/specialties/images/williamhung.jpg' 00:30 < jeev> [10:09pm] * ChanServ changes topic to 'Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Forum: https://ovpnforum.com | bot: !menu' 00:30 < jeev> [10:09pm] * ChanServ sets mode: +t-o jeev 00:30 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 00:30 < jeev> by accident 00:30 < ecrist> I'm not giving you 'access' but I'll give you ops, mostly because it'll piss someone off. 00:30 < jeev> ahh 00:30 < jeev> someone else will be pissed off? 00:30 -!- mode/##openvpn [+o jeev] by ChanServ 00:31 < ecrist> maybe 00:31 < ecrist> I don't know. 00:31 <@jeev> bah 00:31 <@jeev> who are you voting for 00:31 <@jeev> choose wisely 00:31 <@jeev> wrong answer will get you kicked! 00:31 <@jeev> HARHArhAR 00:31 < ecrist> jeev: after last night, I'm voting for your mother. 00:31 <@jeev> lol 00:31 < ecrist> she seemed to 'accept my ballot' 00:31 < ecrist> if you know what I mean. 00:31 <@jeev> har har harh 00:32 <@jeev> you wanna mess around? 00:32 < ecrist> and I mean she took my penis in her ass. 00:32 <@jeev> your wife didn't fall off a horse 00:32 <@jeev> she fell onto my penix 00:32 < ecrist> jeev: you only wish you could handle my wife. 00:32 <@jeev> lol 00:32 <@jeev> ecrist 00:32 <@jeev> i dont care 00:32 <@jeev> your wife wishes i could go longer than 5 seconds! 00:32 < ecrist> jeev: my wife wishes you were longer than 5cm 00:33 <@jeev> what 00:33 <@jeev> bitch 00:33 <@jeev> shetold you? 00:33 <@jeev> she told you? 00:33 < ecrist> lol 00:33 < ecrist> for those not in-the-know, 5cm is slightly more than 2 inches, hard. 00:33 <@jeev> ecrist, you'd know. 
00:34 <@jeev> i can't wait till tomorrow 00:34 <@jeev> indian food! 00:34 < ecrist> jeev: she showed me pics 00:34 <@jeev> ecrist, you got a boner from the pics 00:34 < ecrist> she was like, 'you see that? No, that, down in the left corner. No, that pixel, right there..." 00:35 <@jeev> "no, i dont see it.. all i see is a dead pixel" 00:35 <@jeev> "that's not a dead pixel" 00:35 < ecrist> But, seriously, all seriousness aside... 00:36 <@jeev> ? 00:36 < ecrist> Oh, I should go to bed. 00:36 <@jeev> bah 00:36 <@jeev> seriously 00:36 <@jeev> who are you voting for 00:37 < ecrist> O Bamccain 00:37 <@jeev> bah 00:37 <@jeev> if you say mccain 00:37 <@jeev> i hate you 00:37 < ecrist> honestly, I've been flip-flopping. 00:37 <@jeev> wowwwwww 00:38 < ecrist> like it or not, I don't give a fuck. 00:38 <@jeev> still 00:38 <@jeev> you want some dumb whore in office 00:38 <@jeev> who thinks russia is a joke? 00:38 <@jeev> i'm tired of people who think they're gonna go attack russia and win 00:38 * ecrist has been thinking of moving to the moon. 00:39 <@jeev> hmm 00:39 <@jeev> what the hell would you eat there 00:39 < ecrist> cheese 00:39 < ecrist> lots of it 00:39 <@jeev> you'd make cheese out of your wife's breast milk ? 00:40 < ecrist> yes, that, and, as most people know, the moon is made of cheese. 00:41 <@jeev> lol 00:45 <@jeev> ok dood 00:45 <@jeev> go sleep 00:45 <@jeev> good night, i'm gonna watch tv 00:46 * ecrist goes to bed. 00:47 < ecrist> :) 00:49 -!- mode/##openvpn [-o jeev] by ChanServ 01:02 * ecrist goes to bed. 
01:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 01:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:13 -!- mode/##openvpn [+b *!*@unaffiliated/krzee] by ChanServ 01:13 -!- krzee was kicked from ##openvpn by ChanServ [User is banned from this channel] 01:19 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 01:19 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn 02:07 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 03:06 -!- onats is now known as Guest47789 03:27 -!- Guest47789 [n=onats@unaffiliated/onats] has left ##openvpn [] 03:40 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 04:05 -!- onats1 [n=15172@unaffiliated/onats] has left ##openvpn [] 05:37 -!- lifeforms [n=walter@tau.lfms.nl] has joined ##openvpn 05:39 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 05:39 < onats> what is the client i should be using for openvpn for mac osx 10.4? 05:41 < lifeforms> I've heard people talk about "Tunnelblick" but never used it 05:41 < onats> i have it installed already actually.. but when i run it, it opens a popup that has a quit button only 05:45 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 06:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:02 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 07:01 -!- lifeforms [n=walter@tau.lfms.nl] has left ##openvpn [] 07:32 -!- mode/##openvpn [+o ecrist] by ChanServ 07:32 -!- mode/##openvpn [-b *!*@unaffiliated/krzee] by ecrist 07:32 -!- mode/##openvpn [-o ecrist] by ecrist 07:50 < ecrist> !mac 07:50 < vpnHelper> ecrist: Error: "mac" is not a valid command. 07:50 < ecrist> !learn mac as Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
07:50 < vpnHelper> ecrist: The operation succeeded. 08:16 -!- Guest47789 [n=onats@unaffiliated/onats] has joined ##openvpn 08:17 < Guest47789> hello, i am trying to build the certificate and key for a server. it prompts me for a challenge password. what does this mean? will it prompt the clients for a password when they try to connect? 08:17 -!- Guest47789 is now known as onats 08:20 < ecrist> if you set a password for the client key, yes. 08:20 < onats> so for the server, do i need to set it? 08:22 < ecrist> I would recommend encrypting all your SSL certificate keys with a password, however, 08:22 < ecrist> doing so makes it impossible to automate startup and shutdown of the VPN process. 08:23 < onats> i see. then the password is used to initiate connection, and not to authenticate against server? 08:23 < onats> im not sure i get it 08:23 < ecrist> no, the password is for the certificate itself. In order to start OpenVPN, that password needs to be used to unlock the ssl certificate key. 08:23 < ecrist> has nothing to do with OpenVPN 08:24 < onats> i understand..i'll try that 08:25 < onats> but for the server key, which i will probably put in my router, i guess its not advisable to put a password right? 08:26 < ecrist> it's advisable - you'd have to be around to start the OpenVPN process so you could unlock the key, however. 08:26 < ecrist> as such, I usually don't password-protect my server key. 08:31 < onats> ok.. left the server key without password.
08:31 < onats> i'm getting an unable to write random state
08:40 -!- hackman127 [n=hackman1@cable-30-182.sssnet.com] has left ##openvpn ["Leaving"]
09:04 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
09:10 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit []
09:19 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
09:30 -!- netcrusher88 [i=netcrush@unaffiliated/netcrusher88] has quit [Read error: 104 (Connection reset by peer)]
09:39 -!- wacky_ [n=abourget@mtl.savoirfairelinux.net] has joined ##openvpn
09:40 < wacky_> My VPN is *always* restarting (I've put a keepalive on the server side).. at each minute, it receives a SIGUSR1.. and it restarts everything..
09:41 < wacky_> I thought the keepalive checked if the connection was alive.. but it seems not?!
09:41 < ecrist> SIGUSR1 leads me to believe you have something restarting it.
09:43 < wacky_> yes.. it's the "ping" and "ping-restart" options..
09:44 < wacky_> (that are implied with "keep-alive")
09:45 < wacky_> what do you use to keep the tunnel open ??
10:00 -!- Xen^ [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
10:08 < ecrist> wacky_: you using tun or tap?
10:08 < ecrist> udp or tcp?
10:17 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit [Connection timed out]
10:18 < wacky_> using TCP, and tun
10:20 -!- Xen^ [n=linux@unaffiliated/lnux/x-10290] has quit [Connection timed out]
10:21 < wacky_> ecrist: what would you suggest ?
10:31 < ecrist> wacky_: tun with udp
10:31 < ecrist> !tcp
10:31 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
10:32 < wacky_> ok thanks :)
10:32 -!- Uranellus [n=Uranellu@unaffiliated/uranellus] has joined ##openvpn
10:33 < Uranellus> hello, is it possible to register the clients fqdn on the server on connect .. so I could ping them by that?
10:36 -!- gongoputch [n=kseel@74.95.184.161] has quit [Remote closed the connection]
11:06 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
11:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:18 < nDuff> Uranellus, sure it's possible.
11:18 < nDuff> Uranellus, I posted a script to do that to the mailing list years ago.
11:18 -!- redondos [n=redondos@unaffiliated/redondos] has joined ##openvpn
11:19 < nDuff> Uranellus, ...about three years ago, it looks like; see http://openvpn.net/archive/openvpn-users/2005-08/msg00146.html
11:19 < Uranellus> nDuff: ok, thanks
11:19 < vpnHelper> Title: [Openvpn-users] DNS update script, revisited (at openvpn.net)
11:21 < redondos> hi. with version 2.0.9 and a server configured with "server 10.4.0.0 255.255.255.0", the server ends up with 10.4.0.1 but the tunnel on the clients is peered with 10.4.0.5. what could be wrong on my configuration?
11:21 < nDuff> redondos, that's not a bug, it's normal behavior; read the FAQ.
11:21 < redondos> thanks, nDuff
11:21 < nDuff> redondos, if you're using OpenVPN 2.1 on both sides or have no Windows clients, it can be disabled.
11:22 < redondos> I have no windows clients. hopefully the FAQ will enlighten me.
11:23 < ecrist> !/30
11:23 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
11:23 < nDuff> or to avoid it using --ifconfig-pool-linear with a non-beta release.
11:25 < redondos> it's perfectly clear in the FAQ. thanks guys.
11:26 < redondos> (funny that even when you're not using windows, it can inflict some pain on you ;) )
11:26 < Uranellus> nDuff: thanks for the link .
11:26 < Uranellus> :)
11:27 < ecrist> nDuff: you should wiki-fy that...
11:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:39 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
11:48 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
12:01 -!- jaysonsantos [n=Jayson@189.56.47.68] has joined ##openvpn
12:01 < jaysonsantos> Hello people, I'm receiving 'CRL has expired' when i try to revoke a certificate, how can I remake this crl file ?
12:02 -!- redondos [n=redondos@unaffiliated/redondos] has left ##openvpn []
12:04 < ecrist> the CRL is created when you revoke a certificate.
12:05 < jaysonsantos> ecrist> I have tried to remove that file but when i try to revoke, script say 'File not found'
12:06 < ecrist> sounds like your script is screwed up.
12:07 < jaysonsantos> ecrist> Strange, i'm using /usr/share/doc/openvpn/examples/easy-rsa/2.0/revoke-full in ubuntu
12:08 < ecrist> well, an existing CRL isn't required to revoke a certificate.
12:08 < ecrist> however, you need to keep track of that so certificates you've revoked stay that way.
12:09 < jaysonsantos> ecrist: Check out this please, http://pastebin.com/m63754eef
12:09 * ecrist loks
12:09 < ecrist> looks
12:10 < ecrist> jaysonsantos: perhaps you should read those errors.
12:10 < ecrist> have you looked at line 282 of your openssl.cnf?
12:11 < jaysonsantos> Yes, MODULE_PATH = $ENV::PKCS11_MODULE_PATH
12:11 < ecrist> meh, easy-rsa isn't.
12:11 < jaysonsantos> That variable does not exist in $ENV
12:11 < ecrist> well, that's why you're getting the error.
12:11 < ecrist> there's some script you have to run first, to set all the env vars, did you do that?
12:11 < jaysonsantos> ecrist: yes, I did
12:12 < jaysonsantos> Do I need use pkcs11_section ?
12:12 < jaysonsantos> to use*
12:13 < ecrist> no idea, I hate the easy-rsa scripts, so I stopped using them.
12:13 < ecrist> I can't/won't support them, someone else here, might, though.
12:14 < jaysonsantos> ecrist, How can I revoke without that ?
12:15 < jaysonsantos> ecrist, The matter is my ca.key has been overwritten.
12:17 < ecrist> jaysonsantos: if you have no ca.key, you need to start over.
12:18 < jaysonsantos> I have replaced with original version
12:18 < jaysonsantos> ecrist, Thank you
12:22 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
12:23 < bronson> !menu
12:23 < vpnHelper> bronson: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom, !push-reset, !def1
12:37 < ecrist> how goes today, bronson?
12:46 < bronson> ecrist, It goes. Too much lame stuff to do, never enough time for the good stuff.
12:53 -!- zamba [i=marius@sveigde.hih.no] has joined ##openvpn
12:54 < zamba> i want to route ALL my traffic through a openvpn tunnel.. i also want to route an official ip address towards the openvpn client that's situated on the inside of a NAT-ed network.. is this possible?
13:20 -!- jaysonsantos [n=Jayson@189.56.47.68] has quit ["Ex-Chat"]
13:25 < krzee> sure
13:25 < krzee> the routing all traffic, redirect-gateway def1
13:25 < krzee> the forcing a client to have its own external address, you nat rules on the openvpn server
13:25 < krzee> !def1
13:25 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:26 < krzee> !nat
13:26 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect
13:29 < zamba> well.. so far i've only set up the following:
13:29 < zamba> http://pastebin.com/m16bb0b5a
13:30 < zamba> but i'm not able to ping the other end of the tunnel from either end
13:31 < zamba> looks like the traffic only gets moved one way
13:31 < disco-> zamba: The ifconfig IPs should be reversed on client and server
13:31 < zamba> http://pastebin.com/m250158f8
13:31 < zamba> disco-: it is, isn't it?
13:32 < disco-> sorry, you're right, misread it
13:32 < disco-> add in "verb 4" to the client config and see what it tells you
13:34 < zamba> oh, there it worked.. all of a sudden
13:34 < zamba> cool, cool
13:34 < zamba> had to restart the server as well
13:48 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
14:22 < disco-> ecrist: I followed what you told me to do last night, set up a proper PKI, now I'm trying to route all traffic over the link (that works, pings from both ends) and it won't work
14:22 < disco-> http://pastebin.com/m68d752c9
14:23 < disco-> Also, the client-side connection doesn't have a default gateway assigned, could this cause a problem?
14:46 < ecrist> yes, it would cause a problem.
14:47 < ecrist> I don't remember what I told you last night. Jack Daniels and I were hanging out.
14:47 < disco-> heh
14:47 < disco-> basically you told me to scrap the method i was using with a static key and do it properly
14:47 < disco-> so that's what I did
14:48 < ecrist> ah, good call.
14:48 < ecrist> krzee is aware of my mental state last night ;)
14:48 < disco-> although I've *never* been able to get a default gateway showing on the openvpn interface, over the last 4 days worth of configs and fiddling
14:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:51 < disco-> could I go about "forcing" a gateway then? as it doesn't seem to want to set it on its own
14:53 < ecrist> OpenVPN client should properly set the default gateway.
14:54 < disco-> could you take a quick look at my client config? It hasn't ever set a default gateway for me, over a ton of different configs both client and server side
14:55 < ecrist> that's done in the server config, not client config.
14:55 < disco-> right
14:55 < disco-> everything is here: http://pastebin.com/m68d752c9
14:56 < disco-> also I've got a ccd file that contains "ifconfig-push 10.8.1.2 10.8.1.1", because with the win32 adaptor there were some probs with DHCP, as have been noted on the mailing lists
15:17 < krzie> looks to me like that traceroute is working as it ahouls
15:17 < krzie> should
15:17 < krzie> until you setup NAT on 10.8.1.1
15:18 < disco-> I thought NAT was only needed for inbound connections, into the server and onto the client if you see what I mean
15:18 < krzie> if you are talking about port forwarding
15:19 < krzie> but for a client to talk to the internet through the server, the server needs to NAT the openvpn client's ip
15:19 < disco-> ah right
15:19 < disco-> so I've had it working all this time, just no NAT >.<
15:19 < disco-> !nat
15:19 < vpnHelper> disco-: "nat" is http://openvpn.net/howto.html#redirect
15:20 < krzie> otherwise what happens is this:
15:21 < krzie> you try to reach 160.79.128.22 through vpn, server sends your packets (which came from 10.8.1.x) to its router
15:22 < disco-> and then they can't get back to the VPN?
15:22 < krzie> who says "why you sending me packets from 10.8.1.x? i dunno what to do with it"
15:22 < disco-> that makes sense :)
15:22 < krzie> it cant even send a response saying so because it doesnt even have a route to 10.8.1.x
15:22 < disco-> yeah
15:22 < krzie> so you see a response from 10.8.1.1 and nothing else
15:23 < disco-> So looks like I need to do "iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth1 -j MASQUERADE"
15:23 < disco-> you use the physical adaptor right, not the tun interface?
15:30 < krzie> dunno
15:30 < krzie> i havnt used nat in yrs
15:30 < krzie> but it tells you in that !nat link
15:30 < disco-> yep
15:31 < disco-> looks like i need to recompile for iptables nat support, will have to wait until later :[
15:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:32 < zamba> krzie: my setup is a bit different.. i'm only using one client and that's a router situated in my local network
15:32 < zamba> krzie: so i basically just think it's a routing issue
15:32 < zamba> krzie: instead of the redirect-gateway stuff
15:33 < zamba> the router is running masquerading (NAT), so i think i just have to alter this to masquerade through that interface instead
15:45 < krzie> the client or server is the router for its network?
15:46 < krzie> and are they on different networks?
15:48 < zamba> the client
15:48 < zamba> yeah
15:48 < zamba> the server is on a public ip
15:48 < zamba> the client is behind nat
15:48 < zamba> on a wireless network
15:48 < krzie> well it doesnt matter that theres only 1 client
15:48 < krzie> your server needs to run nat
15:48 < zamba> server as in openvpn server?
15:49 < krzie> if you want to direct inet traffic through it, yes
15:49 < zamba> or server as in the router at the local network?
15:49 < zamba> ah, i see
15:49 < zamba> of course
15:50 < zamba> but i don't want several levels of nat...
15:50 < zamba> i have to make a drawing of this
15:50 < zamba> one sec
15:50 < krzie> well
15:50 < krzie> it will be a single nat since openvpn server is on public ip
15:51 < krzie> the tunnel will go over a nat as well, but that is transparent because once you are using the tunnel you dont see that anymore
15:51 < krzie> then on the other side of the tunnel you need to nat out to the inet
15:51 < zamba> nah, can't draw :)
15:52 < zamba> yeah, so basically all my clients at my side of the openvpn tunnel will get dhcp from the server at the "public" end?
15:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
15:52 < zamba> or.. they don't have to..
15:52 < krzie> huh?
15:52 < zamba> nevermind that
15:52 < zamba> i'm just trying to get this clear in my head
15:53 < krzie> your client connects to the server and get a vpn ip
15:53 < zamba> yeah, i've statically assigned that
15:53 < zamba> those*
15:53 < zamba> i think i've got it now
15:53 -!- Uranellus [n=Uranellu@unaffiliated/uranellus] has left ##openvpn []
15:54 < krzie> once it has the vpn ip, there must be NAT to reach the inet through the server
15:54 < krzie> think if your router gave you a 192.168.x.x ip but did not do nat
15:55 < krzie> thats whats going on
15:55 < krzie> because openvpn will give you an ip, but it will do not nat for you
15:55 < krzie> will not do nat
16:00 < zamba> well, so far i've added the local network at my "public" server
16:01 < krzie> huh?
16:01 < zamba> route add -net netmask 255.255.255.0 gw dev tun0
16:01 < zamba> that way the public server can "reach" the internal network
16:02 < zamba> hm.. damn.. i think i really need to draw this
16:02 < zamba> because i'm not really making myself clear :p
16:02 < krzie> well you didnt say where you added that
16:02 < zamba> on the openvpn server
16:03 < krzie> if its one of the openvpn ends it should be added via openvpn
16:03 < krzie> !route
16:03 < vpnHelper> krzie: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
16:03 < zamba> yeah.. i know.. but for testing purposes i'm adding it manually
16:04 < krzie> may or may not work that way for a reason mentioned in my writeup
16:04 < krzie> i know it wouldnt if you had 2
16:04 < krzie> not sure about when you only have 1
16:04 < krzie> either way, that is NOT your problem
16:04 < krzie> i told you your problem
16:05 < krzie> you need nat if you wanna redirect inet traffic through your server
16:05 < krzie> theres no ifs ands or buts about that
16:05 < zamba> sure, i want to use nat as well
16:05 < zamba> no problem with that
16:06 < krzie> then whats the problem now?
16:06 < zamba> putting this all together
16:07 < zamba> i'll try to explain once more how my setup is.. i have a wrt54gl running openwrt that's connected to my neighbour in client mode.. this is not very relevant, but here is where i set up my openvpn client..
16:08 < zamba> i want to accomplish that ALL the traffic from my own network (attached at the back of that router) to go through the openvpn tunnel (for security reasons) to my server situated on a public ip..
16:14 < krzie> k, wheres the problem tho?
16:14 < krzie> only thing non-standard is that you need redirect-gateway def1 and nat on the server
16:14 < krzie> only thing non-standard is that you need push "redirect-gateway def1" in server config and nat on the server
16:15 < krzie> everything else is way standard
16:16 < krzie> if you want server to be able to communicate with machines in the lan you can add an iroute (which you would know if you read my writeup i linked you to)
16:16 < krzie> go read it
16:16 < krzie> !route
16:16 < vpnHelper> krzie: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
16:16 < krzie> that explains push, ccd, route, iroute
16:25 < zamba> hm.. just one question, though.. the local clients in my network.. should they have my wrt54gl set as their gw or the other end of the tunnel?
16:25 < zamba> if they have my wrt54gl, then this will be double nat for the local clients, right?
16:25 < krzie> they dont change a thing
16:25 < zamba> yeah, exactly, so it'll be double nat?
16:25 < krzie> *shrug*
16:26 < krzie> yes and no
16:26 < krzie> the tunnel goes over a nat
16:26 < krzie> and other side of the tunnel nats
16:26 < zamba> yeah, but you said i had to do nat at the server side as well
16:26 < zamba> so that'll be two nats, right?
16:26 < krzie> but when the data flows over the tunnel it only gets natted on the other side of the tunnel
16:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:26 < krzie> so there are 2 nats involved
16:27 < krzie> but not how you are thinking
16:27 < krzie> you arent natting a nat, you are natting traffic that flowed over the tunnel
16:27 < zamba> so the first nat will not be used, in effect?
16:27 < zamba> if that's possible to say :)
16:27 < krzie> basically right
16:27 < zamba> it's basically discarded
16:27 < zamba> yeah, ok.. then i follow
16:27 < zamba> i think..
16:28 < krzie> it doesnt matter if you follow or not
16:28 < krzie> do what i said and it'll work
16:30 -!- oscarh [i=oscarh@65-110-43-110.static.sagonet.net] has quit [Read error: 111 (Connection refused)]
16:30 < zamba> sorry, man, i'm still not following here..... :)
16:31 < zamba> i can't wrap my head around this
16:33 < zamba> http://pastebin.com/m627bf2e9
16:33 < zamba> there's the routing tables for both the server and the client
16:34 -!- Quentar [n=vacek@n153.dkm.cz] has joined ##openvpn
16:34 < krzie> only thing non-standard is that you need push "redirect-gateway def1"
16:34 < krzie> in server config and nat on the server
16:34 < krzie> that is all
16:34 < krzie> just do it
16:34 < zamba> and i want all traffic originating from 192.168.30.0/24 to flow over the openvpn tunnel and out on the internet from there, just as traffic from 192.168.8.0/24 and 192.168.9.0/24 does on the server
16:35 < krzie> and read !route
16:35 < krzie> no more help til you read that
16:35 < krzie> =]
16:35 < zamba> !route
16:35 < vpnHelper> zamba: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
16:35 < zamba> yeah, i've already read that.. and that didn't tell me much, i have to admit :D
16:36 < zamba> ok, some of it i understood, but not how it relates to me and my setup
16:36 < krzie> go setup your NAT on the server
16:36 < zamba> already set up
16:36 < krzie> it nats 10.8 ips to inet?
16:37 < zamba> 0 0 MASQUERADE all -- * eth0 10.8.0.2 0.0.0.0/0
16:37 < krzie> setup an iroute in the clients ccd/
16:37 < zamba> but that's just traffic from -one- ip, but i guess that's what we want here
16:38 -!- Quentar [n=vacek@n153.dkm.cz] has left ##openvpn []
16:38 < zamba> i have to set up ccd stuff, then
16:40 < krzie> well im guessing
16:40 < krzie> !logs
16:40 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
16:40 < krzie> would help
16:40 < krzie> and before you say your router isnt logging...
16:40 < krzie> !router
16:40 < vpnHelper> krzie: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
16:40 < zamba> hm, but since i'm only using one client, do i need ccd stuff then?
16:40 < zamba> can't i just add everything into the server configuration?
16:41 < krzie> iroute is so the server knows which client has the network behind it
16:42 < zamba> the network here being 192.168.30.0/24?
16:44 < zamba> god damn.. lots of other errors coming now
16:44 < zamba> Options error: --client-config-dir/--ccd-exclusive requires --mode server
16:44 < zamba> then adding mode server
16:45 < zamba> and then Options error: --mode server requires --tls-server
16:45 < krzie> !configs
16:45 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
16:45 < krzie> !sample
16:45 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:45 < krzie> basically my sample would work for you but youd need to add the redirect-gateway
16:46 < zamba> i'm using static key
16:47 < zamba> one sec, pastebin coming up
16:48 < zamba> http://pastebin.com/m3c21db0
16:48 < krzie> static key = suck
16:48 < zamba> well, it's easier to set up and understand, so i'll stick to that :p
16:48 < zamba> for now
16:48 < zamba> i don't get that certificate stuff
16:49 < krzie> well then goodluck to you
16:49 < zamba> and especially when using a certificate authority and all that
16:49 < zamba> but how come this won't work with static keys? i mean.. this has nothing to do with that stuff, or?
16:49 < zamba> this is just routing?
16:49 < krzie> dunno never used static keys
16:49 < krzie> i prefer security
16:49 < zamba> oh
16:50 < krzie> i'd rather learn the right way howto use something
16:52 < krzie> !security
16:52 < vpnHelper> krzie: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
16:52 < krzie> the second link gives an overview if you wanna understand how it works
16:53 < krzie> the howto will walk you through making certs
16:53 < krzie> !howto
16:53 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:53 < krzie> i made my first certs before i understood how it worked
16:56 < disco-> zamba: certs are really easy to do if you follow the howto, then you get the advantage of being able to use ccds and a bit more security too, only takes about 5-10 mins to do it
16:57 < zamba> ok, setting it up now
16:58 < zamba> A challenge password []:
16:58 < zamba> i entered nothing there
16:58 < zamba> is that safe enough?
16:58 < zamba> so to speak
17:07 < krzie> yes
17:10 < zamba> error upon error
17:13 < zamba> Sat Jan 1 01:17:49 2000 VERIFY ERROR: depth=1, error=certificate is not yet valid:
17:15 < zamba> oh
17:15 < zamba> time sync, i guess :)
17:15 < zamba> don't say it! :)
17:22 < zamba> gah
17:22 < zamba> well
17:22 < zamba> now i can't ping over the tunnel
17:22 < zamba> WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.8.0.1 10.8.0.2'
17:23 < krzie> remove both and use server
17:23 < krzie> read --server in the manual
17:26 < zamba> god damn
17:26 < zamba> i give up
17:28 < zamba> now i'm getting random ip addresses at each end
17:28 < zamba> on client: inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
17:28 < krzie> thats not random
17:28 < zamba> on server: inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
17:28 < krzie> that is correct
17:28 < krzie> !/30
17:28 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
17:29 < zamba> well, can't ping between them
17:29 < krzie> !configs
17:29 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
17:29 < krzie> and
17:29 < krzie> !logs
17:29 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
17:29 -!- _polto_ [n=polto@elphelut.fttp.xmission.com] has joined ##openvpn
17:29 < _polto_> hi all
17:30 < zamba> but i guess ipmasq is fucking up now
17:30 < krzie> hey _polto_
17:30 < krzie> zamba so fix it
17:31 < _polto_> I have a VPN between two servers, the internet connection goes down time to time.. How can I make the VPN come back when the internet is back ?
17:32 < zamba> krzie: nah, i'm giving up here.. i have an insane headache now, and i'm getting absolutely nowhere
17:32 < krzie> search through the manual for every instance of retry
17:32 < krzie> !manual
17:32 < vpnHelper> krzie: Error: "manual" is not a valid command.
17:32 < krzie> err
17:32 < krzie> !man
17:32 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
17:36 < zamba> krzie: ok, managed to figure out the stuff with ipmasq
17:36 < zamba> and i'm now pinging over the tunnel
17:37 < krzie> pinging inet or other side of tunnel?
17:37 < zamba> other side of tunnel
17:38 < zamba> i already have inet
17:38 < zamba> through my pre-existing gw
17:38 < krzie> inet through the tunnel with redirect-gateway is the goal right?
17:38 < _polto_> the manual has tons of "retry" , I do not see which one I need to make sure that the client will reconnect to the server. Could somebody help please ?
17:38 < krzie> sure 1sec
17:38 < zamba> krzie: yeah
17:38 < krzie> !sample
17:38 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
17:38 < zamba> krzie: at least inet through the tunnel is :p
17:38 < krzie> zamba does the server have redirect-gateway?
17:39 < zamba> krzie: nope
17:39 < zamba> i was thinking about taking this step-by-step
17:39 < krzie> !def1
17:39 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:39 < zamba> and that iroute stuff isn't working either, i think
17:39 < krzie> thats a good idea zamba
17:39 < zamba> ccd thingy
17:40 < krzie> _polto_ in client and server you want these:
17:40 < krzie> persist-key
17:40 < krzie> persist-tun
17:40 < krzie> in server you also want keepalive 10 120
17:40 < krzie> or keepalive x y
17:40 < krzie> your call on what the numbers are, manpage explains
17:41 < krzie> zamba what error are you getting?
17:43 < _polto_> krzie: thanks !
17:46 < krzie> yw =]
17:47 < zamba> krzie: no error, but i was under the impression that that iroute thingy would add a network on the server
17:47 < krzie> theres more options you may or may not want
17:47 < zamba> krzie: which it doesn't
17:47 < krzie> but those are the ones i use to make sure my clients reconnect
17:47 < krzie> add a network on the server?
17:48 < krzie> i take it you barely skimmed my writeup
17:48 < krzie> as it explains...
17:48 < krzie> !iroute
17:48 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
17:48 < zamba> ah, ok
17:49 < zamba> but in effect it's the same thing as adding it to the kernel's routing table?
17:49 < krzie> no
17:49 < krzie> dude
17:49 < krzie> read my writeup
17:49 < krzie> i hate reexplaining the same thing i took time to write up
17:49 < krzie> i could copy and paste from it and youd understand
17:49 < ecrist> krzie: glad you were able to make it back.
17:51 < zamba> krzie: ah! i need iroute in conjunction with route
17:52 < zamba> or.. eh
17:52 < krzie> heh thx
17:52 < krzie> +b ftl
17:53 < zamba> but my setup is the other way around
17:53 < ecrist> krzie: yeah, that was supposed to be +f. :\
17:53 < ecrist> Jack was doing my typing.
17:53 < krzie> is the network behind the client or the server?
17:53 < zamba> behind the client
17:53 < zamba> that's where my local clients are
17:54 < krzie> !route
17:54 < vpnHelper> krzie: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
17:54 * krzie makes a mumble about self signed cert and grins at ecrist
17:55 < _polto_> thanks krzie
17:55 < ecrist> grr
17:55 < _polto_> bye
17:55 < krzie> yw _polto_
17:55 < krzie> LOL ecrist
17:55 -!- _polto_ [n=polto@elphelut.fttp.xmission.com] has left ##openvpn ["Ex-Chat"]
17:56 < krzie> zamba, and the client machine is the router for its lan, right?
17:57 < zamba> krzie: yes
17:58 * ecrist goes away
17:58 < zamba> oh.. now i got the network up
17:59 < zamba> think i'm calling it a night :)
17:59 < zamba> krzie: same time and place tomorrow? ;)
18:00 < krzie> not likely
18:00 < krzie> but possible
18:01 < krzie> ecrist is likely to be around tomorrow, as well as others
18:01 < krzie> hes often on during the day, im more on at night
18:01 < krzie> (EST)
18:40 -!- dan__t [n=dant@cheyenne-69-16-140-5.phx2.puregig.net] has joined ##openvpn
18:40 < dan__t> Hello.
18:41 < dan__t> I'd like to go ahead and use OpenVPN to essentially bridge two networks with a PTP VPN. I'm just a bit confused on how routing would work between the two segments.
18:41 < nDuff> dan__t, if you're running in bridge (tap) mode, there isn't any routing
18:41 < dan__t> I don't think that the OpenVPN solution itself will have any problems with this setup, however, like I said, I'm concerned about the routing.
18:41 < nDuff> ...you're just running a long (virtual) ethernet cable between two places
18:42 < dan__t> Essentially yes.
18:42 < dan__t> I'm not too familiar with tap mode, only tun, I'll read up on tap a bit more.
18:42 < nDuff> right -- so bridge the tap device to the network on each side, and there you go. It's inefficient -- all broadcast traffic from either end will go through the VPN -- but it's also what you're asking for. :)
18:43 < dan__t> Hrm... suppose I can factor in VLANs?
18:43 < nDuff> how do you want to factor in VLANs? Only bridge a specific one? bridge a specific subset? have the VLAN tags travel over the VPN? 18:45 < dan__t> VLAN tags traveling across the tap interface would be ideal. 18:46 < dan__t> Well, "ideal" considering the situation. 18:47 < nDuff> if you've got your VPN servers on trunking ports, I'd expect that to work. 18:48 < nDuff> haven't done it personally, though. 18:49 < dan__t> Ok. 18:50 < dan__t> The idea is, I'd like OpenVPN to terminate against some Juniper gear. Assuming I can get them to both establish a secured connection, I can then use a bridged mode to bridge that tap0 interface with a separate ethernet interface on the machine. 18:51 < nDuff> sorry to run, but it's about time for me to head home for the day 18:52 < dan__t> Ahh, alright. I'll see what I can hack up. 19:01 < dan__t> Thanks for your help. 19:06 -!- onats is now known as Guest49567 19:41 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn 20:11 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit ["Leaving"] 20:50 -!- dan__t [n=dant@cheyenne-69-16-140-5.phx2.puregig.net] has quit [Read error: 110 (Connection timed out)] 21:49 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 21:58 -!- ploo [n=chad@c-75-70-148-29.hsd1.co.comcast.net] has joined ##openvpn 21:58 < ploo> anyone awake in here? :) 22:07 < onats> hello 23:02 -!- ploo [n=chad@c-75-70-148-29.hsd1.co.comcast.net] has left ##openvpn [] 23:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Tue Sep 23 2008 00:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:16 -!- Guest49567 [n=onats@unaffiliated/onats] has left ##openvpn [] 01:09 < onats> hello, i have just configured one of my routers to allow openvpn with certificates. 
if i setup another router as a client, will the machines behind that router be able to traverse/connect to the clients in the server side, assuming they are in different subnets? 01:09 < onats> what is the setup that i should configure for this to work? 02:04 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Remote closed the connection] 02:52 -!- paruchuri [n=qvantel@61.16.248.247] has quit ["Ex-Chat"] 03:05 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 03:33 -!- MatBoy [n=MatBoy@wiljewelwetenhe.xs4all.nl] has left ##openvpn [] 04:03 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 04:17 < nopcode> hey 04:18 < nopcode> how can i make openvpn listen on tcp and udp at the same time? 04:30 < TheSeer> start two processes 04:37 -!- gngkai [n=marco@ip-45-99.sn3.eutelia.it] has joined ##openvpn 04:37 < gngkai> hi 04:38 < gngkai> about revoking certificate 04:39 < gngkai> I know how to revoke a certificate and put crl.pem under a dir where openvpn can access 04:39 < gngkai> my question is: 04:39 < gngkai> what about when you have to revoke other certificates? 04:40 < gngkai> have I to overwrite crl.pem? 
04:40 < nopcode> TheSeer: hm 05:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:35 -!- gngkai [n=marco@ip-45-99.sn3.eutelia.it] has quit ["Leaving"] 07:16 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 110 (Connection timed out)] --- Log closed Tue Sep 23 07:27:44 2008 --- Log opened Tue Sep 23 07:48:35 2008 07:48 -!- ecrist [n=ecrist@chunk.secure-computing.net] has joined ##openvpn 07:48 -!- Irssi: ##openvpn: Total of 34 nicks [0 ops, 0 halfops, 0 voices, 34 normal] 07:48 -!- Irssi: Join to ##openvpn was synced in 3 secs 07:52 < ecrist> well, I'm slightly relieved I'm back at work, but only slightly 08:17 -!- TheSeer [n=theseer@border.office.nonfood.de] has left ##openvpn ["Client exiting"] 09:08 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn 09:26 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 09:27 < onats> is there any plan to put in openvpn on mac? 09:27 < onats> i mean on iphone? 09:35 < ecrist> that may be tough, with apple's strict control over things. 09:35 < ecrist> the problem is that openvpn creates virtual network devices 10:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:39 < jeev> jesus christ 10:39 < jeev> my friend calls me when he's bored at home 10:39 < jeev> and says come out, lets go to the store 10:39 < jeev> (our store) 10:40 < jeev> like wtf, go do your job, why are you bothering me 10:48 < nDuff> onats, you probably *can* run it. 10:48 < nDuff> onats, jailbreak your phone, install a compiler and headers, ssh in and try. 10:49 < nDuff> onats, as an App Store app, though, as ecrist says, no chance. 11:14 -!- onre [i=esp@static.fi] has joined ##openvpn 11:15 < onre> hi, folks. 11:15 < onre> any idea why openvpn connection between solaris and netbsd would work so that it has exactly 50% packet loss? it works for roughly 120 seconds, then it dies for 120 seconds 11:18 < cpm> someone in the noc being funny at the patchbay? 
11:19 < onre> i like that idea 11:21 < onre> i am not getting anything in the logs, and i just ran the connection from an os x host for hours and it worked fine 11:21 < onre> (to be exact, the only reason for doing this with solaris is the fact that macbook pro keyboard doesn't have an "insert" key, which i need to use in a certain task involving a java remote console app :) 11:32 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:33 < onre> oh. i just figured it out... 11:33 < onre> PEBKAC :) 11:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:41 < nopcode> re 11:53 -!- xattack [i=xattack@132.248.108.233] has joined ##openvpn 12:05 < ecrist> IP conflict, I'm guessing 12:06 < onre> well, turns out i never actually killed the vpn client on osx :) 12:06 < onre> and had 1:1 same config on both 12:06 < onre> so you're right 12:25 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 12:32 -!- Dougy[Work] [n=doug@64.18.159.247] has quit [] 12:37 < ecrist> :) 12:47 -!- grand_grunt [n=remi@ALyon-259-1-112-254.w80-9.abo.wanadoo.fr] has joined ##openvpn 12:47 * ecrist bows to the Grand Grunt 12:49 < grand_grunt> Erf :) 12:53 < grand_grunt> Is it possible to improve key length with openvpn? I mean, something like "openvpn --keygen --secret=.. --length=512bits"? 12:54 < grand_grunt> (that's less than the default 2048, nothing but an example). 12:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 13:00 < ecrist> sure, why not? 13:00 < ecrist> oh, hrm, wait, I think I misunderstood. 13:00 < ecrist> is it covered in the FAQ? 13:03 < grand_grunt> Yes, it is (I should have read it..). 13:04 < grand_grunt> The FAQ mentions the shared key length, saying many bits are useless, but not a way to change the number of bits to use. 13:05 < grand_grunt> It uses only 128 bits for encryption, so bad. 13:06 < ecrist> that's not true. 
13:07 < ecrist> it uses your SSL certificates for the transactions, which can have whatever length you want. 13:07 < ecrist> also, the OpenVPN key rotates every hour, for each connection. 13:07 < grand_grunt> I wanted to use the shared key. 13:07 < ecrist> ick 13:08 < grand_grunt> Even if I would use SSL certificates, it seems not possible to change the session key, or to make it rotate more often. 13:08 < ecrist> imho, if you're going to do that, setup IPSec 13:08 < ecrist> grand_grunt: why do you need to? 13:09 < grand_grunt> ecrist: No need at all ^^ I just wondered. 13:10 < grand_grunt> The final appliance, will be to browse and read my home files with my laptop, through the Internet. A more than 128 bit key is useless. 13:11 < grand_grunt> But I have seen that many software, using encryption, didn't give the option to get very very strong keys, and wanted to know if it was because a very few people asked for it, or because it is not possible. 13:12 < grand_grunt> The exact question is "Do I need to change the code, or is there a --parano option?" 13:12 < ecrist> it's possible, at least from the programming aspect. It's not needed/feasible. 13:25 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:46 -!- xattack [i=xattack@132.248.108.233] has quit [] 14:24 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn 14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:14 -!- grand_grunt [n=remi@ALyon-259-1-112-254.w80-9.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)] 16:06 < ecrist> wtf 16:09 < ecrist> 16:11 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:22 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:03 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit ["Leaving"] 18:11 * jeev pumped up the jam 18:28 -!- highvoltz [i=rogers@bling.bling.org] has joined ##openvpn 18:28 < highvoltz> Is it possible to use openvpn client to connect to microsoft SSTP server? 
19:59 < SilenceGold> no 20:52 < ecrist> no 23:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:11 < jeev> hi KRZeE 23:18 < krzee> heyyy 23:18 < krzee> hows it goin 23:20 < jeev> gewd 23:20 < jeev> what you up to 23:23 < krzee> nothin just got home gunno watch a movie or somethin 23:33 < jeev> heh --- Day changed Wed Sep 24 2008 00:32 -!- jack|ass [n=jack@c-67-189-104-112.hsd1.or.comcast.net] has joined ##openvpn 00:33 < jack|ass> what does "TLS Error: reading acknowledgement record from packet" suggest is misconfigured? 01:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 01:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:19 -!- int [n=quassel@wikia/int] has joined ##openvpn 05:14 < int> hello! i wonder if windows gui using managment interface exist? it seems that pre-packaged gui doesn't use managment interface 05:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:24 < krzee> i dont believe so 05:54 < cpm> Please don't post more than 5 lines to the channel. ? 05:54 < cpm> This is line 1 05:54 < cpm> This is line 2 05:54 < cpm> This is line 3 05:54 < cpm> This is line 4 05:54 < cpm> And This, -my children- is line 5 05:54 < cpm> So, that's all I can post I guess. 07:20 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 07:20 < kexman> helloo 07:20 < kexman> what mtu/mru do i need to set for openvpn to work properly ? 07:21 < kexman> or what is the mtu at which it operates ? 07:23 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 07:28 < cpm> equal to or lower than the lowest MTU in the chain. mpath *should* 'just work'. 07:30 < kexman> huhh ? :) 07:30 < kexman> cpm: i have no idea :) 07:30 < kexman> what chain ? 
07:30 -!- highvoltz [i=rogers@bling.bling.org] has quit [] 07:32 < kexman> vpn Link encap:Ethernet HWaddr 00:FF:22:96:AD:23 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 07:32 < kexman> that is on the server 07:32 < kexman> tap0 Link encap:Ethernet HWaddr 00:ff:73:c5:e1:87 inet addr:192.168.5.111 Bcast:192.168.5.255 Mask:255.255.255.0 07:32 < kexman> this is on the client 07:45 < cpm> are you having mtu problems? 08:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:21 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: SilenceGold, disco-, mcp, Typone 08:22 -!- Netsplit over, joins: disco-, mcp 08:22 -!- Netsplit over, joins: SilenceGold, Typone 08:23 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 08:32 < ecrist> cpm: I fixed the entry message. 08:38 < cpm> what about the exit message 08:38 < cpm> ? 08:38 < cpm> ah, okay. 08:38 < cpm> the post/paste thing. I was just being a smart-ass 08:38 < cpm> I guess I could have fixed it myself. I was just, , well. 08:46 < ecrist> :) 09:04 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn 09:13 < AukeF> Hi! Some It seems that the environments of the ipchange-scripts is slightly different from versions 2.0.9 to 2.1rc9. (specifically, the tap/tun device used for the connection ('dev') isn't available. Does anyone know if this is expected behaviour? I didnt find anything in the changelog 09:27 < AukeF> It is a bit weird, as according to the manual page the variable is only available from -up and -down scripts. The point is that our situation uses the 'dev' variable from the ipchange-script, so if it is going away in the next version of openvpn it'd be great to know so we can adapt our systems. 09:50 -!- snejk [n=snejk@f213-89-26-212.bredband.comhem.se] has joined ##openvpn 09:52 < snejk> hi I have a problem with DNS and OpenVPN. 
I'm using push "dhcp-option DNS 10.8.0.1", it works ok but only in windows apps like cmd>nslookup, when using Firefox it cannot resolve anything 09:52 < snejk> any ideas 09:52 < snejk> ? 09:58 -!- SilenceGold [n=chris@70.232.107.190] has quit [Connection timed out] 10:23 -!- snejk [n=snejk@f213-89-26-212.bredband.comhem.se] has quit ["Leaving"] 11:09 -!- dr_dex [n=robin@62.101.205.56] has joined ##openvpn 11:12 < dr_dex> I have some machines hidden behind a nat router (ipcop 1.4.x). I have an external server somewhere. How can I make some of the traffic from my local machines seem like it is originating from the external server (that is, let the external server act as a proxy, but not just for http)? 11:28 < ecrist> dr_dex: you need to setup nat on that machine and configure proper routing. 11:40 < dr_dex> ecrist: do you have an example/howto that shows something like this? 11:41 < dr_dex> ecrist: it's been a while since I've done this - do you have some pointers? 11:41 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 11:42 < ecrist> dr_dex: no. It's standard routing. route traffic to the host you want to 'appear as' and nat outbound from there. 11:42 < ecrist> simple to do with FreeBSD and pf, but I'm not sure about linux/windows/etc. 11:44 < dr_dex> ecrist: okay, so basically, if I want all my traffic from my internal network machines to masquerade as the external server, I setup a rule on the internal nat router that traps all traffic to the destination and sends it to the external proxy machine - and there I setup an outbound nat for all traffic that comes from my internal nat router (its public address) - do I have it right? 11:51 < ecrist> yep 11:51 < dr_dex> ecrist: are you any good with iptables? 11:52 < dr_dex> ecrist: haven't fiddled with it in lots of years 11:54 < ecrist> dr_dex: I thought I was clear above that I'm not good with iptables. 11:54 < dr_dex> ecrist: okay, thanks a lot for the suggestions! 
I'll go and RTFM some now ;) 11:55 < ecrist> ty 11:56 -!- wacky_ [n=abourget@mtl.savoirfairelinux.net] has left ##openvpn [] 12:19 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:59 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:00 -!- dr_dex [n=robin@62.101.205.56] has left ##openvpn [] 13:41 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has quit [Remote closed the connection] 13:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 13:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 13:58 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has joined ##openvpn 14:22 -!- rubydiamond [n=rubydiam@123.236.177.211] has joined ##openvpn 14:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:46 -!- ZaVoid [n=zavoid@75.147.121.177] has joined ##openvpn 15:53 -!- rubydiamond [n=rubydiam@123.236.177.211] has quit [Read error: 110 (Connection timed out)] 15:56 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn 16:00 < ChUbB> hi can someone tell me what's going wrong here http://tchubb.co.uk/pictures/openvpn-error.bmp 16:00 < nDuff> ChUbB, could you paste the text of an error into a pastebin? 16:01 < nDuff> s/an error/the error/ 16:01 < nDuff> ChUbB, us UNIXy types aren't big on screenshots. :P 16:01 < ChUbB> sorry it was easy that xp machine is a vm machine 16:04 < nDuff> hmm; it doesn't ring an immediate bell. 16:04 < nDuff> what verbosity level are you on? 16:05 < ChUbB> 3 16:06 < nDuff> does 4 add anything new between the initial packet and the timeout? 16:18 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 16:18 < Dougy> hey ya'll 16:20 < ChUbB> hi 16:21 < Dougy> sup 16:30 < ZaVoid> hey anyone got any idea what would cause my push routes to basically fail 16:30 < ZaVoid> i made a change to a push in my .conf file.. it didn't work.. reverted back to original. 
and now i can't reach anything 16:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:40 < nDuff> ZaVoid, that's way too vague of a question to be able to give an answer. What do you mean, "can't reach anything"? Is your whole system's Internet down, or just the VPN? What does the routing table look like? What do your config files look like? Etc. 16:42 < ZaVoid> vpn still connects 16:42 < ZaVoid> dns resolves etc etc 16:43 < ZaVoid> but i can't actually reach any server on the IP's that the vpn should route to 16:43 < ZaVoid> the only change was removing a line like this: push "route 10.120.0.0 255.255.255.0" 16:43 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has joined ##openvpn 16:44 < nDuff> how's your route getting set up now? 16:44 < nDuff> (I take it 10.120.0.0/24 is what's on the other side of the VPN?) 16:44 < nDuff> ...because yar, if you aren't pushing it from the server, you'll need to set it on the client 16:45 < nDuff> s/other side/server side/ 16:45 -!- mkay [n=mkay@gentoo/user/mkay] has joined ##openvpn 16:45 < ZaVoid> yeah its pushed on the company.conf file 16:45 < mkay> hi 16:45 < ZaVoid> other side of vpn yeah.. 16:46 < ZaVoid> and we took out the offending push line and restored our config file 16:46 < ZaVoid> and its still not working 16:46 < nDuff> ZaVoid, erm, *pushed*? On the client side, it shouldn't be pushed, just a raw route statement 16:46 < ZaVoid> through various restarts of the service it worked once 16:46 < ZaVoid> the push line is in the company.conf file 16:46 < ZaVoid> in /etc/openvpn 16:46 < nDuff> "company.conf" doesn't tell me anything at all 16:46 < nDuff> is that client or server? 16:46 < mkay> i've got a question. how can i automatically execute my script after openvpn establishes a connection (and after the connection is lost)? 16:46 < ZaVoid> the file is on the openvpn server in /etc/openvpn 16:47 < ZaVoid> does that make more sense? 
16:47 < nDuff> mkay, see up and down directives in http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html#lbAP 16:47 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 16:48 < mkay> nDuff: thanks;) 16:48 < ZaVoid> its really strange nduff 16:48 < nDuff> ZaVoid, okay. If you remove the push command from the server, you'll need to have the route command in the client, presuming (of course) that's even the right route to begin with, which I don't know (as you haven't described your network topology). 16:49 < ZaVoid> nono let me rephrase 16:49 < ZaVoid> one of my guys added a NEW PUSH command today 16:49 < ZaVoid> it for whatever reason broke the config 16:49 < ZaVoid> so i pulled it out and returned to our old .conf file that worked fine 16:49 < ZaVoid> now i can't reach any servers even though the vpn connects fine the and .conf is back to its original state 16:49 < nDuff> okay, that's helpful. What does the routing table on a connected client look like? 16:50 < ZaVoid> i see the routes on my route -print on the windows client 16:50 < ZaVoid> can't ping or trace to servers on the other side of the vpn though 16:50 < nDuff> openvpn also has --show-net; it'd be helpful if you pastebinned its output 16:50 < ZaVoid> ok so /etc/init.d/openvpn --show-net ? 16:50 < nDuff> "I see the routes" doesn't tell if there's anything else in the routing table that's coming before them, for instance. 16:51 < nDuff> no, openvpn --show-net *on the windows side*. 16:51 < ZaVoid> oh sorry 16:52 < ZaVoid> hmm thats kinda a badly formated output in the cmd window 16:53 < nDuff> so redirect to a file and pastebin the file. 16:53 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has quit [] 16:56 < nDuff> I'm going home soon, so let me just mention the next several debugging steps: 16:56 < ZaVoid> ok thanks 16:57 < nDuff> see if packets from the client are showing up on the server's tun interface using a tool such as tcpdump. 
16:57 < mkay> nDuff: hmm - can i simply add 'up command' to my client-config file? 16:58 < nDuff> mkay, no, these are global settings, not client-specific ones. 16:58 < nDuff> mkay, if you want to run a script when individual clients connect/disconnect, use the learn-address hook. 16:59 < mkay> nDuff: i want to execute the script on the client-side. i mean on the computer which connects as client 16:59 < nDuff> mkay, the server can't specify that, for should-be-obvious security reasons. 16:59 < nDuff> mkay, ...oh, when you say client-config, I've been assuming you mean client-config-dir, do you? 16:59 < mkay> nDuff: sure, but i want to specify that in client conf;) 17:00 < nDuff> mkay, oh; "client-config file" sounds a lot like a file you'd put in a client-config-dir, and that's something on the server. 17:00 < mkay> yep - i mean config file on client's system 17:00 < nDuff> mkay, gotcha. the only thing I'd be worried about there is arguments 17:00 < mkay> small misunderstanding;) 17:00 < nDuff> mkay, if your command doesn't take any, it should be fine 17:00 < nDuff> mkay, ...otherwise, I'd go with writing a script. 17:01 < nDuff> s/doesn't take any/takes the same arguments as the up script itself, as specified in the man page/ 17:02 < mkay> nDuff: i don't care about arguments in my script. i'll simply ignore them. however, i've added "up 'touch /tmp/asdfg'" to my config (just for test) and the file was not created;/ 17:03 < nDuff> /tmp/asdfg is an argument 17:03 < nDuff> can't do that. use a script. 17:04 < mkay> nDuff: there's an example in the link you gave me: openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 --up 'echo up' --down 'echo down' --persist-tun --up-restart 17:04 < mkay> with argument;) 17:04 < nDuff> *shrug*. 17:04 * nDuff hasn't used OpenVPN for years. 
17:05 < mkay> hehe;] 17:06 < Dougy> i want to use openvpn 17:06 < Dougy> nowhere to host 17:07 < Dougy> jeev, sup 17:07 -!- ZaVoid [n=zavoid@75.147.121.177] has quit [] 17:27 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has joined ##openvpn 17:43 < Wyk3d> if i'm connecting with the openvpn gui to an openvpn daemon in the current LAN, how can I check if it's working ? it says connected and i local area connection 6 gets the right IP address but everything else seems the same 17:57 < ChUbB> whats does TLS handshake failed mean ...... 18:00 < Dougy> google it ChUbB 18:01 < ChUbB> just doing that lol 18:01 < Dougy> ChUbB: TLS Error: TLS key negotiation failed to occur 18:01 < Dougy> within 60 seconds (check your network connectivity) 18:01 < Dougy> ? 18:01 < ChUbB> yer 18:01 < ChUbB> common error ? 18:01 < Dougy> yep 18:01 < Dougy> http://openvpn.net/archive/openvpn-users/2004-12/msg00088.html 18:01 < vpnHelper> Title: RE: [Openvpn-users] TLS handshake failed (at openvpn.net) 18:01 < Dougy> may or may not be of use 18:02 < Dougy> http://fixunix.com/openssl/156978-i-am-getting-tls-error-tls-handshake-failed-failed-openvpn-package.html 18:02 < vpnHelper> Title: I am getting "TLS error: TLS handshake failed" failed with OpenVPN package - Unix Linux Forum (at fixunix.com) 18:02 < Dougy> seocnd link is a dud 18:02 < Dougy> disregard 18:03 < Dougy> ChUbB, http://openvpn.net/index.php/documentation/howto.html#trouble 18:03 < vpnHelper> Title: HOWTO (at openvpn.net) 18:05 < krzie> there should be another error before that 18:06 < krzie> if not, you prolly arent even starting to make a connection 18:06 < krzie> !logs 18:06 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 18:07 < Dougy> sup krzie 18:08 < krzie> hey 18:10 < Dougy> hiya 18:10 < Dougy> how goes it 18:10 < krzie> a lot better than yesterday 18:18 < Dougy> good 18:18 < Dougy> what was up yeteraday 18:18 < Dougy> yesterday 18:23 < krzie> 
just some stuff i had to take care of 18:24 < krzie> but i researched everything and handled it 18:31 < Dougy> oh 18:31 < Dougy> cool 18:42 < krzie> yup 18:42 < krzie> hows everything going for you? 18:43 < Dougy> ok 18:43 < Dougy> i have viral meningitis 18:44 < Dougy> otherwise, ok 18:45 < krzie> weaksauce 18:45 < Dougy> =[ 18:49 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has quit [Read error: 113 (No route to host)] 18:56 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 104 (Connection reset by peer)] 19:58 -!- ZaVoid [n=zavoid@nj-76-6-39-193.dhcp.embarqhsd.net] has joined ##openvpn 20:03 -!- ZaVoid [n=zavoid@nj-76-6-39-193.dhcp.embarqhsd.net] has quit [] 20:14 < ecrist> evening, kids 20:16 < krzie> werd 20:20 < Dougy> ecrist, ! 20:20 < Dougy> there? 20:20 < ecrist> yes 20:20 < ecrist> what's up? 20:21 < Dougy> how is your wife? 20:21 < ecrist> fine, crabby/irritable/wtf-ever. : 20:22 < Dougy> haha 20:22 < Dougy> recovering ok? 20:22 < ecrist> yes 20:22 < Dougy> good stuff 20:22 < krzie> recovering? 20:22 < krzie> what happened? 20:23 < Dougy> he can tell you 20:23 < Dougy> :p 20:23 < krzie> no kidding 20:23 < krzie> i was asking him 20:23 < krzie> heh 20:23 < ecrist> she fell off a horse two weeks ago tomorrow, fractured her skull twice and broke her T12 vertebra. 20:23 < krzie> omfg 20:23 < krzie> i hope everything is ok 20:24 < ecrist> yeah, she'll be fine, close to 100%, I'm guessing. 20:24 < Dougy> Chanserv is hiding again =o 20:24 < krzie> awesome 20:24 < ecrist> chanserv talks to me. 20:24 < Dougy> lucky 20:25 < Dougy> he just says Access Denied to me 20:25 < krzie> sucks that it happened but hey if she fully recovers im glad 20:25 -!- mode/##openvpn [+o Dougy] by ChanServ 20:25 <@Dougy> haha w00t 20:25 * Dougy flexes 20:25 <@Dougy> HAHA 20:25 -!- mode/##openvpn [-o Dougy] by ChanServ 20:25 < Dougy> lame. 
20:25 * Dougy pouts 20:28 < Dougy> either way 20:28 < Dougy> glad to hear she's doing well ecrist 20:28 < ecrist> tx 20:46 * jeev smacks Dougy 20:46 < Dougy> yo 20:46 < Dougy> sup jeev 20:47 < jeev> nothing 20:48 * jeev loves openvpn 20:48 < Dougy> haha 20:48 < Dougy> i want a vpn 20:48 < Dougy> but i cant have one 20:48 < jeev> how come 20:48 < Dougy> nowhere to host it 20:48 < Dougy> really 20:48 < jeev> what happened to your server 20:48 < Dougy> the one at where i work? 20:48 < jeev> yea 20:48 < Dougy> ecrist's basement dsl was more stable 20:48 < Dougy> i ditched the server 20:49 < jeev> lol 20:49 < jeev> how much were you paying 20:49 < Dougy> 70/mo 20:49 < Dougy> for a p4 3.0 with 1 gb ram 20:50 < jeev> ahh 20:50 < Dougy> sigh 20:50 < krzie> thats not even a special price 20:50 < Dougy> nope 20:50 < Dougy> . 20:50 < Dougy> i pay retail 20:50 < Dougy> sweet isnt it? 20:50 < krzie> you can get that many places 20:50 < Dougy> i could get it cheaper elsewhere 20:50 < Dougy> but i liked the hands on 20:51 < krzie> ipkvm 20:51 < Dougy> extra 20:51 < Dougy> 4 20:51 < Dougy> $* 20:51 < Dougy> I think Im gonna get a few U colo at Equinix 20:52 < jeev> colo for free 20:52 < jeev> for me 20:52 < krzie> a few U 20:52 < krzie> free? 20:52 < krzie> please go on... 20:52 < jeev> 1U 20:52 < jeev> i'll set up openvpn and let you use it 20:52 < jeev> ;D 20:52 < krzie> lol 20:53 < krzie> i have 1u's... 20:53 < krzie> but whats this colo 4 free thing you mention... 
20:53 < Dougy> haha 20:53 < Dougy> i know a bunch of people at equinix 20:53 < jeev> lol 20:53 < Dougy> but 20:53 < jeev> i'll send a server 20:53 < jeev> you host it for me 20:53 < jeev> for free 20:53 < Dougy> not sure if i can get free stuff 20:53 < krzie> oh, lol 20:53 < krzie> i just lost 2 free colos 20:53 < Dougy> i gotta see 20:53 < krzie> =[ 20:53 < krzie> so i have extra boxen that need a home 20:54 < jeev> lol 20:54 < krzie> but i know where im gunna put them if something better doesnt come along 20:54 < krzie> a buddys DC in canada and a friends fios in NY 20:54 < Dougy> nice 20:54 < Dougy> well 20:54 < Dougy> i know people in NY2 (equinix) 20:55 < Dougy> i may just pay retail thru my friend Nik at Timesway 20:55 < krzie> well if you get some kinda sweet deal pls lemme know (assuming you dont mind me piggybacking on it) 20:55 < krzie> i never pay retail for colo 20:55 < jeev> .. 20:55 < krzie> wouldnt be able to afford my servers if i did,m i dont use them to make $ anymore 20:55 < jeev> i'm waitign for hook up 20:56 < Dougy> haha 20:56 < Dougy> well 20:56 < Dougy> idk how much i can get you people 20:56 < krzie> ya dont worry bout us 20:56 < Dougy> my friend is starting a colo company 20:56 < Dougy> in equinix 20:57 < Dougy> imma be head techie 20:57 < Dougy> so 20:57 < Dougy> well 20:57 < Dougy> co-head techie 20:57 < krzie> just saying if it happens, ild be excited to get another hookup ;] 20:57 < Dougy> if there is enough space ill hook you guys up 20:57 < krzie> nice 20:57 < krzie> maybe you get employee cage 20:57 < Dougy> yeah hahaha no 20:57 < Dougy> i would be happy for 6U 20:57 < krzie> thats where my 2 servers were 20:57 < krzie> right, thats what i mean 20:58 < Dougy> i have nothing to colo 20:58 < Dougy> so if i get 6u 20:58 < Dougy> you guys are welcome to it 20:58 < krzie> werd 20:58 < Dougy> all i ahve 20:58 < krzie> well if that happens you'll be admin on it too 20:58 < Dougy> is a p3 533 mhz with 128 mb ram 20:58 < Dougy> in an old 
sirex tower 20:59 < Dougy> thats not even worth dusting off 20:59 < krzie> haha mine arent powerful or anything, but they are nice 20:59 < krzie> like 2.something ghz and 1 or 2 gigs ram 20:59 < Dougy> thats nice 20:59 < krzie> on pretty much all of them 20:59 < krzie> ya 20:59 < Dougy> i might build an old one 20:59 < Dougy> but the chassis are expensive 20:59 < krzie> nothing beastie but beefy enough for anything i use them for 20:59 < Dougy> its a $50 difference 20:59 < Dougy> between a prescott 2.8 20:59 < Dougy> and a bigger c2d 20:59 < Dougy> mobo is $20 difference 21:00 < krzie> i priced out a setup for under 700 21:00 < krzie> quad core intel 21:00 < krzie> 8gig ram 21:00 < krzie> 500gig sata2 21:00 < krzie> (hd with xfer rates measured in gigabit) 21:01 < krzie> but i wouldnt use that for a colo 21:01 < krzie> too much beef for anything any of my servers do 21:02 < Dougy> ya i could build those parts fo rthat 21:02 < Dougy> chassis and mobo not so much 21:02 < Dougy> haha 21:03 < krzie> that includes mobo price 21:03 < Dougy> yeah 21:03 < Dougy> even mobo 21:03 < Dougy> but chassi no 21:03 < Dougy> chassis is $2100 21:03 < Dougy> 20* 21:03 < Dougy> 200* 21:03 < krzie> not chasis tho, i can always find those layin around 21:03 < krzie> $200!? 21:04 < krzie> for a computer case??? 21:04 < Dougy> no 21:04 < Dougy> a rackmount chassis 21:05 < krzie> talkin bout the rackmount case, rails, or rack itself? 21:06 < Dougy> the 1U case 21:07 < Dougy> depends on which one if it comes with rails or not 21:07 < krzie> ya i usually just score those 21:07 < Dougy> yeah i wish i did 21:07 < Dougy> they are a solid 200 21:07 < Dougy> usually thats without psu 21:07 < krzie> thing is finding the mobo and all that will work in the 1u case 21:07 < krzie> takes planning 21:07 < Dougy> not at all 21:07 < Dougy> ive had all sorts of mobos 21:07 < Dougy> never had one not fit in a 1U 21:07 < Dougy> i lied.. 
one 21:07 < krzie> heh 21:07 < Dougy> NCCH-DR 21:08 < Dougy> asus 21:20 < Dougy> bbl 21:20 < Dougy> calling my lady 21:21 < jeev> who is she 21:21 < jeev> is she cute 21:21 < Dougy> ehh 21:21 < Dougy> not really 21:21 < Dougy> she's a biggggggggun 21:21 < Dougy> 6'1 21:22 < jeev> wtf 21:22 < jeev> pics or i dont believe it 21:22 < Dougy> lol 21:22 < Dougy> http://photos-b.ak.facebook.com/photos-ak-sf2p/v336/158/42/506597984/n506597984_1479281_920.jpg 21:22 < Dougy> on left 21:22 < Dougy> @ jeev 21:22 < jeev> jesus 21:22 < jeev> that's big 21:22 < jeev> what did she do 21:23 < jeev> threaten you ? 21:23 < Dougy> lmfao 21:23 < Dougy> no 21:23 < jeev> thennnnnnnnn 21:23 < Dougy> hey man 21:23 < Dougy> we're tight 21:23 < jeev> lol 21:23 < Dougy> nuff said 21:23 < jeev> nice 21:24 < Dougy> haha 21:24 < Dougy> she is big 21:24 < Dougy> not fat 21:24 < Dougy> just big 21:24 < jeev> hehe 21:25 < Dougy> jeev, http://photos-a.ak.facebook.com/photos-ak-sf2p/v336/158/42/506597984/n506597984_1479256_4666.jpg 21:25 < Dougy> she was texting me in that (or at least thats how its tagged ) hh 21:25 < Dougy> haha 21:25 < jeev> damn 21:25 < jeev> how big are you 21:25 < jeev> she looks like she killed 13 people 21:25 < jeev> no offense 21:26 < Dougy> lol 21:26 < Dougy> im 6' 21:26 < jeev> cool 21:26 < jeev> i'm 6'1, my girl is 5'3 21:26 < Dougy> yeah 21:26 < Dougy> i usually dont do big girls 21:26 < Dougy> no pun intended 21:26 < jeev> lol 21:27 < jeev> is she rich ? 21:27 < jeev> i hope she's rich 21:27 < Dougy> no 21:27 < Dougy> country girl 21:27 < Dougy> rofl 21:27 < jeev> damn 21:27 < Dougy> her dad said he'll shoot me if i go near her 21:27 < jeev> lol 21:27 < jeev> are you a behemoth ? 
21:27 < Dougy> hell no 21:27 < Dougy> 6'1 140 21:28 < jeev> damn 21:28 < jeev> you're one skinny child 21:28 < Dougy> im a little kid 21:28 < Dougy> hahaha 21:28 < jeev> my fart would blow you away 21:28 < Dougy> no muscle 21:28 < Dougy> ROFL 21:28 < Dougy> AHAHAH 21:53 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 23:06 -!- igalmarino [n=igalmari@201.198.19.166] has joined ##openvpn 23:06 < igalmarino> Hi ... any good openvpn client for linux ???? 23:11 < igalmarino> any good script to update the dns on a linux client ? 23:18 -!- igalmarino [n=igalmari@201.198.19.166] has left ##openvpn ["Leaving"] 23:33 < jeev> heh 23:49 < krzee> update the dns... 23:49 < krzee> wtf was he talkin bout 23:49 < krzee> lol 23:49 < jeev> lol 23:49 < jeev> a good openvpn client for linux 23:49 < jeev> lol 23:49 < krzee> even better, an openvpn client for linux 23:49 < krzee> ya 23:49 < krzee> haha 23:49 < jeev> lol 23:49 < jeev> we need a quote system 23:49 < krzee> i know a good one... 23:49 < krzee> its called... 23:49 < krzee> "openvpn" 23:51 < krzee> [00:51] aq Hi ... any good openvpn client for linux ???? i know a good one... its called... "openvpn" 23:51 < krzee> [00:51] Inserted quote #4679. 23:58 < jeev> lol 23:58 < jeev> that's forged though! 23:58 < jeev> where is bsdcoder ? 23:58 < jeev> i wanna see the quotes 23:59 < jeev> Need another reason to get angry at your next cell phone bill? Turn to Nigel Bannister, a space scientist at the University of Leicester in Britain, who has concluded that sending a mundane, ubiquitous text message costs at least four times as much as transmitting scientific data from the Hubble telescope. 
--- Day changed Thu Sep 25 2008
00:06 < krzee> its on efnet
00:07 < krzee> hq for help
00:07 < krzee> fq to find quotes with the string in them
00:08 < krzee> sq to say them
00:08 < jeev> heh
00:50 -!- pred2k3 [n=pred2k3@85.131.190.47] has joined ##openvpn
00:50 < pred2k3> hi, I always get Bogus IP header length (0, must be at least 20) when using openvpn as internet gateway and for example visit a website
00:50 < pred2k3> (using socks as proxy)
00:51 < pred2k3> whats that?
01:29 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
02:00 -!- jack|ass [n=jack@c-67-189-104-112.hsd1.or.comcast.net] has left ##openvpn ["Leaving"]
02:06 -!- andrei1089 [n=andrei@79.116.246.249] has joined ##openvpn
02:09 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
02:09 -!- onre [i=esp@static.fi] has quit [Remote closed the connection]
02:19 < krzee> so you run socks on the vpn ip of the server?
02:20 < krzee> cause ive done that and never got an error
02:27 < pred2k3> ?
02:28 < krzee> that error appears in the openvpn logfiles?
02:31 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn
02:50 < andrei1089> hello
02:51 < andrei1089> how can i create more client certificates ?
02:51 < andrei1089> when i try build-key client6
02:51 < andrei1089> it says "could not find c:\*.old"
03:00 < krzee> you need to run vars first
03:01 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has joined ##openvpn
03:01 < dan__t> Good morning.
03:01 < andrei1089> it works.. thanks:D
03:02 < krzee> mornin
03:02 < krzee> andrei1089, yw
03:03 < dan__t> Is there any way that I can record traffic utilization per user, or per certificate pair, or something like that? I think that I can use iptables' "long" view to display simple statistics, but I'd rather use something built in to OpenVPN
03:03 < dan__t> Basically I want to be able to identify how much traffic was consumed and tack that to a specific user, or connection, or like I said - key pair.
03:04 < krzee> no
03:04 < krzee> not unless you code it
03:04 < dan__t> Yeah, that's what I figured.
03:04 < krzee> easiest is something like mrtg
03:04 < krzee> by vpn ip
03:04 < krzee> with static ips that'll work
03:05 < krzee> static based on cert
03:05 < krzee> you could even label each ip as its cert name
03:06 < dan__t> yeah
03:08 < dan__t> Suppose I should investigate a plugin eh
03:08 < krzee> i dont see why
03:08 < krzee> its just adding code where it doesnt belong imo
03:08 < krzee> kinda like adding nat to openvpn
03:10 < dan__t> I'd find it hard to believe that other people wouldn't be interested in bandwidth statistics of their users.
03:11 < dan__t> I'd say some other mechanism is where it belongs for sure if the users are accessing outside resources from the VPN
03:11 < dan__t> But they could be accessing inside resources
03:20 < krzee> i just told you how
03:20 < krzee> what traffic besides openvpn is using the internal vpn ip
03:20 < krzee> all traffic going over that ip goes over vpn
03:20 < krzee> so go setup mrtg or something else like it and you are done
03:21 < krzee> you say you find it hard to believe they dont want to
03:21 < krzee> i say they do want to, and are doing it using existing tools
03:21 < dan__t> Yep, but then I have to cross-reference an IP established by the OpenVPN client, against a user identifier such as the key itself.
03:22 < dan__t> I understand.
03:22 < krzee> client dont establish ip
03:22 < krzee> server does
03:22 < krzee> you use tun?
03:22 < dan__t> Uh, yes, sorry. Its late heh.
03:22 < krzee> ok you're fine
03:22 < krzee> setup ccd
03:22 < krzee> with static ips for clients
03:22 < dan__t> Ok, cross-reference the IP established by the server, per a particular connection - and with that, marry it to a user identifier.
03:22 < krzee> then you cross reference nada
03:22 < dan__t> Yeah that's what I was planning.
03:23 < krzee> you just setup
03:23 < dan__t> Then using iptables to do my accounting.
03:23 < krzee> then in your accounting
03:23 < krzee> name each ip the common name of cert
03:23 < krzee> booya, exactly what you wanted
03:23 < dan__t> word.
03:23 < krzee> you can graph that stuff too
03:23 < krzee> but im sure you know what i mean
03:23 < dan__t> yeah.
03:24 < krzee> clients wont even have the ability to change their ip
03:24 < dan__t> fact.
03:24 < krzee> if they try to, no connection for them
03:24 < krzee> so you're good
03:24 < krzee> with tap they could
03:26 < AukeF> Hi! It seems that the environments of the ipchange-scripts is slightly different from versions 2.0.9 to 2.1rc9. (specifically, the tap/tun device used for the connection ('dev') isn't available. Does anyone know if this is expected behaviour? I didnt find anything in the changelog
03:26 < AukeF> It is a bit weird, as according to the manual page the variable is only available from -up and -down scripts. The point is that our situation uses the 'dev' variable from the ipchange-script, so if it is going away in the next version of openvpn it'd be great to know so we can adapt our systems.
03:27 < krzee> never seen the ipchange-scripts
03:28 < krzee> AukeF, i suggest the openvpn-dev mail list for that one
03:28 < krzee> !mail
03:28 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978
03:28 < AukeF> Ok krzee, I'll fire off some mail to there
03:29 < krzee> possibly bring it to openvpn-users asking if its a question for dev list, theres some people on there that know a ton
03:29 < AukeF> Ow, in case you're interested: I've succeeded in tunneling multiple vlans worth of traffic over one single openvpn connection - we spoke briefly about this a few days ago ;)
03:29 < krzee> ahh howd you do it?
03:30 < AukeF> on the clientside, bridge the trunk-interface with the tap interface provided by openvpn
03:30 < AukeF> on the serverside, create vlan interfaces (through vconfig) on the tap interface provided by openvpn
03:30 < krzee> ahh thats dope
03:31 < AukeF> the trick is to have a secondary interface on the client over which the openvpn tunnel is set up
03:31 < krzee> if you get any time a small writeup on the wiki would rock for future people
03:31 < krzee> !wiki
03:31 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
03:32 < AukeF> (since apparently stuff breaks if you both bridge an interface (say eth0) to tap0 AND create vlan-devices of the same eth0
03:32 < krzee> you're the first i met that wanted to, but i bet that one comes up again at some point
03:33 < AukeF> hehe i admit the setup is tricky :)
03:49 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has joined ##openvpn
04:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:33 -!- alienn [n=nicki@sphinx.link-m.de] has joined ##openvpn
05:37 < alienn> Hi. I have a working openvpn server with my own ca. Now I'd like to start a second instance based on the same ca. But some people should only gain access to OpenVPN instance one (Port 1194) but not to the second one (Port 1195) and vice versa. Has anyone an idea how to accomplish this?
05:41 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has quit [Read error: 104 (Connection reset by peer)]
05:42 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn
05:42 < ChUbB> morning
05:50 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has joined ##openvpn
05:51 < ChUbB> hi can someone help me with an iptables router i got setup i got openvpn setup and it connects but dont get the network ips atm
05:55 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has quit [Read error: 104 (Connection reset by peer)]
06:03 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has joined ##openvpn
06:14 < dan__t> Don't get which network IPs, ChUbB?
06:30 < ChUbB> i got my router with subnet 192.168.10.0 (lan) the wan is 192.168.2.60 i connect using openvpn i get the ip 192.168.10.6 but a different subnetmask and cant talk to the router 192.168.10.1 what iptables stuff do i need to do
06:31 < dan__t> Depends - are you using the OpenVPN server as the default route?
06:36 < mkay> hmm. i've got similar problem. i travel a lot with my laptop, on which i've got vpn configured to a server at company router. when i connect laptop in company lan i do not have access to internet. i just stop vpn then. is there a way to get it work without stopping vpn?
06:37 < dan__t> ip forwarding
06:37 < dan__t> I need to sleep, have a good one, sorry.
06:39 -!- SilenceGold [n=chris@71.143.178.16] has joined ##openvpn
06:44 -!- andrei1089 [n=andrei@79.116.246.249] has quit [Read error: 113 (No route to host)]
07:02 -!- Qantourisc [n=Qantouri@d54C49D91.access.telenet.be] has joined ##openvpn
07:02 < Qantourisc> Is openvpn a decent solution ? (poptop seems impossible to configure correctly, loads of combinations don't work and little or no output of what goes wrong)
07:03 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
07:09 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
07:09 < ChUbB> well i just got the connect setup just working on iptables but seems easy
07:21 < ecrist> Qantourisc: yes, it's pretty simple, if you understand how to route.
07:21 < Qantourisc> so it's a "static" vpn solution ?
07:28 * Qantourisc tries openvpn
07:28 < Qantourisc> this better be configured in 5 mins !
07:36 < ChUbB> could someone help me with my iptables config so openvpn can talk to the router/server and lan clients
07:40 -!- SUSaiyan` [n=SUSaiyan@cc84863-b.zwoll1.ov.home.nl] has joined ##openvpn
07:42 < ecrist> krzee: you should write wiki page for up/down scripts, so I don't have to read the howto
07:55 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
08:09 < ecrist> wtf. why won't openvpn route my network?
08:09 * ecrist punches something
08:12 < alienn> ecrist: Just a hint as I'm nearly out the door. Did you have a look at both "route" and "iroute" command in your openvpn.conf and is ip_forwarding enabled?
08:13 < ecrist> alienn: you bet.
08:14 < alienn> ecrist: Usually it is one of those three things even if looking at them for the third time.
08:16 < ecrist> well, I've got an OpenVPN server, with a client I call mtka, which has a clientconfig with iroute 10.0/16
08:17 < ecrist> routes are in place on the same LAN as the VPN server, so they can ping/talk to clients on 10.0/16 without issue, and clients on the 10.0/16 subnet can talk through the vpn to the vpn server's lan.
08:17 < ecrist> what can't seem to talk to 10.0/16 is other vpn clients.
08:18 < ecrist> even though I've got a push 10.0/16 in my server config, and I can see the route in my client routing table (in this case, a mac)
08:55 -!- pred2k3 [n=pred2k3@85.131.190.47] has quit [Read error: 110 (Connection timed out)]
09:00 -!- SUSaiyan` [n=SUSaiyan@cc84863-b.zwoll1.ov.home.nl] has quit []
09:12 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
09:14 < alienn> ecrist: Do you use the "client-to-client" Option in your config?
09:16 -!- sente [n=stu@216.93.247.56] has joined ##openvpn
09:20 < ecrist> yes
09:24 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
09:25 < alienn> ecrist: Has mtka a backroute to your mac?
09:27 < ecrist> yes, it's on the vpn.
09:27 < ecrist> I thought it was a firewall issue, but, alas, it is not.
09:27 < ecrist> :(
09:28 * ecrist finds his Wired mag so he can take a crap.
09:29 * cpm chuckles
09:33 < pumkinhed> hello #openvpn, we run a vpn here, when clients connect directly to our LAN, their network deadlocks because its assigned an address 192.168.15.100 (for instance), then attempts to connect to our openvpn server (via public ip, not name), gets the address 10.9.0.x, and openvpn attempts to add the route to 192.168.15.0/24 via 10.9.0.x-1, it should be pretty obvious what the problem is at that point
09:33 < pumkinhed> does anyone use IPF firewall? how can i block that traffic?
09:34 < pumkinhed> ie, i want to block the vpn so its unable to connect
09:37 < pumkinhed> currently my rule (which doesnt work, says) block in log quick proto udp from 192.168.15.0/24 to 1.2.3.4/32 port = 1194 keep state
09:38 -!- AukeF [n=auke@x154.flex.surfnet.nl] has left ##openvpn ["Leaving"]
09:38 < pumkinhed> it successfully connects.... :(
09:53 < ChUbB> can someone help me get openvpn tun access to my network http://pastebin.com/m3ab6af6d << iptables config
09:54 < ecrist> pumkinhed: not sure I understand fully your problem.
09:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:56 < ecrist> pumkinhed: if your clients are on the LAN, why are they connecting to the vpn?
09:56 < pumkinhed> because they are road warriors, and occasionally they come into the office
09:57 < pumkinhed> so on the road openvpn works great
09:57 < pumkinhed> automatically connects etc
09:57 < ecrist> ah, so you want to prevent them from even trying.
09:57 < pumkinhed> yes, when they are connected to our lan, i dont want the vpn to be able to successfully connect
09:58 < ecrist> in pf, I'd write something such as block in quick proto udp on $lan_if to self port 1194
09:58 < pumkinhed> ah so don't even involve ips, just the interface its coming through
09:58 < pumkinhed> that may work
09:58 < ecrist> erm, block in quick on $lan_if proto udp to self port 1194
09:59 < pumkinhed> yep, i understand what you mean, i have to transcribe it to ipf syntax anyway
09:59 < pumkinhed> now i just need to determine if ipf supports the SELF semantic
10:00 < ecrist> ipfw refers to self as me
10:00 < ecrist> I'm sure ipf has something similar
10:01 < pumkinhed> yeah, i'm trying to make the switch to pf at some point, it has a boat-load of features i want to use (like altq)
10:02 < ecrist> that, and you get a real OS with it. :)
10:04 < ChUbB> any ideas on how to let vpn onto my lan http://pastebin.com/m3ab6af6d
10:06 < pumkinhed> ecrist: was that a shot at freebsd?
10:06 < pumkinhed> ;p
10:07 < ecrist> you bet.
10:13 < ecrist> but, even openbsd is superior to linux.
10:16 -!- alienn [n=nicki@sphinx.link-m.de] has quit ["Leaving"]
10:31 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 104 (Connection reset by peer)]
10:37 -!- andycas [n=Andy@35.88.191.90.dyn.estpak.ee] has joined ##openvpn
10:40 < andycas> No one will probably help me about this, but im gonna try and ask it anyway. I want to test if its possible to use vpn with my xbox 360 - to spoof my ip address so that i could access U.S content. If someone is willing to help me, let me know. The server should have US or UK ip.
10:43 < jeev> hmm
10:43 < jeev> i dont know if you could do it OFF your xbox, i dont own one
10:43 < jeev> but i'm sure if you had an openvpn capable router
10:44 < jeev> adie: pfsense
10:44 < jeev> for example, pfsense...
10:44 < jeev> you would be able to
10:44 < andycas> Im thinking about using vpn in my pc and then use ICS to share that vpn on to xbox
10:45 < jeev> do you have an extra system you could use as a router?
10:45 < andycas> Yes, i think so..
10:48 < jeev> so
10:48 < jeev> you build a computer with 2 ethernet cards
10:48 < jeev> read about pfsense
10:48 < jeev> they have openvpn support
10:48 < jeev> first verify that you could do that, as in, connect to your openvpn server and have everything go out properly, cause i have it but i dont do it from pfsense
10:51 < andycas> Well.. What i was trying to ask really was that maybe someone could host a vpn server for me? Because Im located in Estonia, but xbox wants me to be a united states or united kingdom citizen for downloadable content.
10:52 < jeev> you would have to pay for something like that,
10:53 < andycas> Yes, but i want to test this out before i pay for the service
10:54 < andycas> And i wouldnt be using a lot of bandwidth anyway, 2-3 arcade games in a month is like 100-200mb worth of download.
10:55 < jeev> yea
10:58 < jeev> there are vpn services i think
10:58 < jeev> you can try
10:59 < andycas> which ones?
10:59 < jeev> no idea
10:59 < jeev> heh
11:01 -!- n3kl [n=n3kl@c-24-8-165-101.hsd1.co.comcast.net] has quit [Remote closed the connection]
11:03 < andycas> :(
11:04 < jeev> http://blacklogic.com/
11:04 < vpnHelper> Title: VPN Service, Unblock Skype :: Blacklogic paid VPN accounts, UAE, Dubai, Anonymous Surfing (at blacklogic.com)
11:04 < jeev> http://alivevpn.com/
11:04 < jeev> trial
11:04 < vpnHelper> Title: PPTP VPN / L2TP Service with MPPC compression and MPPE / IPSec ESP 3DES up to 168-bit encryption | AliveVPN.com - PPTP VPN and L2TP VPN (at alivevpn.com)
11:13 -!- jeev [n=email@unaffiliated/jeev] has quit [Nick collision from services.]
11:15 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
11:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:44 -!- xattack [i=xattack@132.248.108.233] has joined ##openvpn
11:56 -!- andycas [n=Andy@35.88.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)]
12:05 < ecrist> too bad he left, SilenceGold offers a service for just such a thing.
12:05 < ecrist> iirc, he's got a server with IPs in massachusetts.
12:08 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Remote closed the connection]
12:11 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
12:47 < Wyk3d> how do i configure routed vpn with openvpn/iptables/route if i want to connect with only one client at a time and restrict its access to everything in the lan except one internet gateway ?
12:47 < ecrist> what?
12:49 < Wyk3d> i connect via vpn to a lan where there is an internet gateway
12:49 < Wyk3d> i want to use that gateway
12:49 < Wyk3d> but restrict access to everything else in the lan
12:50 < ecrist> oh, firewall + nat + push "redirect-gateway"
12:51 < Wyk3d> yes ..
12:52 < Wyk3d> i got it working with bridged vpn, but i'd like routed because i want to isolate this vpn client from the rest of machines in the lan
12:55 < Wyk3d> so i configured both server and client to use dev tun, ifconfig with two ips in a different subnet ..
12:56 < Wyk3d> it hangs when connecting to the vpn server, but strangely, if i ping the client's ip from the server, it connects immediately, but doesn't really seem to work
13:00 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn
13:01 < Wyk3d> i manage to get the ping working from either side of the TUN tunnel
13:01 < Wyk3d> *managed
13:02 < Wyk3d> do i need more routing on the server side to allow the client to use the gateway ?
13:07 < ecrist> push "redirect-gateway" on the server
13:07 < ecrist> the a firewall to deny vpn clients access to the lan
13:08 < ecrist> s/the a/then a/
13:09 < Wyk3d> i already have "redirect-gateway" in the client config, so i need to add it to the server config too ?
13:10 < ecrist> no, it should be in the server config, not the client config, unless by client config, you mean ccd/client config.
13:11 < Wyk3d> well by client i mean the machine i'm connecting from ..
13:13 < Wyk3d> and it worked for dev TAP with redirect-gateway in the client .. so TUN is different ?
13:13 < ecrist> I've only seen it recommended in the server config, but I'm hardly an expert.
13:14 < ecrist> with it in the client config, does it work?
13:14 < Wyk3d> with dev TAP yes
13:14 < ecrist> if not, if I were you, I'd try something else.
13:14 < ecrist> are you using TAP?
13:14 < Wyk3d> no, i'm trying to switch to TUN
13:14 < ecrist> no, you're using TUN. does it work with TUN?
13:14 < Wyk3d> with little success so far :)
13:15 < Wyk3d> not with TUN .. i'm going to try moving it to the server now
13:18 < Wyk3d> one more thing first, i'm testing if it works from inside the same lan as the gateway, so the way I tested TAP was to set up iptables -I FORWARD -s virtual client IP -d www.google.com -j DROP and then i knew it worked when google stopped working :)
13:18 < Wyk3d> when i do the same for TUN there are two endpoints
13:18 < Wyk3d> which IP should I test ?
13:19 < Wyk3d> which one will be the source of the packets going through the gateway ?
13:23 < ecrist> Wyk3d: depends on a lot of things. With proper routing, the IP the client has is what will be seen on the gateway. If you're doing NAT somewhere, the NAT address is what will be seen.
13:24 < ChUbB> hi can someone help with my iptables config so my vpn can access the lan http://pastebin.com/md7743f
13:25 * ecrist wonders when this became ##help-me-with-my-firewall
13:29 < Wyk3d> ecrist: it's a small lan with 3 machines and a router, the router is the only thing that does NAT i think, and the router is doing the iptables stuff too so i don't think I have any NAT going on _before_ the packet gets to the router
13:30 < ChUbB> Wyk3d: u trying to get openvpn working on an iptables based nat router ?
13:30 < Wyk3d> well i already got it working but i want to get it working differently, in a more secure way :)
13:31 < ecrist> Wyk3d: you need to make sure your gateway knows how to route the VPN subnet, which I'm guessing is your problem.
13:31 < ChUbB> could u give ur iptables config mine >> http://pastebin.com/md7743f i can ping through .... :(
13:31 < ecrist> Wyk3d: it's not more secure, really.
13:31 < ecrist> just need a firewall.
13:32 < ChUbB> cant*
13:32 < Wyk3d> ecrist: for the vpn subnet i have 172.16.0.0 * 255.255.255.0 U 0 0 0 tun0
13:33 < Wyk3d> in the routing table
13:33 < Wyk3d> is that ok ?
13:33 < Wyk3d> (the router is 192.168.1.1)
13:34 < ecrist> is the VPN server also the network gateway to the internet?
13:34 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has quit [Connection timed out]
13:34 < Wyk3d> yes
13:34 < Wyk3d> router = network gateway = vpn server
13:35 < ecrist> and, does your nat rule allow for the additional subnet?
13:36 < Wyk3d> hmm nat rules .. how do i check them ? :)
13:36 < ecrist> with iptables, no idea
13:36 -!- xattack [i=xattack@132.248.108.233] has quit []
13:36 < ecrist> switch to freebsd and pf, and I can help.
13:37 < Wyk3d> so i should look for the nat rules in iptables ?
13:38 < ecrist> *shrug* no idea, literally, none.
13:39 < Wyk3d> what is "allowing an additional subnet" formally ?
13:40 < Wyk3d> how would it look in freebsd ? :)
13:40 < Wyk3d> maybe i can translate that to iptables somehow
13:42 < ecrist> well, in pf, it's something like:
13:42 < ecrist> nat on $inet_if from $lan_net to any -> $ext_nat_ip
13:42 < ecrist> where, in your case, I'd make:
13:42 < ecrist> nat on $inet_if from {$lan_net, $vpn_net} to any -> $ext_nat_ip
13:43 * Wyk3d googles
13:45 < Wyk3d> btw moving the redirect-gateway to the server didn't help, same symptoms .. hang until pinged from the server
13:48 < ecrist> you've got some other issue then.
14:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:04 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:08 -!- sente [n=stu@216.93.247.56] has left ##openvpn []
16:20 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has quit [Read error: 60 (Operation timed out)]
16:32 < ChUbB> hi i just tried bridging tap0 to eth0 and now the client says connecting has failed... any ideas
16:36 < ecrist> ah, I figured out my problem, now I just have to figure out how to fix it.
16:36 < ecrist> how can I push "10.0/16" to all clients EXCEPT a certain one?
16:37 < ecrist> you're not giving us a lot to go on.
16:37 * ecrist goes away.
16:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:47 < ChUbB> hi, must be common when i connect to my vpn internet stops working i guess its using the tunnel how do i fix this ?
16:50 < ChUbB> dw fixed :D
16:51 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:56 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has joined ##openvpn
17:08 -!- hkais [n=dpalic@p4FEBF3C5.dip.t-dialin.net] has joined ##openvpn
17:08 -!- hkais [n=dpalic@p4FEBF3C5.dip.t-dialin.net] has left ##openvpn []
17:08 -!- Qantourisc [n=Qantouri@d54C49D91.access.telenet.be] has quit ["night"]
17:24 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has quit [Read error: 104 (Connection reset by peer)]
17:48 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit [Read error: 104 (Connection reset by peer)]
17:49 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has joined ##openvpn
18:07 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has quit [Read error: 110 (Connection timed out)]
18:12 < ecrist> what the fuck
18:12 < ecrist> why won't my network route.
18:12 < ecrist> netstat -rn shows:
18:12 < ecrist> 10/16 172.30.1.22 UGSc 0 0 tun0
18:13 < ecrist> same as all the other subnets on the VPN (there are about 15 routes I'm pushing)
18:13 < ecrist> I can traceroute all them just fine, but this one fails.
18:13 < ecrist> :\
18:40 < jeev> wow
18:40 < jeev> fail
19:12 < ecrist> then fix it for me. ;)
19:14 < SilenceGold> I noticed the same thing
19:14 < SilenceGold> suddenly my workstation isn't getting the routes from the vpn server
21:37 -!- near [n=near@83-153-88-11.rev.libertysurf.net] has joined ##openvpn
22:42 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
22:47 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
23:10 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
23:27 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
23:43 -!- plik [i=gorph@phalse.2600.COM] has quit [Connection timed out]
--- Day changed Fri Sep 26 2008
03:09 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has joined ##openvpn
03:27 -!- thomas [i=tm@tm.muc.de] has joined ##openvpn
03:27 < thomas> hello!
03:27 < thomas> hello?
03:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:49 < krzee> !route
03:49 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:53 < thomas> krzee: hello.
03:56 < krzee> hey
03:56 < krzee> needed that link for an email...
03:56 < krzee> hows it goin?
04:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
04:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:10 < krzee> oops
05:13 -!- mookii [n=mookii@p50989b86.dip0.t-ipconnect.de] has joined ##openvpn
05:17 < mookii> hi there, is there a good reason why the connections in my openvpn network broke when I am installing new certificates (because I need to add a new client to it and have no ca key anymore) ??
05:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:16 < ecrist> mookii: all of your client certificates need to match the server certificate.
08:33 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Read error: 110 (Connection timed out)]
08:43 -!- Wyk3d [n=Wyk3d@cl-86-125-183-11.cablelink.mures.rdsnet.ro] has quit [Read error: 60 (Operation timed out)]
09:11 < ecrist> it's quiet in here.
09:16 -!- ikevin [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has joined ##openvpn
09:16 < ikevin> hello
09:17 < ikevin> i'm new with vpn system and i would like to make a reliability between 2 network
09:18 < ikevin> network like that: http://kevin.illux.org/reseau.png
09:18 < ikevin> actually, firewall 1 can contact firewall 2 using the vpn
09:19 < ikevin> so, i would like to make all clients who try to contact other clients use the vpn too
09:19 < ikevin> anyone can help me with the route and firewall rules to add for making it working?
09:26 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
09:35 -!- dob1 [n=dob@host-84-221-66-31.cust-adsl.tiscali.it] has joined ##openvpn
10:29 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
10:39 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
10:44 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
11:17 -!- mookii [n=mookii@p50989b86.dip0.t-ipconnect.de] has quit []
11:22 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn
11:33 -!- hadux [n=ttaranto@cmg.codar.com.br] has joined ##openvpn
11:33 < hadux> hi
11:35 < hadux> when I use openvpn, does all traffic between 2 clients pass through the server?
11:36 -!- hadux [n=ttaranto@cmg.codar.com.br] has quit [Client Quit]
12:05 -!- skxpl [n=skx@217.17.32.190] has quit ["changing servers"]
12:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
12:54 < ecrist> yes
12:58 < krzee> he left
12:58 < krzee> (1 min after answering his question)
12:58 < krzee> [13:18] [12:33] * hadux (n=ttaranto@cmg.codar.com.br) has joined ##openvpn
12:58 < krzee> [13:18] [12:33] hi
12:58 < krzee> [13:18] [12:35] when I use openvpn, does all traffic between 2 clients pass through the server?
12:58 < krzee> [13:18] [12:36] * hadux has quit (Client Quit)
12:58 < krzee> [13:18] lol
12:58 < krzee> [13:18] you have 1 minute to answer, GO!
12:58 < krzee> [13:18] lol
12:58 < krzee> [13:20] lol nice
13:00 < jeev> krzee
13:02 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
13:02 < krzee> jeev
13:02 < krzee> oh and i meant
13:02 < krzee> (1 min after ASKING his question)
13:04 < jeev> hdh
13:04 < jeev> heh
13:07 -!- kreg [n=kreg@208-98-188-95.directcom.com] has quit [Connection reset by peer]
13:11 < ChUbB> hi, i got bridged tap0 i can ping from a lan pc the vpn client but cant ping the lan client i did the firewall setting in the manual but no luck.... anyone can help ?
13:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:37 < ecrist> krzie: your time stamps look funny, and why didn't I get the other comments from you and Dean on my client here?
14:01 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
14:11 -!- Wanderer [i=nomad@c-98-245-32-157.hsd1.co.comcast.net] has joined ##openvpn
14:12 < ecrist> well, look who wandered in...
14:12 < Wanderer> Can anyone help with a server issue? My system just started refusing connections and is spewing: "Expected Remote Options hash (VER=V4): '504e774e'"
14:12 < Wanderer> google had a lot of hits, but nothing useful
14:12 < ecrist> can you pastebin your log file?
14:13 < Wanderer> http://pastebin.com/d13aecd93
14:13 < Wanderer> should be right
14:13 < Wanderer> (don't use pastebin often)
14:14 < ecrist> ok, can we see the server config as well as the client config from the client that's throwing the errors?
14:15 < Wanderer> sec
14:16 < Wanderer> Server: http://pastebin.com/mb6a9157
14:17 < Wanderer> client: http://pastebin.com/m39fb1d58
14:18 < Wanderer> it was working great til today
14:18 < Wanderer> except for regular disconnects but that's because the firewall isn't allowing pings through (on the agenda to get fixed)
14:19 < Wanderer> hmm, getting a new error in the log now:
14:19 < Wanderer> Fri Sep 26 13:19:10 2008 75.174.42.98:4638 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity
14:19 < Wanderer> Fri Sep 26 13:19:10 2008 75.174.42.98:4638 TLS Error: TLS handshake failed
14:20 < ecrist> flakey network connection?
14:21 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
14:21 < Wanderer> shouldn't be
14:21 < Wanderer> it's been rock solid, hosted in a local datacenter
14:21 < ecrist> I'm sure it shouldn't be, most people prefer non-flakey ones.
14:22 < Wanderer> mtr from my machine to the remote site shows zero packet loss, good ping times
14:22 < ecrist> kk
14:25 < Wanderer> any other ideas?
14:27 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:49 < ecrist> not really.
14:49 < ecrist> I'm kinda of a newb when it comes to openvpn.
14:49 < ecrist> you're using some options in your config that I've not run across, so my ability to trouble-shoot goes doewn.
14:50 < ecrist> down*
14:51 < jeev> lol
15:02 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [No route to host]
15:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:06 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 104 (Connection reset by peer)]
15:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:21 -!- Irssi: ##openvpn: Total of 37 nicks [0 ops, 0 halfops, 0 voices, 37 normal]
17:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:23 < ecrist> make up your mind, ompaul
17:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:51 -!- dob1 [n=dob@host-84-221-66-31.cust-adsl.tiscali.it] has quit ["leaving"]
18:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:35 < ChUbB> does bridging with if u only have 1 network card ?
18:40 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 104 (Connection reset by peer)]
19:09 < jeev> huh
19:10 < ecrist> wtf is up with people asking a question, then leaving?
19:10 < jeev> lol
19:10 < ecrist> next person that does it gets a kickban
19:10 < jeev> i thought i was impatient
19:10 < ecrist> then they come back, 'well, nobody answered me.'
19:11 < ecrist> me: 'that's because you were here for about .04 seconds you ass.'
19:50 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
21:22 -!- near [n=near@83-153-88-11.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)]
21:39 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
22:40 < ecrist> how do you like colorado?
22:43 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
22:51 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
22:51 < ecrist> wb
22:51 < ecrist> how do you like colorado?
22:56 < ecrist> fine, be that way
22:58 < ecrist> never spoken since 9/9 eh
22:58 < ecrist> ?
22:58 < ecrist> wtf
--- Day changed Sat Sep 27 2008
01:30 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has joined ##openvpn
01:30 < dan__t> Good evening.
01:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
02:02 < jeev> hi
02:06 < dan__t> How goes it
02:06 < jeev> it's goin
02:07 < dan__t> Word.
02:07 < dan__t> So I made a package out of that openvpn-gui, which is bad-ass.
02:07 < dan__t> I was attempting the same thing to make a distributable package for os x
02:12 < dan__t> Haven't had much luck yet heh
02:13 < dan__t> So I think that gives me tunnelblick to play around with
02:14 < jeev> heh
02:14 < dan__t> So I hope to be able to make the same type of package.
02:14 < jeev> would be good for the community
02:14 < dan__t> tunnelblick already exists out there
02:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
02:15 < jeev> i dunno what that is, i just got into openvpn a few weeks ago
02:15 < jeev> ahh
02:15 < jeev> i see
02:15 < dan__t> os x client
04:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:26 < krzee> i never had luck with tunnelblick
04:26 < krzee> it would just crash
04:26 < krzee> but it was pointless anyways
04:26 < krzee> i just made a .command to start it
04:29 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
06:09 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has quit [Read error: 113 (No route to host)]
07:06 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
07:11 < krzee> mornin Dougy
07:12 < Dougy> yoyoyo
07:12 < Dougy> whats up krzee
07:12 < krzee> chillen
07:12 < Dougy> nice
07:12 < Dougy> im grumpy already
07:12 < Dougy> its 8 freakin am
07:12 < krzee> lol
07:12 < Dougy> been up since 6 -.-
07:12 < krzee> at least you slept
07:12 < Dougy> i went to bed at 1 so thats not helping me
07:13 < Dougy> yeah but i have to work
07:13 < Dougy> today
07:13 < krzee> as do i
07:13 < Dougy> you didn't sleep?
07:13 < krzee> thats why man made coffee ;]
07:13 < Dougy> the hell is wrong with you
07:13 < Dougy> haha
07:13 < Dougy> i dont do coffee, sorry
07:14 < Dougy> =p
07:14 < Dougy> man tuesday is going to stink
07:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
07:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:50 < Dougy> wb
07:50 < Dougy> @ krzee
07:52 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
08:09 -!- ctx144k [n=administ@195.50.137.196] has joined ##openvpn
08:09 < ctx144k> hello all
08:10 < ctx144k> i wanna create new vpn-keys automatically without giving values like password/RETURN and so on... i wanna give only a config-file for that
08:10 < ctx144k> is there a way to do that?
08:15 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
08:44 < krzee> not that i know of, but you should be able to script up something i'd think
08:54 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
08:57 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
09:05 < ecrist> sup, peeps?
09:06 < ecrist> ctx144k: yes, but you need to script it.
09:06 < ecrist> there are perl modules which can handle most, if not everything for you.
09:06 < ecrist> I've got a script that does quite a bit of the work, but there is still user intervention required.
09:11 < ecrist> wooo, I have moderator point, again, on /.
09:11 < ecrist> :\
09:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:46 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
11:31 -!- ctx144k [n=administ@195.50.137.196] has quit ["Verlassend"]
11:38 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Read error: 110 (Connection timed out)]
11:45 < krzee> i miss kraut's daily "moin" now
11:45 < krzee> !kraut
11:45 < vpnHelper> krzee: "kraut" is moin
12:15 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
12:21 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
12:36 -!- Dougy[Work] [n=doug@64.18.159.247] has joined ##openvpn
12:36 < Dougy[Work]> heyo
12:58 -!- gallatin [n=gallatin@dslb-092-073-119-200.pools.arcor-ip.net] has joined ##OpenVPN
13:02 < jeev> hio
13:07 < Dougy[Work]> hio jeev
13:21 -!- jack|ass [n=jack@c-67-189-104-112.hsd1.or.comcast.net] has joined ##openvpn
13:55 -!- gallatin [n=gallatin@dslb-092-073-119-200.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
14:15 < jeev> ok
14:15 < jeev> i desperately need to wake up
14:17 < Dougy[Work]> haha
14:17 * Dougy[Work] kicks jeev in the balls
14:17 * Dougy[Work] runs
14:17 < Dougy[Work]> bbiaf
14:20 -!- Wanderer [i=nomad@c-98-245-32-157.hsd1.co.comcast.net] has quit ["leaving"]
14:21 -!- Wanderer [i=nomad@c-98-245-32-157.hsd1.co.comcast.net] has joined ##openvpn
14:21 < Wanderer> anyone who can help with keys/certs?
14:22 < Wanderer> I've eliminated network issues, and thought I had eliminated ca/key issues
14:22 < Wanderer> but it's pointing back that way
14:22 < jeev> what's the issue
14:22 < Wanderer> restarted my openvpn and it's dead
14:22 < Wanderer> let me find an error
14:23 < Wanderer> Sat Sep 27 13:23:30 2008 98.245.32.157:33008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
14:23 < Wanderer> but I got one saying to check certs/keys also (scrolled off already)
14:24 < Wanderer> know how I can verify keys/certs?
14:25 < jeev> i'm a pretty big noob
14:25 < jeev> why dont you recreate the keys
14:25 < Wanderer> this is for work, have production users
14:25 < Wanderer> found this:
14:26 < Wanderer> openssl verify -CAfile ca.crt -purpose sslclient crestone.crt
14:35 < Wanderer> ok,
14:36 < Wanderer> need to find a very simple 'howto' on recreating all the keys
14:36 < Wanderer> ugh
14:39 < Dougy[Work]> that's very easy
14:39 < Dougy[Work]> sup jeev
14:39 < Wanderer> Dougy: got a HOWTO I can trace?
14:39 < Dougy[Work]> !howto
14:39 < vpnHelper> Dougy[Work]: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:39 < Dougy[Work]> it's on there
14:39 < Wanderer> or a way to verify my certs aren't bad?
14:40 < Wanderer> yeah, I see the openvpn.net howto, has linux and windows intermingled which is a pita
14:40 < Wanderer> this has been working great for a year and boom, dead
14:40 < Dougy[Work]> http://openvpn.net/howto.html#pki
14:40 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
14:41 < Wanderer> ok, back to reading
14:41 < Wanderer> glad it's a weekend and it broke friday afternoon, not monday
14:42 < Wanderer> is there a way to see how long the certs/keys are good for?
14:42 < Wanderer> damnit... in openssl.conf.... 365 days
14:42 -!- jack|ass [n=jack@c-67-189-104-112.hsd1.or.comcast.net] has quit [Read error: 113 (No route to host)]
14:43 < Wanderer> ok, do I have to create keys for everyone again or is there a way to update the crt and not have to walk users through re-creating keys
14:43 < Wanderer> err, re-installing keys
14:43 < Wanderer> (got some that give me migraines)
14:46 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.]
14:50 < Wanderer> ok, Dougy: any suggestions or am I rebuilding?
14:51 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
14:52 < Dougy[Work]> Er
14:52 < Dougy[Work]> I suck with openvpn
14:52 < Dougy[Work]> ask krzee or ecrist
14:52 < Wanderer> both idle for quite some time
14:52 < Wanderer> ok, backed up dirs with tar, guess I'll create new in the mean time
14:53 < Wanderer> dont suppose you know how to change a .crt/.key pair to a .pem I can use in a config instead of having to send all the files to users
14:53 < Wanderer> trying to simplify things so they don't get confused
15:02 < Wanderer> hmm
15:02 < Wanderer> doing the "build-key-server" from the HOWTO I get an error, "Error Loading extension section server"
15:09 < Dougy[Work]> hm
15:09 < Dougy[Work]> i fail at everything
15:09 < Dougy[Work]> did you try googling that?
15:10 < Wanderer> yeah, nothing overly useful yet
15:11 < Wanderer> found one that said to set an option in openssl.cnf but that didn't help
15:11 < Dougy[Work]> the mailing list is borked
15:11 < Dougy[Work]> =/
15:11 < Dougy[Work]> http://openvpn.net/archive/openvpn-users/2005-08/msg00210.html
15:11 < vpnHelper> Title: [Openvpn-users] Error Loading Extension Section Server!!!! (at openvpn.net)
15:12 < Dougy[Work]> http://readlist.com/lists/lists.sourceforge.net/openvpn-users/1/6916.html
15:12 < vpnHelper> Title: Error Loading extension section server - ReadList.com (at readlist.com)
15:12 < Dougy[Work]> @ Wanderer
15:13 < Dougy[Work]> http://translate.google.com/translate?u=http%3A%2F%2Fwww.vpnforum.de%2Fopenvpn-forum%2Fviewtopic.php%3Fp%3D16230&sl=de&tl=en&hl=en&ie=UTF-8
15:13 < Wanderer> (reading)
15:13 < vpnHelper> Title: Translated version of http://www.vpnforum.de/openvpn-forum/viewtopic.php?p=16230 (at translate.google.com)
15:13 < Wanderer> and thanks for all your help Dougy
15:13 < Dougy[Work]> i haven't helped at all
15:13 < Dougy[Work]> if oyu wany
15:13 < Dougy[Work]> you want*
15:13 < Dougy[Work]> post it on
15:14 < Dougy[Work]> !forum
15:14 < vpnHelper> Dougy[Work]: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
15:14 < Dougy[Work]> your problem that is
15:14 < Wanderer> first one is typical
15:14 < Dougy[Work]> and someone will get to it
15:14 < Dougy[Work]> i'm trying to get the forum going
15:16 < Wanderer> I have a problem followed by "look into it and you'll find the problem" ....
15:16 < Wanderer> first one is borked, can't follow the thread
15:16 < Wanderer> (found it a couple times)
15:16 < Dougy[Work]> ah
15:17 < Wanderer> one thread though had an openssl command that may do the same thing
15:17 < Wanderer> trying to get args right
15:17 < Dougy[Work]> k
15:17 < Dougy[Work]> if it doesn't work i'll put ecrist to work when he shows up
15:17 < Dougy[Work]> if you put it on the forum
15:17 < Dougy[Work]> haha =]
15:17 < Wanderer> will do asap
15:17 * Dougy[Work] nods
15:18 < Dougy[Work]> tell your openvpn using friends about it too
15:18 < Wanderer> don't want to cause devs problems, I love openvpn, saves me a lot of trouble
15:18 < Wanderer> hehe, I'm one of the more knowledgeable of my friends :>
15:18 < Dougy[Work]> yeah
15:18 < Dougy[Work]> well..
15:18 < Wanderer> the problem is it's been up and running for a year
15:18 < Dougy[Work]> my in real life friends i'm more knowledgeable
15:18 < Dougy[Work]> but
15:18 < Dougy[Work]> online
15:18 < Wanderer> other than running a script to add a new user a while back, I haven't had to touch it
15:18 < Dougy[Work]> ecrist, krzee, and just about everyone else i talk to rip me
15:18 < Wanderer> rock solid
15:18 < Dougy[Work]> did you by chance update anything?
15:19 < Wanderer> nope, first thing I checked
15:19 < Wanderer> (after driving my ISP nuts)
15:24 < Dougy[Work]> hm
15:24 < Dougy[Work]> Not sure.
15:25 < Dougy[Work]> Updating something sounds like the most likely cause of it to just break
15:25 < Wanderer> yeah, the packages are over 4+ months old
15:26 < Wanderer> hmm, I actually may not have made a key since then
15:33 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
15:35 < Wanderer> ugh
15:35 < Wanderer> openssl req -days 3650 -nodes -new -keyout ca1.key -out ca1.csr -extensions server -config ../openssl.cnf
15:35 < Wanderer> Error Loading extension section server
15:35 < Dougy[Work]> that's a server error
15:35 < Dougy[Work]> sounds like
15:35 < Dougy[Work]> like something is missing
15:35 < Wanderer> yup
15:36 < Wanderer> hmm, wonder if I can make it on another server and scp over
15:36 < Dougy[Work]> try #openssl
15:36 < Dougy[Work]> oh
15:36 < Dougy[Work]> nobodys there
15:36 < Dougy[Work]> lol
15:43 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn
15:43 < Dougy[Work]> hey ChUbB
15:45 < ChUbB> hi
15:46 < Wanderer> 'lo
15:46 < Wanderer> ugh, still not getting anywhere
15:47 < Dougy[Work]> :/
15:47 < Wanderer> google being completely useless
15:47 < Dougy[Work]> What OS is the server running on?
15:47 < Dougy[Work]> Don't say DEian
15:47 < Dougy[Work]> Debian*
15:48 < ChUbB> CentOS FTW!
15:48 < Dougy[Work]> ChUbB, for linux yeah
15:48 < Dougy[Work]> for *nix no
15:49 < ChUbB> yer linux ftw then :P
15:52 < Dougy[Work]> haha
15:53 < ChUbB> Dougy: what u using openvpn for atm work or home ?
15:53 < Dougy[Work]> personal
15:53 < Dougy[Work]> well
15:53 < Dougy[Work]> i would be using it for personal if i had a place to have it
15:53 < Dougy[Work]> hah
15:54 < ChUbB> k lol
15:54 < Wanderer> Debian Sarge
15:55 < Dougy[Work]> Wanderer, that may be part of the issue
15:55 < Dougy[Work]> may
15:56 < Wanderer> it's scheduled to be replaced/upgraded but will be a month or two
15:57 < Dougy[Work]> i wasn't referring to the version
15:57 < Dougy[Work]> debian and openssl have not been playing nicely
15:57 < Wanderer> replacement is ubuntu
15:58 < Dougy[Work]> remind me to find you and cut you
15:58 < Dougy[Work]> :)
15:59 < Wanderer> heh
15:59 < Wanderer> hey, it's secure and stable
15:59 < Wanderer> these are servers, not gaming systems
16:03 < Dougy[Work]> yeah
16:03 < Dougy[Work]> still
16:07 < ChUbB> could norton stop ping to a work station ?
16:07 < Wanderer> would it be real bad to try tinyca instead of openvpn?
16:08 < Wanderer> crap, tinyca wants a bunch of X and gtk stuff
16:13 < Wanderer> openvpn stopped packaging easy-rsa?
16:40 < Wanderer> what a pain in the ass
16:40 < Wanderer> but I think I have progress
16:50 < ecrist> Wanderer: easy-rsa sucks balls, anyway
16:51 < Dougy[Work]> ECRIST! :)
16:51 < Dougy[Work]> going home. bbl.
16:51 < ecrist> hi, Dougy[Work]
16:52 < Wanderer> it may but I have a bunch of scripts wrapped around it to create client configs, etc
16:55 < ecrist> what is there to create with the client config? aren't most of your users using the same config?
16:56 < Wanderer> scripts to create keys, create ccd, zip it up and send to the user
16:56 < Wanderer> I messed with tinyca but it didn't put the server key anywhere I could find it
16:56 < Wanderer> keep in mind I just installed it for the first time
16:57 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:57 < ecrist> hrm, I wrote a script to do much of that, minus the send to user - I left that to the admin.
16:57 < Wanderer> have to get this all setup and running first thing monday to spend the day re-keying users
16:58 < ecrist> email isn't good, at work we have a secure ftp server for such things.
16:58 < ecrist> http://www.secure-computing.net/trac
16:58 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net)
16:58 < Wanderer> I only email to the internal server
16:58 < Wanderer> nothing external
16:58 < ecrist> look into there for ssl-admin
16:58 < Wanderer> so they have to connect to the ssl email server to get the files
16:58 < ecrist> a bit of that code is written for freebsd, but it wouldn't be hard to massage it for linux.
16:58 < Wanderer> hahaha
16:59 < ecrist> ?
16:59 < Wanderer> I went to that page and it says it's using an invalid security cert
16:59 < ecrist> yes, it's a self-signed certificate.
16:59 < Wanderer> yeah, firefox doesn't like it
16:59 < ecrist> if you want to give me the money for a non-self signed cert, you're welcome to.
16:59 < Wanderer> just struck me as funny :>
16:59 < ecrist> one of these days I'm going to stop requiring SSL on my site.
17:00 < Wanderer> firefox won't load the page
17:00 < ecrist> yes it will,
17:00 < ecrist> add an exception.
17:01 < ecrist> or don't, I don't really care.
17:01 < Wanderer> thats the odd part, normally firefox gives the option to add an exception, not doing it now
17:01 * ecrist shrugs.
17:01 < ChUbB> anyone use openvpn for gaming ?
17:02 < Wanderer> did at one point
17:02 < ecrist> that's a pretty common use, ChUbB
17:02 < Wanderer> has a multinode vpn set up for playing xbox's on localnet without xbox live
17:03 < ChUbB> yer setting it up for CnC 3 pptp dont do broadcasts
17:03 < ChUbB> is there a big vpn for xbox gaming ?? or u on about what has been done
17:05 < ecrist> openvpn isn't pptp
17:06 < ChUbB> yer i no
17:09 < ChUbB> is there any issues with samba shares loading very slow over vpn ?
17:12 < ecrist> only due to connection speed.
17:12 < ChUbB> kk
17:18 < ChUbB> nice got a pdf download of openvpn book :P
17:18 < Wanderer> hmmm, ok, my openvpn conf has a line "ca keys/cacert.pem" but I don't have that pem
17:19 < Wanderer> how do I make that from the CA files?
17:19 < Wanderer> howto doesn't cover it
17:19 < Wanderer> or what can I replace the "ca" option with?
17:20 < Wanderer> ah, found that
17:39 < Wanderer> ugh, trying to start my client it fails, no reason
17:39 < Wanderer> with "verb = 10"
17:43 * ecrist isn't clairvoyant.
17:44 < ChUbB> shouldnt it be "verb 10"
17:45 < ecrist> yes
17:47 < ChUbB> anyone got openvpn working on vista 64bit ?
17:50 < Wanderer> err, ok it was "verb 10'
17:50 < Wanderer> ecrist: can I give you my server and client configs via pastebin?
17:51 < Wanderer> I'm missing something dumb
17:51 < ecrist> sure
17:51 < Wanderer> thanks
17:52 < ecrist> it's just not starting?
17:52 < ecrist> the client or the server?
17:52 < ecrist> what're the symptoms?
17:52 < Wanderer> I did the genkey from the HOWTO for the tlskey and scp'd it down
17:53 < Wanderer> the server seems to be starting fine
17:53 < Wanderer> the client fails to start
17:53 < Wanderer> no output
17:53 < Wanderer> no output other than the port warning
17:53 < ecrist> none at all?
17:53 < Wanderer> sec, I'll pastebin it
17:53 < ecrist> nothing in the logs?
17:55 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn
17:55 < funky> hello people
17:55 < Wanderer> hello
17:58 < ecrist> Wanderer: why do you have 'pull' in your client config?
17:58 < Wanderer> I don't remember off the top of my head, that config's about a year old
17:58 < Wanderer> I think it was related to getting routes and ips
17:59 < ecrist> Wanderer: tls-auth key is the same on client and server, correct?
17:59 < Wanderer> yup, verified with md5sum to make sure
18:00 < ecrist> well, try removing that part of the config from the server and client, see if it starts OK.
18:00 < ecrist> hi, funky
18:00 < Wanderer> which part?
18:01 < ecrist> remove tls-auth from both.
18:01 < ecrist> and remove pull from client config
18:01 < Wanderer> ok, server starts
18:01 < ChUbB> whats ur localtime people ?
18:01 < ecrist> 18:01
18:02 < Wanderer> client fails to start, same lack of error
18:02 < ChUbB> 00:00 here
18:02 < ecrist> re-paste your server logs, please.
18:02 < ecrist> ChUbB: why does it matter?
18:03 < Wanderer> ecrist: server log is identical. doesn't say anything about the client connecting
18:03 < ecrist> also, what's with tls-server and tls-client?
18:03 < Wanderer> its like the client never makes it to the server
18:03 < Wanderer> again, that was done a year ago, not 100% sure anymore
18:03 < ecrist> Wanderer: how're you starting openvpn on the client?
18:03 < Wanderer> part of what I loved about openvpn is I had it up and running and was able to forget about it
18:03 < Wanderer> "/etc/init.d/openvpn restart"
18:04 < ecrist> Wanderer: try starting it manually, with openvpn -config
18:04 < ecrist> as root
18:05 < Wanderer> Options error: I'm trying to parse "-config" as an --option parameter but I don't see a leading '--'
18:05 < Wanderer> thats the output
18:05 < ecrist> openvpn --config
18:06 < Wanderer> ok, missed a -
18:06 < Wanderer> hmm, says it can't find the ca file
18:06 < ecrist> ;)
18:07 < ecrist> just a tip, when trouble-shooting, it's generally a good idea to start things manually.
18:10 < Wanderer> never done that before, thanks
18:10 < Wanderer> a lot more info than I get in the logs :>
18:10 < Wanderer> ok, now to check out those settings :>
18:10 < ecrist> it's being put in a log somewhere, usually, you just have to figure out which one. This way, it's all on the console.
18:11 < ecrist> usually, on FreeBSD, those startup messages go to /var/log/messages
18:13 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
18:13 < Wanderer> hmm
18:13 < Wanderer> new error: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/ST=Co/O=Corona_Solutions/CN=crestone.coronasolutions.com/emailAddress=support@coronasolutions.com
18:14 < ecrist> try removing that line from your client config, requiring the specific CN/
18:17 < Wanderer> ok, looks like I'm connecting, but not getting routes
18:17 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
18:18 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:18 < Dougy> hiyo
18:18 < ecrist> wb
18:31 < Dougy> thx ecrist
18:31 < Dougy> :)
18:31 < Dougy> btw if i'm here, just highlight me if want to say something to me
18:31 < Dougy> because then ill look
18:31 < Dougy> otherwise i might missi
18:31 < Dougy> miss it
18:34 < ChUbB> hi, when i access a windows share across the vpn it takes a while to load is this normal (the vpn is bridged setup and on behind a second router at home so connect is lan speed)
18:35 < ecrist> ChUbB: you're not doing this across the internet?
18:36 < ecrist> also, you're going to be limited by the processor of the slowest VPN endpoint.
18:36 * ecrist goes to the bar.
18:37 < Dougy> haha
18:39 < ChUbB> ecrist: yer its on lan at the mo for testing, share loads up instantly but over vpn takes some time
18:44 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["Depression is merely anger without enthusiasm"]
19:23 < Wanderer> bah, back
19:23 < Wanderer> impromptu visitors bite
19:27 < Dougy> lol
19:28 < Wanderer> hmm
19:28 < Wanderer> server giving a new error
19:28 < Wanderer> Authenticate/Decrypt packet error: packet HMAC authentication failed
19:28 < Wanderer> Sat Sep 27 18:28:07 2008 TLS Error: incoming packet authentication failed from
19:29 < Wanderer> ever seen that one?
19:29 < Dougy> No
19:29 < Dougy> wait
19:29 < Dougy> yes
19:29 < Wanderer> hahaha
19:29 < Wanderer> come on, give me a "maybe" in there :>
19:30 < Dougy> http://osdir.com/ml/network.openvpn.user/2004-08/msg00447.html
19:30 < vpnHelper> Title: Re: Authenticate/Decrypt packet error: packet HMAC: msg#00447 (at osdir.com)
19:30 < Dougy> http://openvpn.net/archive/openvpn-users/2004-05/msg00289.html
19:30 < vpnHelper> Title: Re: [Openvpn-users] Authenticate/Decrypt packet error: packet HMAC authentication failed (at openvpn.net)
19:30 < Wanderer> yeah, found similar with google
19:30 -!- r00tintheb0x [n=r00tinth@firewall.ctssys.com] has joined ##openvpn
19:30 < Wanderer> but I did an md5sum on the key twice and it's the same
19:32 < Wanderer> what's real interesting is it's still streaming that error
19:32 < Wanderer> but I've stopped the client
19:38 < Wanderer> ok, figured that one out
19:40 -!- r00tintheb0x [n=r00tinth@firewall.ctssys.com] has quit [Read error: 104 (Connection reset by peer)]
19:47 < Wanderer> hmm
19:47 < Wanderer> server certificate verify failed
19:47 < Wanderer> files are identical though
19:55 < Wanderer> ugh
19:55 < Wanderer> just ran this:
19:55 < Wanderer> openssl verify -CAfile ca.crt server.crt
19:55 < Wanderer> got an error it was unable to get local issuer certificate
19:59 < Wanderer> wtf
19:59 < Wanderer> just did a clean, build-ca, build-key-server server
19:59 < Wanderer> re-ran the verify and it fails
19:59 < Wanderer> ls
19:59 < Dougy> ouch
19:59 < Wanderer> how the hell does that happen
20:00 < Wanderer> {0}:/etc/openvpn/easy-rsa/keys>openssl verify -CAfile ca.crt server.crt
20:00 < Wanderer> server.crt: /C=US/ST=Co/O=Corona Solutions/CN=crestone.coronasolutions.com/emailAddress=support@coronasolutions.com
20:00 < Wanderer> error 20 at 0 depth lookup:unable to get local issuer certificate
20:00 < Dougy> o.O
20:00 < Dougy> !notopenvpn
20:00 < vpnHelper> Dougy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
20:00 * Dougy runs
20:00 < Wanderer> hehe
20:00 < Wanderer> yeah, thats a valid answer
20:00 < Dougy> krzee made up that reply
20:00 < Dougy> iirc
20:00 < Dougy> its his bot
20:00 < Wanderer> it's a quiet channel, I know I may be talking to myself
20:01 < Wanderer> let me see if anyone in #openssl yet
20:01 < Wanderer> heh, nope
20:05 < Wanderer> hmm, when I do the "build-ca" it doesn't ask for a passphrase
20:36 < Wanderer> dougy: got progress
20:36 < Dougy> yo yo yo
20:36 < Dougy> what happened?
20:36 < Wanderer> remade the CA files completely
20:36 < Wanderer> even though the passphrase was right
20:37 < Wanderer> something was out of sync, or expired also
20:37 < Wanderer> but now I'm back to needing the right setting for tls-remote
20:37 < Wanderer> it's failing to verify the certificate
20:37 < Wanderer> I grepped the string out of server.crt but it doesn't like that
20:38 < Wanderer> so I need to find the right string somehow
20:38 < Dougy> you're above me now
20:38 < Dougy> heh
20:38 < Dougy> talking above my level
20:45 < Wanderer> slowly piecing this together
20:45 < Wanderer> and I set the key to expire in 10 years
20:45 < Dougy> nice
20:45 * ecrist is back.
20:46 < Dougy> wb ecrist
20:46 < ecrist> Wanderer: I've already told you, easy-rsa sucks. Don't use it. Use ssl-admin.
20:50 < Wanderer> ok, you said it sucks, you didn't say "ssl-admin"
20:50 < Wanderer> I'm past the easy-rsa part
20:51 < Wanderer> now I'm at the "why isn't the key verifying under openvpn" part
20:51 < Wanderer> I can do the openssl verify and it's good
20:52 < Wanderer> ecrist: got a sec to look at a client conf and log?
20:54 < Wanderer> doh
20:54 < Wanderer> I think I got it
20:54 -!- grendal_prime [n=grendal_@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
20:56 < Wanderer> oh hell, new error
20:56 < Wanderer> but it connects
20:57 < grendal_prime> hey guys. Listen we have an appliance that uses openvpn to connect to our central office. a lot of these units were deployed prior to the discovery of the weak key bug on debian systems. If i upgrade openvpn on the server, these boxes will still be able to connect...correct?
20:57 < Wanderer> ok, tunnel is up but no IP or net routes
20:58 < Wanderer> grendal_prime: openvpn will connect
20:58 < Wanderer> ssh will have issues though
20:58 < Wanderer> (I have a similar setup)
20:58 < grendal_prime> the way i understand it everything will continue to work but it is best to change out those keys as soon as possible. is that also correct?
20:58 < Wanderer> when you do the upgrade it will change the ssh keys on the server
20:59 < Wanderer> any remote hosts that have the keys in ~/.ssh/known_hosts will throw errors that the keys are not valid anymore
20:59 < Wanderer> but the vpn won't be affected, just ssh based connections
20:59 < grendal_prime> ya the ssh process i understand. have had to deal with it a lot already. i just was under the impression this problem cascaded down to openvpn as well.
21:00 < Wanderer> no, it's openssh
21:00 < Wanderer> didn't affect any of my openvpn connections
21:00 < grendal_prime> interesting, we ran the checking script and it listed a lot of the keys that were created for each one of these appliances.
21:01 < ecrist> Wanderer: everything crypto is affected by the debian bug.
21:01 < ecrist> it was an all-around bug involved with the random number generator having an 8 bit threshold where there were only 65535 possible random numbers.
21:02 < grendal_prime> yep thats the one
21:02 < ecrist> grendal_prime: all the keys are affected by the bug, which you've created. You need to start from scratch.
21:03 < grendal_prime> but it will still work...i just need to script something out that will generate new keys for each of these clients and then swap them out on both the server and the client next time they connect would that be correct as well?
21:04 < ecrist> yeah, you could do that.
21:04 < ecrist> you need a new ca, thus new sub-keys
21:05 < grendal_prime> well it would be impossible for us to do it any other way. I think what they have in mind is a new server, with all the new certs and keys, then when the box logs in, we install one package that points it to the new server with the new keys.
21:05 < ecrist> there you go.
21:05 < grendal_prime> new ca and everything.
21:06 < ecrist> sounds like a solid plan to me.
21:06 < grendal_prime> right on. thanks for the info guys.
21:07 < Dougy> i want to be smart like ecrist one day
21:07 < grendal_prime> well..you will have to fit crist in there somewhere.
21:07 < grendal_prime> hehehe
21:08 < grendal_prime> like Dcrist..
21:08 < ecrist> lol
21:08 < grendal_prime> you could really go the extra mile and go with Dchrist
21:09 < grendal_prime> but if you do that ill have to change my nic to i'll-be-Gchrist
21:10 < Dougy> bit
21:10 < Dougy> but
21:10 < Dougy> ecrist's last name is crist
21:11 < Dougy> mine is haber
21:11 < Dougy> haber != crist
21:11 < ecrist> haber < crist. :)
21:11 < Dougy> i do not like it written that way
21:11 < Dougy> crist > haber
21:12 < ecrist> lol, I'm just being funny.
21:13 < grendal_prime> ya, well...maybe just get real smart and not worry about the nic change...that could have been a bad idea.
21:14 < ecrist> I'm not really any smarter than anyone else, fwiw. I just read docs.
21:15 < Wanderer> ecrist: initialization sequence completes but it doesn't seem the tunnel comes all the way up
21:15 < ecrist> client/server config?
21:15 < Wanderer> yeah
21:15 < Wanderer> sec
21:18 < Wanderer> ok, client server
21:18 < Wanderer> Sat Sep 27 20:18:13 2008 Initialization Sequence Completed
21:18 < Wanderer> ifconfig -a doesn't have an ip on the tun though
21:19 < Wanderer> hmm, "pull" fixed it
21:19 < ecrist> what version of openvpn?
21:20 < Wanderer> server is 2.0-1sarge4
21:20 < ecrist> you should upgrade to 2.0.9
21:21 < Wanderer> that's the latest on sarge
21:21 < Wanderer> this machine is going away in about a month and a half
21:21 < ecrist> don't use their packages.
21:21 < Wanderer> just need this working until then
21:22 < ecrist> ok
21:22 < ecrist> you could just download and compile the source.
21:22 < ecrist> I do it on my mac.
21:22 < Wanderer> ok, I can ping the remote IP
21:22 < Wanderer> but not past it
21:22 < ecrist> you need IP forwarding on the server.
21:24 < Wanderer> it is
21:24 < Wanderer> checking my ccd
21:25 < Wanderer> bingo
21:25 < Wanderer> ccd was horked
21:25 < Dougy> horked?
21:26 < Dougy> whoa
21:26 < Dougy> wtf
21:26 < Dougy> now there's two
21:26 < Dougy> borked + horked
21:26 < Wanderer> heh
21:26 < Wanderer> you've never used those?
21:26 < Dougy> I use borked
21:26 < Dougy> but never heard horked
21:27 < Wanderer> horked is like borked, but it's more slimy/sloppy
21:27 < Wanderer> versus just broken
21:27 < ecrist> kinda like sex with your mother.
21:28 < Wanderer> oh, that's another whole term I've never thought ough
21:28 < Wanderer> be something like alabama-orked
21:32 < Dougy> ecrist, no
21:32 < Dougy> just no
21:32 < Dougy> wow..
21:32 < Dougy> i just found an award i got years ago
21:32 < Dougy> wth
21:32 < Dougy> lol
21:34 * ecrist goes to bed.
21:56 < grendal_prime> wow...e to the crist has to sleep?
21:56 < grendal_prime> hehehe night bro and thanks again
21:57 < Dougy> lol
22:32 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
22:43 < grendal_prime> hey when you generate key pairs with ssh-keygen, it asks you for a passphrase, is that just for retrieving the private key in the event it gets lost, or is it actually another level of authentication for connection?
23:26 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
23:33 < Wanderer> topic for monday... how to swap out ca and keys for a different server and its clients
23:33 < Wanderer> when the only connectivity is ssh from the server to the clients
23:55 -!- grendal_prime [n=grendal_@dsl-12-44-166-053.arpa2.caltel.com] has quit [Remote closed the connection]
--- Day changed Sun Sep 28 2008
00:05 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
00:53 -!- rubydiamond [n=rubydiam@123.236.177.211] has joined ##openvpn
01:52 -!- bandini [n=bandini@host250-6-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
02:27 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
03:34 -!- ropetin [n=ropetin@mail.sohoemailsolutions.com] has joined ##openvpn
03:35 < ropetin> Hey, quick question, I have a Linux client connecting via OpenVPN, I'd like it to run a script after connection, but I can't figure out where/how to do it. The only help google seems to give me is for Windows clients :(
03:37 < krzee> !man
03:37 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
03:37 < krzee> search for --up
03:37 < ropetin> krzee: thank you!
03:37 < krzee> it's nice and built in to do what you are asking
03:37 < krzee> np =]
03:38 < ropetin> Since Google I always forget the man pages!
03:38 < krzee> ya, you'll find this one is mandatory to understanding what's up
03:38 < krzee> between !man and !howto you learn mostly everything
03:40 < ropetin> :)
03:40 < krzee> usually i say google for learning things
03:40 < krzee> but i find that many of the sites on openvpn confuse things
03:41 < krzee> they try to tell people what to do instead of why in many cases
03:41 < ropetin> And there ya go, it works like a champ!
03:41 < ropetin> krzee: That's definitely true
03:42 < krzee> [23:43] hey when you generate key pairs with ssh-keygen, it asks you for a passphrase, is that just for retrieving the private key in the event it gets lost, or is it actually another level of authentication for connection?
03:42 < krzee> that passphrase would be needed to access the real key which would be used to connect
03:42 < krzee> so the local file would need a passphrase before being usable to connect to the machine
03:43 < krzee> [00:33] topic for monday... how to swap out ca and keys for a different server and its clients
03:43 < krzee> [00:33] when the only connectivity is ssh from the server to the clients
03:43 < krzee> Wanderer, man ssh, it's built to run commands remotely, works in shell script
03:44 < krzee> so you can scp them over, then use ssh to chmod, restart openvpn, whatever
03:46 < krzee> [21:00] {0}:/etc/openvpn/easy-rsa/keys>openssl verify -CAfile ca.crt server.crt
03:46 < krzee> [21:00] server.crt: /C=US/ST=Co/O=Corona Solutions/CN=crestone.coronasolutions.com/emailAddress=support@coronasolutions.com
03:46 < krzee> [21:00] error 20 at 0 depth lookup:unable to get local issuer certificate
03:46 < krzee> [21:00] o.O
03:46 < krzee> [21:00] !notopenvpn
03:46 < krzee> Dougy[Work], i disagree, that's pretty openvpn related (correct building of openvpn certs)
03:47 < krzee> things like firewall config, how to trick out nat, understanding basic routing, etc are !notopenvpn
03:47 < krzee> things that openvpn stays out of, and belong to their specific OS
03:49 < krzee> it exists cause the person will be more likely to find help in a chan dedicated to their OS or whatever they wanna achieve, versus waiting for someone here who i.e. knows solaris to show up
03:59 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has joined ##openvpn
03:59 < dan__t> Good morning.
04:00 < dan__t> I know this sounds kind of ridiculous, but conceivably, how many routes would one be able to push to a client?
04:06 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:13 < ropetin> dan__t: I don't know, but I have a current setup with 20 routes, and it works like a champ
04:13 < dan__t> I'm talking like 500
04:13 < dan__t> :/
04:14 < ropetin> Wow! Not sure
04:14 < ropetin> I'd say give it a go :)
04:14 < dan__t> haha
04:14 < dan__t> I shall.
04:14 < ropetin> And dare I ask why you'd need that many routes?
04:14 < dan__t> An ass-backwards way of doing ACLs, kind of.
04:14 < dan__t> Forcing specific destinations of varying IP space down the tunnel, but only ones explicitly allowed.
04:15 < ropetin> Ahh, user Joey can get to subnets 1 and 2, Stan can get to 1 and 4?
04:15 < ropetin> Close ;)
04:15 < dan__t> Well no, user Joey can go to site1.com, site2.com, site3.com, if they try to force a route for site4.com down the VPN, they will not be able to
04:15 < dan__t> a la iptables
04:16 < ropetin> Excellent
04:16 < dan__t> I know, not ideal.
04:16 < dan__t> But for the sake of bandwidth, I don't want all traffic going through the tunnel - just ones explicitly defined.
04:18 < ropetin> Which is sensible
04:19 < dan__t> And again, if someone tries to push a route through to a site not explicitly defined, iptables blocks it in PREROUTING
04:19 < ropetin> Hey krzee, are you still here and being helpful?
05:18 -!- rubydiamond [n=rubydiam@123.236.177.211] has quit [Read error: 110 (Connection timed out)]
07:52 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 104 (Connection reset by peer)]
07:53 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
09:05 -!- Henkie__ [n=basneder@212-123-184-177.ip.telfort.nl] has joined ##openvpn
09:06 < Henkie__> how difficult is it to add a different authentication method in openvpn? (or extend)
09:08 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
09:44 -!- [twisti] [n=fuckyou@u-0-015.vpn.RWTH-Aachen.DE] has joined ##openvpn
09:44 < [twisti]> hi, i got a confused question: when i install openVPN as a service in windows, how does it know what parameters to use ?
09:44 < [twisti]> since there seems to be no config file, just cli parameters
09:50 < Dougy[Work]> yo yo yo yo yo yo yo yo was good
09:51 < Dougy[Work]> ropetin
10:02 -!- Henkie__ [n=basneder@212-123-184-177.ip.telfort.nl] has quit [Remote closed the connection]
10:03 < ecrist> g'morning, peeps
10:03 < Dougy[Work]> what is UP my man
10:03 < Dougy[Work]> haha
10:04 * Dougy[Work] is overtired
10:06 -!- [twistii] [n=fuckyou@u-7-059.vpn.RWTH-Aachen.DE] has joined ##openvpn
10:06 < [twistii]> isn't anyone awake ? :(
10:06 < ecrist> yes
10:06 < ecrist> you've been here about half a second.
10:06 < ecrist> :\
10:07 < Dougy[Work]> lol
10:07 < ecrist> and then he doesn't respond. what an ass
10:07 < Dougy[Work]> Haha.
10:07 < SilenceGold> must be an irc newbie
10:07 < Dougy[Work]> hey SilenceGold :)
10:07 < Dougy[Work]> what's up?
10:07 < SilenceGold> taking a big break
10:07 < SilenceGold> you?
10:07 < SilenceGold> btw, I fixed my routing problem
10:07 < Dougy[Work]> being lazy at work
10:08 < SilenceGold> didn't realize that it was accidentally switched from tun to tap in the server's config
10:08 < Dougy[Work]> lol
10:08 < Dougy[Work]> oops
10:08 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
10:08 < SilenceGold> yea I probably will have to use WAN to WAN via openvpn
10:08 < SilenceGold> at work
10:08 -!- [twisti] [n=fuckyou@u-0-015.vpn.RWTH-Aachen.DE] has quit [Read error: 113 (No route to host)]
10:09 < Dougy[Work]> I don't have a vpn
10:09 < Dougy[Work]> =[
10:09 < Dougy[Work]> ecrist, question for you
10:09 < [twistii]> oh, i was here earlier
10:09 < ecrist> hurry, I'm on my way out for a bit.
10:09 < Dougy[Work]> if i host openvpn on an old pair of dual xeons and an IDE drive
10:09 < Dougy[Work]> old old xeons
10:09 < [twistii]> and nobody answered or talked
10:09 < Dougy[Work]> 533 mhz fsb
10:09 < Dougy[Work]> will it lag like hell?
10:09 < [twistii]> must have gotten disced
10:09 < Dougy[Work]> my friend says it will be awful
10:09 < [twistii]> how do i specify login/pass when trying to run openVPN as a service in windows ?
10:10 < ecrist> Dougy[Work]: not really, won't be super fast, but should be able to keep up with most internet connections, I would thin.
10:10 < ecrist> think*
10:10 < Dougy[Work]> ecrist, it would just be me on it really
10:10 < Dougy[Work]> maybe a couple others, but even so no more than 2 at a time
10:10 < Dougy[Work]> I just picked one up on ebay
10:10 < Dougy[Work]> an old HP Proliant G3
10:10 < Dougy[Work]> dual xeon 2.8s, 533 mhz fsb
10:10 < Dougy[Work]> 3 gb ram
10:10 < Dougy[Work]> $51
10:10 < ecrist> Dougy[Work]: that should work just fine.
10:10 < Dougy[Work]> I'm mainly buying it for the chassis
10:11 < Dougy[Work]> For $51 that is a STEAL
10:11 < Dougy[Work]> heh
10:11 < Dougy[Work]> i have the drives at home, it doesn't come with caddies or drives, but still a steal
10:12 < ecrist> Dougy[Work]: keep in mind, it's a proprietary piece of hardware, you're probably not going to be able to put another motherboard in it. Also, server hardware, especially rack hardware, is loud as fuck.
10:13 < Dougy[Work]> It's not staying in my house
10:13 < Dougy[Work]> heh
10:13 < [twistii]> i can't believe something so obvious and simple and essential doesn't work and isn't documented in any obvious place
10:13 < ecrist> I have a dedicated room in my basement, which I've insulated, to support rack hardware.
10:13 < Dougy[Work]> ecrist, mine is going in 60 William in NYC
10:13 < Dougy[Work]> ffs
10:13 < Dougy[Work]> i always typo the address
10:13 < ecrist> [twistii]: it *is* documented.
10:13 < Dougy[Work]> 100 william
10:13 < Dougy[Work]> my bad
10:13 < Dougy[Work]> =]
10:13 < [twistii]> ecrist: neither i nor google has found it yet, hence me saying it's not in an obvious place
10:14 < ecrist> 60 or 100, makes no difference to me.
10:14 < ecrist> openvpn.net/howto
10:14 < Dougy[Work]> ecrist, my friend is hooking me up
10:14 < Dougy[Work]> 1U colo with 15 Mbps bw on 100 Mb port for $45
10:14 < ecrist> monthly cap?
10:14 < Dougy[Work]> 15 Mbps
10:14 < Dougy[Work]> so like 4.7 TB
10:14 < Dougy[Work]> ~
10:14 < [twistii]> you can't set it in the connection config files, you can't send it as parameters to openvpn.exe (not that you could do that when it runs as a service anyways) and there seems to be no openvpn config file
10:14 < ecrist> ah
10:14 < [twistii]> yes ecrist, i've been reading that for the last hour or so
10:14 < Dougy[Work]> wow
10:15 < Dougy[Work]> i can't believe i guessed that..
10:15 < Dougy[Work]> i was just doing numbers in my head
10:15 < Dougy[Work]> 4.70234841 terabytes
10:17 -!- kaushal [n=kaushal@bbs.webaroo.com] has joined ##openvpn
10:17 < kaushal> hi
10:17 < [twistii]> wow, hidden regkeys that have to be changed manually to even get the options, that sure is convenient and obvious
10:17 < ecrist> [twistii]: http://openvpn.net/howto.html#auth
10:17 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
10:18 < [twistii]> ecrist: To use this authentication method, first add the auth-user-pass directive to the client configuration <- that's not possible, since as i said, i'm trying to run it as a service
10:19 < ecrist> [twistii]: it still uses a configuration file
10:19 < [twistii]> it does ?
10:19 < ecrist> of course
10:19 < [twistii]> i didn't find any mention of that so far
10:19 < [twistii]> other than the connection config, which doesn't seem to have such an option
10:19 < ecrist> how the fuck else is it going to get the fucking connection information?
10:20 < ecrist> [twistii]: perhaps you should read the documentation, then come back with questions?
10:21 < [twistii]> auth-user-pass isn't mentioned anywhere on that page but there, and it's not in the connection config default file either, but it does look like a command line parameter, --auth-user-pass
10:22 < ecrist> if you'd been reading that page for an hour, I'm sure you would have found the option.
10:22 < ecrist> I found it by searching the page for 'password'
10:22 < [twistii]> i did. as a command line option.
10:22 < Dougy[Work]> owned
10:23 < ecrist> [twistii]: it's also valid for the config file.
10:23 < ecrist> all a config file is, for openvpn, is a list of command-line options and their params
10:23 < ecrist> nothing too fancy about that.
10:24 < [twistii]> oh
10:24 -!- mode/##openvpn [+o ecrist] by ChanServ
10:24 < [twistii]> must have missed that part
10:24 < [twistii]> that explains A LOT
10:24 -!- mode/##openvpn [+b *!*@*.RWTH-Aachen.DE] by ecrist
10:24 -!- mode/##openvpn [-o ecrist] by ecrist
10:27 < Dougy[Work]> rofl
10:27 < Dougy[Work]> ecrist
10:27 < Dougy[Work]> you rock
10:27 < Dougy[Work]> haha
10:29 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
10:30 < Dougy[Work]> hey pa
10:30 < Dougy[Work]> ecrist, does freenode have halfop
10:31 < Dougy[Work]> what a prick
10:31 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Remote closed the connection]
10:33 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
10:34 < ecrist> Dougy[Work]: don't know
10:35 < Dougy[Work]> ecrist, he's pm'ing me
10:35 < Dougy[Work]> whiny brat
10:37 < ecrist> :\
10:38 < Dougy[Work]> <[twistii]> if you suck up just a little more, i'm sure he will give you voice at least
10:38 < Dougy[Work]> hmm
10:39 < ecrist> [twistii]: I don't operate that way.
10:41 -!- Xen^ [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
10:41 < Dougy[Work]> hey Xen^
10:42 < Xen^> hey
10:42 < Xen^> :)
10:42 < Xen^> long time
10:42 < Dougy[Work]> say what?
10:43 < Xen^> nothing
10:43 < Xen^> you tell me
10:43 < Xen^> what are you doing nowadays
10:44 < Xen^> i should say GOD save me from USA :)
10:44 < Xen^> because i live in PAKISTAN
10:44 < Dougy[Work]> oh god
10:45 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit [Read error: 60 (Operation timed out)]
10:51 < Xen^> what happened
10:51 < Xen^> :)
10:55 -!- Xen^ is now known as L|NUx
10:55 -!- L|NUx is now known as L|NUX
10:56 -!- mode/##openvpn [+o ecrist] by ChanServ
10:56 -!- mode/##openvpn [-b *!*@*.RWTH-Aachen.DE] by ecrist
10:56 -!- mode/##openvpn [-o ecrist] by ecrist
11:01 < L|NUX> O_o
11:08 < Wanderer> If a crt has expired (365 days), is there a way to re-enable it for a short period of time, say a week or so?
11:08 < Wanderer> I have 3 remote machines that expired and I need to generate new keys for them
11:09 < ecrist> Wanderer: no, there isn't.
11:09 < Wanderer> crap
11:09 < ecrist> once expired, it's expired.
11:09 < Wanderer> and dates can't be set back of course
11:11 < ecrist> you'd have to set the date back on the server.
11:11 < [twistii]> i'm trying to follow http://openvpn.net/index.php/documentation/install.html?start=1 the section building from source
11:11 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
11:11 < [twistii]> it says to edit makefile.32 and run makefile.w32
11:12 < [twistii]> but neither of these files exist
11:12 < [twistii]> any advice ?
11:12 < ecrist> [twistii]: did you download the source from the openvpn.net website?
11:12 < [twistii]> yes
11:13 * ecrist looks
11:13 < [twistii]> http://openvpn.net/release/openvpn-2.1_rc12.zip <- that's the one i took
11:13 < Wanderer> ecrist: I can set the date back on the server, what will that do to the clients?
11:13 < Wanderer> it's the clients I can't get to
11:13 < Wanderer> crap, gotta run an errand, back in 2hrs
11:14 < ecrist> l8r
11:14 < Wanderer> if I set the server back 2 weeks though, will the clients work?
11:14 < ecrist> Wanderer: they should.
11:14 < Wanderer> cool, thanks man, I owe you a couple beers
11:15 < Dougy[Work]> hmm
11:15 < Dougy[Work]> i think i'm gonna compile nginx
11:16 -!- [twistii] [n=fuckyou@u-7-059.vpn.RWTH-Aachen.DE] has quit []
11:17 -!- [twisti] [n=fuckyou@u-7-059.vpn.RWTH-Aachen.DE] has joined ##openvpn
11:17 < [twisti]> ecrist: did you find anything ? i got disced
11:18 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit ["Leaving"]
11:19 < ecrist> [twisti]: no, nothing yet, I've never tried compiling on windows, so I'm not familiar with it.
11:19 < ecrist> [twisti]: have you looked to see if the OpenVPN GUI version has the option pre-compiled?
11:20 < [twisti]> it doesn't appear to
11:21 < [twisti]> yeah, that's a negative
11:23 < ecrist> I'm out for a while.
11:42 < [twisti]> well
11:42 < [twisti]> looks like i'm screwed
11:42 < [twisti]> i'm not paying $2000 USD just to recompile openVPN under windows just to change something that should have been an option from the start
11:42 < [twisti]> and it doesn't look like there is any other way to get part of what you need to compile it under windows
11:43 < Dougy[Work]> you could *try* cygwin
11:43 < Dougy[Work]> i don't recommend it
11:44 < [twisti]> yeah, that wouldn't help at all
11:45 < [twisti]> you can't very well run cygwin as a service
11:45 < [twisti]> not that i would want to in the first place
11:55 -!- kaushal [n=kaushal@bbs.webaroo.com] has quit ["Ex-Chat"]
12:04 < [twisti]> so, has anyone here built openVPN on windows ? or is able to ?
12:23 -!- jeev [n=email@unaffiliated/jeev] has quit ["alabama sucks"]
12:24 -!- [twisti] [n=fuckyou@u-7-059.vpn.RWTH-Aachen.DE] has quit []
12:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:34 -!- [twisti] [n=fuckyou@u-6-165.vpn.RWTH-Aachen.DE] has joined ##openvpn
13:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer]
13:29 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
13:38 -!- bandini [n=bandini@host250-6-dynamic.6-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
13:41 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:46 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
13:50 < krzee> ropetin,
13:50 < krzee> !ask
13:50 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/
13:50 < krzee> if you just ask, then when people aren't idle you'll get an answer instead of just a 'ya i'm here'
13:51 < krzee> plus there's others here that know a lot about openvpn =]
13:52 < krzee> [13:04] <[twisti]> so, has anyone here built openVPN on windows ? or is able to ?
13:52 < krzee> i've seen instructions on it
13:52 < krzee> i don't run windows
13:52 < [twisti]> mind linking me ?
13:52 < krzee> i'll look
13:53 < [twisti]> the instructions on the main page require me to spend several hundred dollars in software subscriptions
13:54 < krzee> you bought windows?
13:55 < krzee> http://ehsanakhgari.org/blog/2008-05-04/compiling-openvpn-windows
13:55 < vpnHelper> Title: Compiling OpenVPN on Windows | Ehsan Akhgari (at ehsanakhgari.org)
13:55 < krzee> dunno if that's using free software or not
13:56 < krzee> you gotta understand that the availability of compilers for windows is more of a windows problem than an openvpn one
13:56 < krzee> but i'd bet there's ways around paying for the people who partake in that stuff ;]
13:56 < Dougy[Work]> krzee!
13:57 < krzee> http://article.gmane.org/gmane.network.openvpn.user/22590
13:57 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
13:57 < krzee> sup dougy
13:58 < Dougy[Work]> nm
13:58 < Dougy[Work]> you?
13:58 < krzee> bout to step out
13:58 < krzee> tired of hearing all my UPSs beeping
13:58 < Dougy[Work]> ouch
13:58 < Dougy[Work]> power out?
13:58 < krzee> ya
13:58 < krzee> 3rd world country
13:58 < Dougy[Work]> ouch
13:58 < krzee> that's why i have so many UPSs
13:59 < Dougy[Work]> haha
13:59 < Dougy[Work]> nice to have connectivity to stuff when NOBODY else does
13:59 < Dougy[Work]> hah
13:59 < krzee> that and power conditioning is important here
13:59 < [twisti]> i didn't need to buy windows
13:59 < [twisti]> and i haven't seen a pirated version of WDK anywhere
14:00 < krzee> before i realized just how important i figured my laptop was safe... well the battery ended up puffing up to 3x its size
14:00 < [twisti]> thanks for the links, i'll try them
14:00 < krzee> now everything i care about is on UPSs
14:00 < krzee> i even charge my phone off a ups
14:00 < Dougy[Work]> lol
14:01 < Dougy[Work]> krzee what country
14:01 < krzee> caribbean
14:01 < krzee> bbl
14:18 < jeev> i can't wait
14:18 < jeev> i'm going to london
14:18 < jeev> in like 2 weeks
14:18 < jeev> all expenses paid, first cass
14:18 < jeev> class
14:23 * [twisti] is still looking for anyone able to build openVPN on windows
14:23 < [twisti]> for starters, i'd like to know where this makefile.w32 is
14:28 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn
14:31 < Dougy[Work]> lol
14:31 < Dougy[Work]> jeeeeeeeeeev
14:31 < Dougy[Work]> i hate you
14:31 < Dougy[Work]> die die die die die die die die
14:42 < jeev> why
14:49 < ecrist> [twisti]: check out the openvpn mailing list - see if they've got any info on how to compile on windows.
14:50 < [twisti]> without DDK there seems to be no way
15:02 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [No route to host]
15:04 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:23 < Dougy[Work]> jeev
15:23 < Dougy[Work]> envy
15:25 < jeev> ?
15:25 < jeev> heh
15:26 < Dougy[Work]> lol
15:26 < Dougy[Work]> wanna trade?
15:26 < Dougy[Work]> you can sit here for a week and do my job
15:26 < Dougy[Work]> i'll go to England
15:26 < jeev> lol
15:26 < jeev> i get my own driver
15:26 < jeev> paid food
15:26 < jeev> paid hotel
15:26 < Dougy[Work]> I HATE YOU
15:26 < jeev> hang out with everyone
15:26 < jeev> that whore christina aguilera will be there
15:26 < jeev> i'll jizz on her face
15:26 < Dougy[Work]> lmao
15:27 < jeev> a bunch of nba players
15:27 < Dougy[Work]> only one question comes to mind
15:27 < Dougy[Work]> *why*?
15:27 < Dougy[Work]> why are you going
15:27 < jeev> my friend is taking me
15:43 < ecrist> Christina Aguilera is nice, in person.
15:44 < jeev> my friend said she's weird.
15:45 < ecrist> jeev: put yourself in the limelight for 12+ years with all the crazies stalking you, paparazzi, etc. Everyone would be a *little* crazy at that point.
15:45 < jeev> he met her a long time ago too
15:45 < jeev> !
15:45 < jeev> ecrist, i'm in the limelight too!
15:45 < ecrist> However, having met her, in person, and had the chance to converse with her for a while, she seemed pretty normal and nice to me.
15:45 < jeev> i've met a lot of people
15:45 < ecrist> ecrist: ?
15:45 < ecrist> erm, jeev ?
15:45 < jeev> a lot of celebrities
15:45 < jeev> athletes are the ish
15:46 < jeev> david ortiz = nicest
15:46 < ecrist> I agree, athletes suck.
15:46 < jeev> forest whitaker = nicest
15:46 < jeev> i've been to forest's house many many times
15:46 < ecrist> I installed a few former MN Viking home-theatre systems (upwards of $100K in equipment/labor)
15:46 < jeev> vikings suck
15:46 -!- mode/##openvpn [+o ecrist] by ChanServ
15:46 <@ecrist> o.O
15:46 * jeev runs
15:47 <@ecrist> let me help you
15:47 -!- jeev was kicked from ##openvpn by ecrist [ecrist]
15:47 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
15:47 < jeev> bastard
15:47 <@ecrist> heh
15:47 < jeev> :>
15:47 < jeev> damn
15:47 < jeev> it's hot
15:47 -!- mode/##openvpn [-o ecrist] by ecrist
15:47 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 54 (Connection reset by peer)]
15:47 < ecrist> I installed home theatre for Randy Moss, Chris Hovan, Daunte Culpepper, amongst a few others.
15:48 < jeev> i go to their houses to eat and drink
15:48 < jeev> haha
15:48 < jeev> (juice)
15:48 < jeev> since i don't booze
15:49 < ecrist> oh, I'm not chummy with anyone like that.
15:49 < ecrist> just do work for them.
15:49 * ecrist is lowly blue-collar
15:49 < jeev> lol
15:49 < ecrist> and like it
15:49 < jeev> http://starbucks.mirror.waffleimages.com/files/d1/d1efed2f234232195f77b9fb7c264ed6af1fb69b.jpg
15:49 < ecrist> actually, I have a white-collar IT job, but own a blue-collar business.
15:49 < jeev> heh
15:49 < jeev> i own an it business
15:49 < jeev> and work with some companies that will hopefully get huge soon
15:49 < jeev> they're both gonna take me with them
15:50 < Dougy[Work]> lol
15:51 < Dougy[Work]> vikings lmfao
15:51 < Dougy[Work]> GIANTS
15:51 < jeev> giants suck too
15:51 < jeev> kansas city
15:51 < jeev> baby
15:51 < Dougy[Work]> oh
15:51 < Dougy[Work]> no
15:51 < Dougy[Work]> you fail
15:51 < Dougy[Work]> in fact you failed so hard you sank the failboat
15:52 < jeev> ?
15:52 < Dougy[Work]> kansas city is the worst team ever
15:52 < Dougy[Work]> behind arizona
15:53 < [twisti]> http://i245.photobucket.com/albums/gg55/Dookiac/AbandonFailboat.jpg
15:53 < Dougy[Work]> dude
15:53 < Dougy[Work]> the jets REAMED the cardinals
15:53 < Dougy[Work]> 56-something
15:53 < Dougy[Work]> jesus christ
15:53 < ecrist> photoshop
15:53 < jeev> lol
15:56 < jeev> openvpn is the greatest thing i've ever encountered
15:57 < [twisti]> openvpn is the most horrible failure i ever had the bad luck to have to use
15:57 < Dougy[Work]> well then
15:57 < Dougy[Work]> the door is over there
15:57 < Dougy[Work]> GET THE FUCK OUT
15:57 < Dougy[Work]> :)
15:58 < ecrist> [twisti]: please keep your flamebait out of here.
15:59 < ecrist> Dougy[Work]: you could be a little nicer
15:59 < [twisti]> it wasn't flamebait. jeev stated his opinion of it, i figured i was free to as well
15:59 < Dougy[Work]> ecrist: alright
16:03 * ecrist goes away
16:12 < Dougy[Work]> lol
16:12 < Dougy[Work]> ciao ecrist
16:27 < krzie> [twisti] then why are you here
16:28 < [twisti]> krzie: because i have no other option
16:29 < krzie> may i ask what you prefer and why?
16:29 < [twisti]> well, there's the cisco vpn client, but it sucks
16:29 < [twisti]> that's the problem
16:29 < [twisti]> there's nothing better as far as i can tell
16:29 < krzie> ok well we agree there
16:29 < krzie> need help with anything?
16:30 < [twisti]> a windows compiled version of openVPN with no cripple option compiled in (aka with the STORE_AUTH option enabled)
16:31 < krzie> oh right that was you i gave links to earlier
16:31 < Dougy[Work]> i guess power is back?
16:31 < [twisti]> yeah, i spent about the last six hours getting it to work
16:31 < [twisti]> i compiled about a dozen libraries, downloaded almost 3gb of compilers and crap like that, etc
16:31 < [twisti]> so i gave up
16:32 < krzie> Dougy[Work] yup, but i'm not home
16:32 < krzie> i don't get enough nfl channels at home
16:32 < krzie> =]
16:32 < jeev> they've reached a bill!
16:32 < [twisti]> who has
16:32 < krzie> [twisti], ya windows is nice like that *eyeroll*
16:32 < jeev> eh, this isn't politics
16:32 < jeev> nevermind
16:32 < [twisti]> no, windows is fine
16:33 < Dougy[Work]> lol krzee
16:33 < Dougy[Work]> er krzie
16:33 < Dougy[Work]> windows is trash btw
16:33 < krzie> your problem is getting a nice free windows compiler
16:33 < [twisti]> windows is awesome
16:33 < krzie> which all os's i run come with standard
16:34 < Dougy[Work]> dude wtf
16:34 < Dougy[Work]> my friend is holding a human brain
16:34 < [twisti]> i don't want to troll, but the reason windows doesn't come with a compiler is because it can afford to. windows is standardized enough to allow people to ship compiled, ready to use software
16:34 < Dougy[Work]> http://photos-f.ak.facebook.com/photos-ak-snc1/v344/118/57/1416129819/n1416129819_88853_6301.jpg
16:34 < Dougy[Work]> sick
16:34 < jeev> that's not human
16:35 < Dougy[Work]> she said it is o.O
16:35 < krzie> so is osx, yet you can still compile stuff on it for free
16:35 < Dougy[Work]> "fresh from some old lady :] "
16:35 < jeev> liar
16:35 < ecrist> [twisti]: if you don't like it, use another product, like Cisco Pix or something.
16:35 < jeev> that's fake, like windows + security
16:35 * jeev holds ecrist back
16:36 < Dougy[Work]> [twisti]: get an actual vpn piece of hardware
16:36 < [twisti]> yeah, that's too small to be a human brain
16:36 < Dougy[Work]> eg a sonicwall
16:36 < ecrist> or PPTP
16:36 < jeev> i haven't looked at it.. but what is your issue, you can't compile ?
16:36 < [twisti]> jeev: check any bug tracker, there's more exploits for linux than for all windows versions combined every year
16:36 < krzie> ecrist pptp has issues lst i looked
16:36 < [twisti]> and with that, i'm ending this holy war
16:36 < krzie> last
16:36 < jeev> twisti, do you want to know why ?
16:37 < jeev> are you talking about in general, operating system ?
16:37 < [twisti]> if you'd like to discuss windows vs linux further, feel free to pm me
16:37 < jeev> if windows was open source, you'd be using linux now.
16:37 < [twisti]> no, mac
16:37 < jeev> what is your issue here
16:37 < jeev> i'm lost
16:37 < [twisti]> that you aren't pming me
16:37 < jeev> not interested
16:38 < krzie> aq <[twisti]> openvpn is the most horrible failure i ever had the
16:38 < krzie> bad luck to have to use <[twisti]> windows is awesome
16:38 < krzie> Inserted quote #4681.
16:38 < krzie> that had to be archived
16:38 < [twisti]> you are welcome to
16:38 < [twisti]> yet, for me ? spending a whole day trying to get some piece of OS software to run ? total exception.
16:38 < [twisti]> i spend most of my days doing actual productive work
16:38 < jeev> twisti, first of all, if you don't like it.. don't use it, why do you troll around ?
16:39 < [twisti]> not working on making my system capable of that
16:39 < jeev> i've used a lot of software i didn't like but i didn't go insult them.
16:39 < [twisti]> that's weird
16:39 < krzie> jeev, i think i'm responsible for having kept the subject alive
16:39 < [twisti]> wouldn't that mean they continue to be bad ?
16:39 < jeev> aah
16:39 < krzie> jeev, he's willing to drop it i believe
16:39 < [twisti]> i feel that voicing criticism improves a product
16:39 < jeev> twisti, my opinion doesn't matter to developers
16:39 < jeev> i'm dropping it, this is a waste of time
16:39 < [twisti]> agreed
16:40 < krzie> your problem is NOT openvpn, it is getting a nice free windows compiler to work because you don't want the default build options of the precompiled packaged product
16:41 < krzie> so 3 options exist:
16:41 < krzie> 1) find the compiler to use
16:41 < krzie> 2) use other software instead of openvpn
16:41 < krzie> 3) use the default build options
16:42 < krzie> !notopenvpn
16:42 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
16:42 < [twisti]> no, i have like 7 windows compilers
16:42 < [twisti]> and a ton of libraries
16:42 < [twisti]> and of course there's all the windows build docs, which are all out of date
16:42 < [twisti]> and then there is the openvpn source package, which doesn't actually contain all you need to compile it
16:43 < [twisti]> so you need to scour svn, and apply patch files
16:43 < [twisti]> but the root point, the reason i am so confrontational and aggressive
16:43 < [twisti]> is that all this ? it's about a simple option
16:43 < [twisti]> heck, something that should have never even BEEN an option
16:44 < [twisti]> an intentional piece of code, designed to do nothing but cripple the product and enforce the personal beliefs of the person who added it
16:44 < [twisti]> that's what makes me angry and bitchy
16:45 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
16:49 < krzie> what is the option anyways?
16:49 < [twisti]> storing passwords
16:49 < [twisti]> or reading them from a file, rather
16:51 < krzie> if you are reading the password from a file, why have passwords?
16:51 < krzie> they become no better than just having certs
16:52 < krzie> (which is a good reason to not have it by default)
16:52 < [twisti]> yeah, let me get right on that and get my national isp with over a million customers to change their entire system, just because some dev of some software decided that no, his software would not allow you to store passwords, that's evil!
16:52 < [twisti]> we are talking about a vpn CLIENT here
16:52 < [twisti]> not server
16:53 < [twisti]> how many typical clients can dictate what whatever server they use does ?
16:53 < [twisti]> having the server set by default not to allow anything but certs, that makes sense, as it hits the people actually capable of changing it
16:54 < [twisti]> having the client do this is like having the default firefox unable to store cookies
16:54 < [twisti]> "cookies are evil. if you want firefox to store cookies, you have to recompile it. and thunderbird. and the windows libraries. and you need to learn assembler, too."
16:54 < [twisti]> it's just retarded
16:56 < [twisti]> i guess what makes me so angry about it is that someone out there thought that his password policy was so esteemed and brilliant and enlightened that he felt he had the right and need to force it upon me against my will
16:56 < [twisti]> like those annoying people who make super complex password confirmation scripts
16:57 < [twisti]> "must be at least 29 characters, two numbers, lower and upper case, five special characters, two german umlauts and one traditional mandarin letter to be a valid password. also has to be changed every 4 hours."
16:57 < ecrist> [twisti]: have you read http://tkhere.blogspot.com/2006/03/auto-authenticate-program-for-openvpn.html
16:57 < vpnHelper> Title: Auto authenticate program for OpenVPN gui @ tk here on Saturday, March 25, 2006 1:46 PM (at tkhere.blogspot.com)
16:58 < [twisti]> And so I thought, hey, this is a gui, so there must be a way to save those details. Except there isn't any way to do that. The only way is to download around 5 packages and recompile the whole damn thing!
16:58 < [twisti]> haha
16:58 < [twisti]> welcome to my sunday
16:58 < krzie> they were right to not allow passwords to be stored in a file
16:58 < krzie> because it nullifies having passwords
16:59 < krzie> and as an admin, if i say i want passwords, i wish i had a way to enforce it wasn't being read from a file
16:59 < krzie> i wish i could enforce something to kick people in the balls when they store passwords to my systems in cleartext too
16:59 < [twisti]> yeah, that's you, not the real world
17:00 < [twisti]> in fact my isp specifically hosts a download with cisco vpn which has your password preentered
17:00 < [twisti]> you don't even need to enter it once
17:00 < krzie> if your admin didn't want passwords, he wouldn't have set the system to need them
17:00 < [twisti]> from what i've heard today, most isps are like that
17:00 < [twisti]> then everyone could surf for free
17:00 < krzie> and since he runs openvpn, he had the option
17:01 < [twisti]> in any case, it's my account
17:02 < [twisti]> i pay for it, and i'm held accountable if it's abused
17:02 < [twisti]> it bloody well should be my call whether i store the password or not
17:02 < krzie> evidently not your network tho =]
17:02 < [twisti]> and be honest
17:02 < [twisti]> do you enter your internet password every morning ?
17:02 < krzie> i don't have an internet password
17:02 < [twisti]> well, i'm sure you had at a time
17:02 < krzie> not all systems work that way
17:03 < krzie> but i don't type in my modem's mac address every morning to most closely answer your question
17:03 < [twisti]> but that's so insecure!
17:03 < krzie> yes, it is
17:03 < krzie> i take advantage of it
17:03 < [twisti]> if they didn't want you to have a mac address, they wouldn't have given you one!
17:03 < krzie> use someone else's mac address
17:03 < krzie> and speed up the inet
17:03 < krzie> its pretty nice
17:04 < [twisti]> (i know they didnt give you a mac address, btw)
17:04 < krzie> (good)
17:05 < [twisti]> now please excuse me for just a moment
17:06 -!- [twistii] [n=fuckyou@u-0-005.vpn.RWTH-Aachen.DE] has joined ##openvpn
17:06 < [twistii]> go me
17:06 < [twistii]> or rather, go sumedha
17:06 < [twistii]> which is the guy at my isp who managed to recompile this stuff for me
17:06 < [twistii]> said it took him over a week to get right
17:11 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 104 (Connection reset by peer)]
17:12 < krzie> what version is it?
17:17 < krzie> maybe ill archive it for the next guy with your problem
17:24 -!- [twisti] [n=fuckyou@u-6-165.vpn.RWTH-Aachen.DE] has quit [Read error: 110 (Connection timed out)]
17:24 -!- [twisti] [n=fuckyou@u-0-005.vpn.RWTH-Aachen.DE] has joined ##openvpn
17:24 < [twisti]> [2008/09/29 00:23:19] <[twistii]> sorry, it contains the servers and ports for our internal vpn servers and was sent to me by personal email, so i dont feel comfortable sending it around
17:24 < [twisti]> [2008/09/29 00:23:33] <[twistii]> its only rc9 anyways
17:24 < [twisti]> [2008/09/29 00:23:55] * Disconnected
17:25 < krzie> werd
17:31 < jeev> !cert
17:31 < vpnHelper> jeev: Error: "cert" is not a valid command.
17:32 < jeev> !certificate
17:32 < vpnHelper> jeev: Error: "certificate" is not a valid command.
17:33 < jeev> # Increase this to 2048 if you
17:33 < jeev> # are paranoid. This will slow
17:33 < jeev> # down TLS negotiation performance
17:34 < jeev> is that just the negotiation process or EVERYTHING else ?
17:34 < krzie> !menu
17:34 < vpnHelper> krzie: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom, !push-reset, !def1
17:34 < krzie> depends where
17:34 < krzie> for certs, negotiation process
17:34 < krzie> ild figure the tls static key being large would impact performance since it is used for HMAC sigs
17:35 < krzie> but i still use 4096 anyways
17:38 < jeev> hold up
17:40 < roentgen> When using client-to-client is it possible to block certain clients from accessing others (thru iptables)?
17:40 -!- [twistii] [n=fuckyou@u-0-005.vpn.RWTH-Aachen.DE] has quit [Read error: 110 (Connection timed out)]
17:40 < roentgen> If so -- anyone cares to share?
17:43 < jeev> krzee, i keep forgetting to document shit man
17:43 < jeev> now i have to recreate everything for new server
17:43 < jeev> in case other server is down
17:43 < jeev> ..
17:48 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has quit [Read error: 113 (No route to host)]
17:50 < krzie> roentgen, tbh im not sure, but ild expect that would work
17:50 < krzie> using iptables like you said
17:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection]
17:50 < krzie> you'll wanna set each clients ip using ccd entries
17:51 < krzie> that way it cant change and your iptables rules can be static
17:51 < jeev> you know
17:51 < jeev> what if i'm client1
17:51 < jeev> and i bounce from place to place
17:51 < roentgen> krzee I have ccd but whatever iptables DROP rule I have still doesn't block them
17:51 < jeev> what do i do about iroute if LAN ip is different?
17:52 < krzie> jeev, how do you know you always even want to share the lan behind the road warrior client...?
17:52 < krzie> or that there will even be a lan to share
17:52 < krzie> but also, no idea ;]
17:52 < jeev> no
17:53 < jeev> krzie, either way.. it gives me a MULTI error
17:53 < jeev> and i have to add either 192.168.1/24 or 2/24
17:53 < jeev> those are the ones that i've tested
17:53 < krzie> ahh
17:53 < krzie> could make 2 certs
17:53 < krzie> 1 for each
17:53 < krzie> when at one location, use 1, other use other
17:53 < krzie> i take it you bounce between 2 known locations
17:53 < jeev> yea
17:53 < jeev> :/
17:53 < jeev> more than 2
17:53 < jeev> i'm in london in 2 weeks, no idea what it'll be like
17:54 < [twisti]> jeev: good music/clubs, lots of people with bad teeth, rainy
17:54 < [twisti]> at least thats what i remember from my relatively short time in london
17:54 < jeev> i dont dance or club
17:54 < jeev> but when i go out with my friend i have to go with him
17:54 < jeev> we'll be with a bunch of celebs
17:55 < jeev> and athletes
17:55 < krzie> roentgen, something that will work for you is to have 2 servers running on same machine, (diff ports) those clients that should have client-to-client connect to 1, others to the other
17:55 < [twisti]> id say most "upper class" people who go to london will go there for the drugs
17:56 < [twisti]> london is like the amsterdam for people who can afford to get a haircut
17:56 < krzie> roentgen, with diff cert setups so they can only connect to theirs
17:56 < roentgen> krzee I need to connect to all, they don't need to see each other
17:56 < krzie> roentgen and you are a client i take it
17:56 < roentgen> yes :)
17:59 < krzie> Note that there is no method to selectively block traffic
17:59 < krzie> > between clients, it's an All-or-Nothing option.
17:59 < krzie> =/
18:01 < roentgen> I disabled client-to-client for now, I need to figure out a special route for me only to see other clients
18:01 < krzie> not gunna happen
18:02 < krzie> client-to-client doesnt happen in the kernel routing table
18:02 < krzie> its internal
18:04 < roentgen> According to http://openvpn.net/index.php/documentation/howto.html#policy it's very much possible
18:04 < vpnHelper> Title: HOWTO (at openvpn.net)
18:04 < roentgen> With client-to-client I guess
18:04 < roentgen> But HOW??
18:06 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
18:07 < krzie> ohhh
18:07 < krzie> thats crafty
18:08 < krzie> it completely spells out how on the link you gave
18:09 < krzie> !learn someclient2client as http://openvpn.net/howto.html#policy
18:09 < vpnHelper> krzie: The operation succeeded.
18:09 < krzie> !menu
18:09 < vpnHelper> krzie: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum, !ifconfig, !custom, !push-reset, !def1
18:10 < krzie> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum,!ifconfig, !custom, !push-reset, !def1, !someclient2client
18:10 < vpnHelper> krzie: The operation succeeded.
18:10 < krzie> !forget menu 1
18:10 < vpnHelper> krzie: The operation succeeded.
18:10 < ecrist> krzie: what, exactly, do we do with the bot?
18:11 < krzie> i dont understand the question
18:11 < ecrist> um, what, exactly, is the bot used for?
18:11 < ecrist> what features do we use?
18:12 < krzie> saving me a few thousand keystrokes and remembering links
18:12 < jeev> that's a good bot
18:12 < jeev> !tls-verify
18:12 < vpnHelper> jeev: "tls-verify" is seems to be broken in 2.1rc9 and working in 2.1rc8 https://bugzilla.redhat.com/show_bug.cgi?id=458600
18:12 < krzie> as for you, up to you
18:12 < ecrist> nothing else too fancy, right?
18:12 < krzie> nah
18:12 < krzie> its pretty cimple
18:12 < krzie> simple
18:12 * ecrist is going to rewrite it for proper menu support
18:12 < krzie> it announces title from urls too
18:13 < krzie> cool, it should be a small mod to supybot's python plugin
18:13 < krzie> i forget the name of the plugin but ill check if you want
18:13 < ecrist> no, I'll write it from scratch. Should be a hundred lines or less of code.
18:13 < krzie> that would be great
18:13 < krzie> i prefer it to just be a mod
18:13 < krzie> i like my supybot
18:14 < jeev> !push
18:14 < vpnHelper> jeev: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:14 < krzie> and that should be far less code than writing a bot from scratch
18:14 < jeev> !push-reset
18:14 < vpnHelper> jeev: "push-reset" is Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
18:14 < ecrist> I'm not a fan of bloat-code. if these couple things are all we do, no reason to plugin to supybot
18:14 < krzie> maybe we'll start using rss and whatnot as well
18:14 < ecrist> krzie: I can write an entire bot, with our features in around a hundred lines of perl
18:14 < krzie> not sure why it isnt working with the forum
18:15 < ecrist> with support for rss
18:15 < krzie> and fixing !menu would be far under 100 lines of code
18:15 < krzie> i bet you can bust it in like 10
18:15 < ecrist> not if I'm not a python coder.
18:15 < ecrist> which I'm not
18:16 -!- xororand [n=6obryian@unaffiliated/xororand] has joined ##openvpn
18:17 < xororand> hello. can i tell openvpn to use a specific network device for a connection?
18:17 < ecrist> no
18:17 < ecrist> if I understand you correctly
18:17 < xororand> the problem: i have one client machine with multiple internet connections and one endpoint. i'd like to create a vpn tunnel over each internet connection
18:17 < xororand> the endpoint only has 1 single ip
18:18 < xororand> thus i can't use the routing table for this purpose
18:19 < xororand> will this be possible at all?
18:21 < ecrist> not easily, unless you can do source-based routing through your firewall and run openvpn from three separate IPs.
18:22 < krzie> ya no way to do it that im familiar with
18:36 < krzie> !list alias
18:36 < vpnHelper> krzie: Error: 'alias' is not a valid plugin.
18:38 < krzie> !factoids search *
18:38 < vpnHelper> krzie: 'krzee', 'howto', 'tcp', 'nat', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'wiki', 'lan', 'freebsd', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'route', 'routes', (1 more message)
18:38 < krzie> !more
18:38 < vpnHelper> krzie: 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'menu', 'def1', 'tap', 'mac', and 'someclient2client'
18:38 < krzie> !forget menu
18:38 < vpnHelper> krzie: The operation succeeded.
18:38 < krzie> !learn menu as pls use !factoids search *
18:38 < vpnHelper> krzie: The operation succeeded.
18:39 < krzie> !menu
18:39 < vpnHelper> krzie: "menu" is pls use !factoids search *
18:40 < krzie> there ya go ecrist
18:44 < xororand> ok thanks ecrist & krzie. then i'll just have to sacrifice one of my few public ips for that
18:51 < krzie> np but sorry i couldnt help
19:00 < xororand> it works with 2 public ips on the endpoint :)
19:03 -!- [twisti] [n=fuckyou@u-0-005.vpn.RWTH-Aachen.DE] has quit []
19:05 < krzie> xororand can i ask what you are accomplishing with that?
19:07 < jeev> wow
19:07 < jeev> how long does it take to generate dh
19:07 < jeev> 4096
19:07 < krzie> depends on your box
19:07 < krzie> it can take awhile tho
19:08 < krzie> i screen the process and forget bout it for awhile
19:08 < xororand> krzie: i want to bond two dsl connections to one big pipe
19:08 < krzie> my mac generated it too fast for my comfort, so i used the ones from my bsd box
19:08 < krzie> it was so fast i was scared there was a problem, lol
19:08 < xororand> krzie: the 2 client connections have 6000/800 kbit/s bandwidth each. the end point has 100mbit/s. the goal is to have 12000/1600 on the clients
19:09 < krzie> you wont be able to
19:09 < krzie> well
19:09 < krzie> lemme rephrase that
19:09 < krzie> you will never have a single xfer going over 6000/800
19:09 < krzie> but you may have 2 going that fast
19:10 < xororand> that's better than nothing :)
19:10 < krzie> as for doing it with openvpn, i will wait for you to say whether you made it work or not =]
19:12 < krzie> i would expect something more like this tho
19:12 < krzie> http://tetro.net/misc/multilink.html
19:12 < vpnHelper> Title: Balancing Connections Over Multiple Links (at tetro.net)
19:12 < krzie> doesnt seem like something to solve with openvpn setup to me
19:13 < krzie> but i dunno how that would work, its possible with what i said openvpn would only work on 1 of them
19:14 < jeev> root 33701 99.9 0.2 7896 3220 p0 R+ 4:09PM 64:37.97 openssl dhparam -out keys/dh4096.pem 4096
19:14 < krzie> ya ive had it take like 1/2 a day
19:15 < jeev> lol
19:15 < krzie> my whole setup uses 4096 keys everywhere, took a full day for certs and whatnot
19:30 < xororand> krzie: i have a bonded interface on the client machine but can't continue on the server because openvz doesn't support bonding inside virtual machines :S
19:32 < xororand> limitations like this make me want to switch from OpenVZ to Xen
19:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
19:49 < krzie> ahh i see
20:34 < ecrist> xororand: you can't easily bond two dsl connections.
20:34 < ecrist> BGP is required.
20:34 < SilenceGold> still can't
20:34 < SilenceGold> the target server will not know which ip to send data back
20:34 < ecrist> SilenceGold: if it's all internal routing, he sure can.
20:34 < SilenceGold> have to have cooperation of the ISP to bond a connection (t1 is best for that)
20:35 < ecrist> not over vpn
20:35 < SilenceGold> still can't
20:35 < ecrist> in theory, it could work, but he'd need internal BGP with proper routing and NAT for external connections
20:35 < SilenceGold> maybe for two separate connections for an application
20:36 < SilenceGold> example, I use sabnzbd and route to newshosting servers via dsl while over cable to easynews
20:36 < SilenceGold> usenet files are all small enough :)
20:36 < ecrist> he won't ever get true bonding where he gets full bandwidth for a single connection, but krzie said that above.
20:36 < SilenceGold> if it's a huge chunk single file...impossible to use both connections
20:36 < ecrist> we already established that.
20:36 < ecrist> :\
20:36 < SilenceGold> but really I have seen that you can have two SDSL bonded provided the ISP cooperates
20:37 < SilenceGold> I really don't see why BGP is required for internal network
20:39 < ecrist> that's not really your decision. Just because you don't see why, doesn't mean someone else doesn't.
20:39 < ecrist> RIP would work too, I suppose.
20:39 * ecrist goes away
20:42 < jeev> Sun Sep 28 18:36:04 PDT 2008
20:42 < jeev> it took
20:42 < jeev> around 2 hours for 4096
20:57 < Wanderer> ecrist: /m ecrist question on the date-rollback
21:01 < jeev> !menu
21:01 < vpnHelper> jeev: "menu" is pls use !factoids search *
21:01 < jeev> !factoids search ta
21:01 < vpnHelper> jeev: 'betaman' and 'tap'
21:01 < jeev> huh
21:16 < krzie> !forget menu
21:16 < vpnHelper> krzie: The operation succeeded.
21:16 < xororand> ecrist, SilenceGold: it works, albeit slow
21:16 < krzie> !learn menu as please use "!factoids search *"
21:16 < vpnHelper> krzie: The operation succeeded.
21:17 < xororand> i connect from the client bond0 interface to the server's bond0 interface
21:18 < xororand> 2x OpenVPN over 2 DSL lines. the ping times on bond0 alternate between the slower dsl line's ping and the faster dsl's ping
21:19 < xororand> the remaining problem is that data transfers are much slower than on a single line ;)
21:46 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
22:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:41 < jeev> shit man
22:41 < jeev> i killed one of my boxes
22:41 < jeev> ipfw del 1 and killall -9 natd
22:41 < jeev> no more access
22:42 < jeev> how did that kill it ?
22:42 < jeev> it was never running like that
22:42 < jeev> damn man
22:51 < krzee> you remote?
22:52 < jeev> yea
22:52 < jeev> great
22:52 < jeev> i've never been to the datacenter
22:52 < krzee> you learned a valuable lesson today
22:52 < jeev> yea
22:52 < jeev> i've done it before
22:52 < jeev> but never like this
22:52 < jeev> where there is nobody that goes there
22:52 < jeev> maybe in a week or two
22:52 < krzee> whenever you play with firewall rules remotely, run something to reboot the box and test everything live not in config files
22:52 < jeev> yea
22:52 < jeev> i dunno how
22:52 < krzee> the something could be a script that sleeps 5 min, then reboots
22:53 < jeev> it started to use divert anyway
22:53 < jeev> i enabled everything in rc.local
22:53 < jeev> god i shouldn't have done that
22:53 < jeev> now if they reboot it
22:53 < jeev> i have 5 minutes or even less
22:53 < jeev> to kill the cron
22:53 < jeev> or it'll do it again
22:53 < krzee> hah
22:53 < krzee> oops
22:53 < jeev> fuck
22:53 < jeev> i dont use the server much
22:53 < jeev> but i was doin openvpn on it
22:53 < krzee> then when you are successful you kill the script which was sleeping
22:54 < jeev> i had natd running
22:54 < jeev> ipfw divert
22:54 < krzee> and when not, you wait for script to reboot (or fix firewall, whatever you have it doing)
22:54 < jeev> i set a crontab, every 5
22:54 < jeev> to killall -9 natd;ipfw del 1
22:54 < jeev> and that took it down
22:54 < jeev> why were my initial packets going through divert?
22:54 < krzee> why would you crontab that?
22:54 < jeev> i dont know
22:54 < jeev> in case it broke
22:54 < jeev> bah
22:54 < krzee> i dunno i havnt used ipfw and nat in so long
22:55 < krzee> and im workin on making my xdm autologin so my lan nfs / tv tuner will auto-login so it can auto run synergy and i wont need to walk across the house to type login/pass
22:55 < krzee> i have cables run over the roof
22:55 < krzee> the box is in the livingroom cause it sounds like a jet engine
22:56 < krzee> but it runs my tv tuner and 400 disc dvd player in my room
22:56 < krzee> with a 23" monitor
22:56 < jeev> heh
22:56 < krzee> and a 5.1 dolby surround setup
22:56 < jeev> what i need
22:56 < jeev> is a very cheap low end out of band system
22:56 < jeev> it's two servers
22:56 < jeev> one is VERY important
22:56 < krzee> with synergy i can control mouse / kb over the network like i was using the systems kb/m
22:57 < krzee> but not until AFTER xdm auths
22:57 < krzee> so i gotta have xdm not auto and just go right to login
--- Day changed Mon Sep 29 2008
00:04 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn
00:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:58 -!- jeev_ [n=email@unaffiliated/jeev] has joined ##openvpn
00:59 -!- jeev [n=email@unaffiliated/jeev] has quit [Read error: 54 (Connection reset by peer)]
01:00 -!- jeev_ is now known as jeev
01:00 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:39 < krzee> !search *
03:39 < vpnHelper> krzee: There were no matching configuration variables.
03:42 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
04:47 -!- Ushnishavijaya [i=platyna@platinum.edu.pl] has joined ##openvpn
04:47 < Ushnishavijaya> Hi.
04:47 < Ushnishavijaya> I am trying to connect two networks via shared key - which works fine.
04:48 < Ushnishavijaya> But I would like to give users outside these networks access by usercerts.
04:48 < Ushnishavijaya> And this isn't working...
04:48 < Ushnishavijaya> http://phpfi.com/358241
04:48 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
04:48 < Ushnishavijaya> Can you help?
05:08 -!- ikevin [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has quit [Nick collision from services.]
05:09 -!- ikevin [n=Informat@ANancy-256-1-37-41.w90-26.abo.wanadoo.fr] has joined ##openvpn
05:09 -!- ikevin_ [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has joined ##openvpn
05:09 < ikevin> morning
05:09 < ikevin> anyone available for help me to link 2 network with openvpn please?
05:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:18 < Ushnishavijaya> Ok. I managed to connect two networks, now I can't connect clients.
05:18 < Ushnishavijaya> TLS Error: cannot locate HMAC in incoming packet from
05:27 -!- paruchuri [n=paruchur@61.16.248.247] has quit [Read error: 113 (No route to host)]
05:36 < Ushnishavijaya> Is anyone alive here?
05:52 < krzee> ikevin,
05:52 < krzee> !howto
05:52 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:53 < krzee> Ushnishavijaya, the tls.key is not on the machine with invalid HMAC
05:53 < krzee> as pointed out in:
05:53 < krzee> !secure
05:53 < vpnHelper> krzee: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
05:53 < krzee> the overview
05:54 < krzee> One notable security improvement that OpenVPN provides over vanilla TLS is that it gives the user the opportunity to use a pre-shared passphrase (or static key) in conjunction with the --tls-auth directive to generate an HMAC key to authenticate the packets that are themselves part of the TLS handshake sequence. This protects against buffer overflows in the OpenSSL TLS implementation, because an attacker cannot even initiate a TLS handshake without being able to generate packets with the correct HMAC signature.
05:56 < Ushnishavijaya> krzee: Ok. I managed to fix it.
05:57 < Ushnishavijaya> Now I am trying to figure out how to make clients obtain the IP configuration automagically.
05:57 < Ushnishavijaya> I do not wish to create for each of them a config file. ;9
05:57 < Ushnishavijaya> And I can't use server option with remote option.
06:02 < Ushnishavijaya> :(
06:05 < krzee> !sample
06:05 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
06:05 < krzee> remote is for client
06:05 < krzee> server is for server
06:10 < Ushnishavijaya> But I want to have clients + ptp.
06:10 < Ushnishavijaya> That's the whole problem.
06:11 < Ushnishavijaya> I have two LAN-s connected with each other using P-t-P link.
06:11 < Ushnishavijaya> And now I would like to connect clients from the Internet to these two networks.
06:11 < Ushnishavijaya> Using certs../
06:18 < Ushnishavijaya> Ok, I do understand now.
06:28 < thomas> krzee: hello :-)
06:29 < thomas> krzee: have in my openvpn.conf:
06:29 < thomas> client-connect "./traffic.php verbunden '' '' '' $trusted_ip $ifconfig_pool_remote_ip $common_name"
06:29 < thomas> client-disconnect "./traffic.php getrennt '' $bytes_received $bytes_sent '' '' $common_name"
06:29 < thomas> works with 2.0.9-8
06:29 < thomas> with 2.1 not.
06:30 < thomas> the variable "$common_name" is not example "Thomas" but "$common_name" :-(
06:30 < thomas> krzee: any ideas why?
06:55 < thomas> krzee: huhu?
07:08 < ecrist> Wanderer: you're going to have to re-issue certs.
07:19 < roentgen> thomas, check --script-security level
07:19 -!- ikevin [n=Informat@ANancy-256-1-37-41.w90-26.abo.wanadoo.fr] has quit [Nick collision from services.]
07:19 -!- ikevin [n=Informat@ANancy-256-1-37-41.w90-26.abo.wanadoo.fr] has joined ##openvpn
07:20 < thomas> roentgen: jo, set to 3... if i have no script-sec then i can't run anymore a script. but the script is running, but my parameter is "$common_name" and not the real value, the same with trusted_ip etc...
07:21 < ecrist> thomas: why, oh why, would you code that script in PHP?
07:21 < ecrist> o.O
07:22 < thomas> ecrist: only a check if the user has access to the time X allow for login.
07:23 < thomas> ecrist: with the version openvpn 2.0X no problem, with version 2.1X is the script run but the parameter is the name of parameter instead the real value.
07:24 < ecrist> *shrug* I won't get into it, but PHP is the wrong language to use. sh would be more appropriate.
07:24 < thomas> wrong?
07:24 < thomas> sh == shell ?
07:24 < ecrist> regardless, I've not done a lot of scripting with OpenVPN, so I can't tell you what your problem is.
07:24 < ecrist> yes
07:24 < ecrist> ys
07:25 -!- bjartis [n=bjartis@195.1.73.1] has joined ##openvpn
07:26 < bjartis> I have set up a openvpn server with bridging. But i need access to both 192.168.4.0/24.. and 192.168.5.0/24.. currently i'm only able to connect to one network. Anyone know how i can solve this? :)
07:28 < ecrist> bjartis: you need a router.
07:28 < ecrist> somewhere.
07:28 * cpm routes ecrist
07:28 < ecrist> you don't really give us enough information
07:28 * ecrist routed cpm's mom before work this am.
07:29 < cpm> there, see how you are?
07:29 < bjartis> well my gateway on the LAN routes the networks. but i don't know how to connect to that gateway when i use openvpn. because the client uses it's own gateway
07:31 < bjartis> Client receives ip 192.168.4.150 from OpenVPN server.. normally if i was inside the lan where openvpn server i set up. i could easily ping and connect to 192.168.5.0/24 network.
07:31 -!- Nejk0 [n=franz@lk.84.20.249.154.dc.cable.static.lj-kabel.net] has joined ##openvpn
07:32 < bjartis> I was thinking i perhaps need to with two TAP interfaces on the windows host. But i don't think i can bridge eth0 to both tap0 and tap1 at the same time.
07:33 < ikevin> ikevin,
07:33 < ikevin> !howto
07:33 < ikevin> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:33 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
07:33 < ikevin> that don't help me
07:33 < ikevin> the vpn tunnel still work, i've problem with route
07:34 < ikevin> pc who host vpn server can ping the client, and client can ping the server, so machine behind the client can't ping server and machine behind the server can't ping the client
07:38 < ikevin> network like that: http://kevin.illux.org/reseau.png , i would to make client 1, 2 and 3 can communicate with "intra 2"
07:39 < ecrist> bjartis: look for help on push route
07:41 < bjartis> okay thanks
07:53 < ikevin> does interfaces "tun" are always the netmask 255.255.255.255 ?
08:00 < ecrist> ikevin: no, I think it can also have a 255.255.255.252
08:00 < ecrist> or 255.255.255.250
08:00 < ecrist> depending on your subnet.
08:04 < bjartis> okay so i added push "route 192.168.4.0 255.255.255.0" and copied that line but only with 192.168.5.0 instead of 4.
08:04 < ikevin> i try to link 2 networks, one use netmask 255.255.0.0 and the second use 255.255.255.0; i think that strange that the tunnel use netmask 255.255.255.255 :x
08:07 < Tykling> ikevin your subnets are overlapping, 192.168.1.0/255.255.255.0 is part of 192.168.3.0/255.255.0.0 (or said in another way, 192.168.1/24 is part of 192.168/16)
08:08 < Tykling> but other than that, 255.255.255.255 or /32 is normal for a point to point link which is what your tunnel is, it has no effect on the tunnels ability to forward traffic
08:08 < Ushnishavijaya> I have used the iroute option, however I am still getting;
08:08 < Ushnishavijaya> "MULTI: bad source address from client"
08:09 < Ushnishavijaya> krzee: Would you take a look?
08:09 < bjartis> Hmm. i can't connect to the clients. but the clients can connect to me.. ::
08:12 < Tykling> ikevin: either your drawing is off, or your network design is off, are both firewalls connected to a different local subnet (green lines in your drawing) called 192.168.1.0/24 ? because identical subnets on either side of a tunnel will require some sort of translation or you will end up with conflicts..
08:12 < Ushnishavijaya> I just want to have server and p-t-p, darn it.
08:12 < Ushnishavijaya> ;9
08:16 < ikevin> Tykling, i don't understand what you would to said (my english is bad :s)
08:16 < Tykling> ok well sorry then I can't help you, maybe you can find someone who speaks french who can help
08:17 < Tykling> but I suspect that your understanding of ip networks and subnetting is a larger problem than your understanding of english :)
08:18 < Tykling> anyway, good luck with it
08:18 < ikevin> but I suspect that your understanding of ip networks and subnetting is a larger problem than your understanding of english :) <---- i think too
08:24 < Ushnishavijaya> *sigh* now the client can ping the network behind the server, but not vice versa. :(
08:25 -!- nDuff [n=cduffy@rrcs-71-41-149-67.sw.biz.rr.com] has quit [Remote closed the connection]
08:33 < Ushnishavijaya> krzee: Are you there? :}
08:35 -!- bjartis [n=bjartis@195.1.73.1] has left ##openvpn []
08:45 < Ushnishavijaya> Darn it.
08:45 < Ushnishavijaya> Can someone help me?
08:45 < Ushnishavijaya> I am fighting with it for a whole day.
08:45 < Ushnishavijaya> That iroute command doesn't work.
09:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:34 < Wanderer> ecrist: or another openvpn guru around?
09:35 < Wanderer> Ushnishavijaya: you have push commands on your server and a pull on your client?
09:38 < Ushnishavijaya> Yes.
09:38 < Ushnishavijaya> I can show you.
09:41 < Wanderer> no need, if those are in place, not much I can do
09:41 < Wanderer> I just know I use those
09:41 < Wanderer> well, paste your server and client configs to pastebin, it won't hurt me to stretch my brain a little
09:41 < Wanderer> guys in here put up with A LOT of spam from me this weekend
09:43 < Ushnishavijaya> http://phpfi.com/358299
09:43 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
09:43 < Ushnishavijaya> I can ping any host behind server's network.
09:43 < Ushnishavijaya> But from server I can't ping any host from the client network.
09:43 < Ushnishavijaya> So I can ping 192.168.0.1 but I can't ping 192.168.1.1
09:44 < Wanderer> is the server a Linux box? If so, did you enable IP forwarding?
09:44 < Wanderer> the clients can ping behind the server but not other way around?
09:44 < Ushnishavijaya> http://phpfi.com/358302
09:44 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
09:44 < Ushnishavijaya> Log.
09:45 < Ushnishavijaya> Yes, both have ip forwarding enabled.
09:45 < Ushnishavijaya> and both are running nat that works.
09:45 < Ushnishavijaya> And both are linux boxes.
09:45 < Wanderer> does the server have a route to the client's network since the client can't push a route to it?
09:46 < Ushnishavijaya> http://phpfi.com/358304
09:46 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
09:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:47 < Ushnishavijaya> It worked fine when it was p-t-p config, but I need the darn server mode.
09:49 < Wanderer> one min, work call
09:50 < Ushnishavijaya> OK.
09:55 < Wanderer> ok, back
09:55 < Wanderer> looking at your last paste
09:55 < Ushnishavijaya> Ok.
10:05 < Wanderer> don't see anything blatantly wrong
10:11 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
10:13 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has left ##openvpn []
10:14 < Wanderer> do you have firewall rules up on either machine?
10:15 < Wanderer> may be preventing traffic flow
10:19 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)]
11:29 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
11:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:15 -!- Dougy[Work] [n=doug@64.18.159.247] has quit []
12:18 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:26 -!- near [n=near@88-122-18-154.rev.libertysurf.net] has joined ##openvpn
13:06 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:18 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:21 -!- xattack [i=xattack@132.248.108.239] has quit []
13:53 < krzee> [09:24] *sigh* now the client can ping the network behind the server, but not vice versa. :(
13:53 < krzee> !route
13:53 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
13:54 < krzee> im thinking yours is the note at the bottom
13:54 < krzee> a route back to the vpn
13:54 < krzee> follow the packets through each routing table in your mind
13:55 < krzee> ikevin, that goes for you too, read !route
13:56 < krzee> thomas, note that you are rebuilding the wheel if that script is only for tracking BW, just use mrtg and have it nice and graphed for you
14:18 < thomas> krzee: me?
14:21 < ecrist> :( I have all the Cisco VPN client software but don't remember where I put it.
14:21 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
14:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:51 -!- Wanderer [i=nomad@c-98-245-32-157.hsd1.co.comcast.net] has quit [Broken pipe]
14:59 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:00 < Dougy> hi
15:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)]
15:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:29 < Dougy> god damn
15:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:05 < krzie> hey
16:06 < krzie> thomas, yes you, thats why i said thomas
16:08 < krzie> thomas, you were making a script to keep track of bandwidth right?
16:08 < thomas> krzie: wrong.
16:09 < krzie> ok, then sorry
16:09 < thomas> krzie: have a script which inserts login/logout
16:09 < thomas> but before inserting a login it is checking for "is the user allowed for login in the time X"
16:09 < thomas> krzie: you know php? is it ok when i show you this script?
16:10 < krzie> nah i dont do php
16:10 < thomas> oh, ok.
16:31 < Dougy> hey krzie
16:51 < krzie> hey
16:52 < krzie> dude im bored
16:54 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:54 -!- Irssi: ##openvpn: Total of 41 nicks [0 ops, 0 halfops, 0 voices, 41 normal]
16:55 < ecrist> why do so many people have multiple IRC sessions?
16:56 < ecrist> ahem, ikevin, krzee, well, ok, those are the only two right now, but that's substantial.
16:57 < jeev> ecrist
16:57 < jeev> you should pump up the jam, man
16:58 < ecrist> I just ordered two LG W2453T-TF and one Matrox Triple-Head2Go http://www.newegg.com/Product/Product.aspx?Item=N82E16824005113&Tpk=W2452T and http://www.newegg.com/Product/Product.aspx?Item=N82E16815106011, respectively
16:58 < vpnHelper> Title: Newegg.com - LG W2452T-TF Black 24 2msGTG Widescreen LCD Monitor 400 cdm2 100001 DCR with HDCP support - LCD Monitors (at www.newegg.com)
16:58 < ecrist> muahahahahah
16:58 < ecrist> to connect my macbook pro to
16:58 * ecrist dances.
16:58 < jeev> ecrist
16:58 < jeev> i'm lookin for a chepa out of band
16:58 < jeev> cheap out of band solution
16:58 < jeev> kvm over ip
16:58 < jeev> avocent told me that i need a license to connect to their shit
16:58 < jeev> fuckers
16:58 < ecrist> jeev: KVM over IP is not cheap.
16:58 < jeev> i know
16:58 < ecrist> and, expensive ones suck.
16:59 < ecrist> but, google for Lara Eco
16:59 < Dougy> sup guys
16:59 < ecrist> can't remember who makes it, raritan
16:59 < ecrist> I think
16:59 < ecrist> that's what I got for our colo racks.
16:59 < ecrist> should be yours for ~$500 US
16:59 < Dougy> KVM over IP units a pretty good one is maybe 400-600
16:59 < Dougy> we have about 150
17:00 < Dougy> at work
17:00 < ecrist> jeev: I've got that hooked up to the Dell KVM, which is pretty tight.
17:01 < ecrist> KVM/IP + mouse = suckage. KVM/IP + console = pwnage
17:02 -!- mkay [n=mkay@gentoo/user/mkay] has quit [Read error: 113 (No route to host)]
17:05 < jeev> Dougy
17:05 < jeev> steal me one
17:06 < Dougy> jeev, no
17:06 < Dougy> thats more than a month's pay
17:06 < Dougy> in fact that's more like 2 months
17:06 < Dougy> even more
17:06 < Dougy> closer to 3
17:07 < jeev> i'll give you 100 bux
17:07 < jeev> includes shipping
17:07 < jeev> ;)
17:08 < Dougy> no
17:08 < Dougy> they are all in use
17:08 < Dougy> every last one
17:08 < jeev> hmm
17:08 < jeev> wack
17:08 < Dougy> not really
17:08 < jeev> http://accessories.us.dell.com/sna/products/KVM_Analog/productdetail.aspx?c=us&l=en&s=bsd&cs=04&sku=A0754331
17:08 < vpnHelper> Title: Dell : ATEN Technology CN5000 KVM on the NET Remote IP Console : KVMs : Small & Medium Business (at accessories.us.dell.com)
17:08 < jeev> i could get that
17:08 < Dougy> we have like 4 racks
17:08 < jeev> from somewhere else i guess
17:08 < Dougy> every server has a kvm
17:09 < jeev> for around 290
17:09 < jeev> and hook up a kvm to it
17:09 < jeev> it's just for 2 servers
17:09 < jeev> at this one datacenter i dont want to drive to
17:09 < Dougy> we have an old one in the office
17:09 < Dougy> from dell
17:09 < jeev> this is an ATEN
17:09 < Dougy> its a 4 server one
17:09 < jeev> that's what they use in holland
17:09 < jeev> for like 150+ servers
17:24 < krzie> ecrist ive told you why i have multiple a few times
17:24 < krzie> but ill go ahead and tell ya again
17:24 < krzie> 1 is a screen for when im not home
17:24 < krzie> 1 is my home client
17:25 < krzie> ecrist, you saw !menu ?
17:25 < Dougy> !menu
17:25 < vpnHelper> Dougy: "menu" is please use !factoids search *
17:25 < Dougy> gross
17:25 < Dougy> !factoids search *
17:25 < vpnHelper> Dougy: 'krzee', 'howto', 'tcp', 'nat', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'wiki', 'lan', 'freebsd', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'route', 'routes', (1 more message)
17:25 < Dougy> !forum
17:25 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
17:25 < Dougy> oh
17:26 < Dougy> hmm.
17:27 < krzie> dougy, now type !more
17:27 < Dougy> !more
17:27 < vpnHelper> Dougy: 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', and 'menu'
17:27 < Dougy> gah that is fail
17:27 < Dougy> haha
17:27 < Dougy> im always gonna forget about more
17:33 < krzie> ..., 'routes', (1 more message)
17:33 < krzie> thats how you know theres !more
17:33 < Dougy> yeah
17:33 < Dougy> but i see that and think
17:33 < Dougy> "well its gonna say another one now"
17:34 < krzie> i could make it do that
17:34 < krzie> i just wanted to take it easy on the flooding
17:34 < Dougy> well in theory
17:34 < Dougy> a !more would make it worse
17:34 < Dougy> no?
17:34 < Dougy> an extra line
17:34 < Dougy> !more
17:34 < vpnHelper> Dougy: Error: That's all, there is no more.
17:41 < krzie> well
17:41 < krzie> you dont always need whats in !more
17:53 < Dougy> yeah
18:09 < ecrist> krzie: yes, I saw that.
18:09 < ecrist> krzie: why not just use the screen one everywhere?
18:10 < krzie> cause i dont wanna
18:11 < krzie> i dont like text based clients for many channels
18:11 < krzie> this one is only in here
18:11 < ecrist> ah
18:12 < krzie> my efnet screen only in 2 chans
18:12 < krzie> my home client is on both networks, around 10 chans each
18:13 < ecrist> screen + irssi = awesome
18:13 < krzie> BitchX-1.1-final+ by panasync - FreeBSD 6.3-RELEASE-p3
18:18 < ecrist> FreeBSD chunk.secure-computing.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sat Mar 8 03:48:22 CST 2008 root@chunk.secure-computing.net:/usr/obj/usr/src/sys/GENERIC i386
18:34 < Dougy> i feel like a pansy
18:34 < Dougy> being on ubuntu
18:36 < Dougy> crap
18:36 < Dougy> i forgot all of my mth stuff
18:36 < Dougy> math
18:37 * Dougy feels stupid
18:41 < ecrist> Dougy: get rid of that Ubuntu, unless it's your desktop, and go freebsd.
18:41 < Dougy> this is my desktop
18:41 < Dougy> all i do is go on pidgin, xchat and firefox
18:41 < Dougy> and ssh
18:42 < Dougy> well my laptop
18:43 < krzie> ya ubuntu isnt that bad for desktop
18:43 < krzie> i have it dual boot on my macbook pro
18:43 < krzie> i never ever use it, but its alright
18:51 < ecrist> krzie: on mac, dual-boot is for lewsers
18:51 < ecrist> virtualbox ftw
18:51 < Dougy> haha
18:51 < Dougy> yeah virtualbox rocks
18:51 < krzie> false
18:51 < krzie> i use virt machines too
18:51 < krzie> i wanted to get the internal atheros wifi cracking wep
18:52 < krzie> also wanted to play with beryl
18:52 < krzie> try to do either of those in a virtual machine
18:52 < ecrist> krzie: you can do that with os x
18:52 < ecrist> the cracking wep stuff, that is.
18:53 < krzie> also false
18:53 < krzie> kismac doesnt do injection
18:53 < krzie> and aircrack runs, but not airodump
18:53 < ecrist> what version of kismac you using?
18:53 < krzie> so you can crack it after sniffing, but cant do a good sniff with reinjection
18:54 < krzie> kismac can only reinject on B networks
18:55 < ecrist> eh, I bought a USB wifi card for cracking wifi networks
18:55 < krzie> i have a few
18:56 < krzie> but my fav is the 500mW alfa
18:59 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
18:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
19:33 -!- Nejk0 [n=franz@lk.84.20.249.154.dc.cable.static.lj-kabel.net] has quit [Read error: 110 (Connection timed out)]
20:17 < ecrist> ssh
20:17 * ecrist wonders if 2x(1920x1200) will work with wow OK
20:46 < jeev> heh
20:46 < jeev> what server you on
20:55 < krzie> GO BALTIMORE!
20:55 < ecrist> jeev: about 4 of them, not an avid WoWer, though.
20:57 < ecrist> thunderlord, mostly
20:57 < ecrist> my highest is a 62
20:57 * ecrist goes away
21:13 < jeev> heh
21:37 -!- near [n=near@88-122-18-154.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)]
22:04 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"]
22:34 -!- starsong [n=starsong@200-47-17-123.comsat.net.ar] has joined ##openvpn
22:34 < starsong> hi, im running openvpn with a single nic, and i would like every client connecting to my server to use my connection
22:35 < ecrist> push 'redirect-gateway'
22:36 < ecrist> it's covered in the howto
22:36 < starsong> ecrist: im very sorry, im in a rush, thanks
22:36 < ecrist> !route
22:37 < vpnHelper> ecrist: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
22:38 < starsong> thank you
22:38 < starsong> good bye
22:38 -!- starsong [n=starsong@200-47-17-123.comsat.net.ar] has quit [Client Quit]
22:39 < ecrist> ping krzie
22:40 < jeev> ping
22:54 -!- The_MAZZTer [n=mzzt@pool-70-17-60-54.pskn.east.verizon.net] has joined ##openvpn
22:54 < The_MAZZTer> hi, I'm having problems getting the TAP driver to work on Windows XP
22:55 < The_MAZZTer> OpenVPN can't see it
23:04 < ecrist> krzie: I've got route 10.0.0.0 255.255.0.0, push "route 10.0.0.0 255.255.0.0", both in server config, and iroute 10.0.0.0 255.255.0.0 in the client CCD config.
23:04 < ecrist> server lan and client lan, talking OK
23:04 < ecrist> other vpn clients and that one client lan, no worky
23:05 < ecrist> what am I missing?
23:05 -!- The_MAZZTer [n=mzzt@pool-70-17-60-54.pskn.east.verizon.net] has quit [Nick collision from services.]
23:05 -!- The_MAZZTer [n=mzzt@pool-70-17-60-54.pskn.east.verizon.net] has joined ##openvpn
23:10 -!- The_MAZZTer [n=mzzt@pool-70-17-60-54.pskn.east.verizon.net] has quit [Client Quit]
23:11 -!- The_MAZZTer [n=mzzt@pool-70-17-60-54.pskn.east.verizon.net] has joined ##openvpn
23:13 < ecrist> krzie: think I figured it out
23:23 -!- LumberCartel [n=local_42@24.86.160.252] has joined ##openvpn
23:24 < LumberCartel> Hello folks. Is there a way to get OpenVPN to not try to connect until after at least one other network adapter has connected? Client OS is WinXP SP3, and OpenVPN 2.1 RC 12. Thanks in advance.
23:24 < ecrist> LumberCartel: directly, no, I don't believe so.
23:25 < LumberCartel> Hmm. Like a group of dependencies. That would be nice.
23:25 < ecrist> in the unix world, there are things you can do with the automated rc scripts to account for such a thing, however.
23:25 < LumberCartel> The problem I'm having is that OpenVPN tries to connect infinitely.
23:25 < ecrist> LumberCartel: that can be changed in the client config file.
23:25 < LumberCartel> Oh yeah, I know. Unix works great for this stuff.
23:25 < LumberCartel> ecrist: Oh yeah? What would you suggest?
23:25 < ecrist> tbh, though, the problem you're having is a Windows shortcoming, not an OpenVPN one.
23:26 < LumberCartel> I know.
23:26 < LumberCartel> Windows has a lot of short-comings.
23:26 * LumberCartel has converted many of his clients over to Unix servers in the past 12 months.
23:26 < ecrist> well, if your only gripe is that it tries forever, change resolv-retry
23:27 < LumberCartel> Hmm. I'll take a look at that one, but if it relies on DNS then the Windows cache could be a problem.
23:27 < LumberCartel> Well, it's not a problem for me because I can easily restart the OpenVPN service, but end-users get lost too easily.
23:27 -!- The_MAZZTer [n=mzzt@pool-70-17-60-54.pskn.east.verizon.net] has quit ["Jumping from high ledges without anticipation of fatal impact is commonly known to be an unwise activity and is not recommend]
23:28 < LumberCartel> I see the parameter there, but I'm curious about its parameters. Does it take a number of seconds in place of "infinite?"
23:29 < ecrist> LumberCartel: read http://www.boyce.us/windows/servertipcontent.asp?ID=7
23:29 < vpnHelper> Title: Jim Boyce - Windows Tips (at www.boyce.us)
23:29 < ecrist> there might be something you can do there.
23:29 < ecrist> yes, it does
23:29 < LumberCartel> Great! I'll pick something like 10.
23:30 < ecrist> also, google for "windows service start dependencies" and see if you can't tweak things that way
23:30 < LumberCartel> Thanks for the tips.
23:31 < ecrist> np
23:31 < LumberCartel> I'm going to try "resolv-retry 10" first. I'm just rebooting the laptop now -- it needs a few seconds to get connected to the wireless network first, which makes for a great test of this.
23:31 < ecrist> this one might be best: http://support.microsoft.com/kb/193888
23:31 < vpnHelper> Title: How to delay loading of specific services (at support.microsoft.com)
23:32 < LumberCartel> Unfortunately, delaying a service start is only a kludge at best because if the wireless connection takes longer, then I'll still be stuck.
23:32 -!- The_MAZZTer [n=mzzt@pool-70-17-60-54.pskn.east.verizon.net] has joined ##openvpn
23:33 < LumberCartel> Well, it looks like that resolved the problem: resolv-retry 10
23:33 < ecrist> well, actually, read that last windows support article I pasted.
23:33 < The_MAZZTer> can anyone help with my problem?
23:33 < ecrist> what's your problem?
23:33 < The_MAZZTer> the TAP adapter isn't appearing in openvpn --show-adapters list
23:33 < LumberCartel> I see.
23:34 < The_MAZZTer> also openssl seems to be completely broken in every app that tries to use it, I expect openvpn will run into that problem if I get TAP to work
23:34 < The_MAZZTer> this is a fresh XP SP3 install
23:34 < The_MAZZTer> but, one problem at a time
23:34 < ecrist> The_MAZZTer: did the tap install go smoothly?
23:35 < The_MAZZTer> no
23:35 < ecrist> where did it fail?
23:35 < The_MAZZTer> it didn't fail
23:35 < The_MAZZTer> it just didn't install drivers
23:35 < ecrist> I don't know how much testing has been done with SP3
23:35 < The_MAZZTer> had to go into device manager and browse for them
23:35 < ecrist> did it ask to?
23:35 < The_MAZZTer> no
23:35 < The_MAZZTer> showed up as unknown device
23:35 < ecrist> I don't think you selected to install them.
23:35 < The_MAZZTer> I think I did, since it now shows up as a TAP device
23:36 * The_MAZZTer screenshots
23:36 < The_MAZZTer> http://x.mzzt.net/2008.09.30.00.36.32.png
23:37 < The_MAZZTer> I was having a really weird error before I reinstalled XP... something about windows not being able to find the hardware for the driver (?!?!)
23:37 < The_MAZZTer> I'm a bit annoyed a complete reinstall didn't help much
23:37 < The_MAZZTer> *annoyed at windows
23:37 < LumberCartel> The_MAZZTer: Did you start the "OpenVPN" service?
23:37 < The_MAZZTer> that service is the openvpn server
23:37 < The_MAZZTer> I don't need it
23:38 < The_MAZZTer> I've never needed it in the past
23:38 < The_MAZZTer> also, it doesn't start anyway (just tried it)
23:38 < The_MAZZTer> errors out
23:38 < The_MAZZTer> claims a dependency didn't start
23:39 < The_MAZZTer> (only dependency it has is the tap adapter)
23:39 < LumberCartel> The_MAZZTer: Please type this command at the DOS prompt: net start "OpenVPN Service"
23:39 < The_MAZZTer> which is already running, according to sc.exe
23:39 < The_MAZZTer> ok
23:39 < LumberCartel> Oh, an error? Check your logs.
23:39 < The_MAZZTer> System error 1068 has occurred.
23:39 < The_MAZZTer> The dependency service or group failed to start.
23:39 < ecrist> The_MAZZTer: openvpn service is not just for a server.
23:39 < The_MAZZTer> ok, well, I've never needed it before
23:39 < LumberCartel> I'm using OpenVPN v2.1 RC12 on WinXP SP3 right now.
23:39 < The_MAZZTer> I think
23:39 < ecrist> what are the logs?
23:39 < The_MAZZTer> me too
23:39 < The_MAZZTer> which logs
23:40 < The_MAZZTer> event viewer logs?
23:40 < ecrist> The_MAZZTer: have you tried 2.0.9?
23:40 < ecrist> yes, event viewer logs
23:40 < ecrist> bah
23:40 * ecrist goes to bed.
23:40 < The_MAZZTer> The OpenVPN Service service depends on the TAP-Win32 Adapter service which failed to start because of the following error:
23:40 < The_MAZZTer> The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
23:40 < The_MAZZTer> no, I was thinking of that
23:40 < The_MAZZTer> but I guess i got sidetracked
23:41 < LumberCartel> See the log files here: C:/Program Files/OpenVPN/log/
23:41 < The_MAZZTer> yeah well, openvpn never gets far enough to generate logs
23:41 < The_MAZZTer> in there
23:41 < LumberCartel> Okay, then you've got a Windows problem.
23:41 < LumberCartel> Event logs will hopefully provide the needed clues.
23:41 < LumberCartel> ecrist: Thanks for your help.
23:42 < The_MAZZTer> woot
23:42 < The_MAZZTer> 2.0.9 works
23:42 < The_MAZZTer> it uses the 0801 tap
23:43 < The_MAZZTer> Tue Sep 30 00:43:08 2008 Initialization Sequence Completed With Errors ( see htt
23:43 < The_MAZZTer> p://openvpn.net/faq.html#dhcpclientserv )
23:43 < The_MAZZTer> gah
23:43 < The_MAZZTer> I don't like the sound of that
23:43 < The_MAZZTer> aaand no IP address assigned to TAP
23:43 < The_MAZZTer> back to where I was before I started fiddling around with TAP and screwed my windows install
23:44 < LumberCartel> I recommend renaming the TAP network adapter to: OpenVPN
23:44 < LumberCartel> It really simplifies future administration.
23:45 < The_MAZZTer> whee fixed that
23:45 < The_MAZZTer> still not getting an IP though FEH
23:45 < The_MAZZTer> wait
23:45 < The_MAZZTer> getting the "wrong" ip
23:45 * The_MAZZTer talks it over with VPN admin
23:49 -!- LumberCartel [n=local_42@24.86.160.252] has quit [Read error: 104 (Connection reset by peer)]
23:49 < The_MAZZTer> whee
23:49 < The_MAZZTer> all working now
23:49 < The_MAZZTer> thanks
23:49 < The_MAZZTer> 2.1 has been giving me problems since XPSP3
23:50 -!- LumberCartel [n=local_42@24.86.160.252] has joined ##openvpn
23:50 < LumberCartel> Damned wireless connection.
23:51 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn
--- Day changed Tue Sep 30 2008
00:19 -!- The_MAZZTer [n=mzzt@pool-70-17-60-54.pskn.east.verizon.net] has quit [Read error: 110 (Connection timed out)]
00:38 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
00:59 -!- LumberCartel [n=local_42@24.86.160.252] has quit [Read error: 104 (Connection reset by peer)]
01:04 -!- LumberCartel [n=local_42@24.86.160.252] has joined ##openvpn
01:26 -!- LumberCartel [n=local_42@24.86.160.252] has left ##openvpn []
01:27 -!- bjartis [n=bjartis@195.1.73.1] has joined ##openvpn
01:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:47 -!- bjartis [n=bjartis@195.1.73.1] has left ##openvpn []
01:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
02:10 < ikevin> why do so many people have multiple IRC sessions?
02:10 < ikevin> ahem, ikevin, krzee, well, ok, those are the only two right now, but that's substantial.
02:10 < ikevin> 1 at work, 1 at home :)
02:22 -!- jeev [n=email@unaffiliated/jeev] has quit [Read error: 104 (Connection reset by peer)]
02:44 -!- ikevin [n=Informat@ANancy-256-1-37-41.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
02:49 -!- ikevin [n=Informat@ANancy-256-1-53-45.w90-26.abo.wanadoo.fr] has joined ##openvpn
03:44 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: mcp, krzie, disco-, SWAT, paruchuri, SilenceGold, nopcode, jfkw, Typone, ikevin_, (+10 more, use /NETSPLIT to show all of them)
03:45 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: justdave, dogmeat, djs, zamba, troy-, ropetin, thomas
03:46 -!- Netsplit over, joins: aia, paruchuri, bronson, Ushnishavijaya, xororand, ropetin, thomas, SilenceGold, krzie, jfkw (+10 more)
03:51 -!- ikevin [n=Informat@ANancy-256-1-53-45.w90-26.abo.wanadoo.fr] has joined ##openvpn
03:51 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
03:51 -!- ikevin_ [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has joined ##openvpn
03:51 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn
03:51 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has joined ##openvpn
03:51 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
04:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: xororand, SilenceGold, aia, kala, jfkw, nopcode, SWAT, disco-, mcp, Typone, (+1 more, use /NETSPLIT to show all of them)
04:05 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
04:05 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
04:10 < Ushnishavijaya> krzee: I don't understand.
04:11 < Ushnishavijaya> What I have wrong in my route?
04:11 < Ushnishavijaya> I would like to have one big LAN, so I am pushing the traffic via the tunnel.
04:16 < Ushnishavijaya> http://phpfi.com/358668
04:16 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: funky, squirrelpimp, ikevin, ikevin_, Kreg, daemon
04:16 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
04:17 < krzee> i dont have our conversation in my buffer
04:17 -!- Netsplit over, joins: aia, bronson, xororand
04:17 -!- SilenceGold [n=chris@71.143.178.16] has joined ##openvpn
04:17 -!- Netsplit over, joins: mcp, disco-, SWAT, kala, nopcode, Typone, jfkw
04:17 < Ushnishavijaya> My routing table on both machines.
04:17 < Ushnishavijaya> I am completely lost here. S:S
04:17 < Ushnishavijaya> You have pasted me a link:
04:17 < krzee> ohh
04:17 < krzee> you had a lan behind one of the machines
04:17 < krzee> right?
04:17 < krzee> and i gave you:
04:17 < krzee> !route
04:17 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:17 < Ushnishavijaya> i have a LAN behind both machines.
04:17 < krzee> ok...
04:18 < krzee> are the machines that run openvpn the default gateways for the LANs on their network?
04:18 < krzee> ?
04:18 < Ushnishavijaya> And from machine 192.168.1.1 I can ping any 192.168.0.x machine.
04:18 < Ushnishavijaya> Yes.
04:18 < Ushnishavijaya> But from machine 192.168.0.0 I can't ping anything 192.168.1.x
04:18 < Ushnishavijaya> Not even 192.168.1.1
04:19 < krzee> both machines are the default routers for their lans?
04:19 < Ushnishavijaya> However I can ping the VPN gw just fine.
04:20 < Ushnishavijaya> i have pasted you the ip route output.
04:20 -!- madpenguin7 [n=dnsmafia@202.78.228.12] has joined ##openvpn
04:20 < Ushnishavijaya> The same setup worked for ptp mode, but doesn't work with mode server.
04:21 < madpenguin7> Hi everyone, I got question, for openVPN net-to-net is it possible to enable compression on that ?
04:21 < krzee> Ushnishavijaya, im with a girl right now so answer my questions
04:21 < krzee> cause im not staying online long
04:22 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: pa
04:22 < Ushnishavijaya> But I don't understand your question.
04:22 < krzee> ok...
04:22 < Ushnishavijaya> There is a standard nat on both machines.
04:22 < krzee> the openvpn server is running on a machine which is the default router for the whole lan?
04:22 < Ushnishavijaya> It is running on two machines, and each of them is a router for its LAN.
04:23 -!- Netsplit over, joins: pa
04:23 < krzee> ok
04:24 < krzee> and you followed !route?
04:24 < Ushnishavijaya> I think so.
04:24 < Ushnishavijaya> I added iroute for the 192.168.1.1 network
04:25 < Ushnishavijaya> http://phpfi.com/358672
04:25 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
04:25 < Ushnishavijaya> this is my client's configuration in ccd.
04:25 < krzee> im not asking for your routing table
04:25 < Ushnishavijaya> And from client I can ping the server's network.
04:25 < krzee> ya show me configs and ccd's
04:26 < krzee> via pastebin
04:26 < krzee> or phpfi or whatever
04:26 < Ushnishavijaya> http://phpfi.com/358299
04:26 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
04:27 < Ushnishavijaya> Config files.
04:27 < Ushnishavijaya> And ccd.
04:27 < Ushnishavijaya> I am also using iptables.
04:28 < Ushnishavijaya> http://phpfi.com/358674
04:28 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
04:29 < Ushnishavijaya> Besides these rules I have a standard LAN, and default policy ACCEPT.
04:31 < krzee> ifconfig-push 10.0.0.2 10.0.0.1
04:31 < krzee> that shouldnt even work
04:31 -!- joh [i=johannj@caracal.stud.ntnu.no] has joined ##openvpn
04:31 < krzee> oh nm yes it should
04:31 < krzee> my bad
04:31 < Ushnishavijaya> ;}
04:32 < joh> Hi, is there no way to push DNS settings to the client other than dhcp-option?
04:32 < joh> It seems dhcp-option also requires some extra configuration for non-Windows clients?
04:34 -!- ikevin [n=Informat@ANancy-256-1-53-45.w90-26.abo.wanadoo.fr] has joined ##openvpn
04:34 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
04:34 -!- ikevin_ [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has joined ##openvpn
04:34 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn
04:34 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has joined ##openvpn
04:34 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
04:36 < krzee> joh, not that i know of
04:36 < Ushnishavijaya> krzee: So, do you know what I am doing wrong?
04:36 < joh> krzee: Ok, thanks
04:36 < Ushnishavijaya> i thought I want to do a simple task - connect two networks via VPN.
04:38 < krzee> ifconfig 10.0.0.1 10.0.0.2 # first one local end-point, second one remote end-point
04:38 < krzee> that should not be in the server config
04:38 < krzee> you kept your p2p setup
04:38 < krzee> !sample
04:38 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
04:39 < krzee> for server you want more like that
04:39 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: squirrelpimp, ikevin_, Kreg, daemon, funky, ikevin
04:39 < krzee> route 192.168.1.0 255.255.255.0 # route everything to remote net over 10.0.0.1
04:39 < krzee> 1.0 is behind the server, right?
04:40 < Ushnishavijaya> So should I just remove this option and it will work? :>
04:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:41 < Ushnishavijaya> No.
04:41 < Ushnishavijaya> 0.0 is behind the server.
04:41 < Ushnishavijaya> I removed the ifconfig option and it still doesn't work.
04:41 < krzee> then your setup is wrong
04:42 < krzee> read !route
04:42 < Ushnishavijaya> But then how is the server supposed to know where to push the packet for the client network?
04:42 < Ushnishavijaya> I did. Nothing relevant is there.
04:42 < krzee> i dont wanna sit here explaining something i already typed out
04:42 < krzee> bullshit
04:43 < krzee> 1sec
04:43 < krzee> The route entries are telling his server to add a route for each of 192.168.1.0, 192.168.3.0, and 192.168.4.0 to its kernel's routing table, which will go through the tunnel interface. The server's kernel now has an entry for 3 LANs to both go through the vpn interface, but when that happens how will openvpn know what client to send each network to? The answer is iroute!
04:44 < krzee> actually, lemme talk to you tomorrow
04:44 < krzee> gotta go
04:44 < Ushnishavijaya> root@hm:/etc/openvpn# cat openvpn.conf | grep route
04:44 < Ushnishavijaya> route 192.168.1.0 255.255.255.0 # route everything to remote net over 10.0.0.1
04:44 < Ushnishavijaya> and what I have in my config file/
04:44 < krzee> but ya, everything you need to know is in !sample and !route
04:44 < Ushnishavijaya> Can you read?
04:44 < Ushnishavijaya> I already have it in my config and it doesn't work.
04:44 < krzee> if you haven't figured it out ill help tomorrow
04:45 < Ushnishavijaya> And you instead of reading my configs are sending me to howtos I have read dozen times.
04:47 < Ushnishavijaya> Darn it. ;(
04:48 < Ushnishavijaya> The fucking setup worked fine with p-t-p setup, but someone had a brilliant idea that you can't use ptp and server mode.
04:48 < Ushnishavijaya> So I had to do server mode to allow the darn clients with certificates.
04:48 < Ushnishavijaya> What a fucked up software it is.
04:49 -!- ikevin [n=Informat@ANancy-256-1-53-45.w90-26.abo.wanadoo.fr] has joined ##openvpn
04:49 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
04:49 -!- ikevin_ [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has joined ##openvpn
04:49 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn
04:49 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has joined ##openvpn
04:49 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
05:09 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: funky, squirrelpimp, ikevin, ikevin_, Kreg, daemon
05:21 -!- ikevin [n=Informat@ANancy-256-1-53-45.w90-26.abo.wanadoo.fr] has joined ##openvpn
05:21 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
05:21 -!- ikevin_ [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has joined ##openvpn
05:21 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn
05:21 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has joined ##openvpn
05:21 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
05:32 -!- paruchuri [n=qvantel@61.16.248.247] has quit ["Ex-Chat"]
05:32 -!- ompaul [n=boss@gnewsense/friend/ompaul] has joined ##openvpn
05:35 -!- madpenguin7 [n=dnsmafia@202.78.228.12] has quit []
05:37 < ompaul> why would I be seeing one side of a network from the client and not see the client from the server, for example *.*.4.16 is a client of *.*.1.17 the vpn works on the client side I can do anything I want to the server side network but I don't see the server side network from the client (if that makes sense) it is a routing issue but frankly I am stumped
05:39 < ompaul> so traffic can traverse both ways, I send a http request from the client to the server side network and I get the expected behaviour but I can't connect the other way with ping ssh or anything else for that matter
05:45 < Ushnishavijaya> /c
06:44 -!- bjartis [n=bjartis@195.1.73.1] has joined ##openvpn
06:44 < bjartis> If i set OpenVPN server to listen on TCP 443. Can i connect to it through corporate firewalls that allow HTTPS traffic?
06:46 < bjartis> Or is there a special setting to make it "talk" https?
06:48 < xororand> bjartis: you can use any ssl service through https proxies. i used to tunnel over ssh on port 443 through my company's https proxy
06:49 < xororand> it's not easily possible to distinguish between ssl + anything and ssl + https
06:50 < xororand> s/https/http/
06:50 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
06:50 < bjartis> ah. nice.. thanks a lot xororand :)
06:50 < ompaul> does this mean anything given the info above
06:50 < xororand> bjartis: if everything fails, there's still TCP-over-DNS :)
06:51 < bjartis> TCP-over-DNS?
06:51 < ompaul> I do a tcpdump -ni tun0 and get nothing back when I am trying to ping *.*.4.16
06:51 < bjartis> Sounds mad slow.
06:52 < ompaul> bjartis, 53 times slower
06:52 < xororand> bjartis: probably, but it works in some closed wi-fi networks which allow dns before you have logged in ;)
06:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
06:53 < bjartis> Hehe. cool.
06:54 < ompaul> route add 192.168.4.16 gw 192.168.1.17 and I start getting this (remember the ping has been running for a couple of hours From hostname-hidden(192.168.1.17) icmp_seq=2778 Destination Host Unreachable
06:55 < cpm> ompaul, what is the netmask for 192.168.4.16?
06:55 < ompaul> nice one /me looks
06:56 < ompaul> inet addr:192.168.4.16 Bcast:192.168.4.255 Mask:255.255.255.0
06:56 < ompaul> cpm, ^^ there we go
06:56 < cpm> k, 192.168.1 is way outside of
06:56 < cpm> heh, okay.
06:56 < ompaul> yeap
06:56 < ompaul> I am adding to 1.17
06:56 < ompaul> I can do anything I want from inside .4
06:57 < ompaul> but I can't touch .4 from .1
06:59 < ompaul> inet addr:192.168.1.17 Bcast:192.168.1.255 Mask:255.255.255.0
06:59 * ompaul thinks about lunch
06:59 < ompaul> something might occur to me when I am not looking at the screen - any ideas hit me with them please (I am cracking up :-()
07:08 < cpm> change that mask to 255.255.252.0
07:08 < cpm> whoops, that won't work.
07:08 < cpm> it'll need to be 255.255.248.0
07:09 < cpm> okay, I'm not paying attention.
07:09 < cpm> Sorry
07:13 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
07:14 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
07:18 -!- SuD [n=Ask@89.140.32.2.static.user.ono.com] has joined ##openvpn
07:19 < SuD> hi, can i use windows "default" vpn client to connect to an openvpn server
07:22 < cpm> nope.
07:23 < cpm> you mean the native vpn client that ships with windows, yes?
07:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:28 -!- ikevin [n=Informat@ANancy-256-1-53-45.w90-26.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
07:35 < ecrist> SuD: no, that's PPTP, OpenVPN is a different beast.
07:48 -!- bjartis [n=bjartis@195.1.73.1] has left ##openvpn []
07:55 < ompaul> cpm, I should say I am using 10.8.0.0 network to talk Server to Client
07:55 < cpm> pastebin the output of route -n
07:56 < Ushnishavijaya> Can anyone help me with my routing problem?
07:56 < Ushnishavijaya> I really can't see where I am doing wrong.
08:00 < cpm> since you haven't bothered to tell us what routing problem you are having, then no. No one can help you. However, if you describe what's going on, perhaps someone can.
08:01 < cpm> Wait a sec. Are you the same fellow who was here all day yesterday?
08:01 < Ushnishavijaya> yes.
08:01 < Ushnishavijaya> The boosted one.
08:01 < Ushnishavijaya> I have connected two networks as client-server.
08:01 < Ushnishavijaya> And I can ping the server's network from the client, but i can't ping client's network from server.
08:02 < ompaul> cpm, pmed you url and pass
08:02 < Ushnishavijaya> And it is so important for me to make it work.
08:03 < ecrist> twistii?
08:03 < Ushnishavijaya> Hmm?
08:04 < ompaul> cpm, and just for fun this is in production :-(
08:04 < Ushnishavijaya> Come on people. A channel with a bunch of VPN hackers, and no one can help me/
08:04 < Ushnishavijaya> ?
08:04 < Ushnishavijaya> ;9
08:05 < ecrist> Ushnishavijaya: I know not what your problem is, describe it
08:05 < Ushnishavijaya> 15:01 < Ushnishavijaya> I have connected two networks as client-server.
08:05 < Ushnishavijaya> 15:01 < Ushnishavijaya> And I can ping the server's network from the client, but i can't ping client's network from server.
08:06 < ecrist> Oh, I'll answer accordingly. You have a bad route. NEXT?
08:09 < Ushnishavijaya> http://phpfi.com/358734
08:09 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
08:09 < Ushnishavijaya> Here is whole info.
08:09 < Ushnishavijaya> You could need.
08:10 < Ushnishavijaya> Including the firewall rules.
08:10 < cpm> ompaul, your intent is to send everything through the vpn tunnel?
08:10 < ecrist> does it work if you disable the firewall?
08:11 < ompaul> cpm, it is not, it is to connect all offices and then they can go to the internet themselves
08:12 < cpm> ompaul, you should do this one at a time.
08:12 < ompaul> cpm, we have different services in each place and internal dns on 1.16
08:12 < Ushnishavijaya> ecrist: You are speaking to me?
08:12 < ecrist> yes
08:12 < cpm> tricky to do on a production box.
08:12 < cpm> or rather, tricky to sort out on a production box.
08:13 < ompaul> cpm .1.* is the centre of the known universe :)
08:13 < cpm> heh
08:13 < ompaul> cpm, I can work on it after hours
08:13 < ompaul> no problem there
08:13 < ompaul> I have remote access to all buildings and physical access to most :)
08:13 < ecrist> ompaul: wrong. ::1 is the center of the known universe
08:13 < Ushnishavijaya> ecrist: No.
08:14 < ompaul> ecrist, when this problem is done I will be moving to that
08:14 < ecrist> :)
08:14 -!- [SURFnet]Kees [n=kees@x229.flex.surfnet.nl] has joined ##openvpn
08:14 < ompaul> cpm, in fact when this problem is knocked on the head we are planning to move to layer2 killing the need for 80% of this crack
08:15 < [SURFnet]Kees> What could be the cause of TX packets being dropped on a tap interface?
08:15 < ompaul> cpm, ohh to be someone else somewhere else :)
08:16 < ompaul> cpm, I'm going to hit some old data which was around and pbin that too
08:16 < ompaul> cpm, I should point out we had a critical failure on the network a couple of weeks ago
08:17 < cpm> I'm presuming that this routing table is from your server, yes?
08:17 < Ushnishavijaya> ecrist: With firewall or not the same problem persists.
08:20 < ompaul> cpm, the bottom one is the server the top one is the client
08:22 < Ushnishavijaya> ecrist: So any idea?
08:22 < Ushnishavijaya> I have followed the darn howtos. :>
08:23 < ompaul> cpm, I better repaste that if you close the browser :) short lifespans etc
08:24 < ecrist> Ushnishavijaya: I'll look at your problem in a few minutes.
08:24 < Ushnishavijaya> i would be very grateful.
08:36 < ompaul> cpm, reading more detail on ovpn site -- I see iroute not had to use that before looks like what I need - one network redesign and reset coming up in the next 30 minutes :)
08:39 < krzie> ok im back
08:39 < krzie> sorry i had to go
08:40 < krzie> Ushnishavijaya, wanna link that pastebin to your configs again?
08:40 < Ushnishavijaya> Sure.
08:40 < Ushnishavijaya> http://phpfi.com/358734
08:40 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
08:41 < Ushnishavijaya> Here is a complete info.
08:41 < Ushnishavijaya> Configs, firewall settings and routing table.
08:41 < krzie> you've turned off the firewall for testing?
08:41 < Ushnishavijaya> Yes.
08:41 < Ushnishavijaya> All except NAT.
08:42 < Ushnishavijaya> But NAT has policy accept.
08:43 < Ushnishavijaya> Ok, flushed the fw completely, and also the same problem.
08:44 < krzie> (this command is for my reference while i read your configs)
08:44 < krzie> !route
08:44 < vpnHelper> krzie: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
08:44 < Ushnishavijaya> Ok.
08:44 < krzie> i didnt sleep so reference is good
08:44 < krzie> heheh
08:45 < Ushnishavijaya> Hehe. ;}
08:45 < krzie> you only have 1 client with a lan behind it?
08:45 < Ushnishavijaya> Yes. But the server has a LAN behind too.
08:45 < krzie> right
08:46 < Ushnishavijaya> So there are two networks.
08:46 < krzie> and server lan is 0.0
08:46 < krzie> right?
08:46 < Ushnishavijaya> yes.
08:46 < krzie> and you want that lan reachable by ALL clients?
08:46 < krzie> k, remove push "route 192.168.0.0 255.255.255.0"
08:46 < krzie> from ccd entry
08:46 < krzie> and put in server.conf
08:46 < Ushnishavijaya> Currently I would like these two LANs to see each other like they were one.
08:47 < krzie> that would have been correct if 0.0 was behind another client and the route needed to be pushed to a client but obviously not to the client who it is behind
08:47 < krzie> since it needs to be pushed to all clients, it goes in server.conf
08:48 < krzie> (not your problem, but im going step by step
08:48 < krzie> 1.0 is behind lenwit, right?
08:48 < Ushnishavijaya> Yes.
08:48 < Ushnishavijaya> I have removed the push route and now I can't ping the server's network too.
08:48 < krzie> hrm
08:49 < krzie> ifconfig-push 10.0.0.2 10.0.0.1
08:49 < krzie> i dont believe that is right
08:49 < krzie> the server will be taking .1 / .2
08:49 < krzie> !/30
08:49 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
08:49 < Ushnishavijaya> I can ping 10.0.0.2.
08:49 < krzie> .2 is the server as well
08:50 < krzie> read #slash30
08:50 < Ushnishavijaya> Ok.
08:50 < krzie> for an understanding of why
08:50 < Ushnishavijaya> So I should give the client IP of 10.0.0.6?
08:51 < krzie> is there a reason you need static ips for clients?
08:51 < krzie> (there are valid reasons to do it)
08:51 < Ushnishavijaya> Well, for the others probably I will be ok with dynamic IP.
08:51 < Ushnishavijaya> But this client is a network.
08:51 < krzie> that dont matter
08:52 < krzie> thats all done based on commonname
08:52 < krzie> using ccd/ entries...
08:52 < ompaul> cpm, 64 bytes from 192.168.4.16: icmp_seq=5 ttl=64 time=40.9 ms thank you for helping me think
08:52 < Ushnishavijaya> Then how I am supposed to set the routing table on the server if the client has a dynamic IP?
08:52 < cpm> always glad to help folks think
08:52 < Ushnishavijaya> :>
08:52 < ompaul> cpm, :)
08:52 < cpm> Ushnishavijaya, you push from the server
08:52 < cpm> as per the docs
08:53 < krzie> correct =]
08:53 < Ushnishavijaya> But I want the both networks to see each other, so i have to configure the server's routing table too.
08:53 < krzie> you shouldnt be setting that stuff manually, openvpn sets it based on common name
08:53 < krzie> no, you dont
08:53 < krzie> openvpn does
08:53 < Ushnishavijaya> I want all the clients in both lans to see each other.
08:53 < krzie> right
08:53 < Ushnishavijaya> That's my aim. :>
08:54 < Ushnishavijaya> So I have to change client's IP to .6 and it will work?
08:54 < krzie> and since each openvpn endpoint is the default router, you set NO routes manually
08:54 < krzie> just comment out the ifconfig push
08:54 < krzie> you dont need it
08:54 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn
08:55 < Ushnishavijaya> Ok, removed ifconfig and route push from ccd.
08:56 < krzie> the route push went to server config right?
08:56 < krzie> since you want it pushed to ALL clients
08:57 < Ushnishavijaya> I have in my config:
08:57 < Ushnishavijaya> route 192.168.1.0 255.255.255.0 # route everything to remote net over 10.0.0.1
08:58 < Ushnishavijaya> I should add another route entry or something?
08:58 < krzie> well
08:58 -!- joeyk [n=joeyk@pdpc/supporter/active/zer0python] has joined ##openvpn
08:59 < joeyk> anyone here had problems generating a blank certificate?
08:59 < ompaul> Ushnishavijaya, I am up to my eyes trying to change a production environment and open a new office at the same time so I will give you this as your possible solution-- there is an iroute directive which you use with a "ccd" i.e. a client directory and files and so forth check that out, I was having very similar problems to you but the other way around - the server would not ping the client - worth a look
08:59 < krzie> he has iroute per my writeup in !route
09:00 < joeyk> using the build-ca scripts, the server.crt file generated is blank
09:00 < joeyk> so openvpn wont start
09:00 < Ushnishavijaya> ...
09:00 < ompaul> krzie, not reading back scroll too happy after fixing this one :)
09:00 < krzie> ok your route statement is right
09:00 < krzie> but you need your push route for .0.0 in server config
09:01 < krzie> hehe nice ompaul =]
09:01 < Ushnishavijaya> krzie: So i should add another route entry?
09:01 < krzie> push "route 192.168.0.0 255.255.255.0"
09:01 < krzie> goes in server config and not ccd
09:01 < Ushnishavijaya> OK
09:01 < krzie> only time it goes in ccd is when the lan is behind a client, then the push goes in the other clients ccd entries
09:02 < krzie> (as seen in my writeup)
09:02 < krzie> but my writeup is a more complex setup than yours so i understand the confusion
09:02 < Ushnishavijaya> Ok, I added push route to server config.
09:03 < ChUbB> anyone find the vpn slow when using bridge config
09:03 < Ushnishavijaya> I still can't ping the client.
09:03 < Ushnishavijaya> (1.1 network).
09:03 < krzie> k, and you removed the static ifconfig pushing?
09:04 < Ushnishavijaya> Yes.
09:04 < krzie> you can ping .6 from server?
09:05 < krzie> and can ping .1 from client?
09:05 < Ushnishavijaya> Yes.
09:05 < krzie> and you have not set ANY routes related to openvpn manually?
09:06 < Ushnishavijaya> Nope.
09:06 < krzie> can a client in .1.x network ping 10.8.0.1?
09:07 < krzie> err not client
09:07 < krzie> can a machine in 1.x network....
09:07 < Ushnishavijaya> However on the server I still have:
09:07 < Ushnishavijaya> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.0.0.1 P-t-P:10.0.0.2 Mask:255.255.255.255
09:07 < krzie> thats fine
09:07 < krzie> as per !/30 thats how it works
09:07 < Ushnishavijaya> Why 10.8.0.1?
09:07 < Ushnishavijaya> ;.
09:08 < krzie> 10.8.0.1 is the server vpn endpoint
09:08 < Ushnishavijaya> Hmm?
09:08 < krzie> can it?
09:08 < Ushnishavijaya> I don't have anything like that in my config.
09:08 < Ushnishavijaya> Server's endpoint is 10.0.0.1
09:09 < krzie> oh my bad
09:09 < krzie> that may end up conflicting for road warriors
09:09 < krzie> i prefer to use the ip from docs 10.8.0.0 255.255.255.0
09:09 < Ushnishavijaya> And yes, i can ping it from the client.
09:09 < krzie> for that reason
09:09 < krzie> ok, now...
09:10 < krzie> wait, you said from the client
09:10 < krzie> im talking about another machine on the client's lan
09:10 < Ushnishavijaya> I don't know, there are all windozes.
09:10 < Ushnishavijaya> ;>
09:10 < krzie> windows can ping...
09:10 < Ushnishavijaya> But I don't have access to them.
09:11 < krzie> heh
09:11 < Ushnishavijaya> I want ping 192.168.1.1 from the server. ;>
09:11 < krzie> umm, i dunno if that even should work
09:11 < Ushnishavijaya> I want connect TWO LANS, so it has to work.
09:11 < krzie> ping another box in 1.x from server
09:12 < krzie> you can already ping 1.1 using vpn ip, same machine
09:12 < krzie> ping another in 1.x
09:12 < Ushnishavijaya> I did, and it is dead.
09:13 < krzie> but 1.1 can ping it?
09:13 < Ushnishavijaya> Yes.
09:13 < krzie> that was a quick answer, you checked?
09:14 < Ushnishavijaya> I checked when you asked to ping any host from the 1.x network.
09:14 < Ushnishavijaya> I wouldn't ping a host that is down. ;]
09:14 < krzie> ok, show me logs from client and server
09:14 < Ushnishavijaya> OK.
09:14 < ecrist> it's hard to help someone that thinks they know everything. just an observation
09:15 < krzie> mornin eric
09:16 < Ushnishavijaya> http://phpfi.com/358767
09:16 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
09:16 < Ushnishavijaya> ecrist: ?
09:16 < Ushnishavijaya> I am not telling I know everything. I am just amazed that the same routes worked in ptp config.
09:16 < ecrist> krzie: morning - ignore all my 'thinking' from last night. I got my problem fixed. too late, not enough Jack Daniels. :)
09:17 < Ushnishavijaya> Which i am moving from.
09:17 < ompaul> cpm, cheers time to restart some stuff
09:17 -!- ompaul [n=boss@gnewsense/friend/ompaul] has quit ["bye"]
09:18 < Ushnishavijaya> krzie: I pasted logs above.
09:20 < krzie> Ushnishavijaya ahh earlier i caught you confused about why ptp and server dont work together
09:20 < krzie> the reason is because server is the method for handing out ips
09:20 < Ushnishavijaya> Yes, because I tried to use certificates with ptp.
09:20 < krzie> ptp that wouldnt happen
09:20 < krzie> easy to understand if you look in !man for --server
09:20 < krzie> it explains how it expands to a bunch of commands
09:21 < krzie> which would punch your ptp setup in the balls
09:21 < krzie> so the coders were nice enough to stop you from taking the nut shot and wondering why it dont work
09:21 < Ushnishavijaya> Problem why I am now changing configuration is to let the clients not from these two networks to access them using certs, but this is a different story.
09:21 < krzie> right, in ptp there wouldnt be other clients
09:21 < Ushnishavijaya> Now I am using client-server, and I have no connection between the networks.
09:22 < krzie> thered be 2 boxes connecting to eachother
09:22 < krzie> and no server to accept other connections
09:22 < Ushnishavijaya> I know now. ;>
09:23 < krzie> Tue Sep 30 16:06:56 2008 us=931911 /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
09:23 < krzie> Tue Sep 30 16:06:56 2008 us=941443 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.2
09:23 < krzie> Tue Sep 30 16:06:56 2008 us=948418 /sbin/route add -net 10.0.0.0 netmask 255.255.0.0 gw 10.0.0.2
09:23 < krzie> that looks right to me
09:24 < krzie> Tue Sep 30 16:09:23 2008 us=1958 lenwit/78.131.137.250:1194 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/lenwit
09:24 < krzie> Tue Sep 30 16:09:23 2008 us=2293 lenwit/78.131.137.250:1194 MULTI: Learn: 10.0.0.6 -> lenwit/78.131.137.250:1194
09:24 < krzie> Tue Sep 30 16:09:23 2008 us=2338 lenwit/78.131.137.250:1194 MULTI: primary virtual IP for lenwit/78.131.137.250:1194: 10.0.0.6
09:24 < krzie> Tue Sep 30 16:09:23 2008 us=2360 lenwit/78.131.137.250:1194 MULTI: internal route 192.168.1.0 -> lenwit/78.131.137.250:1194
09:24 < krzie> Tue Sep 30 16:09:23 2008 us=2383 lenwit/78.131.137.250:1194 MULTI: Learn: 192.168.1.0 -> lenwit/78.131.137.250:1194
09:24 < Ushnishavijaya> I can't ping 10.0.0.2 IP
09:24 < krzie> as does that
09:24 < krzie> dude
09:24 < krzie> there is no .2 ip
09:24 < krzie> its internal
09:24 < krzie> forget about it
09:24 < krzie> theres .1 for server and .6 for client
09:24 < krzie> did you even read !/30 ?
09:24 < Ushnishavijaya> I have read it, I am just wondering why you think that a routing by a non existent IP is ok?
09:25 < krzie> lol
09:25 < Ushnishavijaya> ?
09:25 < Ushnishavijaya> I am completely lost.
09:25 < krzie> if you didnt understand the doc, just understand that thats how it works for everyone
09:25 -!- joeyk [n=joeyk@pdpc/supporter/active/zer0python] has quit [Read error: 54 (Connection reset by peer)]
09:25 < krzie> and as long as you arent doing anything manually, openvpn will do it right
09:26 < Ushnishavijaya> I am not doing anything manually.
09:26 < krzie> k
09:26 < krzie> then forget about .2
09:26 < krzie> it does exist, internally to make /30's work
09:26 < krzie> as a way of getting around windows gayness
09:27 < Ushnishavijaya> Ok we just moved one route directive from ccd to server config, and we pushed the routing to the non existent IP. OK.
09:27 < krzie> topology subnet gets rid of that need in latest dev branch, as mentioned in !/30
09:27 < Ushnishavijaya> But it still doesn't work.
09:27 < krzie> pushed the routing to a non existent ip? lol
09:27 < krzie> i bet you try to ping your .255 and .0 at home too
09:28 < krzie> hehe
09:28 < Ushnishavijaya> Ok, can we do less philosophy and more fixing? It is really a serious issue for me.
09:28 < krzie> how bout less talkin back and more listening? :-p
09:28 < Ushnishavijaya> I am trying so. :>
09:29 < Ushnishavijaya> So what do you advise me to do now then?
09:29 < Ushnishavijaya> ;>
09:29 < krzie> still not done reading
09:29 < Ushnishavijaya> I have read the darn /30 thing.
09:29 < krzie> IM still not done reading
09:29 < krzie> as in, your log
09:30 < Ushnishavijaya> Ah ok.
09:30 < krzie> WRRWRTue Sep 30 16:09:24 2008 us=302584 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.0.0.0 255.255.0.0,ifconfig 10.0.0.6 10.0.0.5'
09:30 < krzie> that looks right to me
09:30 < krzie> does this log contain the time you were pinging?
09:31 < Ushnishavijaya> Yes.
09:31 < Ushnishavijaya> It is the most fresh one.
09:31 < krzie> damn, no errors about it
09:31 < krzie> so openvpn was fine with the pings passing through
09:32 < Ushnishavijaya> Wait a moment. I skipped the wrwr things.
09:32 < Ushnishavijaya> So there is something more.
09:32 < krzie> well
09:32 < krzie> is it just wrwrwr
09:32 < krzie> or other stuffs
09:32 < Ushnishavijaya> Tue Sep 30 16:15:34 2008 us=486092 lenwit/78.131.137.250:1194 MULTI: bad source address from client [192.168.1.5], packet dropped
09:32 < krzie> AHHH
09:32 < krzie> now thats useful!
09:32 < krzie> except, wtf
09:32 < krzie> your iroute was learned
09:33 < krzie> there shouldnt be a multi error
09:33 < Ushnishavijaya> Sorry, I wanted to skip the gibberish and didn't notice this one.
09:33 < krzie> erm wait wait
09:33 < krzie> 1.5
09:33 < ecrist> it's hard to help someone that thinks they know everything. just an observation
09:33 < krzie> i thought you didnt have access to 1.5 right now
09:33 < krzie> lol eric ;]
09:33 < Ushnishavijaya> Because I didn't.
09:33 < Ushnishavijaya> I pinged 1.2...
09:33 < Ushnishavijaya> ;o
09:33 < krzie> ecrist, that should be a !command
09:33 < krzie> haha
09:34 < krzie> well where the hell did 1.5 come into play...
09:34 < ecrist> !learn fool as it's hard to help someone that thinks they know everything. just an observation
09:34 < vpnHelper> ecrist: The operation succeeded.
09:34 < krzie> openvpn doesnt just make that up
09:34 < krzie> lenwit tried passing packets over the vpn with source address of 1.5
09:35 < Ushnishavijaya> When i pinged the 1.2 another time this message did not appear.
09:35 < krzie> lenwit is 1.1, right?
09:35 < krzie> is it possible you tried to ping 1.5 from the server?
09:35 < krzie> 1.5 came into play somehow...
09:36 < Ushnishavijaya> Yes lenwit is 1.1. I will check the history if i pinged 1.5.
09:36 < [SURFnet]Kees> What could be the cause of TX packets being dropped on a tap interface?
09:36 < krzie> for some reason packets with source address of 1.5 were passed over the vpn
09:36 < Ushnishavijaya> I did not ping 1.5.
09:36 < krzie> [SURFnet]Kees, a common one is firewall
09:37 < ecrist> [SURFnet]Kees: firewall
09:37 < krzie> [SURFnet]Kees or possibly no ip_forwarding
09:37 < [SURFnet]Kees> iptables DROP rules would show up as TX dropped?
09:37 < ecrist> yes
09:37 < Ushnishavijaya> I tried to get the message about bad packet again by pinging 1.2 and 1.5 but it did not appear.
09:37 < [SURFnet]Kees> ok, thanks
09:38 < krzie> in fact
09:38 < krzie> Ushnishavijaya, you have ip forwarding enabled, right?
09:38 < Ushnishavijaya> Yes.
09:38 < Ushnishavijaya> On both machines.
09:38 < krzie> k
09:39 < krzie> once you do get this working, i highly suggest moving your internal vpn network
09:40 < krzie> you will have issues with any clients being on 10.0.x.x on their internal network
09:40 < krzie> which is a rather large amount of networks... pretty common
09:40 < krzie> you should aim for something never seen in real worls
09:40 < krzie> world
09:40 < Ushnishavijaya> Ok. I will think about changing IPs to something weird later on.
09:41 < krzie> which is the often unspoken reason why the docs all use 10.8.0.x 255.255.255.0
09:41 < Ushnishavijaya> Ok.
09:41 < krzie> ok well lets see then...
09:41 < krzie> time to start using tcpdump
09:41 < Ushnishavijaya> For now I just want the LAN people in both networks to see each other.
09:41 < Ushnishavijaya> Ok.
09:41 < krzie> start sniffing tun on server
09:42 < krzie> use client to ping an ip in lan behind server
09:42 < krzie> see what happens
09:42 < krzie> can filter for icmp if you like
09:43 < krzie> if you see the packets comin through, start sniffing on the target box of the pings
09:43 < krzie> or sniff both simultaneously
09:43 < krzie> whatever turns ya on
09:43 < krzie> hehe
09:44 < Ushnishavijaya> http://phpfi.com/358778
09:44 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
09:44 < Ushnishavijaya> Here is when I am pinging client ip from the server.
09:45 < Ushnishavijaya> One moment for the other way.
09:46 < Ushnishavijaya> http://phpfi.com/358779
09:46 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com)
09:46 < Ushnishavijaya> And here is when I am pinging some IP behind the server's NAT.
09:48 < Ushnishavijaya> serwerterminal is the machine I was pinging from lenwit.
09:49 < Ushnishavijaya> It is 192.168.0.2
09:50 < krzie> k well the first 2 are useless
09:52 < krzie> i wanna see pinging from openvpn endpoint to machine on lan not running openvpn, sniff tun interface on machine in the middle
09:52 < krzie> so if pinging from client to machine behind server, sniff on server
09:52 < Ushnishavijaya> I don't understand...
09:52 < krzie> and same for machine behind server pinging client (vpn ip)
09:53 < krzie> k...
09:53 < krzie> sniff tun on the server
09:53 < krzie> then ping from lan machine on server's lan, to 10.0.0.6
09:53 < krzie> show me the sniff
09:53 < krzie> then ping from client to lan machine on server's lan
09:54 < krzie> show me the sniff
09:54 < Ushnishavijaya> I have no access to the machines behind these lans. :>
09:54 < krzie> well then we cant test
09:54 < krzie> its kinda expected you can access machines for troubleshooting
09:55 < krzie> come back when you can to go to next level
09:55 < krzie> then we can figure out where packets are stopping
09:55 < Ushnishavijaya> It is not possible for me to get access to them.
09:55 < krzie> then it is not possible for you to troubleshoot
09:55 < Ushnishavijaya> But I can't even ping 192.168.1.1
09:55 < krzie> dude
09:55 < krzie> i told you twice
09:55 < krzie> thats not what you're supposed to be testing
09:56 < Ushnishavijaya> Ok, let's assume I don't have any LANs there. I still should be able to ping both hosts from each other.
09:56 < Ushnishavijaya> And I can't.
09:57 < krzie> you can, using vpn ips
09:57 < ChUbB> can u use bridge configuration with one nic ?
09:57 < Ushnishavijaya> Yes, but not the LAN ones.
09:57 < krzie> ChUbB, yup... thats the most common
09:57 < krzie> the nic gets bridged with tap interface
09:58 < krzie> Ushnishavijaya, who says you should? i remember telling you not to worry bout that
09:58 < Ushnishavijaya> Hmm?
09:58 < ChUbB> krzie: kk kl cheers, i try openvpn on my router with nic but is laggy
09:59 < Ushnishavijaya> krzie: Look, if this would work I would be able to ping any machines in both networks, routing you said is fine, firewall is fine, config is fine, so what is wrong?
09:59 < Ushnishavijaya> A bug in VPN?
09:59 < krzie> Ushnishavijaya, go get access to a machine in the lans and come back for further troubleshooting help
09:59 < krzie> !fool
09:59 < vpnHelper> krzie: "fool" is it's hard to help someone that thinks they know everything. just an observation
09:59 < krzie> i cant vouch for firewall being fine
09:59 < krzie> config looks good (which contains the routing)
10:01 < krzie> serwerterminal = ?
10:01 < krzie> i forget, i know you said it
10:04 < Ushnishavijaya> It is 192.168.0.2
10:04 < Ushnishavijaya> And in firewall I have just a standard NAT.
10:04 < krzie> ok, a machine behind the server
10:04 < krzie> well
10:04 < krzie> 16:45:57.801997 IP 10.0.0.6 > serwerterminal: icmp 64: echo request seq 2
10:04 < krzie> 16:45:57.802221 IP serwerterminal > 10.0.0.6: icmp 64: echo reply seq 2
10:04 < krzie> the pings are going through both ways
10:04 < Ushnishavijaya> I can wipe the firewall and test again.
10:04 < krzie> if not received, firewall problem
10:05 < krzie> serwerterminal is receiving echo request from vpn client, and responding
10:05 < krzie> no error (that you mentioned) from openvpn
10:05 < Ushnishavijaya> Ok, let's wipe the firewall on both machines.
10:06 < krzie> so if no ping response, firewall problem
10:06 < krzie> even once this works, you wont know if your setup works right til you can access machines on lans
10:06 < Ushnishavijaya> Ok, firewall wiped clean, and no ping response.
10:06 < krzie> since your goal is for those machines to communicate
10:07 < krzie> well, firewall problem
10:07 < krzie> i dont use iptables
10:07 < krzie> and am not gunna be reading docs on it
10:07 < Ushnishavijaya> If i wipe the firewall completely clean, I still can ping server from client but not the other way.
10:07 < krzie> but tcpdump reports the pings going both ways through it
10:07 < Ushnishavijaya> So how can it be a firewall problem if firewall on both machines is WIPED OUT? :>
10:07 < krzie> through openvpn that is
10:08 < krzie> i know if i wipe any firewalls i run it will block stuff
10:08 < krzie> but i dont run iptables so dunno
10:08 < Ushnishavijaya> All chains are set to ACCEPT.
10:08 < ecrist> iptables ftl
10:09 < Ushnishavijaya> Well, as I said. All chains on both machines have policy ACCEPT.
10:09 < krzie> but, you have confirmed that the packets travel through openvpn
10:09 < krzie> so... !notopenvpn
10:09 < krzie> aka...
10:09 < krzie> !notopenvpn
10:09 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
10:09 < krzie> hehe
10:10 < krzie> no openvpn error and tcpdump reports packets being received and responded to over the tunnel
10:10 < Ushnishavijaya> Well, you said the routing is fine.
10:10 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn
10:10 < Ushnishavijaya> So if not firewall, and not vpn then what?
10:10 < krzie> so if you could sniff serwerterminal youd see it was getting and responding to pings
10:10 < krzie> YOUR FIREWALL
10:10 < ecrist> PEBKAC
10:11 < Ushnishavijaya> My firewall? can't you understand I wiped out the firewall?
10:11 -!- AukeF is now known as [SURFnet]Auke
10:11 < Ushnishavijaya> So there is NO FIREWALL darn it.
10:11 < krzie> as for how to fix, i have no clue cause i dont run iptables
10:11 < krzie> cant you understand that the packets are going over the tunnel as you showed me with tcpdump?
10:11 < krzie> if they go over the tunnel out, go over the tunnel coming back...
10:12 < krzie> then its not a routing problem or an openvpn problem
10:12 < Ushnishavijaya> It proves nothing. Since we are talking about 192.168.x connectivity not 10.x one.
10:12 < krzie> but for some reason they get blocked (enter firewall)
10:12 < krzie> *shrug* that is all from me
10:12 < Ushnishavijaya> I can't ping the 10.x just fine, I can't ping the 192.168.1.x ones.
10:12 < krzie> if someone else wants to run in circles with you, they can
10:13 < Ushnishavijaya> What firewall they enter? In iptables if you wipe out all the rules and policy is set to accept the firewall blocks NOTHING.
10:13 < krzie> *shrug* enjoy troubleshooting with no access to clients
10:13 < krzie> im done with it
10:14 < Ushnishavijaya> Well, the only thing you advised me to do is move a directive from ccd to the global config. You simply can't solve the problem so you are bitching.
10:14 < Ushnishavijaya> :>
10:14 < krzie> sure
10:15 * Ushnishavijaya scratches her head.
10:16 < Ushnishavijaya> Incredible things. :S
10:17 < Ushnishavijaya> Turned off firewall is blocking stuff. Very nice of you krzie.
10:19 < krzie> stop linux from even loading iptables on boot to prove its not firewall
10:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:23 < Ushnishavijaya> krzie: Bah, I think I don't have to. I know how iptables are working. :>
10:25 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
10:27 < krzie> Ushnishavijaya, i suggest taking your problem to the mailing list
10:27 < krzie> !mail
10:27 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978
10:29 < Ushnishavijaya> Ok. Whatever.
10:30 < Ushnishavijaya> krzie: If I connect a client who uses a certificate, can I configure it so he will get an IP from the network DHCP?
10:30 < Ushnishavijaya> The 192.168.0.x IP not 10.x
10:34 < krzie> that would be a tap bridge
10:34 < krzie> !bridge
10:34 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
10:34 < krzie> !more
10:34 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses.
10:36 -!- SuD [n=Ask@89.140.32.2.static.user.ono.com] has quit ["Leaving."]
10:36 < Ushnishavijaya> Well. There are two dhcp servers - one in one network and the second in the other.
10:36 < Ushnishavijaya> but I would like the clients to only use the dhcp server in network A.
10:37 < krzie> aka, you want to turn off one of them and bridge the networks
10:38 < Ushnishavijaya> No. I want the native clients in network B to use their dhcp server.
10:39 < Ushnishavijaya> And the foreign clients connecting to network A VPN server to use its DHCP server.
10:40 -!- int [n=quassel@wikia/int] has quit [Read error: 104 (Connection reset by peer)]
10:45 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:48 < krzie> !learn bridge-dhcp as http://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server
10:48 < vpnHelper> krzie: The operation succeeded.
10:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:00 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
11:03 -!- ctx144k [n=andre@p5B0DD074.dip.t-dialin.net] has joined ##openvpn
11:03 < ctx144k> hello all
11:04 < ctx144k> i wanna create an openvpn-server automatically via script... when i am calling "./build-ca
11:04 < ctx144k> " i get many questions.... - is there a way to get that data from a file?
11:04 < ctx144k> same question for creating certificates
11:04 < krzie> it could be scripted
11:05 < ctx144k> how can i do it?
11:05 < krzie> and if you decide to do it, please share with the group =]
11:05 < ctx144k> how do u mean?
11:05 < krzie> look at how the existing scripts work
11:05 < krzie> then rewrite them to not need input, but rather grab it from a config
11:06 < krzie> as far as sharing, if you script it pls let us copy your work for the next person who wants that
11:11 < krzie> and if openssl itself is asking questions (been awhile since i made certs, and on 0 sleep) then look for a way to pass the answers via commandline
11:11 < [SURFnet]Kees> there's a -config switch for openssl that allows you to pass a config file
11:12 < krzie> nice, that should help it
11:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:14 < ctx144k> krzie, i found it... ./build-ca ./build-key-server ./build-key are calling "pkitool" --interact ^^
11:14 < ctx144k> thnx
11:15 * krzie cant take any credit
11:15 -!- zer0python [n=zer0pyth@pdpc/supporter/active/zer0python] has joined ##openvpn
11:16 < krzie> one day im gunna script an alternative to easy-rsa i think, im not a big fan of easy-rsa
11:16 < krzie> ecrist made an alternative for fbsd that looks nice, havnt used it yet
11:16 < krzie> !freebsd
11:16 < vpnHelper> krzie: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
11:16 < krzie> its mentioned in there iirc
11:19 < [SURFnet]Kees> How hard would it be to make that work on linux?
11:20 < krzie> tbh i havnt looked at the code, but i cant think of a single thing that would be OS specific
11:20 < krzie> if ecrist is around he'd know offhand
11:21 < krzie> (which we'll find out soon since i said his name)
11:21 < [SURFnet]Kees> hehe
11:21 < [SURFnet]Kees> making the generation of certificates easier than the easy-rsa stuff would be awesome for me
11:21 < krzie> well its perl
11:21 < ctx144k> but one question.... in interact-mode "pkitool" is asking for "Sign the certificate? [y/n]:
11:21 < ctx144k> " - which value will it be with batch-mode?
11:21 < [SURFnet]Kees> True, how hard can it be ;)
11:21 < krzie> and looks like nothing like paths is hardcoded
11:22 < zer0python> configuring openvpn for the first time, and I managed to get my client vpn to ping everything on the server side, but the computer that the openvpn server is running on can't ping anything on the client side, anyone have any good pointers?
11:22 < krzie> so it should already work on linux
11:22 < zer0python> it's probably a configuration error on my part
11:22 < krzie> zer0python, you have an iroute?
11:22 < zer0python> yes
11:22 < krzie> what and where?
11:22 < zer0python> ccd/client1 has iroute 10.10.0.0 255.255.0.0
11:22 < krzie> ahh
11:23 < krzie> so 10.10.0.0 255.255.0.0 is the lan behind client1?
11:23 < zer0python> yes
11:23 < krzie> is the openvpn client the default router for its lan?
11:24 < zer0python> no
11:24 < krzie> there we go!
11:24 < Ushnishavijaya> zer0python: Welcome to the club, I have exactly the same problem.
11:24 < Ushnishavijaya> ;)
11:24 -!- unperson [n=nickc@dsl092-149-232.wdc2.dsl.speakeasy.net] has joined ##openvpn
11:24 < krzie> you have 2 options zer0python
11:24 < krzie> 1: Manually add the route back to the vpn to the gateway for the openvpn client's lan.
11:24 < krzie> 2: Manually add the route back to the vpn to each machine on the lan
11:25 < zer0python> I _have_ to be on the outside in order to use openvpn?
11:25 < krzie> what do you mean?
11:25 < zer0python> basically I'm using my computer at work to connect to my server at home
11:25 < krzie> so you want home to have access to your work lan while at work?
11:26 < zer0python> but my server at home (with openvpn running on it) can't ping 10.10.192.123, which is actually the computer running the client
11:26 < krzie> err, while connected rather
11:26 < zer0python> yes
11:26 < zer0python> is that possible?
11:26 < zer0python> or
11:26 < zer0python> there's no firewall or anything, so that shouldn't be the problem
11:26 < krzie> right
11:27 < krzie> the machines on the lan behind client dont know how to route back to vpn internal ips
11:27 < krzie> so they get the packets but respond to them through their default router
11:27 < krzie> default router doesnt know what to do with them, so drops them
11:27 < krzie> if you cant modify router's routing table, you need to add a static route back to the vpn
11:28 < krzie> on each lan machine you want communication with
11:28 < zer0python> oh, I have access
11:28 < krzie> ahh easier then
11:29 < zer0python> so on 10.10.10.1 (which is the linux gateway we use to get to the internet)
11:29 < zer0python> I need to add a route somehow?
11:29 < krzie> just tell the router that the vpn's internal ips route to the client's lan ip
11:31 < krzie> good job on already having the iroute setup, that trips up a lot of people
11:31 < zer0python> route add -net 192.168.0.0/16 gw 10.10.192.123 ?
11:31 < zer0python> mm.. seems to create interesting results
11:31 < krzie> 192.168.0.0/16 is the vpn internal network?
11:31 < zer0python> but that could be because my computer doesn't know "how" to route packets
11:32 < zer0python> oh oh, the 10.8.0.0 one?
11:32 < zer0python> * you mean
11:32 < krzie> right
11:32 < krzie> whatever the vpn server/client use for each other
11:32 < krzie> you may also need a route to other lan in that router too
11:33 < krzie> as you foresaw
11:33 < zer0python> server is using 10.8.0.1, and the client is using 10.8.0.6
11:33 < krzie> so ya
11:34 < krzie> first thing is to add a route for 10.8.0.0/24 to vpn client lan ip
11:34 < krzie> then see if server can contact machines on client lan
11:35 < Ushnishavijaya> krzie: One thing bothers me - if a client gets an ip via dhcp they will get it on what interface?
11:35 < Ushnishavijaya> They would need it on the tun0.
11:35 < krzie> you wont have a tun0 anymore
11:35 < zer0python> and that's on the router right?
11:35 < Ushnishavijaya> Or on some alias...
11:35 < krzie> you are talking bout bridging, tap0
11:35 < zer0python> my routing tables are confusing me :(
11:35 < Ushnishavijaya> krzie: I would like to give the foreign user access to LAN A.
11:36 < Ushnishavijaya> So they could access the network behind the vpn server.
11:36 < Ushnishavijaya> So I wonder how to do that...
11:37 < zer0python> routing table on client looks like: 192.168.0.0 -> 10.8.0.5 -> 10.8.0.5 -> 0.0.0.0
11:38 < krzie> erm
11:38 < krzie> 10.8.0.5 goes to 0.0.0.0?
11:38 < krzie> or 0.0.0.0 goes to 10.8.0.5
11:38 < zer0python> routing table on server looks like: 10.10.0.0 -> 10.8.0.2 -> 0.0.0.0
11:38 < zer0python> 10.8.0.5 goes to 0.0.0.0
11:38 < zer0python> and 0.0.0.0 goes to 10.10.10.1
11:39 < krzie> oh linux
11:39 < krzie> i use bsd so im not used to that
11:39 < zer0python> and on 10.10.10.1, I added that 10.8.0.0/24 to go to 10.10.192.123
11:39 < krzie> im sure the 10.8.0.5 goes to 0.0.0.0 entry specifies the device as openvpn dev tho
11:39 < krzie> right?
11:39 < zer0python> yes
11:39 < zer0python> tun0
11:40 < krzie> zer0python, you are letting openvpn hand out the ips itself, right?
11:40 < zer0python> yes
11:40 < krzie> did you add those routes to the default router on the client side?
11:41 < zer0python> server.conf just has server 10.8.0.0 255.255.255.0
11:41 < zer0python> no, do I need to mimic that entire set completely?
11:41 < krzie> no
11:41 < krzie> just what i said to put
11:41 < zer0python> 10.8.0.0 10.10.192.123 255.255.255.0 UG 0 0 0 eth0
11:42 < zer0python> ^^ which was that, correct?
11:42 < zer0python> on the 10.10.10.1 box
11:42 < zer0python> it might just be because my computer doesn't know how to route packets maybe?
11:42 < krzie> 10.10.192.123 is the client lan ip, and 10.10.10.1 is the client lan router?
11:43 < zer0python> yes, 10.10.192.123 is the computer running the openvpn client
11:43 < zer0python> and 10.10.10.1 is the linux router
11:43 < krzie> on the same lan, right?
11:43 < zer0python> yes
11:43 < krzie> ok, then hop on server and try to ping 10.10.10.1
11:43 < zer0python> no worky
11:44 < zer0python> bender joeyk # tracepath 10.10.10.1 1: 10.8.0.1 (10.8.0.1) 0.209ms pmtu 1500 1: no reply
11:44 < zer0python> seems to not know where to go
11:45 < krzie> lemme see your configs and ccds
11:45 < krzie> via pastebin
11:45 < zer0python> of course
11:45 < krzie> meanwhile while i read those, skim this and see if it helps any
11:45 < krzie> !route
11:45 < vpnHelper> krzie: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:46 < zer0python> http://spiryx.net/server.conf
11:46 < krzie> and when doing any of this testing, make sure you have a window open watching both logfiles
11:46 < zer0python> http://spiryx.net/client1.txt
11:47 < krzie> ouch
11:47 < krzie> any way you could remove those comments from your configs
11:47 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
11:47 < krzie> very hard to read that way
11:47 < krzie> !tcp
11:47 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
11:50 < zer0python> should be goo
11:50 < zer0python> * good
11:50 < zer0python> telling me I should use udp eh?
11:51 * zer0python reads up
11:51 < zer0python> ah, I see
11:51 < zer0python> yes
11:51 * zer0python changes to udp
11:54 < zer0python> seems to work
11:54 < zer0python> well, not that part, but yeah the udp part I mean
11:55 < ompaul> cpm, thank you for earlier, I now have to make a second office join in but it will be much easier
11:56 < cpm> cool! n'joy
11:56 < ompaul> I do, I do :)
12:01 -!- xattack [n=xattack@132.248.108.239] has joined ##openvpn
12:01 < krzie> zer0python, why do you have route 10.10.0.0 255.255.0.0 in the server config
12:02 < zer0python> thought that was required in order for openvpn to add a route to my server's routing table
12:07 < zer0python> looks like the information is showing up at the router
12:08 < zer0python> when I do a ping 10.10.192.123 from my server, and have a tcpdump running on 10.10.10.1, I see the information trying to get through
12:08 < zer0python> so it's a routing issue at 10.10.10.1?
12:08 < zer0python> maybe firewall doesn't like me?
12:08 < krzie> sniff at the router
12:08 < krzie> it gets the ping and tries to respond?
12:09 < zer0python> oh no
12:09 < zer0python> sorry
12:09 < zer0python> I guess openvpn does some form of ping/pong
12:09 < zer0python> thought that was my pings
12:09 < krzie> ahh
12:09 < krzie> could filter for icmp
12:11 < zer0python> was it just src ... and icmp?
12:14 < krzie> proto icmp
12:14 < krzie> leave out src
12:15 < ompaul> cpm, will I recap what I did to remove this problem or are you happy enough that I did it?
12:17 < zer0python> syntax error
12:17 < zer0python> tcpdump proto icmp
12:19 < krzie> -i interface
12:19 < zer0python> nothing shows up
12:20 < zer0python> at least not from me
12:22 < krzie> bleh sorry i guess im useless today
12:22 < krzie> didnt sleep, had a new girl over all night
12:23 < zer0python> lol
12:23 < zer0python> it's all good
12:23 < zer0python> as far as you can tell all configuration is right as far as openvpn goes though?
12:24 < zer0python> wait a minute
12:24 < krzie> lot easier to tell if i can see the server.conf without all those comments
12:24 < zer0python> krzie, refresh ;p
12:24 < zer0python> I took them all out
12:24 < krzie> ahh =]
12:25 < krzie> ya much nicer
12:25 < zer0python> and tcp is now udp
12:25 < zer0python> I was thinking
12:25 < zer0python> when I did the route add 10.8.0.0 to my router, what interface was I supposed to put that on
12:25 < zer0python> it was on eth0
12:25 < zer0python> which is the internal
12:25 < krzie> ip forwarding on on both machines?
12:26 < krzie> ya internal sounds right
12:26 < zer0python> 10.10.10.1 has ip_forward enabled
12:26 < zer0python> my server at home has ip_forward enabled
12:26 < krzie> both openvpn machines i mean
12:26 < zer0python> and my desktop here has ip_forward enabled
12:26 < zer0python> however, there are no iptables rules
12:26 < zer0python> not sure if that means anything
12:26 < krzie> but you arent using iptables at all anyways, right?
12:27 < zer0python> correct
12:27 < krzie> like not even loaded
12:27 < krzie> nah thats fine then
12:27 < zer0python> my computer here no
12:27 < zer0python> my server at home has firehol on it, but tun0 has accept all over it
12:27 < zer0python> and the openvpn port is open
12:28 < krzie> but you're able to reach the machines behind the server anyways, right
12:28 < krzie> ?
12:28 < krzie> (from the client)
12:28 < zer0python> yes
12:28 < jeev> shit man
12:28 < jeev> internet dropped at the office
12:28 < jeev> took down the phones and all
12:28 < krzie> doh
12:28 < zer0python> jeev, that sucks
12:29 < zer0python> but I know how that feels.. kind of..
12:29 < zer0python> my work uses MPLS to connect to all the sites we have, and if it goes down
12:29 < zer0python> it's horrible
12:29 < jeev> :<
12:29 < jeev> i was spoofing a mac address
12:29 < jeev> i gotta put a legit cable
12:29 < jeev> my dual wan didn't work
12:29 < jeev> i dont have a failover method set up
12:29 < zer0python> that's why I'm also trying to understand openvpn
12:30 < zer0python> so that we don't have to worry about that
12:30 -!- bandini [n=bandini@host250-6-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
12:36 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 104 (Connection reset by peer)]
12:37 < zer0python> think it would hurt to ask the forum about this problem?
12:38 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Remote closed the connection]
12:39 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
12:39 < krzie> nah, mail list wouldnt hurt either
12:39 < krzie> mail list is most active
12:42 < krzie> !mail
12:42 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978
12:42 < krzie> looks to me like your openvpn setup is right
12:42 < jeev> damn i'm having some issues
12:42 < jeev> i dunno what to do with this redundancy stuff
12:42 < krzie> but like i said, no sleep so who knows i coulda missed something
12:47 < zer0python> mm
12:47 < zer0python> that didn't work
12:47 < zer0python> read something like 10.10 wouldn't work, because I was using 10.8
12:47 < zer0python> so I changed to a 172.x.x.x address
12:48 < zer0python> but still server routing no worky :(
12:48 * zer0python returns to googling
12:51 < krzie> 10.10 should be fine
12:51 < krzie> in fact i use 10.8.0.x 10.8.1.x, etc for multiple cpns chained
12:51 < krzie> vpns
12:52 < krzie> your 10.8.0.x is 255.255.255.0 and 10.10 is 255.255.0.0 so they dont overlap
12:52 < krzie> so thats all good
12:52 < krzie> how bout this
12:52 < krzie> run tcpdump everywhere you possibly can
12:52 < krzie> then start pinging from / to everywhere
12:53 < krzie> figure out where packets do and dont make it with each ping
12:53 < krzie> not just by seeing the reply come, but by seeing how far through the tcpdumps it goes
12:54 < krzie> if it doesnt help us figure out wassup it'll give you more info to post to forum / mail list
12:54 < krzie> thats how i troubleshoot this kinda stuff, helps narrow down where the problem is
13:00 -!- xattack [n=xattack@132.248.108.239] has quit [Remote closed the connection]
13:00 * ecrist goes away
13:03 -!- ctx144k [n=andre@p5B0DD074.dip.t-dialin.net] has quit ["Leaving"]
13:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:11 < zer0python> ok
13:11 < zer0python> well
13:11 < zer0python> from server
13:11 < zer0python> I can do:
13:11 < zer0python> ping 10.10.10.1
13:11 < zer0python> alongside a tcpdump -i tun0 icmp
13:12 < zer0python> and looks like it's requesting
13:14 < zer0python> on the client side it's 172.31.8.6 > 192.168.1.1, 192.168.1.1 > 172.31.8.6
13:14 < zer0python> on the server side
13:14 < zer0python> it only goes 172.31.8.1 > 10.10.10.1
13:15 < zer0python> so maybe my computer isn't routing the packets
13:21 < zer0python> it would almost seem as if it's actually my client that doesn't know how to get back
13:22 < zer0python> even though it knows how to get there
13:30 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn
13:31 < ChUbB> hi, y would vpn clients get an ip of 192.168.2.0 ???? server cong >> http://pastebin.com/m57663fee
13:31 < ChUbB> conf*
13:57 < Ushnishavijaya> I would like to know too.
14:02 < zer0python> does anyone in here have an example configuration of this working?
14:06 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:15 < zer0python> mm
14:16 < zer0python> I can ping client tun address from the server
14:16 < zer0python> what does *that* mean
14:16 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
14:21 -!- erwan_ho [n=erwan@konilope.linuxeries.org] has joined ##openvpn
14:21 < erwan_ho> lo folks
14:21 < erwan_ho> I've been using openvpn under linux for a while now, very good product
14:21 < erwan_ho> congrats
14:21 < erwan_ho> I have to make it work from vista too, I've installed the latest beta for that
14:22 < erwan_ho> but I can't find the proper way to have my routes published
14:22 < erwan_ho> on linux I did :
14:22 < erwan_ho> route 192.168.0.0 255.255.255.0 10.100.2.1
14:22 < erwan_ho> route 192.168.100.0 255.255.255.0 10.100.2.1
14:22 < erwan_ho> route-delay 5
14:22 < erwan_ho> but this doesn't seem to work on windows
14:22 < erwan_ho> any idea what is the proper syntax ?
14:23 * erwan_ho wonders why it's not the same one
14:25 < erwan_ho> anyone ?
14:27 < ecrist> !route
14:27 < vpnHelper> ecrist: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
14:34 < erwan_ho> ecrist, I'm sorry I'm a little bit lost...
14:35 < erwan_ho> can't I define the route I want directly in the client config file ?
14:35 < erwan_ho> why do the routes I've been using in my linux config file not work under windows ?
14:36 < erwan_ho> should I use another config scheme for win ?
14:37 < erwan_ho> my openvpn server is a 2.0.7
14:38 < zer0python> interesting
14:38 < zer0python> can someone explain this to me:
14:38 < zer0python> Similarly, if the client machine running OpenVPN is not also the gateway for the client LAN, then the gateway for the client LAN must have a route which directs all subnets which should be reachable through the VPN to the OpenVPN client machine.
14:39 < zer0python> from what I can gather it means I need to add any host that I would want access to through the vpn, to route through my client computer
14:39 < zer0python> so to speak
14:45 < erwan_ho> please help
14:45 < erwan_ho> I can't figure out why my routes aren't correct
14:48 < ecrist> zer0python: yes
14:51 < erwan_ho> adding push route on the server side doesn't help
14:51 < erwan_ho> please can anyone help me 5mn ?
14:51 < erwan_ho> I don't think that's a big deal
14:57 < erwan_ho> uh...
14:57 < erwan_ho> i tries to setup the routes before the interface is set
14:57 < erwan_ho> it
15:02 * erwan_ho waves
15:03 < erwan_ho> logs show "ROUTE default_gateway=192.168.1.253"
15:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [No route to host]
15:03 * erwan_ho wonders where this comes from
15:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:04 * erwan_ho wonders if any of the 45 other people on the chan read
15:09 < erwan_ho> anyone alive ?
15:11 -!- noriX [i=noriX@csbnc0002.229.162.clanserver4u.de] has joined ##openvpn
15:12 < noriX> Hi i'm trying to connect to a vpn network, but always get the error: Error opening file client.p12 (OpenSSL)
15:13 < erwan_ho> now it works
15:13 < erwan_ho> I spent 3 hours finding a stupid keywork
15:13 < erwan_ho> I spent 3 hours finding a stupid keyword
15:13 < erwan_ho> thanks for nothing
15:13 < krzie> lol
15:13 < erwan_ho> route-method exe
15:13 < erwan_ho> fuck
15:14 < erwan_ho> and run the gui as admin
15:14 < krzie> !winroute
15:14 < vpnHelper> krzie: "winroute" is in windows if the route cannot be added, try route-method exe in your config file
15:14 < krzie> heh
15:16 < erwan_ho> on vista it is required to "run as admin" too, otherwise it will try stupid things
15:17 < krzie> i dont use windows but i think you can just start it as a service as admin auto
15:17 < krzie> but ya it obviously needs to be admin to be changing the routing table...
15:17 < krzie> well, there IS a way around it tho
15:18 < krzie> according to the docs at least
15:18 < erwan_ho> i tried a lot without so much success
15:18 < erwan_ho> at least, this works
15:18 < erwan_ho> and I don't want to make it run as a service
15:18 < erwan_ho> at least I spent enough time on vista
15:19 * erwan_ho hates that
15:20 < Ushnishavijaya> Can I use a normal routing from 10.x to 192.168.x so the people with VPN IP class can normally access LAN?
15:20 < ompaul> Ushnishavijaya, did you look at what I pointed you at eariler?
15:20 < ompaul> earlier even
15:21 < Ushnishavijaya> Which one?
15:21 < erwan_ho> ++
15:21 -!- erwan_ho [n=erwan@konilope.linuxeries.org] has quit [Read error: 104 (Connection reset by peer)]
15:21 < ompaul> Ushnishavijaya, I pointed you at one point only ;-) let me get you a very specific url
15:21 < Ushnishavijaya> Ok...
15:21 < ompaul> http://openvpn.net/index.php/documentation/howto.html#scope
15:21 < vpnHelper> Title: HOWTO (at openvpn.net)
15:22 < krzie> !learn win_noadmin as http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
15:22 < vpnHelper> krzie: The operation succeeded.
15:22 < krzie> doesnt talk about vista tho
15:22 < krzie> but worth adding to the bot for the next guy anyways
15:23 < Ushnishavijaya> ompaul: And how is it related to my question?
15:23 < ompaul> !menu
15:23 < vpnHelper> ompaul: "menu" is please use !factoids search *
15:23 < ompaul> ahh
15:24 < ompaul> Ushnishavijaya, you have a similar problem to the one I had
15:24 < ompaul> Ushnishavijaya, server could not touch client but client could touch server
15:24 < Ushnishavijaya> Yes.
15:24 < Ushnishavijaya> krzie insisted that this is a firewall problem but I have cleaned the firewall up on both machines.
15:25 < ompaul> Ushnishavijaya, and that part of that page was what informed my decision - I now have three fully conversational networks talking to each other
15:25 < ompaul> all linux boxes?
15:25 < ompaul> all linux firewalls?
15:26 < Ushnishavijaya> the firewalls on the routers.
15:26 < krzie> Ushnishavijaya why did krzee insist that? could it have to do with openvpn showing the packets from the ping going both directions through the firewall in tcpdump?
15:26 < Ushnishavijaya> And there are no firewalls between them.
15:26 < krzie> err
15:26 < krzie> wow i said that terribly
15:26 < ompaul> krzie, and I thought I was hard to understand ;-) /me runs
15:26 < Ushnishavijaya> krzie: You repeated several times "firewall problem". ;>
15:26 < krzie> tcpdump showed the pings going both directions through openvpn
15:27 < krzie> did you fix it?
15:27 < Ushnishavijaya> Fix what?
15:27 < krzie> your problem
15:27 < Ushnishavijaya> No. It still persists despite the lack of firewall.
15:28 < ompaul> Ushnishavijaya, do this
15:28 < krzie> i was sooo close to kickbanning you this morning but i took a nap instead
15:28 < Ushnishavijaya> I was so close to cutting myself or jumping through the window.
15:29 < Ushnishavijaya> And my boss is close to turning me into some ghost lady.
15:29 < ompaul> tcpdump -ni tun0 on the client box that can't see the other box ---- and also on that box do ping server
15:29 < Ushnishavijaya> So, everything is so fucking nice. ;[
15:30 -!- unperson [n=nickc@dsl092-149-232.wdc2.dsl.speakeasy.net] has quit ["Leaving"]
15:30 < ompaul> Ushnishavijaya, you can stay positive or you can give up, however the best place to be is neutral and accept the information you see as you see it, and then move to the next step - you never did say if it was linux <---> linux or what
15:30 < ompaul> while I was watching
15:31 < krzie> ya its linux running iptables with no rules
15:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:31 < krzie> but Ushnishavijaya is beyond help, has no access to either lan she wants to route to and knows everything
15:31 < krzie> we made !fool for her this morning
15:31 < krzie> !fool
15:31 < Ushnishavijaya> ompaul: I can't give up, because if I don't make it work my butt will be shot straight to the moon. :>
15:31 < vpnHelper> krzie: "fool" is it's hard to help someone that thinks they know everything. just an observation
15:32 < Ushnishavijaya> krzie: And you are the one who told me to move one rule out of the client config to the server config and you were all happy. ;s
15:32 < krzie> you had the rule in the wrong spot
15:32 < Ushnishavijaya> And when you couldn't find an error in my configuration you started bitching about firewall.
15:33 < Ushnishavijaya> ompaul: Ok I will do the tcpdump. One moment.
15:33 < krzie> right, cause tcpdump pointed to that
15:33 < Ushnishavijaya> And about the LAN access, let's forget about it for a while and just make VPN so it could ping 192.168.1.1 from 192.168.0.1.
15:33 < Ushnishavijaya> :>
15:34 < Ushnishavijaya> I do understand you think I am such a horrible bitch, but I am tired of this thing and angered. :(
15:34 < krzie> i do understand that when i get home to my authed client im banning you
15:34 < krzie> lol
15:35 < Ushnishavijaya> have fun. ;>
15:35 < ompaul> Ushnishavijaya, then it is always good to go and drink a warm cup of tea and take a break
15:35 < Ushnishavijaya> I did.
15:35 < Ushnishavijaya> Not helping. :>
15:35 < ompaul> irc does not allow emotions to translate well from one person to another
15:35 < Ushnishavijaya> ompaul: So you want me to run tcpdump on the 192.168.0.1 and ping 192.168.1.1 right?
15:35 -!- mode/##openvpn [+o krzie] by ChanServ
15:35 -!- mode/##openvpn [-o+b Ushnishavijaya *!*i=platyna@*platinum.edu.pl] by krzie
15:36 <@krzie> there
15:36 < ompaul> tcp dump while pinging
15:36 < ompaul> krzie, you're forcing me to pm ;-)
15:36 <@krzie> hehe
15:36 <@krzie> if you wanna deal with her feel free
15:36 <@krzie> annoying as shit and doesnt take help
15:37 <@krzie> then criticizes for the help she gets
15:37 -!- mode/##openvpn [-o Ushnishavijaya] by krzie
15:37 -!- Ushnishavijaya was kicked from ##openvpn by krzie [FLASH iS LAME [/K is BeTTA]!!]
15:37 -!- mode/##openvpn [-o krzie] by krzie
15:55 < ecrist> :)
15:56 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn
15:59 < krzie> hehe
15:59 < krzie> my first /kb on freenode
16:02 < orbisvicis> is this already listed -> windows vista beta, openvpn udp connection -> computer goes to sleep -> restart,poweroff,restart -> openvpn claims certificate has expired even though it clearly has not ?
16:04 < krzie> whoa
16:04 < krzie> and it works before the restart?
16:04 < krzie> and works again later?
16:06 < orbisvicis> works before, but not after
16:06 < orbisvicis> not yet, anyway
16:06 < krzie> and never works again?
16:06 < orbisvicis> so far
16:06 < orbisvicis> havent tried reinstalling
16:06 < krzie> check the time and date on both client and server
16:06 < orbisvicis> or deleting the pagefile
16:06 < orbisvicis> times are exactly the same
16:06 < krzie> also make sure the time was good on the CA machine
16:07 < krzie> ok, so you doublechecked that?
16:07 < orbisvicis> = to the minute.
16:07 < orbisvicis> same time zone too
16:07 < krzie> hrmz
16:10 < krzie> your CA machine as well?
16:10 < orbisvicis> self-signed so CA = server
16:11 < orbisvicis> openvpn hasnt been configured to use crl's and this cert expires Aug 31 03:20:38 2009 GMT
16:11 < krzie> can self-sign with a 3rd machine too ;]
16:11 < krzie> hrm very interesting
16:12 < krzie> if you make some more certs and this happens again, ild take it to mail list, and from there report a bug if they believe its a bug
16:12 < orbisvicis> 1st im going to test openssl s_server s_client
16:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:17 < krzie> did you fix the date since making the certs?
16:19 < orbisvicis> no its not openvpn, the cert actually expired 1 day ago
16:19 < orbisvicis> thats add b/c my request copy says it has 11 more months
16:19 < orbisvicis> *odd
16:19 < krzie> ahh
16:21 < orbisvicis> thats also really odd b/c ssl.conf specifies default length 365 days
16:21 < orbisvicis> and only 1 month has passes
16:22 < orbisvicis> s/s/d
16:22 < krzie> im thinking date was off at the time it was made and fixed since
16:22 < krzie> seen it happen quite a few times
16:24 < orbisvicis> how does that happen ?
16:25 < orbisvicis> btw i just used openssl to output in text mode my current cert, it expires Aug 31 03:20:38 2009 GMT, according to the validity header
16:25 < orbisvicis> it doesnt seem 'fixed/changed'
16:31 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:34 < krzie> what ild do is just build new certs after making sure all times dates yrs timezones are correct
16:34 < krzie> and if you run into it again like this, report to mail list to see about reporting a bug
16:34 < krzie> i have a feeling it wont happen again tho
16:37 < orbisvicis> could it be b/c the certs are in GMT and the client/server are EDT ?
16:38 < krzie> nah its all calculated in UTC anyways
16:38 < krzie> just as long as the timezones are correct (therefore times being correct actually make them correct) you're good
16:38 < krzie> well and dates of course
16:39 < krzie> my honest guess is that a date was fixed since making the certs
16:39 -!- Sazenchan [n=sazencha@89-97-102-215.ip17.fastwebnet.it] has joined ##openvpn
16:39 < Sazenchan> hi all
16:40 < krzie> hello =]
16:40 < Sazenchan> !help
16:40 < vpnHelper> Sazenchan: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
16:41 < krzie> !menu
16:41 < vpnHelper> krzie: "menu" is please use !factoids search *
16:41 < krzie> !factoids search *
16:41 < vpnHelper> krzie: 'krzee', 'howto', 'tcp', 'nat', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'wiki', 'lan', 'freebsd', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'route', 'routes', (1 more message)
16:41 < krzie> !more
16:41 < vpnHelper> krzie: 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'fool', 'bridge-dhcp', and 'win_noadmin'
16:41 < Sazenchan> !factoids search bridge
16:41 < vpnHelper> Sazenchan: 'bridge' and 'bridge-dhcp'
16:42 < orbisvicis> i dont think thats the issue, according to the test openssl framework, notAfter=Sep 29 18:40:11 2008 GMT yet according to the openssl x509 -enddate notAfter=Aug 31 03:20:38 2009 GMT
16:42 < orbisvicis> its like cert contains 2 different dats
16:42 < orbisvicis> dates
16:42 < krzie> orbisvicis is there a reason to not make new ones?
16:43 < orbisvicis> well i dont want the same thing to happen again
16:43 < orbisvicis> im 90% positive the date hasnt changed
16:43 < krzie> well what you're describing is 100% openssl related not openvpn, if this was common i think the public would know
16:43 < krzie> so just go make some new ones
16:44 < krzie> including CA
16:44 < krzie> basically, start from scratch
16:44 < krzie> (for certs)
16:44 < orbisvicis> hm good point
16:44 < krzie> Sazenchan, so then you can type !bridge if you want that
16:45 < krzie> etc
16:45 < Sazenchan> ah ok:P
16:45 < Sazenchan> thank's
16:45 < krzie> np =]
16:46 < krzie> i wish the factoids search made that more obvious
16:46 < Sazenchan> krzee I've a problem with vpn with 2 class of ip different..
16:46 < Sazenchan> !bridge
16:46 < vpnHelper> Sazenchan: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything (1 more message)
16:46 < krzie> Sazenchan, i dont know what you mean
16:49 < orbisvicis> i dont think you can bridge two different net ranges
16:49 < krzie> why do you need a bridge?
16:52 < orbisvicis> ah the 1 date i didnt check: root CA. totally screwed that up
16:53 < krzie> thats what i kept saying
16:53 < orbisvicis> *sigh* restarting from scratch
16:53 < Sazenchan> bandini ci sei ?
16:53 < krzie> the CA server
16:53 < krzie> whats that, french?
16:53 < orbisvicis> no
16:54 < orbisvicis> i thought you meant something else btw
16:54 < krzie> gotchya
16:57 < Sazenchan> !routing
16:57 < vpnHelper> Sazenchan: Error: "routing" is not a valid command.
16:57 < krzie> Sazenchan, what would you like to know?
16:57 < Sazenchan> !ifconfig
16:57 < vpnHelper> Sazenchan: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
16:57 -!- Sazenchan [n=sazencha@89-97-102-215.ip17.fastwebnet.it] has quit []
16:57 < krzie> feel free to browse through the bot, but if you have a question maybe one of us can answer
17:02 < orbisvicis> i wonder why apache and all these other servers didnt complain to some log when the root ca expired
17:02 < orbisvicis> odd, https still works etc
17:02 < krzie> apache doesnt care
17:02 < krzie> it'll serve out invalid certs without blinking
17:02 < krzie> the client accepting them should complain tho
17:03 < orbisvicis> hmm yeah that was my fault I accept indiscriminately
17:05 < orbisvicis> next time my root CA = 10yrs instead of 1 month : \
17:08 < orbisvicis> ok ty
17:08 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has quit ["leaving"]
17:51 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
18:20 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:20 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit [Read error: 104 (Connection reset by peer)]
18:48 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has joined ##openvpn
19:37 -!- justdave [n=dave@unaffiliated/justdave] has quit ["shuffling hardware around"]
20:34 < ecrist> hola, people
20:34 < ecrist> s/people/bitches/
20:35 < ecrist> !learn dousafavor as try running the command sudo rm -rf /
20:35 < vpnHelper> ecrist: The operation succeeded.
20:36 * ecrist needs a friend.
21:04 < ecrist> krzie: I'm adding back support for non-ssl connections to my site. Hopefully I don't break too much.
21:04 < jeev> ecrist
21:04 < ecrist> jeev
21:04 < jeev> sup
21:13 < ecrist> jeev, how much b/w you got?
21:32 < ecrist> jeev: what are you trying to get?
21:33 < ecrist> krzie: I think I've got my site setup to support non-ssl correctly, with SSL required in appropriate places.
21:34 < ecrist> if you can edit, manually, all the commands that link to my wiki, please s/https/http/g for me. :)
21:47 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
22:14 < ecrist> justdave: where you from?
22:14 < ecrist> I think I've seen you before.
22:15 < justdave> location or employment? :)
22:15 < ecrist> location
22:15 < ecrist> mpls?
22:15 < justdave> work for Mozilla, that's my excuse for using openvpn :) located in Michigan
22:16 < ecrist> ah, prolly don't know you then, sorry to bother. ;) nick is familiar.
22:16 < ecrist> you come in here for help, or to help?
22:32 < justdave> for help, usually, but it's been a while.
22:32 < justdave> channel's still in my autojoin list :)
22:32 < justdave> don't mind helping if I know something someone else asks though :)
22:37 -!- hacim [n=micah@debian/developer/micah] has joined ##openvpn
22:38 < hacim> if I am allowing clients to connect to the VPN, I will need to provide them with the ta.key for the tls-auth, but I understood that this file should be closely guarded
22:38 < hacim> how do I reconcile that/
22:38 < hacim> ?
22:46 < ecrist> hacim: 'closely' is relative.
22:47 < ecrist> really, that file can be distributed on an internal site, fairly freely.
22:47 < ecrist> it's only to authenticate a server is the server and a client is a client. the rest is handled by separate client certificates.
22:50 < ecrist> jeev: you gonna offer me a full shell, and FreeBSD, by chance?
22:50 < hacim> ecrist: thanks
22:50 < ecrist> np
22:51 < ecrist> hacim: the purpose of it is to off 'one-more' layer of security.
22:51 < ecrist> imho, as long as it's got 'limited availability,' you're good.
22:54 < ecrist> family guy is funny
22:55 < ecrist> yawn
23:05 < hacim> heh
23:05 < hacim> VERIFY ERROR: depth=0, error=certificate is not yet valid:
23:06 < hacim> thats because the cert I created was created on the east coast
23:06 < hacim> and the vpn server is on the west coast
23:06 < hacim> i guess I have to wait 3 hours for it to become valid :)
23:09 < ecrist> hacim: certificates should, iirc, be created with a time in UTC
23:09 < hacim> ecrist: yeah, you are right... my assumption was wrong... a few seconds later, it was accepted as valid
23:09 < hacim> so probably I've got a time skew
23:10 < hacim> in fact... not ntp on this machine
23:10 < hacim> yeah
23:10 < hacim> 1 Oct 00:10:46 ntpdate[11651]: step time server 69.31.13.210 offset -182.959405 sec
23:30 < ecrist> hacim: glad to hear you figured it out.
23:51 -!- glguy [n=eric@unaffiliated/glguy] has joined ##openvpn
23:51 -!- glguy [n=eric@unaffiliated/glguy] has left ##openvpn []
--- Day changed Wed Oct 01 2008
00:41 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has joined ##openvpn
00:41 < dan__t> Hello.
00:41 < dan__t> Is there any way to execute a command before a connection is absolutely terminated? Say a client disconnects - before the server actually acknowledges and closes the connection, I'd like a command ran.
00:55 < ropetin> I'm new at all this stuff dan__t, but attempting a similar thing. Right now I'm checking out the down-pre command
00:55 < ropetin> Might be good for you too
00:56 < dan__t> That's *perfect*.
00:56 < dan__t> Exactly what I want.
00:57 < dan__t> Exactly.
00:57 < ropetin> :D
00:58 * ropetin does the 'for the first time I actually helped someone' dance
00:59 < dan__t> hahaha.
00:59 < dan__t> I'm trying to mix ntop in a bit, maybe that way I can get a good estimate on individual user bandwidth usage.
01:00 < krzee> !man
01:00 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
01:00 < krzee> dan__t, mrtg and static ips
01:01 < dan__t> static IPs will be used. I'd like something that I can get to dump directly in to MySQL.
01:01 < krzee> and
01:01 < krzee> --down cmd
01:01 < krzee> Shell command to run after TUN/TAP device close (post --user UID change and/or --chroot ). Called with the same parameters and environmental variables as the --up option above.
01:01 < krzee> Note that if you reduce privileges by using --user and/or --group, your --down script will also run at reduced privilege.
01:01 < dan__t> yes, I've been reading those.
01:01 < krzee> but for bw usage, something like mrtg is your ticket
01:01 < dan__t> Yep.
01:02 < dan__t> I just need raw data, I don't need a pretty display of it.
01:02 < krzee> http://www.it.ca/software/collectmrtg
01:02 < dan__t> What method would mrtg use to account for that bandwidth?
01:02 < vpnHelper> Title: Record MRTG data in MySQL (at www.it.ca)
01:02 < krzee> second hit from google: mrtg mysql
01:03 < dan__t> Ok, I'll stab myself for that one.
01:03 < krzee> haha
01:03 < krzee> ;]
01:03 < dan__t> But again, which method would MRTG use to map that bandwidth information?
01:05 < dan__t> I mean, sure, it's going to pull SNMP data - but I assume I'd have to pull that info from somewhere to make OIDs for each connection, and even further, a method for collecting said OID's data.
01:05 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
01:06 < krzee> well you know its via snmp...
01:06 < krzee> so i dont understand the question...
01:06 < dan__t> What provides the SNMP data per each static IP?
01:06 < dan__t> Static IP, being, the one assigned to my OpenVPN clients.
01:09 < dan__t> How's that? heh
01:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:13 < krzee> as for how snmp decides how much bw you used, i hsve no idea
01:13 < krzee> have
01:13 < krzee> as for static ip, 1sec
01:13 < krzee> its just an ifconfig-push in ccd
01:14 < krzee> in manual... under ifconfig-pool-persist ipp.txt:
01:14 < krzee> Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push
01:14 < krzee> --ifconfig-push local remote-netmask
01:14 < krzee> Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation.
01:15 < krzee> !static
01:15 < vpnHelper> krzee: Error: "static" is not a valid command.
01:15 < krzee> !learn static as use --ifconfig-push in a ccd entry for a static ip for the vpn client
01:15 < vpnHelper> krzee: The operation succeeded.
01:16 < dan__t> I understand how to assign a static IP.
01:16 < dan__t> Know what - I should read up on SNMP more.
01:17 < krzee> ahh, ya
01:17 < krzee> [02:06] Static IP, being, the one assigned to my OpenVPN clients.
01:17 < krzee> [02:09] How's that? heh
01:17 < dan__t> This is an SNMP question, not an OpenVPN question heh
01:17 < krzee> i misunderstood that i guess
01:17 < dan__t> Oh ok, np.
01:17 < dan__t> I should have been more clear to begin with!
01:17 < krzee> but it was a good cue to add !static =]
01:17 < dan__t> haha
01:17 < dan__t> Indeed.
01:18 < dan__t> So, I can query an OID for a specific IP's bandwidth usage?
01:18 < dan__t> I didn't know I could get that with SNMP
01:23 < krzee> http://www.satlug.org/pipermail/satlug/2003-November/029290.html
01:23 < vpnHelper> Title: [SATLUG] Bandwidth graphing per IP (like MRTG) (at www.satlug.org)
01:26 < dan__t> Hm, that looks neat - except that it does not record to MySQL.
01:26 < dan__t> Or a log, just to rrd files.
01:27 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 110 (Connection timed out)]
01:27 < krzee> !google rrd mysql
01:27 < vpnHelper> krzee: http://forums.cacti.net/about25432.html&highlight= - rrdtool export .rrd file to mysql?
01:28 < dan__t> Yeah, i was just reading that.
01:37 < krzee> check out ntop
01:37 < krzee> looks like it supports mysql output
01:38 < dan__t> Yeah, that was my first investigation.
01:38 < krzee> shot it down?
01:40 < krzee> http://www.debianhelp.org/node/6964
01:40 < vpnHelper> Title: BAndwidth | debianHELP (at www.debianhelp.org)
01:41 < krzee> If you need traffic graphs per IP, use pmacct and cacti.
01:41 < krzee> http://www.pmacct.net/docs/cacti.html
01:41 < krzee> If you want to see only traffic in MB/month or /day use bwstat
01:41 < krzee> http://projects.celuloza.ro/bwstat/ that also works with pmacct.
01:41 < vpnHelper> Title: Make graphs: pmacct and Cacti (at www.pmacct.net)
01:41 < vpnHelper> Title: BWstat Home (at projects.celuloza.ro)
01:41 < krzee> http://bandwidthd.sourceforge.net/
01:41 < krzee> regardless of how you choose to do it
01:42 < krzee> you are far from the first who wants to monitor bandwidth based on ip
01:42 < dan__t> Understood.
01:42 < krzee> once you collect the data somehow, regardless of the format it should be possible to toss into mysql
01:43 < dan__t> Yep.
01:43 < dan__t> Actually... now that I think - in this model, ntop just might be the better option, since I can have probes at various locations......
01:44 < dan__t> That would come in handy when using various VPN termination points.
01:44 < dan__t> Centralize all the data etc etc
02:01 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 110 (Connection timed out)]
02:10 < dan__t> Welp, thanks for the help, you gave me some pretty good ideas which I think I can work with.
02:14 < krzee> np man
02:48 -!- dan__t [n=dant@ip68-110-121-53.ph.ph.cox.net] has quit ["Leaving"]
03:38 < ropetin> Hey krzee, are you around?
04:43 -!- bjartis [n=bjartis@195.1.73.1] has joined ##openvpn
04:44 < bjartis> What is the recommended way to provide fail-over for VPN? I was thinking of using Ucarp and just use some other mechanism to sync certificates and configuration files.
04:45 < bjartis> csync2 to keep stuff in sync. but i guess clients would need to reconnect in such a setup?
05:19 -!- [SURFnet]Kees is now known as SURFkees
06:19 -!- bjartis [n=bjartis@195.1.73.1] has left ##openvpn []
06:22 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
06:23 -!- hacim [n=micah@debian/developer/micah] has left ##openvpn []
06:35 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 60 (Operation timed out)]
06:51 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
07:16 < zer0python> yar
07:16 < zer0python> top of the mornin' to ya
07:33 < zer0python> day two of openvpn fun
07:41 < ecrist> heh
07:56 < zer0python> well
07:56 < zer0python> that sucks
07:57 < zer0python> not working on that anymore today
07:57 < zer0python> I just did an iptables -F on the wrong computer
08:42 -!- bandini [n=bandini@host250-6-dynamic.6-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
08:42 -!- bandini [n=bandini@79.6.6.250] has joined ##openvpn
08:42 -!- bjartis [n=bjartis@195.1.73.1] has joined ##openvpn
09:44 -!- mojjog [n=sergiu@host-static-89-41-127-129.moldtelecom.md] has joined ##openvpn
09:53 -!- jssa [n=javier@200-55-20-49.static.coopdeheza.com.ar] has joined ##openvpn
09:54 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn
09:54 < jssa> Hi guys. I want to set "redirect-gateway" from all my clients, except one. What's the right way to do that?
09:55 < ecrist> client-config dir
09:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:56 < ecrist> openvpn.net/howto - search for Configuring client-specific rules and access policies
09:57 < jssa> I've read it, ecrist , but still cant find a way to override the "redirect-gateway" directive :(
09:59 < jssa> I mean, if I set 'push "redirect-gateway"' on the main config file, how can I override that on the client-specific one?
10:11 < ecrist> every client that needs redirect-gateway gets a client config on the server, with that option
10:14 < jssa> yes, ecrist, I'll have to do it that way: removing the general directive and put it on every client I want to restrict Internet access.. (a lot of work, now and in the future...)
10:18 < jssa> Oh, ecrist, got it!!!
10:18 < jssa> I can use the DEFAULT client config file!!!
10:18 < jssa> :)
10:20 -!- mojjog [n=sergiu@host-static-89-41-127-129.moldtelecom.md] has quit [Read error: 104 (Connection reset by peer)]
10:25 < ChUbB> hi anyone had problems with the broadcasts only being seen on the vpn site and not the client ?
10:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:01 -!- dxdemetriou [n=dxdemetr@87-173.netway.com.cy] has joined ##openvpn
11:03 < dxdemetriou> hi, I'm trying to use vpn with network manager on linux. the problem is that I don't know how can I make the mac address permanent. anybody knows anything about?
11:28 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:40 -!- bandini [n=bandini@79.6.6.250] has quit [Remote closed the connection]
11:55 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
11:57 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
11:59 -!- jssa [n=javier@200-55-20-49.static.coopdeheza.com.ar] has quit ["Ex-Chat"]
12:45 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit [Read error: 104 (Connection reset by peer)]
12:47 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:31 -!- bandini [n=bandini@host250-6-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
13:41 < krzee> [04:38] Hey krzee, are you around?
13:41 < krzee> !ask
13:41 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/
13:42 < krzee> ;]
13:43 < krzee> theres a few people in here that prolly woulda been able to answer your problem before i woke up =]
13:49 < zer0python> ya know what I find interesting
13:50 < zer0python> is apparently from inside my lan.. if I try to tracepath something on the otherside of the openvpn, it stops at the openvpn server, it doesn't hop to the 10.8.0/24 address
13:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:52 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:52 < ecrist> zer0python: iirc, traceroute doesn't usually include the system you're tracing to
13:53 < krzee> umm, i believe it does
13:54 < krzee> testing
13:54 < krzee> yup, does
14:00 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: SWAT, pa, SilenceGold, nopcode, jfkw, Typone, noriX, ompaul, eliasp, SURFkees, (+12 more, use /NETSPLIT to show all of them)
14:00 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: disco-
14:00 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: justdave, krzie, jeev, paruchuri, joh, dogmeat, zer0python, zamba, troy-, ropetin, (+1 more, use /NETSPLIT to show all of them)
14:02 -!- Netsplit over, joins: bronson, bandini, ompaul, dxdemetriou, bjartis, pa, justdave, eliasp, noriX, zer0python (+24 more)
14:16 -!- dxdemetriou [n=dxdemetr@87-173.netway.com.cy] has left ##openvpn ["Ex-Chat"]
14:40 < zer0python> getting closer :D
14:40 < zer0python> ping: sendmsg: Operation not permitted
14:41 < ecrist> that sounds like firewall
14:41 < ecrist> proto icmp
14:55 < zer0python> nope nope
14:55 < zer0python> I got it
14:55 < zer0python> can't route a 192.168/16 when there is a 192.168.x/24
14:55 < zer0python> basically
14:55 < zer0python> my problem was a routing issue the whole time
14:55 < zer0python> :D
14:55 < zer0python> I'm just glad I got it
15:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
15:35 < krzie> im glad you fixed your problem
15:35 < krzie> but you in fact CAN route a 192.168.x/24 and a 192.168/16
15:35 < krzie> otherwise how could you have a default route (0.0.0.0/0) as well as ANY other routes
15:36 < krzie> coulda been confusing the openvpn internal routing tho
15:39 < krzie> the way the routing table works, it will route to the most specific matching route in the routing table
15:40 < krzie> so you could have a packet match 10 entries in the routing table, and know it will go to the most specific match (as in, the entry that matches the least amount of ips)
15:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:45 < krzie> wassup roentgen
15:46 < roentgen> :) not quite well but ok
15:46 < roentgen> getting bored?
15:46 < krzie> yup
15:46 < krzie> very much so, lol
16:01 -!- jmeeuwen [n=kanarip@fedora/kanarip] has joined ##openvpn
16:06 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection]
16:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:55 -!- bandini [n=bandini@host250-6-dynamic.6-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:29 -!- krzie [i=krzee@unaffiliated/krzee] has left ##openvpn []
17:29 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
18:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
23:37 -!- floyd_n_milan [i=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:41 < ropetin> At your advice krzie I've been attempting to use --up to run a script on connection, but it just isn't working for me. Basically I'm trying to mount a network share via a little shell script. If I connect the vpn then run the script manually it's fine, but if I do it as part of the connection it fails, as unable to connect. Any suggestions?
23:46 < krzee> what os?
23:48 < krzee> and have you tried making the script sleep before mounting the share?
23:48 < ropetin> Both client and server are Linux
23:48 < ropetin> I put in sleep for 30 seconds, but same thing happened
23:49 < ropetin> It's driving me nutso!
--- Day changed Thu Oct 02 2008
00:04 < krzee> --up-delay
00:04 < krzee> Delay TUN/TAP open and possible --up script execution until after TCP/UDP connection establishment with peer.
00:04 < krzee> In --proto udp mode, this option normally requires the use of --ping to allow connection initiation to be sensed in the absence of tunnel data, since UDP is a "connection
00:05 < ropetin> Yup, I tried that too. I'm doing it via a config file, so I did 'ping 10 up-delay 30 up MyScript'
00:05 < ropetin> Does that make sense?
00:05 < krzee> you dont need 30
00:05 < ropetin> I was thinking to have it more than the ping, so the ping has time to do its thing?
00:05 < krzee> up-delay is an option to say "wait till established to run this"
00:05 < krzee> not an amount of time
00:06 < ropetin> Ahhh, OK.... so 'ping 10 up-delay MyScript'?
00:06 < krzee> if it was it would be like this:
00:06 < krzee> --ping-restart n
00:06 < krzee> ping 10
00:06 < krzee> up-delay
00:06 < krzee> up MyScript
00:07 < ropetin> Oooo, OK, thank you! Lemme go try that! You are da man!
00:07 < krzee> once everything works play with setting ping higher since every 10 sec of inactivity is pretty low
00:07 < ropetin> OK
00:08 < krzee> This option has two intended uses:
00:08 < krzee> (1) Compatibility with stateful firewalls. The periodic ping will ensure that a stateful firewall rule which allows OpenVPN UDP packets to pass will not time out.
00:08 < krzee> (2) To provide a basis for the remote to test the existence of its peer using the --ping-exit option.
00:08 < krzee> (ping)
00:08 < ropetin> k
00:10 < krzee> the script is +x right
00:11 -!- jeev [n=email@unaffiliated/jeev] has quit ["too hot"]
00:12 < ropetin> krzee: yup
00:13 < ropetin> Hmmm, failed with the same error, 'no route to host'
00:13 < ropetin> Shucks
00:14 < ropetin> I guess I'll settle for running it manually!
00:15 < krzee> try switching the order of up and up-delay
00:16 < krzee> or moving them up in the config
00:16 < krzee> oddly enough ive had the a config line work in when moved up that did not work when used earlier
00:16 < krzee> below earlier
00:18 < ropetin> Weird, OK, lemme see...
00:21 < ropetin> Same thing. I guess I'll ask the question I should've asked a while ago... Do I need to change anything on the server?
00:33 < krzee> !configs
00:33 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
00:34 < ropetin> :D
00:34 < ropetin> K
00:37 < krzee> meanwhile, im going to xfer a movie to my nfs/media center box and ill use wireless to give you more time
00:38 < krzee> cause when its done im watching copycat
00:39 < ropetin> OK! :D
00:45 < ropetin> OK, that's it, I quit for the night, thanks for your help though!
00:48 < krzee> not gunna pastebin the configs?
00:49 < krzee> no guarantees cause i dont use --up but im down to take a look at your configs and tell ya if i see anything you could do
00:50 < ropetin> krzee: OK, will do...
00:55 -!- kgoetz [n=kgoetz@gnewsense/friend/pdpc.active.kgoetz] has joined ##openvpn
00:55 < kgoetz> hi all. is anyone aware of a module to integrate openvpn into checkpoint firewall? i'm trying to find one, but its not looking like something that exists
00:56 < ropetin> krzee: http://openvpn.pastebin.com/d45c2dd61
00:58 < krzee> no idea kgoetz
00:59 < ropetin> Don't they use their own custom vpn solution kgoetz ?
00:59 < krzee>
00:59 < krzee> up-delay
00:59 < krzee> up "/home/livecd/scripts/starter.sh"
00:59 < krzee> try putting that above remote
01:00 < kgoetz> ropetin: they do, along with a vague comment about '3rd party modules under licence'. figured it was worth asking at least - searching the 'nets not turned anything up
01:02 < ropetin> :D OK kgoetz
01:03 < ropetin> Same thing krzee
01:04 < krzee> heh was worth a shot
01:04 < ropetin> Thanks though!
01:05 < krzee> welp
01:05 < krzee> got 1 last trick for ya
01:05 < krzee> a wrapper for starting openvpn ;]
01:05 < krzee> have it start openvpn, sleep awhile, mount
01:06 < krzee> shouldnt need to be done, but hell it'll work just fine
01:07 < ropetin> Thats the ticket! Lemme try that!
01:12 < krzee> maybe you could toss something on the wiki about that if you feel like it
01:12 < krzee> !wiki
01:12 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
01:12 < krzee> im headed to the movie =]
01:12 < ropetin> Have fun
01:13 < krzee> also, lemme know how it works
01:14 < ropetin> Will do
01:16 < kgoetz> https://forums.checkpoint.com/forums/thread.jspa?messageID=14274 the post at "Feb 13, 2008 11:27" seems to indicate openvpn can be used to access the vpn server
01:16 < vpnHelper> Title: Check Point Forums : VPN-1 SecureClient and OS X Leopard ... (at forums.checkpoint.com)
01:16 < kgoetz> using http://code.google.com/p/tunnelblick/ (this post is about mac, fwiw)
01:16 < vpnHelper> Title: tunnelblick - Google Code (at code.google.com)
01:18 < ropetin> Bonus!
01:20 < kgoetz> now ... i "just" need access to one of those devices to check
01:20 < ropetin> Get 'em to send you a test unit?
01:20 < kgoetz> hm....
01:21 < kgoetz> perhaps our parent company can send us a test unit - they are the ones who want it to be used after all.
01:22 < ropetin> There ya go
01:37 < ropetin> krzee: Genius! It worked, thanks
01:38 < krzee> yw
01:39 < ropetin> Once I've cleaned up my init script, and got it to work in all situations I'll put something on the wiki
01:41 < krzee> right on
01:41 < krzee> could name it ovpnctl and make it take start|stop|restart
01:42 < ropetin> Good plan
01:46 < bjartis> Can I device users into groups, and then give the groups specific ip-ranges?
01:46 < bjartis> divide
02:00 < krzee> its more like per config
02:00 < krzee> !static
02:00 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
02:01 < krzee> but nah other than sharing the same config which i dont recommend i dont know of a way to do it
02:01 < krzee> err same cert i meant
02:02 < krzee> actually nah i dunno howto do it that way even
02:03 < krzee> just gotta specify each
02:03 < krzee> could script the adding of them
02:11 -!- ikevin_ [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
02:24 -!- ikevin_ [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has joined ##openvpn
02:36 < bjartis> krzee: .. :(.. okay
02:37 < krzee> well
02:37 < bjartis> I could run multiple openvpn instances i guess.
02:37 < krzee> you could run multiple server instances
02:37 < bjartis> heh.
02:37 < krzee> with each giving out a subnet
02:38 < bjartis> But i don't think that would scale very well.
02:38 < krzee> agreed
02:38 < krzee> how many groups are you planning on?
02:38 < krzee> like corporate?
02:38 < bjartis> Could be as many as 20.. With 4-5 users each
02:38 < krzee> ahh
02:39 < krzee> for that i would build a script for adding certs and a script for adding ccd/ entries
02:39 < krzee> well
02:40 < bjartis> I could perhaps setup a openvpn appliance in the network and manually add routes on the client pcs perhaps.
02:40 < krzee> actually you may be able to have a connect script hand out the ip
02:40 < krzee> based on group
02:40 < krzee> !lets see
02:40 < vpnHelper> krzee: Error: "lets" is not a valid command.
02:40 < krzee> err
02:40 < krzee> !man
02:40 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
02:41 < krzee> OpenVPN's internal client IP address selection algorithm works as follows:
02:41 < krzee> 1 -- Use --client-connect script generated file for static IP (first choice).
02:41 < krzee> 2 -- Use --client-config-dir file for static IP (next choice).
02:41 < krzee> 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice).
02:41 < krzee> looks like you need #1
02:42 < bjartis> let me take a look
02:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:45 < krzee> it gets passed the common-name
02:45 < krzee> then you can do what you want based on common name
02:45 < krzee> read every instance of --client-connect in the manpage
02:47 < bjartis> ah I see.
02:50 < krzee> !learn dynamicfirewall as to learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man)
02:50 < vpnHelper> krzee: The operation succeeded.
02:52 < bjartis> Thanks a lot dude.
02:52 < krzee> np
02:53 < krzee> !learn iporder as OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice).
02:53 < vpnHelper> krzee: The operation succeeded.
02:53 < krzee> !learn iporder as -- Use --client-config-dir file for static IP (next choice).
02:53 < vpnHelper> krzee: The operation succeeded.
02:53 < krzee> !learn iporder as -- Use --ifconfig-pool allocation for dynamic IP (last choice).
02:53 < vpnHelper> krzee: The operation succeeded.
02:53 < krzee> !iporder
02:53 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
03:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
03:59 < bjartis> okay i have another question.. The openVPN in tun-mode gets one Ip-address. and i use DNAT to the services i want to access. But can i set so that the openvpn server has multiple IPs i can NAT with?
04:04 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
04:16 -!- floyd_n_milan_ [i=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
04:27 -!- SURFkees [n=kees@x229.flex.surfnet.nl] has quit [Read error: 104 (Connection reset by peer)]
04:31 -!- floyd_n_milan [i=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)]
04:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:46 < krzee> bjartis, do you mean natting them to access the inet or for them to have open ports to be accessed?
04:47 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
04:48 < bjartis> Open ports to the lan..
04:48 < bjartis> my openVPN gives out ips in the range of 10.67.0.0.. and itself is ip 10.67.0.1.. and i just nat requests to 10.67.0.1 to my real lan.
04:49 < krzee> you could do this easier with routing
04:49 < krzee> but you can do it that way too
04:49 < krzee> !nat
04:49 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect
04:50 < bjartis> because i don't always no the ip-range the clients will be in i was thinking that it would save me hassle in the future to not use typical ip-ranges on the vpn-server
04:50 < bjartis> no as i "know"
04:51 < krzee> i think i saw something in the manpage
04:51 < krzee> gimme a min
04:51 < krzee> !man
04:51 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
04:59 < bjartis> So if i don't run into any conflicts (the client has the same subnet as my LAN) i could probably just push "route 255.255.255.0" and just set up iptables rules to deny and allow traffic?
05:03 < krzee> --client-connect
05:04 < krzee> trusted_ip
05:04 < krzee> Actual IP address of connecting client or peer which has been authenticated. Set prior to execution of --ipchange, --client-connect, and --client-disconnect scripts.
05:04 < krzee> Environmental Variables
05:04 < krzee> Once set, a variable is persisted indefinitely until it is reset by a new value or a restart,
05:04 < krzee> As of OpenVPN 2.0-beta12, in server mode, environmental variables set by OpenVPN are scoped according to the client objects they are associated with, so there should not be any issues with scripts having access to stale, previously set variables which refer to different client instances.
05:05 < krzee> --client-connect script
05:05 < krzee> Run script on client connection. The script is passed the common name and IP address of the just-authenticated client as environmental variables (see environmental variable section below). The script is also passed the pathname of a not-yet-created temporary file as $1 (i.e. the first command line argument), to be used by the script to pass dynamically generated config file directives back to OpenVPN.
05:05 < krzee> If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by $1.
05:05 < krzee> See the --client-config-dir option below for options which can be legally used in a dynamically generated config file.
05:05 < krzee> iroute is one of those =]
05:06 < krzee> so you iroute based on $trusted_ip
05:06 < krzee> yes, this will have problems when multiple clients have the same network
05:08 < krzee> but a route directive still needs to exist in the server config
05:08 < krzee> or the machine wont send the packets to the openvpn process
05:08 < krzee> !iroute
05:08 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
05:15 < krzee> you should be able to do that easily
05:15 < krzee> you can route 2 of 3 in 1 command
05:16 < krzee> 2 of 3 1984 networks
05:16 < krzee> !1984
05:16 < vpnHelper> krzee: Error: "1984" is not a valid command.
05:16 < krzee> bleh
05:16 < krzee> !menu
05:16 < vpnHelper> krzee: "menu" is please use !factoids search *
05:16 < krzee> !factoids search 19
05:16 < vpnHelper> krzee: "1918" is http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
05:16 < krzee> 1918 i mean
05:17 < krzee> the rest you want shouldnt take too many routes
05:18 < krzee> in fact you could route all 3 in totality
05:18 < krzee> cause you have more specific routes in place for local
05:18 < krzee> so they will take precedence
05:18 < krzee> then when openvpn is routed packets it will check its iroute
05:19 < krzee> if none is given it will shrug and drop
05:19 < krzee> but it will only be passed packets if it is a lan ip that is not already in the routing table prior to those 3 routes being added
05:20 < krzee> !learn 1918 as 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
05:20 < vpnHelper> krzee: The operation succeeded.
05:21 < krzee> !1918
05:21 < vpnHelper> krzee: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
05:21 < krzee> !forget 1918 2
05:21 < vpnHelper> krzee: The operation succeeded.
05:21 < krzee> !learn 1918 as 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
05:21 < vpnHelper> krzee: The operation succeeded.
05:21 < krzee> !1918
05:21 < vpnHelper> krzee: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
05:29 < bjartis> oops. forgot to check irc.
05:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
05:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:37 < bjartis> krzee: you just made me dizzy :P
05:40 < krzee> haha
05:41 -!- int [n=quassel@wikia/int] has joined ##openvpn
05:48 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
06:22 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
06:39 < kala> what is the common ecpectation for OpenVPN tunnel throughput for a typical laptop?
06:39 < kala> 10 Mbps, 20 Mbps, 100 Mbps?
06:39 < kala> expectation
06:39 < kala> and is it CPU bounded or something else?
06:40 < kala> hmm. it seems that even just running wget.exe and downloading big file gets about 30% CPU
07:11 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
07:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
07:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:36 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
07:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
07:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:08 < bjartis> I've got a problem. The virtual TUN/TAP interface on my windows client is reporting that it's using 99% of the bandwidth which is 10mbps on the virtual interface... but my real network card is showing that it's using 4% of 100mbps which means it's maxing the connection. The question is. Why is one interface showing 4mbps, and vpn-interface showing 10mbps?
08:09 < bjartis> I'm having performance problems. That's why it's a problem ;)
08:13 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
08:26 -!- floyd_n_milan_ is now known as floyd_n_milan
08:29 < bjartis> is that because of compression perhaps?
08:40 < ecrist> bjartis: no idea
08:48 < bjartis> okay.. no worries
08:58 < bjartis> I need to add the equivalent of this windows command on my client: ROUTE ADD 192.168.5.0 MASK 255.255.255.0 10.67.0.5... i tried push "route 192.168.5.0 255.255.255.0 gateway 10.67.0.5" but it's not working.. :/
09:17 < bjartis> ah. i didn't have to specify gateway. and then it worked. :)
09:17 -!- bjartis [n=bjartis@195.1.73.1] has left ##openvpn []
09:31 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
09:34 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
10:17 -!- floyd_n_milan_ [i=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
10:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:18 -!- floyd_n_milan_ [i=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
10:31 -!- floyd_n_milan [i=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Connection timed out]
10:35 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
10:46 -!- bandini [n=bandini@host4-25-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
10:53 -!- ikevin [n=kevin@ANancy-256-1-7-195.w90-6.abo.wanadoo.fr] has joined ##openvpn
10:54 -!- ThumosTheos [n=Thumos@cpe-24-167-69-15.stx.res.rr.com] has joined ##openvpn
11:04 -!- Irssi: ##openvpn: Total of 44 nicks [0 ops, 0 halfops, 0 voices, 44 normal]
11:08 -!- ikevin_ [n=kevin@ANancy-256-1-118-42.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
11:16 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:35 < xattack> xattack:any: do you know about the development of the ipv6 support for openvpn, who is in charge of that?
11:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:52 -!- ThumosTheos [n=Thumos@cpe-24-167-69-15.stx.res.rr.com] has quit ["Leaving"]
11:52 < ecrist> no
11:53 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
11:55 -!- Irssi: ##openvpn: Total of 45 nicks [0 ops, 0 halfops, 0 voices, 45 normal]
12:34 -!- plaerzen [n=camthomp@vip2.tundraeng.com] has joined ##openvpn
12:34 < plaerzen> hey guys, long time no irc
12:41 < ecrist> howdy plaerzen
13:06 < krzee> hey =]
13:06 < plaerzen> haha. I got a new job :D
13:07 < plaerzen> oil and gas industry, way more money.
13:07 < plaerzen> and cuter girls
13:07 * ecrist needs a new job
13:07 < ecrist> just a new boss, really, I love my job.
13:07 < ecrist> want to slit my own throat every time my boss is near, though
13:07 < plaerzen> I used to love my job. Then I got this one, that pays 18k more.
13:07 < plaerzen> Now I love my job.
13:10 < plaerzen> It's also a cooler place to work. More people, good boss, good infrastructure, cute girls. Working in a developer shop is fun and all.... but this place is just better perks.
13:10 < plaerzen> I have to wear shiny shoes and non-jeans though.
13:11 < krzee> shiny like pleather!
13:11 * plaerzen nods sage-like.
13:11 < krzee> lol
13:12 < ecrist> I'm in a 100% freebsd shop, which is nice, but I'd trade a couple for windows if I had a reasonable boss
13:12 < krzee> virtual machine?
13:14 < plaerzen> my new network is: 100 windows client computers (#:109), 1 windows server, 10 linux servers (8 are virtual)
13:14 < plaerzen> basically, anyway.
13:14 < plaerzen> ok, I think I have to go for lunch
13:17 < krzee> ya im hungry too
13:17 < krzee> bbiaf
13:22 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
13:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:24 -!- espacious [i=espaciou@84-255-235-206.static.t-2.net] has joined ##openvpn
13:24 < espacious> hi i have a question im setting up openvpn site to site between two pfsense boxes
13:25 < espacious> should normally nat-ed services be available when the tunnel is up?
13:25 < krzee> sure
13:26 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:28 < espacious> yes but they are not.
13:28 < espacious> damn im locked out
13:28 < espacious> i disabled the tunnel and puf no more axx
13:29 < krzee> you had it change your default gateway?
13:30 < espacious> what?
13:30 < krzee> you using redirect-gateway?
13:30 < espacious> as i know no
13:30 < espacious> there is only one gateway on both sides
13:30 < krzee> how wouldnt you know?
13:31 < espacious> that are pfboxes
13:31 < krzee> you didnt setup your configs?
13:31 < espacious> i did
13:31 < krzee> you dont know what you put in them?
13:31 < espacious> oh yes i use the interface of pfsense LAN as gateway
13:32 < krzee> and in your openvpn config
13:32 < krzee> did you put redirect-gateway?
13:32 < espacious> default i entered no gateway in that conf
13:32 < krzee> huh?
13:32 < espacious> u think i should disable pfsense to server lan ip as gateway?
13:33 < krzee> i have no idea what you mean
13:33 < espacious> hmm.
13:36 < krzee> if you can get back into your network
13:36 < krzee> post your configs and your goal
13:36 < espacious> i think u dont mean the ISP gateway
13:36 < espacious> so the only other gateway is the pfsense LAN card
13:36 < krzee> i mean the openvpn config option redirect-gateway
13:37 < espacious> server or client side?
13:37 < krzee> well i guess if you added it to either...
13:37 < krzee> just post both
13:37 < krzee> without comments
13:37 < krzee> !configs
13:37 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
13:38 < espacious> in pfsense there is no gateway redirect option
13:38 < espacious> maybe address pool
13:39 < krzee> dude
13:39 < krzee> how are you configuring openvpn?
13:39 < espacious> :D
13:39 < krzee> some sort of web interface?
13:39 < espacious> im confused a bit since i locked myself out from the client side.
13:39 < espacious> yes.
13:39 < krzee> oh, well dont
13:39 < espacious> pfsense webgui
13:39 < krzee> configure it the old fashioned way
13:40 < espacious> but i can paste the config files
13:40 < espacious> kk
13:40 < espacious> sure
13:40 < krzee> !howto
13:40 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:40 < krzee> !man
13:40 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
13:41 < krzee> !learn pfsense as dont use the web gui for configuring openvpn, you need to understand the config and logfiles
13:41 < vpnHelper> krzee: The operation succeeded.
13:52 -!- xattack [i=xattack@132.248.108.239] has quit []
13:57 < espacious> im trying to get the client side up
13:57 < espacious> krzee i will post the config if u could just take a look
14:02 < espacious> ok so server side
14:02 < espacious> http://pastebin.com/m86950c5
14:09 < krzee> oh ive never tried a p2p setup
14:11 < espacious> p2p?
14:11 < krzee> point to point
14:11 < krzee> read the howto and the manual
14:12 < krzee> ill bbl
14:21 < espacious> oki
14:30 < espacious> ok i have now both sides up again
14:30 < espacious> anybody else can help with site to site?
14:36 -!- xororand [n=6obryian@unaffiliated/xororand] has left ##openvpn [" my irc client doesnt support sarcasm"]
14:54 -!- guigouz [n=guigouz@unaffiliated/guigouz] has joined ##openvpn
14:54 < guigouz> would it be possible for openvpn to push a "passwd" command to a client when it connects?
14:56 < plaerzen> is anyone here an engineer?
14:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:31 -!- MetaMorfoziS [n=eee@53d83898.adsl.enternet.hu] has joined ##openvpn
15:31 < MetaMorfoziS> Hi all
15:32 < MetaMorfoziS> what is the challenge password that is asked for by ./build-key-server server?
15:37 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:39 -!- ThumosTheos [n=Thumos@cpe-24-167-69-15.stx.res.rr.com] has joined ##openvpn
15:40 < ThumosTheos> anyone have any experience configuring openvpn behind a router on an untangle server?
15:41 < ThumosTheos> is this even possible?
15:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:47 -!- ThumosTheos [n=Thumos@cpe-24-167-69-15.stx.res.rr.com] has quit ["Leaving"]
15:48 < MetaMorfoziS> Is it possible to run openvpn server as a non admin user?
15:48 < MetaMorfoziS> it wants to create a tun device
15:48 < MetaMorfoziS> that can't be done as a normal user
15:53 -!- bandini [n=bandini@host4-25-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:56 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has joined ##openvpn
15:57 < Super_Cat_Frog> hi - is there any way of bundling a ca,cert,key,config,gui into an easy installer for openvpn? We need to give vpn access to remote workers with absolutely no technical knowledge, whatsoever
15:58 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:03 < ecrist> Super_Cat_Frog: sure there is.
16:04 < ecrist> read the documentation on the OpenVPN GUI site, iirc, he touches on how to do it.
16:04 < ecrist> you're going to need your own packager, however.
16:04 < Super_Cat_Frog> ecrist: ah right, thanks
16:04 < Super_Cat_Frog> there's plenty of packagers around
16:05 < Super_Cat_Frog> that looks perfect
16:06 < Super_Cat_Frog> slightly different question - is it possible to make the tap device automatically connect, when required?
16:06 < Super_Cat_Frog> rather than having the user have to do something
16:06 < ecrist> Super_Cat_Frog: not really, within the confines of openvpn, specifically.
16:06 < Super_Cat_Frog> ok, thanks
16:06 < ecrist> I'm sure there's some sort of PPP wrapper you could build in, but that's all I can think of.
16:14 -!- MetaMorfoziS [n=eee@53d83898.adsl.enternet.hu] has quit [Remote closed the connection]
16:20 -!- Super_Cat_Frog is now known as Cheese_Man
16:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:08 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:45 -!- plaerzen [n=camthomp@vip2.tundraeng.com] has quit ["I love money for nothing."]
18:07 -!- b0lt [n=b0lt@rh-100-157.greensburg.resnet.pitt.edu] has joined ##openvpn
18:11 < b0lt> does ifconfig-pool work with ccd?
18:11 < b0lt> i'm having problems with the server giving out an IP not in the range assigned
18:12 < b0lt> (172.16.0.2, regardless of what i set the range to)
18:35 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:35 < Dougy> sup yall
18:37 -!- ^DeathKing^ [n=TheKiNG@pool-72-81-25-224.phlapa.east.verizon.net] has joined ##Openvpn
18:37 < Dougy> you would come in here
19:02 -!- guigouz [n=guigouz@unaffiliated/guigouz] has left ##openvpn []
19:06 < ecrist> b0lt: can you paste your server config?
19:06 < Dougy> hey ecrist
19:06 < ecrist> hey Dougy
19:07 < Dougy> what is up
19:09 < ecrist> nm
19:09 < Dougy> i'm debating whether i want to get another vps
19:09 < ecrist> Working on getting drunk, going to go drill my wife really hard in an hour or so.
19:10 < ecrist> Dougy: why?
19:10 < Dougy> A place to IRC from and a place to host openVPN
19:10 < Dougy> 95% of providers don't allow IRC anymore
19:10 < Dougy> bastards
19:10 < ecrist> two things, 1, I know someone who can give you a shell for ssh
19:10 < ecrist> erm, irc
19:10 < ecrist> 2) wtf are you going to do with openvpn?
19:11 < Dougy> send all my traffic through it
19:11 < ecrist> sounds like you really want a horse to pull your cart, but you don't have anywhere to go.
19:11 < ecrist> Dougy: what sort of traffic are you trying to protect?
19:11 < Dougy> that's more or less what it is
19:11 < Dougy> ecrist, none, i just want to hide my ip
19:11 < Dougy> i have a habit of pissing people off
19:11 < Dougy> and a vpn is fun for encryption
19:12 < ecrist> Dougy: bah, if you're looking for something, go to rootshell.be, sign up (takes a day or so for approval), and follow my wiki page for secure browsing.
19:12 * ecrist looks for the link.
19:12 < ecrist> http://www.secure-computing.net/wiki/index.php/Secure_browsing
19:12 < vpnHelper> Title: Secure browsing - Secure Computing Wiki (at www.secure-computing.net)
19:13 < Dougy> oh
19:13 < Dougy> ssh tunneling
19:14 < Dougy> it went back to a blank form ecrist
19:14 < Dougy> after i submitted it
19:14 < ecrist> rootshell.be allows out IRC as well as proxying.
19:14 < Dougy> how do i know if it took it?
19:14 < ecrist> on rootshell?
19:14 < Dougy> yeah
19:15 < Dougy> ecrist, is it safe to tunnel as root from my laptop onto root on my vps?
19:16 < ecrist> fuck no
19:16 < ecrist> why are you logging in as root?
19:16 < Dougy> haha
19:17 < Dougy> why not
19:17 < ecrist> :\ really?
19:17 < Dougy> there's nothing on the vps
19:17 < Dougy> so why not
19:17 < Dougy> lol
19:17 < Dougy> by the way
19:17 < Dougy> with this..
19:17 < ecrist> Dougy: if you don't care if the box gets rooted, go ahead.
19:17 < Dougy> http://www.secure-computing.net/wiki/index.php/Secure_browsing
19:17 < vpnHelper> Title: Secure browsing - Secure Computing Wiki (at www.secure-computing.net)
19:17 < ecrist> what about it?
19:17 < Dougy> Don't you need to set up something to catch that anyway
19:17 < Dougy> eg squid
19:17 < Dougy> ?
19:17 < ecrist> no
19:17 < ecrist> ssh -ND 9999
19:18 < Dougy> i need to add a user now
19:18 < ecrist> then setup your apps to use the SOCKS 5 proxy that's created.
19:21 < Dougy> how do you know it created it
19:21 < Dougy> i entered my password and nothing else is showing
19:22 < Dougy> it's refusing connections :(
19:23 < ecrist> ok, ssh -ND 9999 tells ssh to open a proxy connection locally on port 9999, -N says to display nothing.
19:24 < ecrist> so, you should type your password, and it will give you a new line, with no output.
19:24 < krzie> man ssh would be useful ;']
19:24 < Dougy> douglas@laptop:~$ ssh -ND 9999 douglas@kryptonite
19:24 < Dougy> douglas@kryptonite's password:
19:24 < ecrist> then, you configure firefox to connect to SOCKS 5 proxy on localhost port 9999
19:24 < Dougy>
19:24 < Dougy> thats what I see
19:24 < ecrist> yep
19:24 < Dougy> hmm
19:24 < Dougy> hold on
19:24 < ecrist> you typed the pass, then nothing.
19:24 < Dougy> yeah
19:25 < Dougy> now it wants me to download ip.php from secure-computing.net
19:25 < ecrist> what?
19:25 < ecrist> what hostname did you type?
19:25 < ecrist> don't download, navigate through it
19:25 < Dougy> http://www.upload3r.com/serve/021008/1222993552.png
19:26 < ecrist> that link will tell you what IP you're connecting from.
19:26 < Dougy> yes
19:26 < Dougy> it wants me to download the page
19:26 < Dougy> it should tell me the page, not make me dl it
19:26 < Dougy> er show me the page
19:27 < ecrist> hrm, don't know. works for me.
19:27 < ecrist> krzie: does http://www.secure-computing.net/ip.php work for you?
19:27 < Dougy> IRC works fine
19:28 < Dougy> no
19:28 < Dougy> no php pages work but IRC does
19:28 < Dougy> :S
19:30 < Dougy> weird
19:31 < krzie> checking
19:31 < krzie> yes
19:33 < Dougy> krzie, que? [what?]
19:33 < krzie> it works for me
19:33 < krzie> or...
19:33 < krzie> esta ben pormigo [it's fine for me]
19:33 < krzie> bien
19:33 < Dougy> yo tengo una pregunta [I have a question]
19:33 < Dougy> donde esta mi gato [where is my cat]
19:33 < krzie> que lo que? [what's that?]
19:33 < krzie> lol
19:33 < Dougy> haha
19:34 < krzie> en tu pantalones [in your pants]
19:34 < Dougy> no
19:34 < krzie> hahaha
19:34 < Dougy> dont know how to say girlfriend but
19:34 < krzie> novia [girlfriend]
19:34 < Dougy> my girlfriend esta en mi pantalones [is in my pants]
19:34 < Dougy> or es en mi
19:34 < Dougy> i always mix up ser / estar
19:35 < krzie> ya thats not hard to do
19:36 < Dougy> i fail at spanish
19:36 < ecrist> Tu peux te le foutre au baiser. [You can shove it.]
19:36 < krzie> sorry ecrist, i no speaky the french
19:36 < krzie> ;]
19:36 < ecrist> Je parle une petite francais. [I speak a little French.]
19:36 < Dougy> French is gay.
19:37 < Dougy> Yo hablo espanol. Yo soy inteligente. [I speak Spanish. I am intelligent.]
19:38 < Dougy> krzie, was it esta or es?
19:46 < krzie> neither, it was false
19:46 < krzie> and it would mean she is wearing your pants
19:46 < Dougy> oh
19:46 < Dougy> yeah see
19:46 < Dougy> i fail at spanish
19:46 < Dougy> epically
19:54 < krzie> thats ok, so does google translate half the time
19:57 < Dougy> haha
20:27 -!- coldflame [n=coldflam@unaffiliated/coldflame] has joined ##openvpn
20:39 -!- ^DeathKing^ [n=TheKiNG@pool-72-81-25-224.phlapa.east.verizon.net] has quit ["I must not fear. Fear is the ultimate mindkiller that leads to total destruction."]
21:05 -!- espacious [i=espaciou@84-255-235-206.static.t-2.net] has quit [Client Quit]
22:02 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"]
23:58 -!- vk5foss [n=kgoetz@gnewsense/friend/pdpc.active.kgoetz] has joined ##openvpn
--- Day changed Fri Oct 03 2008
00:11 -!- kgoetz [n=kgoetz@gnewsense/friend/pdpc.active.kgoetz] has quit [Read error: 110 (Connection timed out)]
00:42 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 54 (Connection reset by peer)]
00:55 -!- jfkw_ [n=jtk@static-64-65-249-140.buf.choiceone.net] has joined ##openvpn
00:58 -!- kgoetz [n=kgoetz@gnewsense/friend/pdpc.active.kgoetz] has joined ##openvpn
01:03 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:06 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has quit [Read error: 110 (Connection timed out)]
01:11 -!- vk5foss [n=kgoetz@gnewsense/friend/pdpc.active.kgoetz] has quit [Read error: 110 (Connection timed out)]
01:33 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
01:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:41 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
01:43 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
01:51 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Remote closed the connection]
01:52 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
02:06 -!- coldflame [n=coldflam@unaffiliated/coldflame] has quit [Remote closed the connection]
02:10 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
03:14 -!- strongfrakk [n=strongfr@62.77.209.74] has joined ##openvpn
03:15 < strongfrakk> hi
03:15 < strongfrakk> I have installed openvpn on a windows webserver
03:16 < strongfrakk> i would like to force the openvpn service to send something towards the firewall
03:16 < strongfrakk> in this way i can add openvpn to the allowed applications list
03:16 < strongfrakk> how can i solve this?
03:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
03:25 -!- strongfrakk [n=strongfr@62.77.209.74] has left ##openvpn []
03:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:45 -!- kgoetz [n=kgoetz@gnewsense/friend/pdpc.active.kgoetz] has quit [Read error: 110 (Connection timed out)]
04:34 -!- strongfrakk [n=strongfr@62.77.209.74] has joined ##openvpn
04:34 < strongfrakk> hi
04:40 < strongfrakk> i have configured openvpn successfully
04:41 < strongfrakk> but when im connecting with the openvpn client i lose my other internet connection
04:41 < strongfrakk> why can this happen?
04:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
05:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:37 -!- strongfrakk [n=strongfr@62.77.209.74] has left ##openvpn []
05:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
06:07 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
06:16 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
06:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:29 < ecrist> morning, folks.
08:03 -!- Dr-D_ [n=jcordeir@89.152.213.114] has joined ##openvpn
08:04 < Dr-D_> hi
08:04 < Dr-D_> i need help
08:04 < Dr-D_> i need a way to refresh the mac address table faster
08:05 < Dr-D_> in my server
08:05 < Dr-D_> i explain
08:06 < Dr-D_> one of my machines can be connected to 2 different clients with 2 different bridges
08:06 < Dr-D_> when i connect the open vpn its all ok
08:06 < Dr-D_> i can ping the network machine
08:06 < Dr-D_> but
08:06 < Dr-D_> when it migrates to the other openvpn client bridge
08:07 < Dr-D_> i have to wait like 3/5 minutes until it learns the new route and lets me ping that machine
08:07 < Dr-D_> can any one help me with this?
08:15 < ecrist> I don't think I fully understand what you're trying to do
08:15 < Dr-D_> ok then i explain
08:15 < Dr-D_> i have 1 server and 2 clients
08:15 < Dr-D_> (openvpn server and clients)
08:16 < ecrist> ok
08:16 < Dr-D_> and im bridging 2 networks connected to those 2 clients
08:17 < Dr-D_> so computer 1 connected directly to eth0 of client 1 can ping computer 2 connected to eth0 of client2
08:17 < Dr-D_> but i have a virtual machine
08:18 < Dr-D_> that can be up in any client
08:18 < Dr-D_> it can migrate from client 1 to client 2
08:18 < Dr-D_> i boot it up in client 1
08:18 < ecrist> Dr-D_: now I understand. The only real way around that is manual arp table updates
08:19 < Dr-D_> ecrist: it already does it automatically
08:19 < Dr-D_> the problem is that it takes too long
08:19 < ecrist> that's not an openvpn problem.
08:19 < ecrist> !notopenvpn
08:19 < vpnHelper> ecrist: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
08:19 < Dr-D_> can i set a lower time out?
08:19 < ecrist> that's part of the tcp/ip stack for each client
08:20 < Dr-D_> hum
08:20 < Dr-D_> so is it the VM that has to make an ARP broadcast saying its new route?
08:20 < ecrist> yep
08:21 < Dr-D_> ok
08:21 < Dr-D_> thanx
08:22 < Dr-D_> btw nice vpn software
08:22 < Dr-D_> :)
08:22 < Dr-D_> keep up the good work
08:23 < ecrist> I don't do anything for openvpn, other than support users here.
08:23 < Dr-D_> well i meant it to every one here
08:23 < Dr-D_> but supporting users is also good work
08:24 < ecrist> thanks
08:27 -!- kgoetz [n=kgoetz@gnewsense/friend/pdpc.active.kgoetz] has joined ##openvpn
08:40 -!- coldflame [n=coldflam@unaffiliated/coldflame] has joined ##openvpn
08:57 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 113 (No route to host)]
09:01 -!- Irssi: ##openvpn: Total of 40 nicks [0 ops, 0 halfops, 0 voices, 40 normal]
09:02 -!- joh [i=johannj@caracal.stud.ntnu.no] has left ##openvpn []
09:04 -!- mweinelt [n=hexa@p4FDC517B.dip.t-dialin.net] has joined ##openvpn
09:04 < mweinelt> hello
09:04 < mweinelt> i'm trying to create a dh key via build-dh
09:04 < mweinelt> but its taking like an hour now
09:05 < mweinelt> is this normal behaviour?
09:05 < ecrist> what's the speed of the system?
09:05 < mweinelt> it's some virtual server
09:05 < mweinelt> so not sure about its cpu
09:06 < mweinelt> however there are 512 MB of memory available
09:06 < ecrist> ram doesn't matter
09:06 < ecrist> it's all in the processor
09:06 < mweinelt> pretty cool :D
09:06 < ecrist> so, if it's a busy vps, an hour plus is normal.
09:06 < mweinelt> load is 0.07
09:07 < mweinelt> openssl's cpu usage is 0.0
09:07 < ecrist> *shrug* easy-rsa sucks
09:07 < mweinelt> funny
09:07 < ecrist> I blame it on that, then.
09:07 < mweinelt> any tutorial handy then?
09:07 < ecrist> on what?
09:07 < mweinelt> on creating keys
09:07 < ecrist> lots of them.
09:08 < ecrist> what OS you on?
09:08 < mweinelt> some debian
09:08 < mweinelt> i believe etch
09:09 < ecrist> hang on
09:09 < mweinelt> i will
09:10 < ecrist> openssl dhparam -out dh.pem $key_size
09:11 < mweinelt> root 20362 0.0 0.0 3488 1296 pts/0 S+ 16:11 0:00 openssl dhparam -out dh.pem
09:11 < mweinelt> funny :o
09:12 < mweinelt> can i create the dh.pem on another machine?
09:12 < ecrist> sure
09:13 < mweinelt> anything i need to take note of?
09:13 < mweinelt> or well
09:14 < mweinelt> i can just copy the dh.pem?
09:14 < ecrist> you just need the dh.pem
09:14 < mweinelt> nothing machine-specific?
09:14 < ecrist> no
09:14 < mweinelt> great
09:15 < mweinelt> done
09:19 < mweinelt> Error Loading extension section server
09:19 < mweinelt> funny
09:19 < mweinelt> how nothing can work out fine
09:19 < mweinelt> # openssl req -days 3650 -nodes -new -keyout gateway.key -out gateway.csr -extensions server -config $KEY_CONFIG
09:27 < ecrist> wtf?
09:27 < mweinelt> yup
09:27 < mweinelt> never had these problems :D
09:28 < ecrist> where is that error from?
09:28 < ecrist> that's like me doing this:
09:28 < ecrist> hey, um, this is broke.
09:28 < ecrist> see: modem_scripts_8J03_090000: running ugs_send take 9 .. failed
09:28 < ecrist> how do I fix that?
09:29 < mweinelt> posted the command :o
09:29 < mweinelt> openssl req -days 3650 -nodes -new -keyout gateway.key -out gateway.csr -extensions server -config $KEY_CONFIG
09:29 < mweinelt> results in
09:29 < mweinelt> Error Loading extension section server
09:30 < ecrist> is that a valid extension?
09:30 < mweinelt> i don't know, the command is taken from easy rsa
09:30 < mweinelt> which is bundled with openvpn tarball
09:30 < mweinelt> so i suppose it at least should be
09:31 < ecrist> don't know - easy-rsa sucks, so I don't use it.
09:31 < ecrist> thus, I won't support it. ;)
09:32 < mweinelt> was asking you for a tutorial without easy-rsa earlier :P
09:32 < ecrist> google for create self-signed certificate
09:32 < mweinelt> ok
09:32 < ecrist> I've written a perl script to do all that for you, as well.
09:33 < ecrist> but, it requires some config on linux, which you'd have to do first.
09:33 < mweinelt> i'd be glad to give it a try
09:33 < ecrist> https://www.secure-computing.net/trac/browser/trunk/ssl-admin
09:33 < vpnHelper> Title: /trunk/ssl-admin - SCN Open Source - Trac (at www.secure-computing.net)
09:35 < ecrist> you need openssl.conf, ssl-admin.conf, and ssl-admin
09:36 < ecrist> manpages are optional
09:37 < ecrist> find a working directory for the install, and edit ssl-admin, replacing ~~~PREFIX~~~ with your working directory. On FreeBSD systems, this should be /usr/local
09:38 < ecrist> ssl-admin goes in /usr/local/bin/ or wherever linux likes such things
09:38 < ecrist> openssl.conf and ssl-admin.conf go in ~~~PREFIX~~~/etc/ssl-admin/
09:38 < ecrist> bbiab
09:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:44 < ecrist> hrm, looks like I need to update the freebsd port
09:45 < ecrist> think I'll do that this weekend.
09:45 < ecrist> mweinelt: there's some information here: http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
09:45 < vpnHelper> Title: FreeBSD OpenVPN Server HowTo - Secure Computing Wiki (at www.secure-computing.net)
09:48 < mweinelt> feels like an overkill :D
09:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:49 -!- coldflame [n=coldflam@unaffiliated/coldflame] has quit [Remote closed the connection]
09:58 < ecrist> it's a replacement for easy-rsa and offers certificate management
10:11 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
11:20 < Kreg> can the easy-rsa tools show a list of currently revoked keys?
11:21 < ecrist> not sure - that's done with openssl and the crl.pem file, however.
11:21 < ecrist> fairly trivial.
11:23 < Kreg> ok, well if i have the original keys ever made against the CA, then can I just re-do the revoke a 2nd time without any harm?
11:40 < ecrist> sure
11:40 < ecrist> all you do when you revoke a key is add it to a CRL
11:41 < ecrist> delete the CRL, nothing's revoked.
11:41 < ecrist> that crl file holds all the magic
11:41 < ecrist> without that, nothing is revoked.
11:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:51 < ecrist>
12:03 -!- kgoetz [n=kgoetz@gnewsense/friend/pdpc.active.kgoetz] has quit [Read error: 110 (Connection timed out)]
12:18 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:25 < ecrist> :\
12:25 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has quit [Excess Flood]
12:25 < ecrist> someone just gave me a gift subscription to slashdot.
12:50 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:29 -!- xattack [i=xattack@132.248.108.239] has quit []
13:32 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:33 -!- funky [n=repulse@unaffiliated/funky] has quit ["leaving"]
13:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
14:21 -!- Cheese_Man is now known as Badger_Man
14:28 -!- bandini [n=bandini@host70-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn
14:31 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Remote closed the connection]
15:03 -!- Badger_Man [n=bob@87-194-183-38.bethere.co.uk] has left ##openvpn ["Konversation terminated!"]
15:17 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
15:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:45 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.]
15:46 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:51 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:52 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 104 (Connection reset by peer)]
16:06 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
16:10 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
16:16 < disco-> I've got two clients connected to 10.8.1.1. They are on IPs .2 and .3 and can ping .1 and vice versa, but the two clients can't ping or route traffic to each other, why could this be?
16:20 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
16:29 -!- bandini [n=bandini@host70-106-dynamic.11-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:04 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
17:17 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit [Read error: 54 (Connection reset by peer)]
17:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:02 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Leaving"]
18:44 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
20:06 < b0lt> disco-: client-to-cleint
20:06 < b0lt> client-to-client, rather
20:28 -!- floyd_n_milan [i=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:26 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: mXr, adie, bronson
21:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
21:26 -!- Netsplit over, joins: bronson, mXr, adie
21:27 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
21:31 -!- coldflame [n=coldflam@unaffiliated/coldflame] has joined ##openvpn
21:48 -!- floyd_n_milan [i=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Nick collision from services.]
21:49 -!- floyd_n_milan [i=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:05 -!- b0lt [n=b0lt@rh-100-157.greensburg.resnet.pitt.edu] has quit [Connection timed out]
23:21 -!- floyd_n_milan [i=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Sat Oct 04 2008
01:10 -!- mweinelt [n=hexa@p4FDC517B.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
01:47 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:02 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
02:18 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
02:19 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has quit [Read error: 110 (Connection timed out)]
02:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
02:51 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
02:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
03:20 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
03:21 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
03:31 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)]
03:52 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
04:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:29 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
04:30 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has joined ##openvpn
04:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
05:41 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
05:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:28 -!- int [n=quassel@wikia/int] has joined ##openvpn
08:26 -!- SilenceGold [n=chris@71.143.178.16] has quit ["I've never heard that silence is golden...."]
08:31 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:37 -!- SilenceGold [n=chris@71.143.178.16] has joined ##openvpn
08:55 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Leaving"]
09:06 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: SilenceGold, Dr-D_, SWAT, mikkel, Typone
09:07 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: disco-, nopcode, coldflame, kala, jmeeuwen, ropetin, ikevin
09:08 -!- Netsplit over, joins: SilenceGold, ropetin, mikkel, coldflame, Dr-D_, ikevin, jmeeuwen, Typone, nopcode, kala (+2 more)
09:19 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
09:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
09:46 -!- Dougy[Work] [n=doug@64.18.159.247] has joined ##openvpn
09:46 < Dougy[Work]> hey
09:46 < Dougy[Work]> ecrist, there?
09:55 -!- jmeeuwen [n=kanarip@fedora/kanarip] has quit [Read error: 113 (No route to host)]
10:02 -!- jmeeuwen [n=kanarip@fedora/kanarip] has joined ##openvpn
10:03 < SilenceGold> hi
10:04 < Dougy[Work]> hey SilenceGold
10:04 < Dougy[Work]> got a question for you since you're here
10:04 < SilenceGold> shoot it over
10:04 < Dougy[Work]> okay, so
10:04 < Dougy[Work]> i am at work now (kind of self apparent)
10:04 < Dougy[Work]> i ssh'd into my home wrt54g and now am ssh'd into my laptop
10:05 < Dougy[Work]> i would like to have a way to VNC into that from here
10:05 < Dougy[Work]> or any other type of remote desktop
10:05 < Dougy[Work]> (laptop is ubuntu)
10:05 < Dougy[Work]> what is the most viable solution to do such a thing?
10:06 < SilenceGold> well, you can configure the wrt54g to port forward the vnc's port to your laptop's internal ip address
10:06 < SilenceGold> or just set the dmz to be the laptop's ip address
10:09 < Dougy[Work]> yeah
10:09 < Dougy[Work]> ever used dd-wrt?
10:10 < Dougy[Work]> (i figured i could do that, but was wondering if there was another solution as well)
10:10 < Dougy[Work]> because in theory doesn't my laptop need to be logged in for vnc to work?
10:10 < SilenceGold> yes I have
10:10 < SilenceGold> no
10:10 < Dougy[Work]> oh
10:10 < SilenceGold> my home theater machine always stays logged out
10:10 < Dougy[Work]> okay, ever used ssh on dd-wrt?
10:10 < SilenceGold> until I can vnc in then I can pick which user to log in
10:10 < SilenceGold> yes
10:11 < Dougy[Work]> is it possible to enable dmz via that?
10:11 < SilenceGold> I really don't think so
10:11 < SilenceGold> I think you can enable the web management for remote
10:11 < Dougy[Work]> i enabled it for 8080 but it doesn't work
10:11 < Dougy[Work]> =[
10:13 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Tykling
10:13 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Dr-D_, SWAT, mikkel
10:13 < Dougy[Work]> uhhh
10:13 < Dougy[Work]> ..
10:14 < SilenceGold> hrm
10:14 < SilenceGold> did you restart the router?
10:14 < SilenceGold> after you enabled it?
10:14 < Dougy[Work]> yes
10:14 < Dougy[Work]> it times out
10:14 < Dougy[Work]> telnet router.douglashaber.com 8080
10:15 < SilenceGold> erm no
10:15 < Dougy[Work]> i mean
10:15 < Dougy[Work]> that doesn't work
10:15 < SilenceGold> you http://router.douglashaber.com:8080
10:15 < Dougy[Work]> web based does not either
10:15 < Dougy[Work]> yes
10:15 < Dougy[Work]> that does not work either
10:15 < Dougy[Work]> Network Timeout
10:15 < Dougy[Work]> The server at router.douglashaber.com is taking too long to respond.
10:15 < SilenceGold> oh hrm..
10:15 < SilenceGold> check via ssh if it's listening on 8080
10:15 < Dougy[Work]> how do you suggest to do tht
10:15 < Dougy[Work]> that
10:15 * Dougy[Work] is having an off dy
10:15 < Dougy[Work]> day^
10:15 < SilenceGold> it's also possible that the ISP might block 8080
10:15 < SilenceGold> netstat -an
10:16 < SilenceGold> look for :8080
10:16 < Dougy[Work]> wtf lame
10:16 < Dougy[Work]> root@router:~# netstat -an | grep 8080
10:16 < Dougy[Work]> root@router:~#
10:17 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
10:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:17 -!- Dr-D_ [n=jcordeir@89.152.213.114] has joined ##openvpn
10:17 -!- SWAT [n=swat@ubuntu/member/swat] has joined ##openvpn
10:24 < Dougy[Work]> douglas@laptop:~$ sudo reboot
10:24 < Dougy[Work]> Broadcast message from douglas@laptop
10:24 < Dougy[Work]> (/dev/pts/9) at 11:24 ...
10:24 < Dougy[Work]> The system is going down for reboot NOW!
10:24 < Dougy[Work]> douglas@laptop:~$
10:24 * Dougy[Work] crosses fingers
10:29 < SilenceGold> you're now in the laptop?
10:29 < Dougy[Work]> i have been ssh'd into it
10:29 < Dougy[Work]> i just wanted to vnc in
10:30 < Dougy[Work]> now it's back up but i can't ssh to it because of friggin firestarter. oh well
10:30 < SilenceGold> oh?
10:30 < Dougy[Work]> it firewalled it
10:30 < Dougy[Work]> hmm i lied
10:30 < Dougy[Work]> it's my ISP being trash
10:31 < Dougy[Work]> C:\Documents and Settings\doug>ping home.douglashaber.com -n 50
10:31 < Dougy[Work]> Pinging home.douglashaber.com [67.80.62.212] with 32 bytes of data:
10:31 < Dougy[Work]> Request timed out.
10:31 < Dougy[Work]> Request timed out.
10:31 < Dougy[Work]> Request timed out.
10:31 < Dougy[Work]> Request timed out.
10:31 < SilenceGold> maybe your router is already set to blackhole the pings
10:32 < Dougy[Work]> nope
10:32 < SilenceGold> that's why my vpn service with public ips is more useful
10:32 < Dougy[Work]> packet loss to everywhere
10:32 < Dougy[Work]> datacenter fail
10:33 < SilenceGold> I just send the people who wanted help an .exe file for them to install..it installs the openvpn client and the certificates...then I can see them connect to this public vpn..then I can connect directly to their computer without having to go thru the painful walkthrough of setting up their NATD router
10:33 < Dougy[Work]> that's nice
10:36 < Dougy[Work]> Nginx is pretty cool.
10:36 < Dougy[Work]> I wish I had stuff to do here. I'm supposed to be doing a build
10:36 < Dougy[Work]> but I don't have the cpu my boss told me
11:20 < Dougy[Work]> man
11:20 < Dougy[Work]> no krzee, jeev, rmull
12:07 -!- coldflame [n=coldflam@unaffiliated/coldflame] has quit [Remote closed the connection]
12:41 -!- noriX [i=noriX@csbnc0002.229.162.clanserver4u.de] has quit [Remote closed the connection]
12:49 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
15:36 < Dougy[Work]> i as just given at least $750 in parts
15:36 < Dougy[Work]> was
15:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:39 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 60 (Operation timed out)]
15:53 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
16:09 -!- quad| [n=talex@hc6527b98.dhcp.vt.edu] has joined ##openvpn
16:12 < quad|> anyone has some time (and knowledge) to help a poor openvpn user (linux)?
16:14 < quad|> erm... solved, nvm
17:51 < zamba> cool
17:51 < zamba> thank us later :)
18:26 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
19:42 < ecrist> Dougy[Work]: yes, I am.
19:59 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
20:35 -!- quad| [n=talex@hc6527b98.dhcp.vt.edu] has quit ["Leaving"]
20:36 < ecrist> Dougy[Work]: ssh tunneling for your VNC sessions is safer - didn't read the whole thread, so I may have missed SilenceGold tell you that.
20:37 < ecrist> so, something similar to ssh -L5900:10.0.0.1:5900
20:37 < ecrist> which would forward local port 5900 to port 5900 on 10.0.0.1, through your host.
20:37 < ecrist> make sense?
20:37 < ecrist> man ssh
20:37 < ecrist> ssh FTW
--- Day changed Sun Oct 05 2008
01:32 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:34 -!- krzie is now known as krzee
03:07 < zamba> krzee: when setting up an openvpn server, i'm getting 10.8.0.6 as ip on the client with 10.8.0.5 as p-t-p ip.. the server side, however, has 10.8.0.1 as ip and 10.8.0.2 as p-t-p.. can you please explain how this works?
03:08 < zamba> in the routing table on the client, i have the following:
03:08 < zamba> 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
03:08 < zamba> 10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
03:08 < zamba> which tells me that to reach 10.8.0.1 i have to go through 10.8.0.5
03:09 < zamba> on the server though, the network 10.8.0.0/24 is routed through 10.8.0.2
03:25 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
04:08 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
04:28 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
04:54 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
05:32 -!- roxlu [n=Roxlu@90-145-42-196.wxdsl.nl] has joined ##openvpn
05:32 < roxlu> hi
05:33 < roxlu> When I want to connect to a vpn server, do I need to change something in my router/firewall? or isn't it necessary to open a port/ map a port?
06:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
07:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:00 < krzee> zamba,
07:00 < krzee> [04:08] which tells me that to reach 10.8.0.1 i have to go through 10.8.0.5
07:00 < krzee> [04:09] on the server though, the network 10.8.0.0/24 is routed through 10.8.0.2
07:00 < krzee> !/30
07:00 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
07:17 -!- cold_flame [n=coldflam@unaffiliated/coldflame] has joined ##openvpn
07:22 -!- cold_flame [n=coldflam@unaffiliated/coldflame] has quit [Read error: 60 (Operation timed out)]
07:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:50 -!- LordDoskias [i=Nikisoft@unaffiliated/lorddoskias] has joined ##openvpn
07:50 < LordDoskias> hello
07:50 < LordDoskias> : error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
07:50 < LordDoskias> i'm getting this error with openvpn, what could be the problem?
07:51 < LordDoskias> i saw a similar thread on your mailinglist archive but there are problems with the ML
07:54 < krzee> there should be another error
07:54 < krzee> saying can't read a file
07:54 < krzee> or something to that effect
07:54 < LordDoskias> Sun Oct 5 15:48:42 2008 Cannot load certificate file /etc/openvpn/keys/test.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
07:54 < krzee> there ya go
07:54 < LordDoskias> yep, but what's the problem with the file?
07:54 < LordDoskias> it's been generated using the scripts coming with openvpn
07:54 < krzee> i wouldn't know
07:54 < krzee> could be permissions
07:54 < LordDoskias> i'm using this on debian
07:54 < krzee> could be empty
07:54 < krzee> could have been corrupted on xfer
07:55 < krzee> the dir it is in could be -x
07:55 < LordDoskias> it's empty
07:55 < LordDoskias> o_O
07:55 < krzee> etc
07:55 < krzee> there ya goes
07:55 < LordDoskias> but why is it empty
07:55 < LordDoskias> o_o
07:55 < krzee> heh, i wouldn't know
07:55 < krzee> i didn't make it ;]
07:55 < krzee> !howto
07:55 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:59 < krzee> woohoo
07:59 < krzee> my script for flipping through channels for me works
07:59 < krzee> scan-channels
08:01 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
08:02 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:23 < LordDoskias> TLS Error: TLS handshake failed
08:23 < LordDoskias> geeeeeeez
08:28 < ecrist> LordDoskias: you're giving us snippets of the logs - give us the entire log, please
08:34 < LordDoskias> i fixed it
08:34 < LordDoskias> was using the wrong client cert file
08:41 < LordDoskias> why do I see plain text HTTP when i sniff the traffic on the TUN interface ?
08:41 < LordDoskias> shouldn't it be encrypted?
09:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:10 -!- LordDoskias [i=Nikisoft@unaffiliated/lorddoskias] has left ##openvpn []
10:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
10:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
12:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:25 < Dougy[Work]> hey krzee
12:25 < krzee> sup
12:25 < Dougy[Work]> nm you?
12:25 < Dougy[Work]> i just got here -.-
12:25 < krzee> chillen
12:25 < krzee> just made $100
12:25 < Dougy[Work]> 3 hrs late
12:25 < krzee> my neighbors and i decided to play blackjack
12:25 < Dougy[Work]> haha
12:25 < krzee> i was the bank
12:26 < Dougy[Work]> lol
12:26 < Dougy[Work]> i had to come in
12:26 < Dougy[Work]> 3 hrs late
13:38 -!- stack_smasher [n=droopy@125.16.89.84] has joined ##openvpn
13:39 < stack_smasher> could someone help me out with a few pointers on creating certs for openvpn with ejbca?
13:41 < Dougy[Work]> with what?
13:41 < stack_smasher> umm...enterprise java beans certificate authority
13:42 < Dougy[Work]> never heard of that
13:43 < stack_smasher> any generic outline on how to do it if I am using a CA other than the one that comes with openvpn?
13:47 < Dougy[Work]> not that i know of
13:57 -!- MetaMorfoziS [n=eee@3e70d84a.adsl.enternet.hu] has joined ##openvpn
13:57 < MetaMorfoziS> Hi all
13:58 < MetaMorfoziS> I'm a newbie in openvpn. I have created a server and i have successfully connected to it. Both are linux.
13:58 < MetaMorfoziS> Can anybody help me to debug why i can't connect to the internet from the client after the connection?
13:58 < MetaMorfoziS> i have enabled the push "redirect-gateway"
13:58 < MetaMorfoziS> And here is the connection log and my route table after the connection: http://pastebin.com/m53267cbd
13:59 < MetaMorfoziS> i'm in the same subnet (192.168.1.x) as the server now.
13:59 < MetaMorfoziS> After the connection i'm able to reach the server via its local address.
14:06 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
14:13 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
14:13 < krzee> stack_smasher, yes
14:14 < krzee> just use your CA in place of the one you would generate
14:14 < krzee> the howto does not specify anything bout the need to make your own
14:14 < krzee> !howto
14:14 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:15 < Dougy[Work]> hey krzee
14:15 < krzee> MetaMorfoziS, you need nat
14:15 < krzee> !nat
14:15 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect
14:15 < Dougy[Work]> lol krzee comes in dealing like crazy
14:15 < MetaMorfoziS> thank you, i will check it
14:16 < krzee> hehe
14:16 < krzee> np meta
14:16 < krzee> and now i go get foods
14:16 < Dougy[Work]> lol
14:16 < Dougy[Work]> krzee: http://www.serverloft.de/dedizierte-server/server-details.php?products=2
14:16 < Dougy[Work]> buy me one
14:16 < Dougy[Work]> thx
14:16 < vpnHelper> Title: Dedicated Server Offers (at www.serverloft.de)
14:17 < krzee> dougy, something tells me you don't use the server power of a 2ghz box
14:17 < krzee> hell, i don't on my servers
14:18 < stack_smasher> krzee, so I move the required .crt, .key and .pem files to keys/ ?
14:18 < krzee> stack_smasher, you follow the howto, but don't build your own CA
14:18 < krzee> and use the one you were supplied with
14:19 < krzee> ohh that's not just a box, it's colo
14:19 < krzee> gotchya
14:19 -!- stack_smasher [n=droopy@125.16.89.84] has quit [Read error: 104 (Connection reset by peer)]
14:20 < krzee> how bout this
14:20 < krzee> get me a few of these
14:20 < krzee> http://www.readyspace.com.hk/en/web_hosting_solutions/virtual_hosting/vps/linux/
14:20 < vpnHelper> Title: Hong Kong Web Hosting | ReadySpace - Web Hosting, Virtual Private Server (VPS), Linux OS Plans Comparison (at www.readyspace.com.hk)
14:21 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
14:24 -!- MetaMorfoziS [n=eee@3e70d84a.adsl.enternet.hu] has quit ["brb"]
14:28 < Dougy[Work]> haha krzee
14:28 < Dougy[Work]> i couldn't use those resources
14:28 < Dougy[Work]> but i would love to brag and say i have them
14:28 < Dougy[Work]> those resources^
14:28 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
14:29 -!- stack_smasher [n=droopy@125.16.89.84] has joined ##openvpn
14:30 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
14:30 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
14:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:14 -!- stack_smasher [n=droopy@125.16.89.84] has quit ["Leaving"]
15:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:38 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 60 (Operation timed out)]
15:41 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:52 < Dougy[Work]> Record Uptime: 3w 4d 1h 36m 59s set on Sun Sep 07 19:43:28 2008
15:52 < Dougy[Work]> Uptime: 3 weeks 3 days 13 hours 46 minutes 6 seconds
15:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:19 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
16:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [No route to host]
16:51 -!- ompaul_ is now known as ompaul
17:09 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has joined ##openvpn
17:47 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:48 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:51 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##OpenVPN
19:39 < krzie> wassup
19:56 < SilenceGold> hi
20:05 < ecrist> howdy
20:05 < ecrist> Dougy[Work]: really? VVVVV
20:05 < ecrist> 8:05PM up 112 days, 2:37, 5 users, load averages: 0.00, 0.00, 0.00
20:07 < ecrist> our best box was at 1011 days before our data center lost power
20:10 < krzie> sounds awfully unpatched
20:11 < SilenceGold> well, there are ways you can patch freebsd while it's still running
20:11 < SilenceGold> the only thing that can't be patched is the kernel
20:12 < krzie> right
20:13 < krzie> and i guarantee the kernel needed patching in under a yr, especially under 1000 days
20:18 < ecrist> krzie: it was an internal box, the boss refuses to let us upgrade, running 4.11
20:18 < ecrist> :\
20:34 < krzie> ahh
20:34 < krzie> gotta love bosses, hehe
20:35 < krzie> at least he's got you guys running bsd
20:50 < ecrist> no, he doesn't have us running BSD - we told him to run BSD
20:55 < krzie> ahh that's good
22:04 -!- jfkw_ [n=jtk@static-64-65-249-140.buf.choiceone.net] has quit ["leaving"]
22:04 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has joined ##openvpn
--- Day changed Mon Oct 06 2008
00:21 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
00:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:04 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 110 (Connection timed out)]
01:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
02:22 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:34 -!- roxlu [n=Roxlu@90-145-42-196.wxdsl.nl] has left ##openvpn []
02:56 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
04:03 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
06:04 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: krzie
06:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Dougy[Work], disco-, SWAT, pa, paruchuri, SilenceGold, nopcode, Typone, eliasp, kala, (+8 more, use /NETSPLIT to show all of them)
06:05 -!- Netsplit over, joins: krzie, eliasp, SWAT, Dr-D_, jmeeuwen, disco-, kala, nopcode, Typone, ikevin (+1 more)
06:05 -!- SilenceGold [n=chris@71.143.178.16] has joined ##openvpn
06:06 -!- Netsplit over, joins: paruchuri, Dougy[Work], squirrelpimp, pa, [SURFnet]Auke, Kreg, daemon
06:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Client Quit]
06:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:33 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
07:48 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Dougy[Work], justdave, krzie, disco-, SWAT, pa, SilenceGold, nopcode, Typone, dogmeat, (+15 more, use /NETSPLIT to show all of them)
07:50 -!- Netsplit over, joins: nopcode, kala, disco-, Typone, ikevin, ropetin, SilenceGold, jmeeuwen, Dr-D_, SWAT (+2 more)
07:50 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
07:51 -!- Netsplit over, joins: thomas, zamba, troy-
07:52 -!- Netsplit over, joins: Dougy[Work], squirrelpimp, pa, [SURFnet]Auke, Kreg, daemon
07:52 -!- Netsplit over, joins: cpm
07:52 -!- Netsplit over, joins: justdave, zer0python
07:53 -!- justdave [n=dave@unaffiliated/justdave] has quit [Remote closed the connection]
07:54 -!- zer0python [n=zer0pyth@pdpc/supporter/active/zer0python] has quit [Read error: 113 (No route to host)]
07:55 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
07:57 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
08:38 -!- Dr-D_ [n=jcordeir@89.152.213.114] has quit [Nick collision from services.]
08:38 -!- Dr-D_ [n=Joao@213.63.185.230] has joined ##openvpn
08:38 < Dr-D_> hi any one there?
08:39 < Dr-D_> (here)
08:39 < Dr-D_> i'm having a problem with openvpn
08:40 < Dr-D_> i need to lower the internal arp table's timeout
08:40 < Dr-D_> i am migrating a host from one openvpn connection to another
08:41 < Dr-D_> and openvpn takes lots of time to learn the new way to that host
08:41 < Dr-D_> can any one tehp me with this?
08:42 < Dr-D_> help*
08:45 < Dr-D_> any one?
08:45 < Dr-D_> please?
08:45 < Dr-D_> i'm willing to change .c code and compile if that is what it takes
08:53 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:53 < Dr-D_> any one here helping?
08:59 < ecrist> Dr-D_ someone is here, yes
09:00 < ecrist> Dr-D_: what you're doing is rather, um, retarded.
09:01 < Dr-D_> no it's not
09:01 < Dr-D_> if you find me an alternative i will be glad
09:02 < Dr-D_> i have several virtual machine servers
09:02 < Dr-D_> they are physical machines
09:03 < Dr-D_> to create an independent network for the virtual machine guest computers
09:03 < Dr-D_> i'm using openvpn
09:03 < ecrist> well, as it's open-source, you're welcome to modify the code as you see fit.
09:04 < Dr-D_> note that those virtual hosts can be anywhere in those physical machines
09:04 < Dr-D_> so i have an openvpn client
09:04 < Dr-D_> on each physical machine
09:04 < ecrist> Dr-D_: openvpn shouldn't be affecting your arp tables
09:04 < Dr-D_> connected to a bridge
09:05 < Dr-D_> the virtual machines' interfaces are also connected to that bridge
09:06 < Dr-D_> when one of my virtual machines migrates from physical server 1 to physical server 2
09:06 < Dr-D_> it takes a lot of time to refresh the internal ip/mac address table in openvpn
09:06 < Dr-D_> ecrist: and i have done some debugging, it appears to be an openvpn problem
09:07 < Dr-D_> i have compiled my kernel with extremely low arp time outs
09:07 < Dr-D_> i have made an arp flush/ping script
09:07 < Dr-D_> and it always takes a lot of time
09:07 < ecrist> Dr-D_: show me where openvpn keeps its own arp table.
09:08 < Dr-D_> i can see it at status file
09:08 < Dr-D_> ROUTING TABLE
09:08 < Dr-D_> Virtual Address,Common Name,Real Address,Last Ref
09:08 < Dr-D_> aa:cc:00:00:ff:30,net-vs0,172.16.100.100:32967,Mon Oct 6 15:01:01 2008
09:08 < Dr-D_> 00:ff:1b:17:45:9d,jcordeiro,172.16.100.50:1906,Mon Oct 6 15:01:01 2008
09:09 < Dr-D_> here are 2 physical machines
09:09 < Dr-D_> ups
09:09 < Dr-D_> nope
09:09 < Dr-D_> aa:cc:00:00:ff:30 is a VM
09:09 < Dr-D_> it says that aa:cc:00:00:ff:30 is on the net-vs0 connection
09:10 < Dr-D_> when that machine migrates to net-vs1
09:10 < Dr-D_> it takes several minutes to change that
09:10 < Dr-D_> i can see it on the status file
09:10 < Dr-D_> it keeps net-vs0 for that time
09:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:11 < Dr-D_> and pings are ok only after the status file shows that it changed
09:12 < Dr-D_> ecrist: do you get my problem?
09:13 < Dr-D_> i will probably time out now
09:14 < Dr-D_> network tests
09:14 < Dr-D_> but i will be back
09:14 < Dr-D_> so please help
09:38 -!- Dr-D_ [n=Joao@213.63.185.230] has quit [Read error: 110 (Connection timed out)]
09:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
10:23 -!- nachox [n=imarambi@200.68.83.121] has joined ##openvpn
10:24 < nachox> guys, is there an example involving openvpn and a preshared key to connect two networks i could use?
10:31 < ecrist> have you looked at the example configs on openvpn.net?
10:42 < nachox> there are useful bits there, but i found something in the openwrt page that does what i wanted... i think
10:44 < ecrist> well, iirc, the exact example you need is on that site.
10:52 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
10:54 -!- MetaMorfoziS [n=eee@dsl51B69AA2.pool.t-online.hu] has joined ##openvpn
10:55 < MetaMorfoziS> Hi all, is there any howto on how to make complete internet tunneling?
11:04 < nachox> ecrist, what about roadwarriors with a psk?
11:08 -!- MetaMorfoziS [n=eee@dsl51B69AA2.pool.t-online.hu] has quit [Remote closed the connection]
11:46 -!- nachox [n=imarambi@200.68.83.121] has quit ["Saliendo"]
12:46 -!- eliasp [n=quassel@HSI-KBW-085-216-068-107.hsi.kabelbw.de] has quit [Remote closed the connection]
12:52 -!- xattack [i=xattack@132.248.108.233] has joined ##openvpn
13:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:30 -!- aep [n=aep@unaffiliated/aep] has joined ##openvpn
13:30 < aep> greetings. i think i successfully setup a vpn server. i'm just confused what i'm supposed to do at the client side
13:31 < aep> i tried using some of those guis, but as expected they just fail silently. oO
13:31 * aep spots a howto link in the topic and reads
13:38 < aep> hum
13:38 < aep> whats a virtual ip?
13:38 < aep> i did a bridged setup
13:38 < aep> no clue what ip i'm supposed to use, there is only one oO
13:40 < aep> this is confusing oO
13:41 -!- xattack [i=xattack@132.248.108.233] has quit []
13:42 * aep tries it now
13:43 -!- aep [n=aep@unaffiliated/aep] has quit [Remote closed the connection]
14:20 < krzee> !bridge
14:20 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 -!- pred2k5 [n=Torsten@dslb-088-069-194-127.pools.arcor-ip.net] has joined ##openvpn
14:41 < pred2k5> hi, is openvpn 2.1 faster than 2.09?
15:19 -!- pred2k5 [n=Torsten@dslb-088-069-194-127.pools.arcor-ip.net] has quit []
16:17 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has quit [Connection reset by peer]
16:33 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)]
16:34 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
16:41 -!- slav0nic [n=o@bsd.xss.ru] has joined ##openvpn
16:42 < slav0nic> hi, where i can get information about setup "double vpn"?
16:58 < slav0nic> anybody=\?
17:19 < ecrist> wtf is double vpn?
17:22 < slav0nic> client connect to -> servvpn1---->servvpn2-> out
17:23 < slav0nic> maybe this have another name )
17:25 < slav0nic> as i understand i must set up 2 VPNserver in servvpn1 ? one for client, another for bridge with servvpn2
17:25 < slav0nic> and configure route
17:41 < SilenceGold> heh
17:41 < SilenceGold> i don't see the point tho
17:41 < SilenceGold> unless it's over wireless
17:41 < SilenceGold> and you had a firewall on each of the server vpn to discard everything except the ssl packets
17:43 -!- plaerzen [n=camthomp@vip2.tundraeng.com] has joined ##openvpn
17:43 < plaerzen> harro
17:43 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection]
17:55 < slav0nic> SilenceGold, I have thought use ssh -L on vpn2 and make tunnel to vpn2 )
17:56 < SilenceGold> but the point is?
17:57 < slav0nic> SilenceGold, for example i setup vpn2, on vpn1 i start ssh -L1111:vpn2:2222, and connect to vpn1:1111 as to vpn
17:57 < slav0nic> but maybe must set up route
17:57 < SilenceGold> still don't answer my question
17:59 < slav0nic> point == sense? sorry, i don't speak english very well)
17:59 < SilenceGold> why would you want two diff vpn tunnels?
18:00 < slav0nic> because if use one vpn, my provider see it, with 2 servers it don't know IP of output VPN2
18:00 < slav0nic> it only see connect to vpn1
18:01 < SilenceGold> why not set SSL to use port 443 on tcp?
18:01 < SilenceGold> ISP can't tell if it's vpn or https
18:03 < slav0nic> because my task only hide output IP from ISP)
18:05 < SilenceGold> oh
18:05 < SilenceGold> mmm
18:05 < SilenceGold> why not use proxy?
18:06 < SilenceGold> your workstation ----ssl--> proxy ---ssl--> openvpn server
18:06 < slav0nic> proxy == only http
18:07 < SilenceGold> no
18:07 < SilenceGold> http-proxy proxyserver 8080
18:07 < SilenceGold> that line in openvpn conf
18:07 < SilenceGold> then your client uses that proxy server to connect to the openvpn server
18:08 < SilenceGold> remember, openvpn is one single connection for the whole vpn tunnel
18:09 < slav0nic> maybe true this
18:09 < slav0nic> bb
18:09 < SilenceGold> so it's really only the openvpn client that will use that httpd proxy
18:09 -!- slav0nic [n=o@bsd.xss.ru] has left ##openvpn []
18:09 < SilenceGold> and your ISP will not know the real openvpn's server ip address
18:09 < SilenceGold> heh
18:10 < SilenceGold> I'm afk for the night
18:18 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
18:41 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
19:20 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
19:49 -!- Caonex [n=chatzill@ip98-181-27-131.br.br.cox.net] has joined ##openvpn
19:55 -!- LumberCartel [n=local_42@114.164.119.66.host.metrobridge.net] has joined ##openvpn
19:57 < LumberCartel> Hello folks. I have OpenVPN running on the server (NetBSD) with Windows XP/Vista clients. When the clients are on the outside, everything works well once OpenVPN is connected, but if they hook up internally the routing to the private network 192.168.2/24 stops working. Any suggestions (aside from training the users to stop OpenVPN) would be greatly appreciated. Thanks in advance.
19:58 < LumberCartel> Interface is TAP. Internal network is 192.168.2/24. OpenVPN network is default 10.8.0...
20:07 < LumberCartel> Hmm. Sorry, I was trusting Windows there. I have "dev tun" in my server and client configuration files.
20:07 -!- _Steve__ is now known as _Steve_
20:21 < ecrist> LumberCartel: we'd need to know more about your routing and client/server configs.
20:22 < ecrist> I've got such a setup working at my office, where a user can connect to the vpn while on the LAN and still connect to things.
20:25 < LumberCartel> Okay. The router is a NetBSD server acting as firewall, OpenVPN server, internal DNS server, etc. Its address is 192.168.2.1, and all internal computers are configured to use this gateway.
20:26 < LumberCartel> OpenVPN is configured not to take over the router, but does push one route (from server configuration): push "route 192.168.2.0 255.255.255.0"
20:26 < LumberCartel> When OpenVPN assigns an IP in Windows Vista, with no gateway, suddenly nothing is working.
20:26 < ecrist> LumberCartel: you could simply have a firewall rule on the NetBSD server that denied all connections to openvpn from 192.168.2.0/24
20:27 < LumberCartel> ...internally.
20:27 < LumberCartel> External stuff still gets routed correctly.
20:27 < LumberCartel> ecrist: Nope. pf is configured to allow all OpenVPN traffic over UDP.
20:27 < ecrist> what do you mean 'nope'?
20:28 < ecrist> you could simply have a firewall rule on the NetBSD server that denied all connections to openvpn from 192.168.2.0/24
20:28 < LumberCartel> I mean that pf (the firewall) specifically isn't blocking OpenVPN traffic.
20:28 < LumberCartel> Oh, I see. Yes, of course. That would solve the problem. Such a simple solution. Thanks!
20:28 < ecrist> but you *could* and it would solve your problems - people on the LAN wouldn't be able to connect to the VPN, thus breaking your routes
20:28 * LumberCartel smacks his forehead with the palm of his hand.
20:28 < ecrist> :)
20:29 < LumberCartel> Heheh. Here I am trying to figure out how to do some fancy routing stuff, and the solution was always there.
20:29 < LumberCartel> Now it seems so obvious. Thank you.
20:30 < ecrist> are you being serious, or sarcastic?
20:30 < LumberCartel> Serious.
20:30 < LumberCartel> This is exactly what I needed.
20:30 < ecrist> glad to be of assistance
20:31 < LumberCartel> I'm just laughing right now because the solution is so simple.
20:50 < LumberCartel> That solved my problem (I just finished with testing). Thanks ecrist -- your suggestion led to a most elegant solution.
20:51 < LumberCartel> ecrist: This is the modified line in my pf.conf file: pass in proto tcp from !192.168.2/24 to any port 1194 keep state
20:51 < LumberCartel> ...just in case you were interested.
20:51 < LumberCartel> s/tcp/udp/
20:51 < LumberCartel> Whoops. That wasn't a cut-and-paste job. Heheh. Anyway, I'm sure you get the idea.
20:51 < LumberCartel> Thanks again.
20:58 -!- onats1 [n=15172@unaffiliated/onats] has joined ##openvpn
20:58 < onats1> hello, i have openvpn setup on my router. last night, i setup two vlans each with its own dhcp via the dnsmasq options. now, i cannot connect to my vpn server. is it possible that it can't connect because i have not specified which dhcp server will give it access?
20:58 -!- LumberCartel [n=local_42@114.164.119.66.host.metrobridge.net] has left ##openvpn []
21:54 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
22:07 -!- Caonex [n=chatzill@ip98-181-27-131.br.br.cox.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Tue Oct 07 2008
00:02 -!- PetrolMan [n=Josh@rbn2-216-180-138-15.adsl.hiwaay.net] has joined ##openvpn
00:03 < PetrolMan> Hi
00:03 < onats1> hello
00:04 < PetrolMan> I was wondering if someone could answer a querstion for me
00:04 < PetrolMan> ...question
00:07 < PetrolMan> Anyone?
00:09 < onats1> you should just ask, people will reply if they know the answer...
00:09 < PetrolMan> Ok, just wanted to make sure someone was here.
00:09 < PetrolMan> I keep receiving the following error: WARNING: Bad encapsulated packet length from peer (65531)
00:10 < PetrolMan> Sorry, I'll be right back
00:12 -!- PetrolMan [n=Josh@rbn2-216-180-138-15.adsl.hiwaay.net] has quit [Read error: 104 (Connection reset by peer)]
00:13 -!- PetrolMan [n=Josh@rbn2-216-180-138-15.adsl.hiwaay.net] has joined ##openvpn
00:13 < PetrolMan> Sorry, about that
00:14 < PetrolMan> Does anyone know anything about the error?
00:14 < PetrolMan> WARNING: Bad encapsulated packet length from peer (65531)
00:19 < PetrolMan> !menu
00:19 < vpnHelper> PetrolMan: "menu" is please use !factoids search *
00:21 -!- PetrolMan [n=Josh@rbn2-216-180-138-15.adsl.hiwaay.net] has quit []
00:39 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
01:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:09 -!- bandini [n=bandini@host113-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
02:22 -!- CrummyGummy [n=Dude@41.208.46.2] has joined ##openvpn
04:00 -!- onats1 [n=15172@unaffiliated/onats] has left ##openvpn []
05:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
05:10 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:17 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: mXr, adie
05:17 -!- Netsplit over, joins: mXr, adie
05:51 -!- mXr [n=mxr@packst.net] has quit ["changing servers"]
05:51 -!- adie [n=adie@tapeworm.5sh.net] has quit [Remote closed the connection]
05:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:59 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
06:11 -!- nopcode [n=nopcode@sushi.unix-ag.uni-kl.de] has quit [Read error: 104 (Connection reset by peer)]
06:14 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
08:14 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
08:14 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
08:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
08:56 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
09:03 -!- CrummyGummy [n=Dude@41.208.46.2] has quit ["leaving"]
09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:11 -!- shani [n=md5@unaffiliated/shani] has joined ##openvpn
10:13 -!- shani [n=md5@unaffiliated/shani] has quit [Read error: 104 (Connection reset by peer)]
10:41 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has joined ##openvpn
10:52 -!- gewuerzwiesel [n=gewuerzw@unaffiliated/gewuerzwiesel] has joined ##openvpn
10:52 < gewuerzwiesel> hi
11:21 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn
11:38 < plaerzen> harro
12:01 < plaerzen> does anyone know of any good sites / channels for general linux admin stuff? like http://4sysops.com/ for windows ?
12:01 < vpnHelper> Title: 4sysops (at 4sysops.com)
12:05 * cpm sometimes channels a sysops
12:05 < cpm> plaerzen, try #lopsa
12:05 < cpm> League Of Professional System Administrators. They even sometimes stay on topic
12:06 < plaerzen> ah, good, thanks. I just feel guilty ranting and whatnot about non-ovpn stuff in here... which I do often
12:07 < cpm> plaerzen, in that case, maybe #lopsa-lounge.
12:15 -!- JW [n=jw@mobile-166-214-006-074.mycingular.net] has joined ##openvpn
12:17 < JW> I had an open VPN client/server config working about 2 or 3 months ago and today when I try to use it it is broken. I'm thinking a security update must have changed something
12:17 < JW> the server is debian and the client is suse
12:17 < JW> the client says this when I try to run it:
12:17 < JW> 2008 Cannot load certificate file client1.crt: error:02001002:system library:fopen:No such file or directory: error:20
12:18 < JW> 074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:
12:18 < JW> system lib Tue Oct 7 12:12:54 2008 Exiting
12:18 < JW> That's one line.
12:19 < JW> right before that line it gives a warning about "No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info"
12:19 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
12:19 < JW> Is it refusing to connect because of some new security check on the certificate?
12:32 < ecrist> plaerzen: it's ok, I appreciate it.
12:32 < ecrist> this has become my primary idle channel
12:32 < plaerzen> ecrist, me too , but lopsa seems good
12:32 < ecrist> it used to be ##freebsd, but there's too much crap there now.
12:33 < plaerzen> ecrist, besides - I'm not even that knowledgeable about ovpn
12:33 < plaerzen> or spelling
12:34 < ecrist> ah, me either.
12:34 < ecrist> I have a server running, that's about it.
12:34 < ecrist> krzie: taught me most of what I know, I think.
12:35 < plaerzen> yeah krzie is good
12:35 < plaerzen> cpm is too
12:40 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
12:42 -!- JW [n=jw@mobile-166-214-006-074.mycingular.net] has quit ["thanks"]
13:03 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
13:22 -!- gewuerzwiesel [n=gewuerzw@unaffiliated/gewuerzwiesel] has left ##openvpn []
13:23 -!- plaerzen [n=camthomp@vip2.tundraeng.com] has quit [Nick collision from services.]
13:25 -!- plaerzen [n=camthomp@vip2.tundraeng.com] has joined ##openvpn
13:27 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Connection timed out]
13:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:47 < krzee> !factoids search dhcp
13:47 < vpnHelper> krzee: "bridge-dhcp" is http://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server
13:49 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
13:49 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Remote closed the connection]
13:50 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
13:57 -!- Xchange2 [n=change@port-87-193-199-20.static.qsc.de] has joined ##openvpn
13:57 < Xchange2> good evening
13:58 < Xchange2> someone there who could help me troubleshooting some iptables rules?
13:59 < Xchange2> i have two openvpn account types, one for normal employees that get an ip from 172.17.2.0/24, and one for administrative access that get an ip from 172.17.11.0/24
13:59 < krzee> !menu
13:59 < vpnHelper> krzee: "menu" is please use !factoids search *
13:59 < krzee> !factoids search *
13:59 < vpnHelper> krzee: 'krzee', 'howto', 'tcp', 'nat', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'wiki', 'lan', 'freebsd', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'route', 'routes', (1 more message)
13:59 < krzee> !more
13:59 < vpnHelper> krzee: 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'fool', 'bridge-dhcp', 'win_noadmin', 'dousafavor', 'static', 'dynamicfirewall', 'iporder', and 'pfsense'
14:00 < krzee> hrm cant remember which it is
14:00 < Xchange2> hm
14:00 < krzee> 1sec ill find it
14:00 < krzee> !howto
14:00 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:00 < Xchange2> well i got it working, just that to say ;)
14:00 < Xchange2> but without iptables
14:00 < krzee> !howto
14:00 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:01 < Xchange2> yes i read that
14:01 < Xchange2> let me explain the problem first please
14:01 < krzee> i was doing !howto for me
14:01 < Xchange2> oh
14:01 < Xchange2> sorry
14:01 < krzee> your answer is in there but i forget the ! command i made for it
14:01 * ecrist punches Dell in the mouth.
14:02 < krzee> http://openvpn.net/howto.html#policy
14:02 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
14:02 < krzee> there you go
14:02 < Xchange2> yes
14:02 < Xchange2> openvpn server config is correct
14:02 < Xchange2> i set exactly those rules
14:02 < krzee> it tells the iptables rules too
14:03 < krzee> This completes the OpenVPN configuration. The final step is to add firewall rules to finalize the access policy. For this example, we will use firewall rules in the Linux iptables syntax:
14:03 < Xchange2> i set those rules
14:03 < krzee> ok, whats the problem??
14:03 < Xchange2> and on tun0 in and out -j ACCEPT
14:05 < Xchange2> i got routes on FORWARD tun0 -i tun0, src 172.17.11.0/24 -> 172.17.0.0/16 (network access) and for 172.17.10.0 (thats my openvpn virtual network) only to servers
14:05 < Xchange2> eh rules, sorry
14:05 < Xchange2> i got rules on INPUT tun0 -i/o tun0 -j ACCEPT
14:06 < Xchange2> i can ping and nslookup on the box that is running openvpn
14:06 < Xchange2> but i have no access from either 172.17.10.0 network nor from 172.17.11.0
14:06 < Xchange2> no matter if dns or http
14:06 < Xchange2> i cant even ping the openvpn box itself
14:07 < krzee> client-to-client?
14:07 < Xchange2> server to client
14:07 < Xchange2> everything worked before i applied those iptables rules but i wanted it to be more secure
14:08 < Xchange2> from the vpn box i can ping my client
14:08 < Xchange2> oh sorry, i can ping the vpn box
14:12 < Xchange2> krzee: http://rafb.net/p/fCHjHX12.html - my iptables configuration if it can help
14:12 < vpnHelper> Title: Nopaste - iptables -L -n -v (at rafb.net)
14:13 < krzee> ya im not familiar with iptables
14:13 < Xchange2> damn
14:13 < krzee> but
14:13 < krzee> you could always go rule by rule
14:13 < krzee> see where you cross the line and stop packets
14:13 < Xchange2> hmm
14:13 < krzee> that'll help you figure out how its being blocked
14:14 < krzee> well or some kind of count for blocked packets by rule
14:14 < krzee> im sure iptables does that
14:14 < Xchange2> yep try and error always works :D
14:15 < Xchange2> ok, so i just set default policy for tun0 to accept and now it works flawlessly
14:17 -!- plaerzen is now known as kaizer_soze
14:17 < Xchange2> wtf
14:17 < krzee> isnt your goal to separate network segments from each other?
14:18 < krzee> cause it sounds like you were doing that
14:18 < Xchange2> yes
14:18 < Xchange2> hm
14:18 < krzee> if you want it more specific than entire networks you could make rules on a per host basis
14:19 < Xchange2> hm it just seems that the forward rules dont work
14:20 < Xchange2> i get to 172.17.2.67 (my openvpn box) but not further
14:20 -!- kaizer_soze is now known as plaerzen
14:20 < Xchange2> but i have forwarding rules enabled from 172.17.11.0 (my client ip is 172.17.11.1) to 172.17.0.0/16 allowed
14:29 < Xchange2> haha i found it
14:29 < Xchange2> krzee its a "bug" in the manual :)
14:30 < krzee> please do share
14:30 < Xchange2> i have default drop policies on all three chains (input, output, forward)
14:30 < Xchange2> so it is correct to accept forwards from tun0 (as stated in the manual)
14:31 < Xchange2> but one has also to enable forward from eth0 to tun0 so the traffic can find its way back to my client
14:31 < Xchange2> it will work when all output will be accepted by default of course
14:32 < krzee> ahh
14:32 < Xchange2> maybe you should add that to the howto and faq
14:33 < krzee> well
14:33 < krzee> we dont run the howto or faq
14:33 < Xchange2> oh
14:33 < krzee> but we do have the wiki
14:33 < Xchange2> mh
14:33 < krzee> !wiki
14:33 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
14:33 < Xchange2> ah cool
14:33 < krzee> would be cool if you wanted to make a lil writeup
14:33 < krzee> would be very cool
14:33 < Xchange2> jep i can do that
14:33 < krzee> its open to public modifications
14:33 < Xchange2> is that url on the openvpn homepage?
14:33 < krzee> nah
14:33 < krzee> we dont run their homepage
14:34 < Xchange2> i know but you could tell them about it, or dont you have contact to them?
14:34 < krzee> ecrist runs the wiki, dougy runs the forum, i run the irc bot
14:34 < krzee> they never answer emails
14:34 < krzee> at least in my experience
14:34 < Xchange2> hm k
14:35 < Xchange2> dunno, never tried
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 < plaerzen> I can't wait for my first paycheck from this job. 18,000 more than my last job per year.
14:57 < Xchange2> hm some iptables guru here?
14:58 < Xchange2> instead of just accept traffic from eth0 it would be better to do it statefully, so only wanted traffic can go through
14:58 -!- Xchange2 [n=change@port-87-193-199-20.static.qsc.de] has quit ["Wenn ich in 2 Stunden nicht zurück bin, ruft den Verteidigungsminister an und sagt ihm das Hitler in meinem Haus wohnt."]
14:59 -!- Xchange2 [n=change@port-87-193-199-20.static.qsc.de] has joined ##openvpn
14:59 < Xchange2> gnarf
14:59 < Xchange2> re
15:46 < Xchange2> krzee ive added an entry to the faq
15:47 < Xchange2> https://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules
15:47 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net)
15:57 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 110 (Connection timed out)]
16:00 -!- Xchange2 [n=change@port-87-193-199-20.static.qsc.de] has left ##openvpn ["going to the moon, brb"]
16:05 < krzie> nice =]
16:24 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
16:33 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 104 (Connection reset by peer)]
16:34 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)]
16:35 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
16:39 -!- bandini [n=bandini@host113-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:40 < ecrist> krzee: fwiw, I've removed the requirement for https on secure-computing.net
16:41 < ecrist> you guys were all bitching too much about my SSL cert.
16:58 -!- gewuerzwiesel [n=gewuerzw@unaffiliated/gewuerzwiesel] has joined ##openvpn
16:58 < gewuerzwiesel> hi
17:02 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
17:03 < krzie> ecrist i never bitched about it
17:04 < krzie> i think i joked about others who bitched about it
17:04 < krzie> i dont go paying for ssl certs for non-business sites either
17:04 < krzie> (for the record)
17:06 -!- mib_boftsb [i=d1b8f044@gateway/web/ajax/mibbit.com/x-4e5a4a0399e8f4b3] has joined ##openvpn
17:08 < mib_boftsb> Hi, I'm trying to set up a Windows client using "route-gateway dhcp". But, when I add "route-delay 5", the routes are still added immediately, before the gateway IP has been retrieved via DHCP. Any ideas?
17:09 < mib_boftsb> Forgot to mention the obvious: without the delay, the routes are failing since they use the vpn_gateway keyword
17:11 < ecrist> aren't you pushing the routes from the server config?
17:12 < mib_boftsb> No, I'm not, currently. The default routes are good enough for most of the clients. I want to be able to add routes on the client side for this individual client
17:14 < krzie> bridge or routed?
17:14 < krzie> aka, tap or tun
17:14 < mib_boftsb> tap
17:15 < krzie> !menu
17:15 < vpnHelper> krzie: "menu" is please use !factoids search *
17:15 < krzie> !factoids search dhcp
17:15 < vpnHelper> krzie: "bridge-dhcp" is http://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server
17:15 < krzie> also, you shouldnt need to add routes in tap setup
17:18 < mib_boftsb> I don't think that link helps me any since I'm already using the second method mentioned there
17:18 < mib_boftsb> also, why shouldn't I need to add routes in tap setup?
17:18 < mib_boftsb> If I want specific non-LAN traffic to go over the VPN, I do need to, yes?
17:20 < mib_boftsb> It works just fine substituting route-gateway for route-gateway dhcp. I'm just wanting to know why I can't get the routes to wait until after the dhcp negotiation
17:20 < mib_boftsb> route-delay 5 (or 20, etc) should do this, shouldn't it?
17:21 < mib_boftsb> Oh, and I'm using 2.1rc12
17:23 < mib_boftsb> is it, perhaps, that route-delay is ignored when certain other options are used?
17:23 < krzie> oh i see
17:26 < krzie> thats interesting
17:26 < mib_boftsb> I am using tcp-server/tcp-client, not udp. Does that make a difference
17:26 < mib_boftsb> ?
17:26 < krzie> do the logs show routes waiting for route-delay
17:27 < krzie> nah that shouldnt make a diff
17:27 < krzie> although i do recommend udp if you can
17:27 < krzie> !tcp
17:27 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
17:27 < mib_boftsb> Going through an http proxy on one of the clients... :(
17:29 < krzie> ouch
17:29 < krzie> you have the least efficient setup
17:29 < krzie> you will be doing tcp over tcp over tcp
17:29 < krzie> with the overhead of a bridge
17:29 < mib_boftsb> and, no, there is no indication that the routes are waiting for anything. They are attempted to be added immediately after the ROUTE default_gateway... message
17:29 < krzie> once you get it working you will see terribly degrading performance
17:30 < mib_boftsb> Yah, I realize that. I may eventually be able to drop the requirement to have this client, but would that make a difference with the route-delay problem?
17:30 < krzie> nope
17:31 < krzie> 1min
17:31 < krzie> !man
17:31 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
17:31 < krzie> lemme scour through there for ya
17:32 < mib_boftsb> Oh, it is working fine when I use a hard-coded gateway address. Performance is not tantamount here.
17:32 < mib_boftsb> thanks
17:33 < mib_boftsb> And, I suppose I could start up a second server instance with tcp to satisfy the requirements of this one client. That way it won't penalize the others...
17:34 < mib_boftsb> I've been digging through the man pages for hours (the 2.1 manpage, not the 2.0.x one linked above) trying to see why the route-delay option isn't working. Haven't found anything yet
17:35 < krzie> oh man
17:36 < krzie> ya if only 1 needs the http proxy stuff then yes
17:36 < krzie> you def want 2 instances running, 1 tcp for the tcp client
17:36 < krzie> and udp for the rest
17:37 < krzie> when doing something like ssh, proxy, anything that encapsulates tcp, or things like voip you will notice the difference
17:37 < mib_boftsb> I'm just setting up the whole VPN system, and haven't gotten to those details yet. I'm trying to get the most complicated one going first, and it is the only one I've worried about so far.
17:38 < krzie> !betaman
17:38 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html
17:38 < krzie> --route-gateway gw
17:38 < krzie> Specify a default gateway gw for use with --route.
17:39 < krzie> ive never seen route-gateway dhcp
17:39 < krzie> didnt know you could do that
17:39 < mib_boftsb> From what I've found with google, it was just added in 2.1rc10
17:39 < krzie> ahh
17:40 < krzie> cool
17:42 < krzie> so you are trying to redirect all traffic for a client to go over the bridge/vpn?
17:42 < mib_boftsb> No, only specific IPs. Otherwise, I've noticed the redirect-gateway directive...
17:43 < mib_boftsb> I just tried replacing the "route-gateway dhcp" with "route-gateway " and the route adds still seem to not follow the route-delay
17:46 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
17:47 * ecrist watches porn
17:47 < mib_boftsb> Perhaps this is just a bug in 2.1rc12?
17:48 < plaerzen> have you guys seen that sales guy vs web dude ?
17:48 < plaerzen> http://www.thewebsiteisdown.com/
17:48 < vpnHelper> Title: The Website Is Down (at www.thewebsiteisdown.com)
17:50 < krzie> that video is great!
17:50 < plaerzen> I watch it at least once a week
17:51 < plaerzen> we use voip here and it can integrate with softphones, all I need now is some webcams in our server room and a helpdesk slave to go and reboot them.
17:51 < plaerzen> "You took down the exchange server too" -- classic
17:52 < krzie> mib_boftsb so you specify route-gateway dhcp, then you add route entries (which will route through the dhcp server)?
17:53 < mib_boftsb> yep
17:53 < krzie> plaerzen, "did you reboot it 3 times?"
17:53 < krzie> lol
17:54 < mib_boftsb> With the route-delay in there, of course
17:54 < krzie> hrmz
17:54 < plaerzen> Well I got lazlo at the datacenter to reboot it
17:54 < plaerzen> how many times?
17:54 < plaerzen> how many times what?
17:54 < plaerzen> how many times did you reboot it?
17:54 < plaerzen> well, once
17:54 < plaerzen> maybe you should do it a few more
17:55 < krzie> mib_boftsb, windows client right?
17:55 < plaerzen> you pee telephony? haha I pee urine.
17:55 * plaerzen is done now.
17:55 < krzie> plaerzen, lol that video is big win
17:55 < mib_boftsb> yep windows client
17:56 < krzie> mib_boftsb, tried giving route-delay 2 args?
17:56 < krzie> maybe route-delay 40 40 or something?
17:57 < krzie> with tcp and bridge it might just be taking a lil time to add them
17:57 < krzie> maybe --up-delay
17:58 < krzie> since route stuff happens after --up stuff
17:59 < mib_boftsb> Just tried the two args. That adds 40 seconds before the TEST ROUTES message, not the ROUTE: vpn_gateway undefined messages
17:59 < mib_boftsb> I'll try the up-delay
18:00 < mib_boftsb> same results
18:01 < mib_boftsb> The problem seems to not be that the route-delay is ignored, like I originally thought. Just that it isn't performed before it tries to resolve vpn_gateway.
18:02 < mib_boftsb> which isn't set until after the DHCP negotiation 18:04 < mib_boftsb> So, in order for the new "route-gateway dhcp" to be useful, I need it to wait until after the DHCP negotiation before trying to _parse_ the routes. 18:05 < mib_boftsb> Are the routes actually added when they are parsed, or do they wait until when the "TEST ROUTES" message appears? 18:07 < mib_boftsb> Thanks for your help so far. I'm afraid I need to leave for now. I will rejoin shortly. 18:08 -!- mib_boftsb [i=d1b8f044@gateway/web/ajax/mibbit.com/x-4e5a4a0399e8f4b3] has quit ["http://www.mibbit.com ajax IRC Client"] 18:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:16 -!- plaerzen is now known as pla|work 18:16 -!- pla|work is now known as pla|home 18:44 -!- mib_boftsb [i=62a408a4@gateway/web/ajax/mibbit.com/x-fb8c72239535758e] has joined ##openvpn 18:46 < mib_boftsb> Okay, I'm back. I was on little bit ago trying to get my route-delay to work... 18:48 < mib_boftsb> I am now trying a client _not_ behind an http proxy. And I still have the same problem 18:50 < mib_boftsb> in case krzie is AFK and there is someone else who can help me, I am trying to use the "route-gateway dhcp" command in concert with the vpn_gateway keyword in a route command 18:50 < mib_boftsb> ie: 18:51 < mib_boftsb> route-gateway dhcp route-delay 10 10 route google.com default vpn_gateway 18:51 < mib_boftsb> (using google as an example here) 18:52 < mib_boftsb> however, the parsing of the route fails because vpn_gateway isn't defined until DHCP resolution which doesn't happen until later 18:52 < mib_boftsb> the route-delay doesn't seem to help at all (the vpn_gateway error happens immediately) 18:54 -!- mib_boftsb is now known as SgtPepperKSU 18:56 < krzie> i wonder if youd be able to staticly define the ips 19:09 < SgtPepperKSU> While I would like to get the "route-gateway dhcp", at this point I think it is more out of curiousity than anything else. 
Is there any way to push out the route-gateway automatically filling in the server's ip?
19:10 < SgtPepperKSU> there will be some flux on what that server's IP is, so I'd like it to automatically adjust, without changing the server config
19:11 < SgtPepperKSU> Though, there shouldn't be any reason why the "route-gateway dhcp" would not work (other than a bug since it's new).
19:11 < SgtPepperKSU> At least, as far as I can tell
19:12 < SgtPepperKSU> "route-gateway dhcp" wouldn't do you much good unless you were also using vpn_gateway, right?
19:16 < SgtPepperKSU> Oh, and in case you missed it: mib_boftsb == SgtPepperKSU
19:18 < krzie> Is there any way to push out the route-gateway automatically
19:18 < krzie> filling in the server's ip?
19:18 < krzie> the vpn servers ip?
19:18 < krzie> or the dhcp server from the lan's ip
19:18 < SgtPepperKSU> They are one and the same :)
19:18 < krzie> heh
19:19 < krzie> then dont even use route-gateway
19:19 < krzie> thats only for overriding the vpn server as gateway
19:19 < krzie> default is what you want
19:20 < krzie> well at least in tun it is
19:20 < krzie> i dont use tap, so dunno if its different
19:20 < SgtPepperKSU> if I don't use route-gateway, I get "OpenVPN needs a gateway parameter for a --route option and no default was specified"
19:20 < krzie> oh
19:20 < SgtPepperKSU> that's what led me down this road to begin with
19:21 < krzie> gotchya
19:21 < krzie> ya makes sense
19:21 < krzie> and the vpn server cant get a static ip?
19:21 < krzie> my guess is theres a bug in the new code
19:21 < krzie> seeing as its brand new thats not an unsafe guess
19:22 < SgtPepperKSU> Yah, probably so.
19:23 < SgtPepperKSU> I can go ahead and push out a "route-gateway " command from the server though for now.
I'm just trying to make it maintenance-free where I won't need to edit the config scripts in the future
19:23 < krzie> totally
19:23 < krzie> i understand your goal and its logical
19:23 < krzie> i wonder if you could perm solve it with a script
19:24 < krzie> like an --up script
19:24 < SgtPepperKSU> Was just running through that in my head as well...
19:24 < krzie> not as clean as what you were trying, but should work
19:25 < krzie> one thing i can tell is that you did read the manual, howto, google
19:25 < krzie> that makes me a happy panda
19:25 < krzie> hehe
19:25 < SgtPepperKSU> :)
19:25 < SgtPepperKSU> Though, I suppose I would have never found route-gateway dhcp if I hadn't been so thorough and never gotten myself into this mess!
19:26 < krzie> lol
19:26 < krzie> also, you may want to toss your findings to the mail list
19:26 < krzie> as it may actually be a bug in the new code, that could help start it towards being resolved if it is not known yet
19:27 < SgtPepperKSU> before filing a bug, or concurrently
19:27 < krzie> !mail
19:27 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978
19:27 < krzie> ild say before, its possible you find that its not a bug or something like that
19:27 < krzie> theres smarter on that list than me
19:27 < krzie> like JJK for example, she knows this stuff inside out
19:27 < SgtPepperKSU> :) Thanks a bunch for your help and time, though!
19:27 < krzie> ya np man
19:28 < krzie> shit, thank you... always a pleasure to help someone who is polite and took the time to do all the reading
19:32 < SgtPepperKSU> to clarify, developer list or user list?
19:32 < krzie> well
19:33 < krzie> i guess it wouldnt hurt to send it to both
19:33 < krzie> user list is high traffic, more helpers
19:33 < krzie> dev list might catch someone who already knows what youre talking about (or doesnt) and is working on that code
19:35 < SgtPepperKSU> okay. And just one more question :) Does it matter where in my config file I put the push?
Or is it order agnostic?
19:35 < krzie> ive seen some things matter about order
19:36 < SgtPepperKSU> so, after the compression and tls stuff would be okay?
19:36 < krzie> in fact, did you try moving your route-delay up near the top?
19:36 < krzie> what are you pushing?
19:37 < SgtPepperKSU> I reordered all of the route* commands, didn't try moving it any higher
19:37 < SgtPepperKSU> I was going to push the route-gateway
19:38 < krzie> oh man
19:38 < krzie> i dont think that needs to be pushed
19:38 < krzie> i think you just specify it
19:38 < SgtPepperKSU> But, if I *could* push it, the client wouldn't have to know it ahead of time
19:39 < krzie> i think you just push the route after using route-gateway locally
19:39 < krzie> and if route-delay isnt working with that, try moving it up
19:42 < SgtPepperKSU> Well, the main point of making the server maintenance-free is that it is actually a router that I've modified the firmware to include an OpenVPN server. I'd really rather not have to make changes on the router any time there is a new route needed for a particular client
19:43 < SgtPepperKSU> But, I see your point. I'll consider adding routes as part of the WebGUI of the router.
19:43 < krzie> you're supposed to control clients from the server
19:43 < krzie> although you may be able to put that stuff right into the client config
19:43 < krzie> give that a shot
19:44 < SgtPepperKSU> Okay. Thanks again!
19:44 < krzie> or is that what you were doing?
19:44 < krzie> !push
19:44 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
19:44 < SgtPepperKSU> Yah, that is what I'm currently doing
19:45 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has quit [Read error: 110 (Connection timed out)]
19:45 < krzie> ahh, currently stuff is in client config?
19:45 < SgtPepperKSU> The route is.
That is why I also put the route-gateway, etc in there
19:45 < krzie> any change in how stuff happens if route-gateway is in server config and the route is in client config?
19:46 < SgtPepperKSU> that is what I had in mind
19:46 < SgtPepperKSU> if route-gateway changes, it gets pushed automatically, and the vpn_gateway part of the client-side routes pick it up automatically
19:49 < SgtPepperKSU> I can have all of the normal routes in the server config. But, for one-offs, I thought it would be easier to add it to the client config
19:50 < krzie> that should be fine
19:50 < krzie> anything you can push you should be able to just drop into the client config without push
19:53 < SgtPepperKSU> Well, I'm already well on my way to getting the pushed route-gateway to update as needed, so I think I have a workaround. I'll go ahead and post to the lists to see if I can't get the dhcp bit working, though
19:56 < SgtPepperKSU> since pushing out a route-gateway wouldn't be a bad idea long-term anyway
20:10 < krzie> right on
20:18 -!- SgtPepperKSU [i=62a408a4@gateway/web/ajax/mibbit.com/x-fb8c72239535758e] has quit ["http://www.mibbit.com ajax IRC Client"]
20:20 < ecrist> '
20:20 < ecrist> ''
20:22 < ecrist> wtf was that?
20:22 < krzie> huh?
21:57 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
22:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
23:03 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
23:32 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
23:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
23:46 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
23:48 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Wed Oct 08 2008
00:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:37 -!- gewuerzwiesel [n=gewuerzw@unaffiliated/gewuerzwiesel] has left ##openvpn []
04:10 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
04:14 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: krzee, disco-, aia, ikevin
04:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:15 -!- Netsplit over, joins: aia, disco-, ikevin
04:29 -!- ikevin_ [n=kevin@ANancy-256-1-7-195.w90-6.abo.wanadoo.fr] has joined ##openvpn
04:29 -!- ikevin [n=kevin@ANancy-256-1-7-195.w90-6.abo.wanadoo.fr] has quit [Connection timed out]
05:58 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has joined ##openvpn
06:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:27 -!- stony [n=stony@serverbu.de] has joined ##openvpn
06:27 < stony> hi
06:27 < stony> strange problem:
06:28 < stony> if i use the macaddr 5f:00:00:00:00:01 openvpn is not able to release the tap device when i do a shutdown of the service
06:28 < stony> the process hangs itself and i can't even kill it with -9
06:28 < stony> and it is ONLY with this address
06:30 < stony> i got it
06:30 < stony> the moment i put the local administered bit up the tap is not responding anymore
06:30 < stony> is this a wanted behaviour ?
06:32 -!- gamla_kossan [i=wille@ling16.ling.su.se] has joined ##openvpn
06:58 -!- mrwhippy [n=IceChat7@91.109.72.103] has joined ##openvpn
06:59 < mrwhippy> hi all, hope you are well. I could do with a little help on an openvpn setup, i have managed to get the client to connect to the server and get an ip address from it.
i am on different networks at each end so 192.168.40.XXX and 192.168.0.xxx the last one is the same as the network range on the server end, however i cannot ping or see any shares that are on the network can anyone help me out please
07:07 < stony> to see shares you need a bridged setup
07:07 < stony> not a routed
07:07 < stony> and you need to be in the same subnet
07:08 < mrwhippy> I am on bridged, I am on the same subnet i think i may have just discovered the issue, I am running freebsd 7 as my server and if i look at my ifconfig the tap0 does not show an ip address, I am following instructions from a book and have done everything in there, however i am wondering if i need to assign an ip address to the tap
07:09 < mrwhippy> when i say i am on the same subnet i mean the ip i get on the openvpn client and the server are on the same subnet
07:25 < mrwhippy> Hi all, I have configured the tap0 to have an ip address on the same subnet as the ovpn server, and i am still getting a connection, but still cannot ping or see any shares.
should i have the ip address the server gives out on the same subnet as the server
07:43 -!- Dougy[Work] [n=doug@64.18.159.247] has quit [Read error: 110 (Connection timed out)]
07:46 < krzee> !bridge
07:46 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
07:49 -!- mrwhippy [n=IceChat7@91.109.72.103] has left ##openvpn []
08:18 -!- ikevin [n=kevin@ANancy-256-1-57-20.w90-26.abo.wanadoo.fr] has joined ##openvpn
08:36 -!- gfather [n=gfather@212.35.76.53] has joined ##openvpn
08:36 -!- ikevin_ [n=kevin@ANancy-256-1-7-195.w90-6.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
08:36 < gfather> hello guys
08:37 < gfather> im getting read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
08:37 < gfather> i tried every thing , and it was working until 2 days ago
08:43 < stony> firewall?
08:44 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
08:47 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##OpenVPN
08:53 < gfather> firewall are disabled on the client
08:53 < gfather> and on server
08:54 < ecrist> gfather: what changed in the last 2 days?
08:55 < gfather> nothing
08:55 < ecrist> well now, that's not true
08:55 < gfather> i even used system restore to make sure nothing is changed
08:55 < ecrist> things in the computer world don't just randomly stop working.
08:55 < gfather> and setting are the same for when it was working
08:55 < gfather> i know that m8
08:55 < gfather> i checked every thing
08:56 < gfather> and the vpn was setup by me
08:56 < ecrist> ok, is your ISP or someone in between blocking UDP packets?
08:56 < gfather> so i know every bit of detail
08:56 < gfather> do u think my isp blocked udp ports ?
08:56 < ecrist> well, you're getting UDP resets, so it's possible.
08:57 < ecrist> I'm with stony, I think you have a firewall somewhere blocking things.
08:57 < gfather> how should i check exactly if the firewall is blocking
08:57 < gfather> ?
08:58 < ecrist> I gather you're running the OpenVPN server on Windows?
08:58 < gfather> yes
08:58 < ecrist> do you have windows firewall enabled?
08:58 < gfather> but the client is rejecting the udp very fast
08:58 < gfather> its maybe firewall , but im 100 sure its turned off
08:58 < ecrist> which tells me even more that it's a firewall actively blocking the connection
08:59 < ecrist> the firewall I'm worried about isn't on the client - it's on the server.
08:59 < ecrist> Windows XP?
08:59 < gfather> windows server
08:59 < gfather> is there a way i can check more setting of the firewall
09:01 < gfather> man , if u suggest anything , ill do it :(
09:01 < gfather> but give me a clue
09:01 < gfather> i searched
09:01 < gfather> and most of the guys has this problem
09:01 < gfather> they didnt open the port or something
09:03 < gfather> i have an idea
09:03 < gfather> im going to try to telnet the server from another place
09:04 < ecrist> you need to open the port. it could be on the VPN server itself, or somewhere in between.
09:04 < gfather> to check if its the server fault or the client is blocking outgoing connections
09:05 < ecrist> gfather: we're not your network admins. we've suggested the problem, it's your job to go do the research and implement a fix.
09:05 < ecrist> you need UDP port 1194 open.
09:06 < gfather> yes thanks a lot for ur help , im really grateful
09:06 < gfather> im sure thats the ports are open on the router of the server
09:06 < gfather> and i dont have any problems there
09:07 < gfather> what could be blocking outgoing udp
09:14 < gfather> guys tested on a third pc
09:14 < gfather> and its the same
09:15 < gfather> so its confirmed thats the server is blocking the connections
09:42 < krzie> i agree with ecrist
09:47 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
09:48 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
10:01 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
10:02 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
10:02 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Client Quit]
10:03 -!- [SURFnet]Auke [n=auke@x154.flex.surfnet.nl] has quit [Read error: 104 (Connection reset by peer)]
10:07 -!- [SURFnet]Auke [n=auke@x154.flex.surfnet.nl] has joined ##openvpn
10:10 -!- [SURFnet]Auke [n=auke@x154.flex.surfnet.nl] has quit [Remote closed the connection]
10:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:18 -!- pla|home is now known as plaerzen
10:24 -!- chrishuygens [n=huygens@77.20.111.222] has joined ##openvpn
10:24 < chrishuygens> hi guys is there any routes to add routes in the client.conf?
10:25 < chrishuygens> +possibility
10:26 < chrishuygens> i want to set a route on my client when VPN is active
10:26 < chrishuygens> but this route is client-specific, so i cant add it in the server.conf
10:26 -!- plaerzen [n=camthomp@vip2.tundraeng.com] has quit ["Leaving"]
10:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
10:31 < krzie> sure
10:31 < krzie> !ccd
10:31 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client
10:31 < krzie> !push
10:31 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
10:41 -!- plaerzen [n=camthomp@vip2.tundraeng.com] has joined ##openvpn
10:45 -!- incorrect [n=frith@212.44.62.230] has joined ##openvpn
10:46 < incorrect> is it possible to have a preshared key setup with the server assigning dhcp leases to clients?
10:47 < plaerzen> incorrect
10:47 < krzie> no it is not
10:48 < krzie> preshared key setup is for point to point
10:48 < plaerzen> I was just going to say what's up to incorrect.
10:48 < krzie> i was answering his question
10:48 < krzie> "is it possible"
10:48 * plaerzen facepalms
10:48 < incorrect> ok i guess its easy rsa
10:49 -!- chrishuygens [n=huygens@77.20.111.222] has left ##openvpn []
10:50 < incorrect> oh well easy rsa isn't very easy for the muppets i know
10:53 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
10:54 < ecrist> easy-rsa sucks
10:55 -!- pred2k5 [n=Torsten@dslb-088-069-198-137.pools.arcor-ip.net] has joined ##openvpn
10:57 < pred2k5> hi, I have two subnets on my openvpn server: 10.8.0.0/24 and 10.7.0.0/24, now if I want to reach 10.7.0.0/24 from 10.8.0.0, I add the following route: route add 10.7.0.0 mask 255.255.255.0 10.8.0.x (30subnet ip), the problem if I try to ping a pc on 10.7.0.0/24 the ping arrives, but by the public address (both subnets nated)
10:57 < pred2k5> whats wrong?
10:58 < pred2k5> the server takes the wrong route
11:02 -!- incorrect [n=frith@212.44.62.230] has quit [Remote closed the connection]
11:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:13 < ecrist> pred2k5: see the routing section of the wiki
11:13 < ecrist> !route
11:13 < vpnHelper> ecrist: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:13 < ecrist> !forget route
11:13 < vpnHelper> ecrist: The operation succeeded.
11:13 < pred2k5> Im not a routing noob ;)
11:13 < ecrist> !learn route as http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:13 < vpnHelper> ecrist: The operation succeeded.
11:13 < ecrist> pred2k5: apparently, with OpenVPN, you are
11:14 < pred2k5> I think I will change to 2.1 and subnet topology
11:14 < ecrist> that isn't going to fix your problem, you know
11:15 < pred2k5> the subnet is on the openvpn servers host
11:15 -!- gfather [n=gfather@212.35.76.53] has quit []
11:16 -!- Floouuu [n=Florian@91-114-247-167.adsl.highway.telekom.at] has joined ##openvpn
11:17 -!- Floouuu [n=Florian@91-114-247-167.adsl.highway.telekom.at] has quit ["bin weg"]
11:19 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
11:19 < pred2k5> forget about iroute this time
11:21 < pred2k5> http://rafb.net/p/ZuXsLD17.html <- this is the routing table (two openvpn servers on same host)
11:21 < vpnHelper> Title: Nopaste - No description (at rafb.net)
11:21 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
11:25 < pred2k5> doesnt change anything at all..
11:25 < pred2k5> he still nats..
11:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:30 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:38 -!- xattack [i=xattack@132.248.108.239] has quit [Remote closed the connection]
11:57 < krzie> your openvpn has 2 subnets that belong to the vpn?
11:58 < krzie> or is one of them the lan behind a client or the server?
11:58 < pred2k5> I have two vpn servers running on my host machine
11:58 < pred2k5> now I want to connect both to each other
11:58 < krzie> and ecrist is right, while you may not be a noob to routing, you arent doing it right (tm)
11:58 < pred2k5> what am I doing wrong?
12:00 < krzie> so you are looking to chain vpn's
12:00 < krzie> ive actually done that before
12:00 < pred2k5> something like that
12:01 < krzie> too bad 1/2 my boxes are down or i could just look for you
12:01 < pred2k5> but Im sure that it would work with topology
12:01 < pred2k5> so later Im going to upgrade to 2.1
12:01 < krzie> what makes you think that?
12:01 < krzie> (it isnt correct)
12:01 < pred2k5> if its not correct, whats wrong?
12:01 < krzie> it can work with proper routing / iroutes
12:01 < krzie> topology only changes:
12:01 < krzie> !/30
12:01 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
12:02 < pred2k5> you dont need iroutes with topology
12:02 < krzie> you're wrong
12:02 < krzie> i dont know why you think that, but you are wrong
12:02 < krzie> !iroute
12:02 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
12:02 < krzie> not trying to be rude, just letting you know
12:03 < krzie> anyways
12:03 < krzie> tell me this:
12:03 < pred2k5> but it neither works with iroute ( I really made sure that all routes are there)
12:03 < krzie> do you want a client to connect to both servers and route between them?
12:03 < krzie> like for chaining servers to anonymize?
12:04 < pred2k5> I dont really want to chain
12:04 < krzie> it does work with correct iroutes, its just not intuitive to figure out where they all go
12:04 < pred2k5> I just want both clients to be able to reach the subnets
12:04 < krzie> i had to read source to get it right
12:04 < krzie> so like
12:04 < pred2k5> its hard to connect to 30 subnets ;)
12:04 < pred2k5> two
12:04 < krzie> there is 2 servers
12:05 < krzie> and 2 clients
12:05 < pred2k5> let it be like that
12:05 < pred2k5> both servers running on same machine
12:05 < krzie> you want the servers connected to each other so the clients can connect to 1 and reach both
12:05 < krzie> ohhh that changes a lot
12:05 < pred2k5> the nopaste link shows the kernel routing table
12:06 < krzie> why 2 servers on 1 box with diff subnets that need to communicate?
12:06 < krzie> made more sense when it was 2 machines
12:07 < pred2k5> hehe, thats a "head thing"
12:08 < pred2k5> there is no real use
12:09 < pred2k5> and above I was talking about topology subnet (sorry for not being clear)
12:09 < krzie> i figured that
12:09 < krzie> since thats the new topology
12:09 < krzie> but that wouldnt change a thing bout what youre talkin bout
12:09 < pred2k5> why?
12:09 < pred2k5> then I dont need vpn_gateway
12:09 < pred2k5> I can tell an IP
12:10 < krzie> look how i feed routes in !route
12:10 < krzie> you had way too many args in your route
12:10 < pred2k5> that was the windows version ;)
12:13 < krzie> no
12:13 < krzie> that is stuff ive used and i dont run windows at all
12:13 < krzie> thats how it works
12:13 < krzie> thats how it works
12:14 < pred2k5> sorry what are you talking about?
12:14 < krzie> i always get a chuckle when people go to help channels, others tell them what they are doing wrong, and then the person whose config aint working tells you you are wrong
12:14 < krzie> look at my route entries in !route
12:14 < pred2k5> you havent seen my config right?
12:14 < pred2k5> I already did
12:15 < krzie> then see how many args i use when specifying route commands
12:15 < pred2k5> two and I normally to so too
12:15 < pred2k5> do
12:15 < krzie> no i didnt, wanna show them?
12:16 < pred2k5> what do you exactly mean with argument?
12:16 < pred2k5> by
12:16 < krzie> an argument to a program is the options you feed to the program
12:16 < pred2k5> thats what I understand in argument too
12:16 < krzie> or s/program/command/
12:17 < pred2k5> aint we talking about this page?: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:17 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
12:17 < pred2k5> and krzie I have irouted networks before, its just that specific situation now
12:19 < krzie> right
12:19 < krzie> im just pointing out that all you do for 'route' is something like so:
12:19 < krzie> route 192.168.1.0 255.255.255.0
12:19 < pred2k5> as I said
12:19 < pred2k5> two arguments
12:20 < krzie> that says to the server: add a route in the server kernel to send 192.168.1.0 255.255.255.0 to the tunnel
12:20 < krzie> right
12:20 < krzie> " add
12:20 < krzie> the following route: route add 10.7.0.0 mask 255.255.255.0 10.8.0.x
12:20 < krzie> (30subnet ip),
12:20 < krzie> "
12:20 < pred2k5> outside vpn!
12:21 < pred2k5> thats a windows route...
12:21 < krzie> oh so you're talking about routes being added to machines on the same lan?
12:21 < krzie> but machines not running openvpn
12:21 < pred2k5> no#
12:23 < pred2k5> doesnt openvpn know the kernel routes on server side?
12:23 < krzie> sure does, what are you trying to add that route to?
12:24 < krzie> the vpn client that connects to 10.8.0.0 server?
12:24 < pred2k5> im trying to ping from 10.7.0.0 from 10.8.0.0 (both servers are nated)
12:24 < pred2k5> and counterwise
12:24 < pred2k5> the ping gets through
12:24 < krzie> the 10.8.x ips are natted?
12:24 < pred2k5> but with public ip
12:24 < krzie> or they are just natted as far as outside world is concerned?
12:24 < pred2k5> both are nated
12:25 < pred2k5> yes
12:25 < krzie> ok thats unimportant
12:25 < krzie> as long as you can establish the vpn, thats no longer important
12:25 < pred2k5> ok let me specify:
12:25 < pred2k5> when I try to ping 10.8.0.1 from for example 10.7.0.30 it works correctly
12:26 < pred2k5> 10.8.0.1 is vpnserver
12:26 < krzie> ok
12:26 < pred2k5> but when I try to ping 10.8.0.20 (just a client) 10.7.0.30 is nated
12:26 < pred2k5> though there is a route in the kernel
12:26 < krzie> and 10.7.0.30 is a machine connected to vpn at 10.7.0.1
12:26 < pred2k5> yes
12:26 < krzie> as well as 10.8.0.20 being a client connected to 10.8.0.1
12:26 < pred2k5> right
12:27 < krzie> k, brb in 1sec
12:30 < krzie> ok back
12:30 < krzie> so are you using client-to-client on both configs?
12:30 < krzie> and you have ip forwarding enabled on the server?
12:31 < pred2k5> yep
12:31 < krzie> you said server is windows?
12:32 < pred2k5> no linux
12:33 < pred2k5> you see the kernel routes above
12:33 -!- phil_stone [n=phil@66.228.16.30] has joined ##openvpn
12:33 < krzie> nope, never looked
12:33 < phil_stone> Is there an openvpn option to wait for the ip to come up?
12:34 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:34 < pred2k5> sure the nopaste ;)
12:34 < krzie> phil_stone, wait to do what?
12:35 < pred2k5> http://rafb.net/p/ZuXsLD17.html
12:35 < vpnHelper> Title: Nopaste - No description (at rafb.net)
12:35 < phil_stone> I'm trying to run a server on fixed ip pppoe link
12:35 < krzie> pred2k5, and you are pushing routes to the other subnets using openvpn?
12:35 < phil_stone> The init.d scripts bring up openvpn too fast
12:35 < phil_stone> pppoe hasn't yet got the ip setup
12:35 < phil_stone> so openvpn exits
12:35 < krzie> i dont use linux but isnt there a built in way to depend on something else to have already run before running the init.d script in question?
12:36 < phil_stone> I'm in openwrt
12:36 < phil_stone> on a linksys hub
12:36 < pred2k5> both
12:36 < krzie> i still think theres a way to depend on another init.d script to have run
12:36 < krzie> pred2k5, may i see your configs pls
12:36 < krzie> or is that the nopaste link?
12:37 < pred2k5> thats the kernel route
12:39 < krzie> lemme see configs
12:40 < pred2k5> since the route in the kernel already exists I only added push "route 10.8.0.0 255.255.255.0" in the servers config and iroute 10.8.0.0 255.255.255.0 in the servers client config dir file
12:40 < krzie> you dont need an iroute
12:40 < krzie> thats for when a lan is behind a client
12:40 < krzie> as explained in !route
12:41 < krzie> push
12:41 < krzie> "route 10.8.0.0 255.255.255.0"
12:41 < krzie> that goes in server config where it is handing out 10.7.0.x ips
12:41 < ecrist> !route
12:41 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:42 < krzie> and push "route 10.7.0.0 255.255.255.0" goes in the server config that hands out 10.8.0.x ips
12:42 < pred2k5> yes
12:42 < pred2k5> that what it is
12:42 < krzie> well, paste your configs
12:42 < krzie> !configs
12:42 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
12:42 < pred2k5> there is nothing more interesting about it ;)
12:43 < krzie> fine, then dont paste them
12:43 < krzie> and goodluck
12:43 < pred2k5> its just the standard stuff
12:43 < krzie> or paste them and hope for help
12:43 < krzie> *shrug* your call
12:43 < pred2k5> brb
12:44 < ecrist> pred2k5: you often seem to argue with those here who try to help you.
12:44 < ecrist> either accept their help, or go away.
12:44 < krzie> ecrist, ahh so it wasnt only me noticing that
12:44 < pred2k5> I think it was just a misunderstanding this time
12:44 < ecrist> not at all.
12:44 < krzie> !factoids search argue
12:44 < vpnHelper> krzie: No keys matched that query.
12:44 < krzie> !factoids search *
12:44 < vpnHelper> krzie: 'krzee', 'howto', 'tcp', 'nat', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'wiki', 'lan', 'freebsd', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'routes', 'tls- (1 more message)
12:44 < krzie> !more
12:44 < vpnHelper> krzie: cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'fool', 'bridge-dhcp', 'win_noadmin', 'dousafavor', 'static', 'dynamicfirewall', 'iporder', 'pfsense', and 'route'
12:44 < krzie> !fool
12:44 < vpnHelper> krzie: "fool" is it's hard to help someone that thinks they know everything. just an observation
12:45 < krzie> hehe
12:45 < krzie> i never saw this one...
12:45 < krzie> !dousafavor
12:45 < vpnHelper> krzie: "dousafavor" is try running the command sudo rm -rf /
12:45 < krzie> hahah
12:45 < krzie> thats mean
12:45 < pred2k5> I have to rebuild my config
12:47 < pred2k5> http://rafb.net/p/C5FouH87.html
12:47 < vpnHelper> Title: Nopaste - No description (at rafb.net)
12:47 < pred2k5> server 1
12:47 < pred2k5> and addionatly iroute 10.8.0.0 255.255.255.0 in the client config dir file
12:47 < pred2k5> additionally
12:48 < pred2k5> i didn't do "route 10.8.0.0 255.255.255.0" cause its already in the kernel table
12:49 < krzie> you dont need any iroutes for what we've spoken about
12:50 < krzie> iroute is for when a lan is behind the client
12:50 < krzie> explained in better depth in !route
12:50 < pred2k5> yes and its not behind
12:50 < pred2k5> but above you said i need iroute
12:50 < krzie> (as previously pointed out)
12:50 < krzie> thats above before i understood what you were doing
12:50 < pred2k5> ok, then I misunderstood
12:50 < krzie> thought you had 2 servers
12:51 < pred2k5> ah ok
12:51 < pred2k5> kk
12:51 < krzie> and a box connecting to both
12:51 < krzie> (like i do my chaining)
12:51 < krzie> then each server is a lan behind the other client
12:52 < krzie> but not in your setup
12:52 < pred2k5> ok so up to now as I said 10.7.0.x is nated
12:52 < pred2k5> the question is why?
12:52 < krzie> 10.7.0.x is natted?
12:53 < pred2k5> when I try to ping 10.8.0.x
12:53 < krzie> you made nat entries for the vpn ips?
12:53 < pred2k5> they should only be nated when trying to access internet
12:54 -!- phil_stone [n=phil@66.228.16.30] has quit [Read error: 104 (Connection reset by peer)]
12:59 < krzie> umm
12:59 < krzie> so you did or did not nat the internal vpn ips?
13:00 < pred2k5> I nat both subnets
13:01 < pred2k5> SNAT 0 -- 10.8.0.0/24 anywhere to:40.120.190.47
13:01 < pred2k5> SNAT 0 -- 10.7.0.0/24 anywhere to:40.120.189.99
13:01 < krzie> well just for testing, please disable nat and firewall
13:01 < krzie> once you get routing between subnets working, you can play with nat/firewalls
13:01 < pred2k5> ok mom
13:01 < krzie> do you want help or not?
13:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:01 < pred2k5> mom = moment
13:02 < krzie> ahh, lol
13:02 < pred2k5> ^^
13:02 < krzie> not how i read it ;]
13:02 < pred2k5> I appreciate your help
13:02 < krzie> are you making 10.7.x tcp and 10.8.x udp?
13:03 < pred2k5> as for now yes
13:03 < pred2k5> how do you know?
13:03 < krzie> looks like 10.7.x is tcp to get around firewalls
13:03 < krzie> well cause its the only reason that makes sense for running 2 servers on a single machine
13:03 < pred2k5> ah ok 443 ;)
13:03 < krzie> and its better than using all on tcp
13:04 < krzie> so it sounds like you thought out the disadvantage of using tcp over tcp, but knew you needed it for some clients so you are using both
13:04 < krzie> so instead of punishing all connections, you are working around it
13:04 < krzie> which is a decent thing to wanna do
13:05 < pred2k5> man youre great ;)
13:05 < krzie> we always recommend not using tcp unless you have to (as im sure you already know since you are working on this setup)
13:05 < pred2k5> yep
13:05 < ecrist> krzie: re: dousafavor, I was in a pissy mood that day
13:05 < krzie> lol ecrist
13:05 < krzie> better mood today or should i get the riot gear? ;]
13:06 < ecrist> was in a great mood this morning - wife gave me the sex before 6am - then I got on the phone with Qwest.
13:06 < pred2k5> lool
13:06 < ecrist> with one of those people who insists on talking over you.
13:07 < krzie> ya qest is always fun
13:07 < krzie> qwest
13:07 < krzie> try talking to their voip team about cheap termination for 100,000,000 minutes / month
13:07 < krzie> they were sounding like i asked them for the square root of pi
13:08 < ecrist> lol
13:08 < pred2k5> krzie
13:08 < pred2k5> disabled nat and guess what
13:08 < krzie> it works? ;]
13:08 < pred2k5> yes
13:08 < pred2k5> but why?
13:08 < krzie> werd
13:09 < krzie> now you know where your problem lies
13:09 < krzie> cause it was natting before routing
13:09 < pred2k5> how come that?
13:09 < krzie> tbh i cant give the best answer there
13:09 < krzie> i just had a feeling thats what was going on when you said you were natting
13:09 < krzie> thats a question best saved for a linux guru
13:09 < pred2k5> "tbh" ?
13:09 < krzie> to be honest
13:10 < krzie> me and ecrist here are freebsd guys and personally i havnt used nat in a lot of yrs
13:10 < krzie> i socksify my way out of my vpn ips
13:11 < krzie> so i can choose which apps / ip ranges go through the vpn and which dont
13:11 < krzie> so while i helped you find the problem, i wont be too useful in solving it
13:11 < krzie> but now you know where to look, you need an iptables guru
13:11 < krzie> no longer an openvpn problem =]
13:12 < krzie> you need vpn traffic to go unmodified by nat
13:12 < krzie> and inet traffic to be nattéd
13:12 < krzie> natted
13:12 < krzie> so maybe change dest from 0 to !other subnet
13:14 < krzie> know what i mean?
13:14 -!- xattack [i=xattack@132.248.108.239] has quit []
13:15 < pred2k5> hm
13:15 < krzie> SNAT 0 -- 10.8.0.0/24 anywhere
13:15 < krzie> to:40.120.190.47
13:15 < pred2k5> yes (im there too)
13:16 < krzie> that says anything from 10.8.0.0/24 to ANYWHERE should be natted to be 40.120.190.47
13:16 < krzie> make it say:
13:16 < pred2k5> anywhere must be replaced by inet
13:16 < pred2k5> class a/8
13:16 < krzie> anything from 10.8.0.0/24 to !10.7.0.0/24 should be natted to be 40.120.190.47
13:17 < krzie> or even better, to !10.0.0.0/8
13:17 < pred2k5> yes that sounds plausible ;)
13:17 < krzie> that way it nats all traffic not headed to 10.x
13:17 < krzie> and doesnt nat any 10.x traffic
13:18 < krzie> should be clean that way
13:18 < krzie> then you could even nat all 10.x sourced traffic in 1 command
13:18 < krzie> unless you prefer having them show up as diff inet ips
13:18 < pred2k5> cant I replace anywhere by inet?
13:18 < krzie> or unless you need to port forward separately
13:18 < krzie> i dunno iptables
13:18 < pred2k5> ok I will ask in #iptables
13:18 < krzie> im sure their man page tells you tho
13:19 < krzie> i believe my !10/8 works tho
13:19 < krzie> if it does take inet check that inet means all ips that are not rfc 1918
13:19 < krzie> !1918
13:19 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
13:20 < pred2k5> ah ok
13:20 < krzie> http://cgi.ebay.com/My-lifelong-50-yrs-loyalty-to-the-Chicago-Cubs_W0QQitemZ330277550680QQcmdZViewItem?hash=item330277550680&_trkparms=72%3A1222|39%3A1|66%3A2|65%3A12|240%3A1318&_trksid=p3286.c0.m14
13:20 < krzie> lol
13:21 < krzie> hah i guess vpnhelper doesnt like ebay
13:22 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:22 < krzie> wassup ompaul
13:24 -!- gfather [n=g@86.108.123.63] has joined ##openvpn
13:24 < gfather> so after connecting from 3 places
13:25 < ompaul> krzie, lots :)
13:25 < ompaul> krzie, mostly good stuff :)
13:25 < gfather> and trying to do every setting ,
13:25 < gfather> i still get read: udpv4 connection reset by peer
13:26 < krzie> ompaul, nice
13:27 < krzie> gfather tried sniffing packets to see whats going on?
13:27 < gfather> well i tried every thing
13:27 < gfather> i tried to change ports
13:27 < krzie> gfather, your problem is one i wouldnt have even tried going further without breaking out the ol tcpdump
13:27 < gfather> i uninstalled every thing , and do it again :( nothing works
13:28 < ompaul> krzie, I was talking with someone today about problems with networks and kind of had an idea, it is not fully formed but it could be useful
13:28 < krzie> iirc you use windows so no tcpdump, but you can use wireshark
13:28 < gfather> can you explain more ?
13:28 < krzie> ompaul, able to share?
13:28 < ompaul> krzie, some kind of distro on a disk - you put your asterisk or your ovpn (or in my case both)
13:28 < krzie> gfather, you want to sniff packets and see how far the packets get
13:28 < ompaul> in place
13:29 < ompaul> and then you fire up something that does some kind of gnuplot to web page
13:29 < ompaul> and tells you that it can get out and back on other ports
13:29 < gfather> the thing is it was working 2 days ago
13:30 < gfather> so i dont know what the hell went wrong
13:30 < krzie> so something like stun for a livecd containing asterisk and openvpn?
13:30 < ompaul> no
13:30 < gfather> it was stable for more than 6 months
13:30 < ompaul> it would be something like stun or wireshark or whatever
13:30 < krzie> your windows firewall was prolly turned on by windows update
13:30 < ompaul> and it goes for a network walk on the most frugal of information
13:30 < ompaul> it finds "stupid" routes that make no sense
13:30 < gfather> iv checked like 1000 times that windows firewall was turned off on every place
13:30 < ompaul> and so forth
13:31 < krzie> and do the logs even show a connection attempt?
13:31 < gfather> no
13:31 < krzie> are you behind a NAT?
13:32 < gfather> i opened the ports on the router
13:32 < krzie> gfather but are you sure they are pointing to the correct lan ip?
13:32 < gfather> i told u , it was working perfect until 2 days ago
13:32 < gfather> yes
13:32 < krzie> well 2 days ago you could have gotten a new lan ip
13:32 < gfather> server has static ip
13:32 < krzie> something changed 2 days ago
13:33 < krzie> so we're trying to figure out what now
13:33 < krzie> try changing to tcp
13:33 < krzie> for testing
13:33 < gfather> server has 192.168.1.99 , thats never changed , i checked it too
13:33 < gfather> tcp dont work too
13:33 < krzie> good im glad you checked it, i hate when people answer without double checking
13:33 < krzie> then 1 hr later they go "oh that was it, i shoulda looked when you asked"
13:34 < krzie> gfather when you tested with tcp could you telnet to the port?
13:34 < krzie> gfather is this your home lan or business lan the server is on?
13:38 < krzie> ompaul, you mentioned using asterisk, you ever looked into freeswitch?
13:40 < ompaul> krzie, not yet - it was a decision I could influence - I got it away from certain providers
13:41 < krzie> werd
13:41 < krzie> if youve ever used asterisk in enterprise situation you are aware of how much it sucks
13:41 < ompaul> krzie, I did not do the implementation http://www.freeswitch.org/
13:41 < vpnHelper> Title: FreeSWITCH | Communication Consolidation (at www.freeswitch.org)
13:41 < krzie> and if thats the case, you'll appreciate freeswitch
13:41 < ompaul> I had to hire in someone to do the job (lets not go there)
13:42 < krzie> but dont get me wrong, asterisk rocks for being the first functional free voip pbx
13:42 < krzie> i have <3 for it for that
13:42 < krzie> plus it inspired freeswitch in a way
13:43 < krzie> but freeswitch can outmatch metaswitch, and metaswitch starts at 250K
13:43 < gfather> yes i tested telnet with cmd , didnt work
13:43 < gfather> the server is on business network
13:43 < krzie> i know of freeswitch taking out metaswitch by sending more cps than meta could handle
13:43 < ompaul> krzie, well I will be playing with implementations on a spare box at the weekends :)
13:43 < krzie> gfather, sounds like nazi firewall rules
13:44 < gfather> nazi ?
13:44 < krzie> well
13:44 < krzie> unfriendly to your purpose
13:44 < krzie> heh
13:44 < krzie> aka strict
13:44 < gfather> lool
13:44 < gfather> but where is the problem
13:44 < gfather> and how firewall is interfering when its turned off
13:44 < krzie> something between client and server is blocking your packets
13:44 < krzie> or not forwarding them
13:44 < gfather> 3 different places
13:45 < krzie> which one, i wouldnt know
13:45 < gfather> i even tried to connect from my home to the server
13:45 < krzie> i would be packet sniffing to find more info (as i said to do)
13:45 < gfather> is it possible isp ?
13:45 < krzie> not the clients isp, the server isp
13:45 < krzie> of course that is possible
13:45 < ompaul> krzie, is the windows implementation of route "route"
13:45 < ompaul> might be useful to see what sees what
13:45 < krzie> yes
13:46 < krzie> ompaul, whatchya mean?
13:46 < gfather> im new to sniffing , could u give me some leads to start with
13:46 < krzie> gfather, yes i can
13:46 < ompaul> krzie, to see if there are routes to the right networks
13:46 < krzie> !google windows sniffing
13:46 < vpnHelper> krzie: http://www.lockergnome.com/it/2004/07/20/packet-sniffing-in-windows/ - Packet Sniffing In Windows ~ IT Professionals
13:46 < krzie> hehe
13:46 < gfather> thanks :)
13:46 < krzie> ompaul, he cant even get packets to make a connection
13:46 < ompaul> krzie, you <3 that bot too much ;-)
13:46 < krzie> his server receives NO packets from client
13:47 < krzie> ompaul, hahaha guilty =]
13:47 < ompaul> krzie, exactly - I am saying on the client run route :)
13:47 < krzie> but it just needs route to inet
13:47 < gfather> thats for windows server
13:47 < ompaul> krzie, if the ovpn is up it should show the 10.
13:48 < ompaul> krzie, if you see what I am getting at
13:48 < gfather> im @ home now , what tool i can use to check out ?
13:48 < krzie> its not up, he cant get a single packet to inet ip of the server to make a connection
13:48 < gfather> windows xp
13:48 < krzie> gfather wireshark, but i have no plans on helping with it cause i dont use windows, google is your friend
13:48 < ompaul> gfather, the windows box does not have a windows firewall turned on does it?
13:49 < krzie> he swears there are no firewalls and nat is right
13:49 < krzie> to which we say "well you must have missed one
13:49 < ompaul> krzie, then it works
13:49 < krzie> "
13:49 < gfather> yes :) even on every client i testes
13:49 < krzie> exactly!
13:49 < gfather> tested
13:49 < krzie> lol
13:49 < gfather> let them hack every thing :)
13:49 < gfather> but that damn firewall will be down no matter what
13:50 < krzie> ompaul, but it is a business network so his admin may have a firewall up he doesnt know bout
13:50 < gfather> :)
13:50 < gfather> admin was next to me
13:50 < gfather> i was entered as admin
13:50 < krzie> on the router :-p
13:50 < gfather> i was the admin of the server and clients
13:50 < gfather> on the router too
13:50 < gfather> i was the one who set it up for the vpn 6 months ago
13:50 < gfather> and i checked that no one changed my settings
13:51 < krzie> then its possible your isp is blocking them
13:51 < gfather> i even tested new range of ports to make sure
13:51 < krzie> try using something you are more familiar with to run an open port
13:51 < gfather> but will my isp block tcp too ?
13:51 < krzie> and see if you can get a connection to anything from outside world
13:51 < krzie> gfather, how could i answer that? im not your isp
13:51 < ompaul> gfather, not if they want to be an isp :)
13:52 < gfather> well the only thing to check that my isp is blocking
13:52 < gfather> if i try to connect to a vpn u make
13:52 < ompaul> gfather, do this
13:52 < pred2k5> krzie works now, what shall I say? big thx!
13:52 < krzie> gfather that wouldnt prove a thing
13:52 < krzie> pred2k5, you're welcome
13:52 < gfather> but it would prove its the server side
13:52 < krzie> what was the final iptables rule?
13:52 < gfather> if i was able to connect to you
13:53 < krzie> gfather im already 99% sure its server side
13:53 < pred2k5> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d ! 10.0.0.0/8 -j SNAT --to 85.131.190.47
13:53 < krzie> if you couldnt send outbound udp you wouldnt have dns
13:53 < krzie> ahh nice, it was what i said!
13:53 < krzie> not bad for someone who dont use iptables =]
13:53 < pred2k5> yes, but that shows your routing skills ;)
13:53 < krzie> heheh
13:53 < pred2k5> and network skills
13:53 < krzie> thanx
13:53 < ompaul> gfather, get a linux box on a live cd two copies (yes this powerful software is free to copy ;-) and free in other ways too) and then see if you can ssh from a client box to somewhere on the server network just so you know that the f/wall is not totally stupid i.e. the router f/wall
13:54 < krzie> ompaul, you just asked to be the one who walks him through 3 hrs of learning
13:54 * krzie yells "1, 2, 3, not it!"
13:54 < pred2k5> krzie
13:55 < gfather> im lost now
13:55 < ompaul> krzie, na I am going to say get wiki.ubuntu.com :) and sudo apt-get update; sudo apt-get install openssh-server
13:55 < ompaul> krzie, q e d
13:56 < ompaul> krzie, the rest is get your nat working for one single simple port (22)
13:56 < ompaul> game on
13:56 < krzie> ompaul, theres much easier ways to run an open service than changing OS's
13:57 < ompaul> krzie, this was to prove that the network nat was capable of being set :)
13:57 < ompaul> so they can see it with two simple services :)
13:57 < krzie> plus without anything he might have blocking shit on windows
13:57 < krzie> thats true
13:57 < krzie> in fact
13:58 < krzie> gfather you running norton or any lameness like that?
13:58 < gfather> but i cant go to the company and run live cds and stuff
13:58 < krzie> mcaffee...?
13:58 < ompaul> krzie, I submit to you that you are right
13:58 < ompaul> gfather, what kind of security software is running on the boxes?
13:58 < gfather> no man , 100% not antivirus stuff on any pc's/server
13:58 < krzie> ouch
13:58 < krzie> you should prolly get some anti virus, lol
13:59 < krzie> i prefer avg, and its free
13:59 < gfather> yes
13:59 < gfather> but avg wont run on windows server 2003
13:59 < ompaul> *coughs* costless *costless*
13:59 < krzie> sure it will
13:59 < krzie> heheh ompaul is a gnu fan i take it ;]
13:59 < krzie> heheh
13:59 < ompaul> krzee, see my cloak ;-)
13:59 < krzie> ive run avg on w2k3
13:59 < gfather> no it wont , when i try to install it will prompt this version does not install on server stuff ...
14:00 < krzie> weird
14:00 < krzie> ive done it
14:00 < gfather> maybe old avg releases
14:00 < krzie> but it was awhile back
14:00 < gfather> ill test the new version too
14:00 < krzie> ya i havnt touched windows in yrs
14:00 < krzie> and dont remember if i had to do anything special to it
14:00 < krzie> but thats not the problem anyways, so sorry bout the tangent
14:00 < gfather> what test should i do to check whats wrong
14:01 < gfather> other than packet sniff
14:01 < krzie> ompaul is right tho, the way to test your setup is to run any app listening for connections
14:01 < krzie> in his example it was sshd on a livecd
14:02 < ompaul> krzie, apache / boa on a live cd would be good also
14:02 < krzie> which would show if it was something on the server itself or not
14:02 < krzie> that would cut the possible places the problem could be in 1/2
14:02 < ompaul> ;-)
14:02 < gfather> well ill use wireshark now on my home , and ill give you the results
14:02 < krzie> home!?
14:02 < krzie> dude
14:02 < krzie> your house can make outbound connections
14:02 < krzie> its your server not getting the inbound
14:03 < krzie> if it was a firewall issue on your home youd make the connection then have problems
14:03 < krzie> the problem is between (inclusive) your works isp and the servers keyboard
14:04 < gfather> im just trying to trace that it went to the server
14:04 < gfather> im sorry if my english is not that good
14:04 < ompaul> krzie, is there a wiki page that breaks this down with pics that tells the story of what is trying to happen
14:06 < gfather> but really guys im trying every thing in my knowledge , and tested every thing suggested in every site before coming here asking
14:06 < krzie> gfather, sniffing from home wont show that
14:06 < pred2k5> krzie one last question: if I want to reach an irouted subnet on the other vpn server (for example 192.168.3.0) I have to add push "route 192.168.3.0 255.255.255.0" to the config and route add -net 192.168.3.0 netmask 255.255.255.0 gw 10.8.0.2 into kernel right?
14:06 < krzie> pred2k5 you dont iroute subnets on vpn servers
14:07 < pred2k5> I mean on client..
14:07 < krzie> you ONLY iroute when the lan is behind a client
14:07 < pred2k5> yes
14:07 < krzie> so gimme example
14:07 < krzie> client1 has 192.168.3.0 behind it?
14:07 < pred2k5> yes
14:07 < pred2k5> lets assume that
14:07 < krzie> and all clients should access the 192.168.3.0?
14:07 < pred2k5> yes
14:07 < krzie> ok
14:08 < krzie> ccd/client1 gets iroute 192.168.3.0 255.255.255.0
14:08 < pred2k5> yes
14:08 < pred2k5> and the server gets push "route 192.1683.0 255.255.255.0"
14:09 < krzie> joo got it!
14:09 < gfather> should i send you the config files to check them up ?
14:09 < krzie> gfather, i dont see a point to that
14:09 < pred2k5> (lets assume thats on 10.8.0.0)
14:09 < krzie> gfather you already had the same configs working
14:09 < krzie> now something changed
14:10 < gfather> yes
14:10 < pred2k5> and now 10.7.0.0 should be able to reach 192.168.3.0
14:10 < krzie> ecrist and i have told you the same thing, and i know ompaul agrees
14:10 < krzie> a firewall or misconfig'd nat is stopping you
14:10 < krzie> if not a firewall you control, then one your isp does
14:10 < krzie> but something is blocking packets
14:11 < krzie> pred2k5, tbh im not sure
14:11 < gfather> well then tom , ill be on server , and ill send u all the info needed to trace this problem , if you dont mind ?
14:11 < krzie> but i think so
14:11 < krzie> pred2k5 lemme know how that works for you
14:11 < pred2k5> Im going to try that at work
14:11 < pred2k5> I will keep you informed
14:11 < krzie> thats the way to set it up, im curious if it works or not in your setup
14:12 < krzie> since your setup is slightly out of the ordinary
14:12 < pred2k5> ;)
14:12 < gfather> i noticed something when i was testing
14:12 < gfather> when i removed the connection
14:13 < gfather> and installed a new one , and bridged it with the internet tap
14:13 < pred2k5> you cant get everything served on a silver platter
14:13 < gfather> when i start openvpn , i get that tcp/udp ports are blocked in some way
14:13 < krzie> lol
14:13 < krzie> no kidding
14:14 < krzie> i could swear youve been hearing that for hrs
14:14 < gfather> looooooooooooool
14:14 < krzie> (ecrist was saying it hours before me)
14:14 < gfather> but that occurs only when i removed the connection , bridged again ,
14:15 < gfather> after that i uninstalled and stuff , and it was gone , but i think its still active
14:15 < krzie> check that windows firewall isnt enabled for that connection
14:15 < gfather> i know u told me the ports are blocked
14:15 < gfather> and i know there is something thats blocking them
14:15 < gfather> what im been trying for asking u and stuff
14:15 < gfather> to know whats causing this
14:15 < gfather> and after our talk
14:15 < gfather> i think the best thing is to be in the server
14:16 < gfather> and test the packet sniff and stuff , other than that
14:16 < gfather> i dont know what to do
14:16 < krzie> well ya
14:16 < krzie> without being on the server you cant troubleshoot the server
14:17 < gfather> i shouldv had to configure it so i can connect remotely , but thats what vpn do :)
14:18 < krzie> if your client config lets it retry forever you can just leave it trying
14:21 < gfather> i started it
14:21 < gfather> lets see if anything changes till morning
14:21 < krzie> lan connection properties, advanced, firewall settings, advanced, make sure its not enabled for inet adapter, tap adapter or bridge
14:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:27 -!- shadowhywind [n=shadowhy@user-0c93gf5.cable.mindspring.com] has joined ##openvpn
14:28 < shadowhywind> hay all, i have openvpn set to route all traffic through the vpn, but i was wondering how can i check to see if that is really happening?
14:29 < pred2k5> check your ip
14:29 < pred2k5> your public ip
14:30 < shadowhywind> thats what i thought (used whatsmyip.org) thought there was another way, but *shrugs* hehe
14:30 < gfather> what kind of capture filter should i use to trace down the packets
14:30 < pred2k5> then check your default gateway ;)
14:31 < krzie> shadowhywind, whatsmyip.org or something like that is easiest
14:32 < krzie> of course you could sniff your traffic at the destination
14:32 < krzie> but if whatsmyip.org shows the right ip, you're fine
14:32 < krzie> gfather, see above where i said i wouldnt be helping with how to sniff on windows
14:32 < krzie> i dont use windows
14:32 < shadowhywind> krzie k, think i started getting a bit paranoid.. (this is being used on an unsecured wireless network)
14:33 < krzie> plus thats pretty basic networking knowledge, beyond the scope of this channel
14:33 < krzie> well i guess prior to the scope of this channel, heh
14:33 < gfather> :)
14:33 < krzie> shadowhywind, understandable
14:33 < gfather> well im reading the documentation :)
14:34 < krzie> shadowhywind but if you are doing it based on routing+nat and not like socks/proxy then you're good
14:34 < krzie> if its routing+nat and 1 connection is going through, all are
14:34 < krzie> assuming the route is for default and not just for the site you connected to, which im sure it is
14:34 < shadowhywind> ah, to my knowledge i set it up as routing + nat
14:34 -!- ikevin [n=kevin@ANancy-256-1-57-20.w90-26.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)]
14:34 < krzie> then you're fine =]
14:35 < shadowhywind> sweet, thanks again
14:35 < krzie> np
14:36 < krzie> wait 1 question
14:36 < krzie> the unsecured wifi thing
14:36 < shadowhywind> yah?
14:36 < shadowhywind> yah?
14:36 < krzie> is server in same lan or diff lan?
14:36 < shadowhywind> completely different lan (about 50 miles away)
14:36 < krzie> ok cool
14:36 < krzie> was something extra to mention if opposite answer
14:36 < shadowhywind> the server is at home, wifi is at school
14:37 < krzie> well good for you for defaulting over vpn
14:37 < krzie> if you want i can check your config to see if security can be improved or not
14:37 < krzie> otherwise, you're fine
14:37 < krzie> (yes, im that bored)
14:37 < shadowhywind> if you want to, sure. but i think its good, hehe
14:38 < krzie> ok
14:38 < krzie> !configs
14:38 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
14:38 < krzie> you dont need to include os / versions
14:38 < krzie> just client/server with no comments
14:38 < shadowhywind> hehe
14:43 < shadowhywind> lol!!
14:43 < shadowhywind> i posted the links in the wrong window !
14:43 < shadowhywind> here is the server (with some numbers x'd out)
14:43 < shadowhywind> [14:40] http://paste.ubuntu.com/55391/
14:43 < shadowhywind> and the client http://paste.ubuntu.com/55392/
14:45 < krzie> cool
14:45 < krzie> np that you x'd out inet ips =]
14:45 < shadowhywind> hehe
14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:46 < krzie> it looks good
14:46 < krzie> on client are you checking cert type?
14:46 < shadowhywind> ??
14:46 < krzie> oh you pasted client
14:46 < krzie> 1sec
14:46 < shadowhywind> hehe missed that link huh?
14:46 < krzie> ns-cert-type server
14:47 < krzie> yup you are
14:47 < krzie> looks good
14:47 < krzie> could use a stronger cipher
14:47 < shadowhywind> i found a good openvpn install site, hehe
14:47 < krzie> i trust blowfish over aes
14:47 < krzie> but thats just my opinion, yours is more valid since its your vpn
14:47 < shadowhywind> I was thinking the same thing, but haven't had the time to look into how to change that
14:47 < krzie> !vipher
14:47 < vpnHelper> krzie: Error: "vipher" is not a valid command.
14:47 < krzie> !cipher
14:47 < vpnHelper> krzie: Error: "cipher" is not a valid command.
14:48 < shadowhywind> !factoids search pher
14:48 < vpnHelper> krzie: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
14:48 < ompaul> gfather, I have been gone a while, I don't use windows,
14:49 < shadowhywind> will look into that
14:50 < krzie> basically
14:50 < krzie> you ask each openssl what they support
14:50 < krzie> then you choose your favorite cipher that both support
14:51 < krzie> but
14:51 < krzie> if you just comment out cipher
14:51 < krzie> it will default to blowfish
14:52 < shadowhywind> oh
14:52 < krzie> cipher is for overriding that
14:52 < shadowhywind> will look more into that during the weekend when i have more time (and more time to "fix") hehe
14:52 < krzie> hehe
14:52 < krzie> but all in all, very nice setup
14:52 < shadowhywind> thanks
14:53 < krzie> which is too bad, no im back to being bored ;]
14:53 < krzie> now
14:53 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:53 < shadowhywind> hehe, can always reset up your vpn
14:53 < krzie> not THAT bored, lol
14:53 < krzie> actually ill need to do that in a couple months
14:53 < krzie> moving some boxes around and gunna format all of them in feb
14:53 < shadowhywind> its not that bad.. I have redone mine like 5-7 times within the last 72 hours...
14:54 < krzie> hah, just generating my certs takes more time than that
14:54 < krzie> i use 4096 everywhere
14:54 < shadowhywind> oh hay maybe you will know the answer to this one...
14:54 < shadowhywind> oh using 2048
14:54 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
14:54 < shadowhywind> *maybe i will jump up to 4096.. lol*
14:54 < shadowhywind> Is there an easy way to create new users for VPN, without having to rebuild everything?
14:55 < shadowhywind> (. ./vars ./clean-all ./build-ca, etc...)
14:56 < gfather> good night guys , :) thanks a lot for the help
14:56 < gfather> see you tom
14:57 < krzie> shadowhywind, yes
14:57 < krzie> np gfather
14:57 < krzie> shadowhywind ecrist made a nice app for managing certs
14:57 < krzie> which i would recommend over easy-rsa
14:57 < krzie> its in his freebsd walkthrough
14:57 < krzie> !freebsd
14:57 < vpnHelper> krzie: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
14:58 < krzie> !forget freebsd
14:58 < vpnHelper> krzie: The operation succeeded.
14:58 < krzie> !learn freebsd as http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
14:58 < vpnHelper> krzie: The operation succeeded.
14:58 < shadowhywind> sweet, will also look into that during the weekend. However now that i have it all setup, (theres only two people who use the vpn) i shouldn't have to create anymore, hehe
14:58 -!- gfather [n=g@86.108.123.63] has quit []
14:58 < krzie> Setup SSL Certificates/Keys
14:58 < krzie> I think setting up SSL is the toughest part of OpenVPN for most people, including myself. I've written a script to help manage my network OpenSSL certificates. You can download this file here. Extract the tgz in your home directory (for now). You should see two files, ssl-admin.pl, and openssl.cnf.
14:58 < krzie> [edit] Tuning ssl-admin.pl
14:58 < krzie> You must edit the perl script to work correctly on your network. When initially downloaded, the script will exit, reminding you to setup all the variables at the top of the file. By default, the top of the file looks like this:
14:59 < krzie> !factoids search ssl
14:59 < vpnHelper> krzie: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
14:59 < shadowhywind> hehe
14:59 < krzie> oh cool i didnt realize that was a command already
14:59 < shadowhywind> lol! hehe
14:59 < shadowhywind> thanks for the info
15:00 < krzie> ya man, np
15:00 < shadowhywind> I must be off to class, will come back later when i have time
15:00 -!- shadowhywind [n=shadowhy@user-0c93gf5.cable.mindspring.com] has quit [Read error: 104 (Connection reset by peer)]
15:00 -!- ikevin_ [n=kevin@ANancy-256-1-167-138.w90-56.abo.wanadoo.fr] has joined ##openvpn
15:00 < krzie> i hope its either less boring than my day at work or that you have newer movies on your ipod than i do
15:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
15:09 -!- incorrect [n=frith@cpc3-cmbg8-0-0-cust169.cmbg.cable.ntl.com] has joined ##openvpn
15:26 < incorrect> i've got my openvpn client connected to my server, i seem to have a p-t-p link established
15:26 < incorrect> for some reason i can't ping the other end of the tunnel
15:27 < pred2k5> do you ping the right endpoint?
15:28 < incorrect> i tried
15:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:29 < incorrect> 100% packet loss, i am sure i had the same problem years ago
15:29 < incorrect> but i can't remember what i did wrong
15:31 < incorrect> the closest thing i have to an error is openvpn[52133]: TCPv4_SERVER link remote: [undef]
15:31 < krzie> i dont deal in ptp setups
15:37 < incorrect> ok duh working :)
16:04 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
16:11 < krzie> incorrect, what was the problem?
16:12 < incorrect> i was being a retard, i had put in the wrong subnet
16:12 < krzie> ahh
16:12 < krzie> nah a retard would be using ipsec ;]
16:12 < incorrect> i use ipsec for site to site
16:12 * krzie grins
16:14 < incorrect> why don't we like ipsec?
16:15 < krzie> http://www.wi-fiplanet.com/news/article.php/3504501
16:15 < vpnHelper> Title: IPSec Vulnerability Puts VPNs at Risk (at www.wi-fiplanet.com)
16:15 < krzie> http://www.microsoft.com/technet/security/Bulletin/ms08-047.mspx
16:16 < krzie> http://www.esecurityplanet.com/prevention/article.php/3564621
16:16 < vpnHelper> Title: Critical IPSec Vulnerability Exposes VPNs (at www.esecurityplanet.com)
16:18 < krzie> http://www.securityfocus.com/infocus/1821
16:18 < vpnHelper> Title: Penetration Testing IPsec VPNs (at www.securityfocus.com)
16:18 < krzie> etc etc
16:19 < krzie> openvpn relies on openssl which is stronger, more flexible, and undergoes more rigorous testing
16:19 < krzie> along with HMAC sigs by using static tls keys
16:19 < krzie> !security
16:19 < vpnHelper> krzie: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
16:19 < krzie> the second link goes over openvpn's onion approach to security
16:21 < krzie> of course you use ptp, so yours is much weaker
16:22 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 60 (Operation timed out)]
16:37 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
16:38 < incorrect> what should i use for a bunch of road *cough* warriors
17:03 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn
17:03 < ChUbB> hi, anyone got command and conquer 3 working over openvpn
17:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:06 -!- dmarkey [n=dmarkey@79.97.241.103] has joined ##openvpn
17:06 < dmarkey> when is 2.1 out
17:07 < ecrist> no idea
17:07 < ecrist> prolly when they're done with it
17:08 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
17:08 < jeev> sup
17:08 < ecrist> nm, u?
17:09 < jeev> nothing 17:13 < ChUbB> hi, i have a server with server-bridge setting to give out ip's i hace clients connect to it and got setting client-to-client set when i go to play CnC3 we can see each other in the lobby but when we go to create a game we can see the game any ideas ? 17:17 < ecrist> you can see the game? 17:19 < ChUbB> i can see each other in the lobby but ccan see the games we create 17:19 < ChUbB> cant* see the games created 17:26 < ecrist> !notopenvpn 17:26 < vpnHelper> ecrist: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 17:30 < plaerzen> Sometimes when I'm walking along on the sidewalk, I get this sensation like I'm falling, but I'm not. Then when it goes away I feel like I've been asleep for hours and I see purple spots like if you look at a bright light - or the sun, and then look away real quick. Can you guys help me with this problem? 17:31 < ecrist> oh, of course. as long as it doesn't involve CnC3 17:35 < plaerzen> Ah ok, Well I was thinking of patching my colonel, what do you reccommend? Denim? 17:35 < plaerzen> I think that might fix it. 
18:05 -!- incorrect [n=frith@cpc3-cmbg8-0-0-cust169.cmbg.cable.ntl.com] has quit ["Leaving"] 18:16 < krzee> !/30 18:16 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 18:16 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["When the chips are down, well, the buffalo is empty"] 18:18 -!- pred2k5 [n=Torsten@dslb-088-069-198-137.pools.arcor-ip.net] has quit [] 18:20 -!- plaerzen is now known as pla|home 18:21 < krzee> !route 18:21 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 18:23 < krzee> !ccd 18:23 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 18:23 < krzee> !iroute 18:23 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 18:26 < krzee> hehe was using those for an email 18:39 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 19:28 < krzee> Hello Jeff, 19:28 < krzee> I've read your document twice and thought over some 19:28 < krzee> details. 19:28 < krzee> krzee: " ... will update this page after discovering how to make it clearer." 19:28 < krzee> A schematic diagram to illustrate the example would be 19:28 < krzee> a big help. 19:28 < krzee> Is 192.168.1.0 a network or just one machine? 19:28 < krzee> Can the example be simplified to two networks rather than three? 
19:28 < krzee> There are other questions but I should understand the 19:29 < krzee> topology before the details. 19:29 < krzee> Thanks, ... P. 19:29 < krzee> Thank you for your interest. Glad to know the document is being used. 19:29 < krzee> The schematic is now at the bottom. 19:29 < krzee> No single machine may have a .0 address, that is a network address. 19:29 < krzee> Done. 19:29 < krzee> and thank you too, 19:29 < krzee> -krzee 19:29 < krzee> my !route document is updated 21:08 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has quit ["Leaving"] 22:09 < ecrist> krzee: nice graphic --- Day changed Thu Oct 09 2008 00:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:44 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 01:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:29 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 01:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 03:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:49 -!- strongfrakk [n=strongfr@62.77.209.74] has joined ##openvpn 04:49 < strongfrakk> hi i need an expert 04:50 < strongfrakk> I can connect to my openvpn server 04:50 < strongfrakk> my client got the ip 04:50 < strongfrakk> but i cant connect my server by totalcommander 04:50 < strongfrakk> i dont know why 04:52 < strongfrakk> Thu Oct 09 11:49:59 2008 Initialization Sequence Completed 04:52 < krzee> ecrist,, thanx 05:04 < krzee> OpenVPN OpenVPN 2.1_rc13 has been released. 
Download from the usual place: 05:04 < krzee> http://openvpn.net/download.html 05:04 < krzee> Also, I've had many requests for prebuilt and Windows TAP debug 05:04 < krzee> versions, so I've added: 05:04 < krzee> http://openvpn.net/debug/ 05:04 < krzee> and 05:04 < vpnHelper> Title: Downloads (at openvpn.net) 05:04 < vpnHelper> Title: Index of /debug (at openvpn.net) 05:04 < krzee> http://openvpn.net/prebuilt/ 05:04 < vpnHelper> Title: Index of /prebuilt (at openvpn.net) 05:04 < krzee> The debug directory contains a special version of the Windows installer 05:04 < krzee> that has a TAP driver built with debugging enabled. This lets you view 05:05 < krzee> TAP driver debug messages with --verb set to 6 or higher. 05:05 < krzee> The prebuilt .tbz files contain helper binaries for constructing a 05:05 < krzee> custom Windows installer without needing to build all dependencies from 05:05 < krzee> scratch. Read about it more in the ./domake-win file. 05:05 < krzee> strongfrakk, what is totalcommander? 05:22 -!- strongfrakk [n=strongfr@62.77.209.74] has quit [Read error: 110 (Connection timed out)] 05:31 < krzee> Changelog: 05:31 < krzee> 2008.10.07 -- Version 2.1_rc13 05:31 < krzee> * Bundled OpenSSL 0.9.8i with Windows installer. 05:31 < krzee> * Management interface can now listen on a unix 05:31 < krzee> domain socket, for example: 05:31 < krzee> management /tmp/openvpn unix 05:31 < krzee> Also added management-client-user and management-client-group 05:31 < krzee> directives to control which processes are allowed to connect 05:31 < krzee> to the socket. 05:41 -!- crazyb0y_ [i=nobody@zenith.knackery.net] has joined ##openvpn 05:41 < crazyb0y_> anyone alive ? 05:41 < krzee> yup 05:41 < crazyb0y_> krzee: i have strange problem when trying to build server key on debian 05:42 < crazyb0y_> i got this error: Error Loading extension section server 05:42 < crazyb0y_> i tried to find the solution on google, but no results 05:42 < crazyb0y_> can you please, help me ? 
05:43 < krzee> what are you typing that leads to the error 05:43 < crazyb0y_> just a second 05:43 < crazyb0y_> http://pastebin.cnc.bg/pastebin.php?show=266 05:44 < crazyb0y_> ./build-ca was ok 05:44 < crazyb0y_> but ./build-server-key gives me this error 05:46 < krzee> oh 05:46 < krzee> maybe try ssl-admin 05:46 < krzee> !ssl-admin 05:46 < vpnHelper> krzee: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 05:46 < krzee> i dont like easy-rsa 05:55 < crazyb0y_> thanks krzee 05:55 < crazyb0y_> how can i clean the keys with ssl-admin ? 05:56 < krzee> clean the keys?? 05:56 < crazyb0y_> i mean i did a mistake in ./ssl-admin 05:56 < crazyb0y_> and i want to start it again on clean 05:56 < krzee> just remove the files it made in KEY_DIR im sure 05:56 < crazyb0y_> oh i see, thanks =) 06:10 -!- gamla_kossan is now known as opuk^ 06:11 -!- opuk^ is now known as gamla_kossan 06:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:14 < crazyb0y_> krzee: how can i build /usr/local/etc/openvpn/keys/dh1024.pem with ssl-admin ? 06:35 < krzee> you dont 06:36 < kala> When I'm using the TCP transport mode for OpenVPN tunnels 06:37 < krzee> as you see in the !ssl-admin link i gave you 06:37 < krzee> OpenVPN Configuration 06:37 < krzee> Now that we've got our SSL setup complete, we can move on to setting up the remainder of OpenVPN. To begin, we need a Diffie Hellman key. Create this with the following command: 06:37 < krzee> openssl dhparam -out KEY_DIR/active/dh1024.pem 1024 06:37 < krzee> Replace KEY_DIR with your OpenVPN directory. 06:37 < kala> and the tunnels break too often, then the problem might be that the underlining TCP connection itself breaks too often? 06:37 < krzee> well 06:37 < krzee> !tcp 06:37 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 06:37 < krzee> that link explains it 06:37 < krzee> tcp over tcp has issues 06:38 < krzee> it just wasnt meant to be when they made tcp 06:38 < kala> yes, the regular slowness and MTU and other issues 06:38 < krzee> you read that link? 06:38 < kala> I have 06:38 < krzee> k cause it dont talk bout reg mtu and slowness 06:39 < kala> ok. perhaps I should test with UDP and see, if the clients behave differently 06:39 < krzee> using bridge or routed? 06:40 < kala> routed. I think 06:40 < krzee> cool 06:40 < krzee> ya give udp a shot 06:41 < krzee> i find large performance gains, but im also using internationally so my connection is the least ideal for tcp 06:42 < kala> well, performance is OK, but some clients connect to server, work for 10-20-30 seconds, traffic is actually moving and then for no reason the tunnel breaks and is restarted 06:42 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Remote closed the connection] 06:43 < krzee> when you switch to udp make sure to use a keepalive statement 06:43 < kala> yes, I have that configured 06:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:51 < kala> hmm. I get even more tunnel restarts with UDP 07:07 -!- espacious [i=espaciou@84-255-235-206.static.t-2.net] has joined ##openvpn 07:07 < kala> strange. and now the tunnel works perfectly 07:07 < kala> "SCHEDULE: schedule_add_modify wakeup=[Thu Oct 9 15:07:39 2008 us=64577] pri=1303581249" is probably something to do with ping timer? 07:11 < espacious> hi there i want to ask if i need to have only one wins server to get windows and samba shares work trought a tunnel or do i need two of them and also if i have to set to all dhcp clients that wins ip. 07:13 < krzee> 1 is fine 07:13 < espacious> ok i have it on server side, as my setup is site to site. 
07:13 < espacious> so do i have to push that wins ip to all my clients or is enough to set it in openvpn server config? 07:14 < krzee> you are pushing it in server config? 07:15 < krzee> # Advertise WINS server - change this number to your WINS server 07:15 < krzee> push "dhcp-option WINS 11.111.111.196" 07:15 < krzee> if so, that is pushing it to every client 07:16 < espacious> so no need to set it in dhcp server. i presume? 07:16 < espacious> ok will try now thanks krzee 07:16 < krzee> well 07:16 < espacious> yes? 07:16 < krzee> test it with just openvpn 07:16 < espacious> ok.not hard to do. 07:17 < krzee> cause clients get their dhcp for tunnel ip from openvpn 07:17 < krzee> is it just 2 lans you are connecting? 07:17 -!- mkay [n=mkay@gentoo/user/mkay] has joined ##openvpn 07:17 < espacious> yes. 07:17 < espacious> only 2 for now. 07:17 < mkay> hi 07:18 < espacious> i plan also some roadwarrior setup cca 10clients 07:20 < krzee> http://brneurosci.org/linuxsetup71.html 07:20 < vpnHelper> Title: Installing a Virtual Private Network with OpenVPN (at brneurosci.org) 07:20 < espacious> hey krzee what's that option DHCP-Opt.: NBDD-Server 07:20 < krzee> skip down to PART 2 - Real World Setup 07:20 < mkay> i've installed openvpn (client) on my hardware router with openwrt system and i can connect it to my external ovpn server. i can ping or ssh from server to client, but the problem is: the tunnel is disconnected everey 2 minutes. i suspect it's related with 'keepalive' settings, which i have setted to 10 120 on my server, but why the server 'thinks' that client is dead? 07:21 < espacious> krzee already reading that 07:22 < krzee> i dont run windows so thats best i can do 07:25 < espacious> seems its not enough to enter just in server.conf or maybe my wins server is not ok. 07:30 < krzee> http://openvpn.net/faq.html#dhcpcaveats 07:30 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net) 07:31 < espacious> aha will read that. 
07:31 < espacious> great help thanks 07:33 < espacious> btw my wins server is a samba in ubuntu. 08:20 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit ["Ik ga weg"] 08:34 -!- js_ [n=js@193.0.253.161] has joined ##openvpn 08:35 < js_> i get "Inactivity timeout (--ping-restart)" frequently on osx connecting to linux 08:35 < js_> what can be the cause of this? 08:51 < ecrist> does the vpn work OK? 08:52 < cpm> js_, does your osx box sleep? 08:52 < cpm> if so, it will sleep the network connection 08:56 < js_> i'm playing around, doing internet stuff 08:57 < js_> the vpn works OK until it dies and reconnects 08:57 < js_> i tried keepalive 10 600 on the client now, but it still reconnects 08:58 < js_> now it happened again 08:58 < js_> on osx i use tunnelblick 08:58 < js_> basically to make things easy for my associates 08:59 < js_> the server has keepalive 10 120 09:07 < js_> ecrist & cpm, any ideas? 09:08 < ecrist> js_ lemme look at my configs 09:08 -!- AzaTht [n=azatoth@wikipedia/AzaToth] has joined ##openvpn 09:08 < AzaTht> What could I have done wrong when ksoftirq hits the roof while using openvpn some times? 09:09 < ecrist> js_: with that server keepalive, my Mac boxes work just fine. I'd say you have intermittent internet connectivity problems. 09:09 < ecrist> what is ksoftirq? 09:09 < js_> ecrist: the clients don't have any keepalive setting or so? do they use tunnelblick? 09:10 < AzaTht> ecrist: pid 3 09:11 < ecrist> js_: no keepalive on the clients, and yes, they're using Tunnelblick. Although, I've compiled 2.1RC9 and put the binary in the Tunnelblick package. 09:11 < ecrist> AzaTht: what? 09:14 < js_> ecrist: like an improperly configured router/gateway? 09:14 < ecrist> sure, or if you're connecting across a GSM modem, that sort of thing. 09:15 < js_> this is a 200kbps/24mbps adsl line 09:15 < js_> the server is on 100mbit 09:15 < ecrist> so? 09:15 < ecrist> 24mbps DSL? 09:15 < ecrist> DSL tech isn't capable of such speeds. 
09:16 < js_> ADSL2+ is 09:17 < js_> anyway, do you think that upstream isn't sufficient? 09:17 < ecrist> I don't think this has anything to do with bandwidth. regardless, your upstream is 24mbps 09:18 < js_> the upstream is 200kbps, but the downstream is 24mbps 09:18 < js_> i'm gonna check the router 09:18 < ecrist> ah, so your numbers were backwards. 09:18 < js_> sorry :) 09:21 < js_> ecrist: do you use tcp or udp? 09:23 < js_> i used udp before, trying tcp now 09:24 -!- pla|home is now known as plaerzen 09:37 < js_> now, with tcp, only one client can be connected at a time 09:51 < ecrist> !tcp 09:51 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 09:51 < ecrist> js_: don't use tcp, use udp 09:52 < ecrist> and, if you're really running your DSL at 24mbps, your plant may not be supporting it for a sustained connection 09:57 < js_> my ssh connection is working without problems 09:58 < ecrist> js_: I'm using Openvpn with tunnelblick on mac with a FreeBSD server for the other end point. no problems at all. 09:58 < ecrist> I'm telling you it works. 09:59 < AzaTht> ecrist: ksoftirq is the third process started on a linux system 10:00 < ecrist> AzaTht: ah, I don't know how/why that would be related to OpenVPN, iirc, IRQs have to do with hardware on the PCI bus. 10:02 < AzaTht> ecrist: true, but I only noticed the problem while testing openvpn, and especially I where albe to trigger it when trying to access a port 9000 via http on the connected client relative my server from a box on the server-side 10:02 < ecrist> are you using tcp or udp? 10:02 < AzaTht> udp 10:03 < ecrist> what's the goog say? 10:03 < AzaTht> google didn't say much on this issue 10:03 < AzaTht> two pages returned for "openvpn ksoftirq" 10:03 < ecrist> I'd post to the developer mailing list, if I were you. 
10:04 < AzaTht> though fishing here for additional synapses first ツ 10:04 < AzaTht> I'm running it on an mpc8313e 10:05 < AzaTht> server is at home, and client is at work (big evil corporate firewall you know) 10:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:06 < AzaTht> ecrist: you are afraid I won't get much help here? 10:06 < ecrist> yes 10:06 < js_> ecrist: according to the logs i get disconnected every 3rd minute.. as if the server keepalive isn't sent to the client maybe? does it require some firewall setting on the client side for it to work? 10:06 < AzaTht> :( 10:06 < ecrist> js_: no, just udp port 1194. 10:07 < ecrist> AzaTht: krzee might know, but I sure don't. I'm by no means an expert, however. 10:08 < js_> ecrist: but if that wasn't open i wouldn't be able to use the tunnel at all, right? 10:08 < ecrist> right 10:08 < AzaTht> hehe 10:08 < ecrist> js_: firewall in between, killing a udp keep alive? 10:09 < ecrist> s/alive/state 10:12 < js_> found "Block UDP flood", but it would seem stupid if it thought this was a flood 10:12 < js_> i unchecked it anyway 10:14 < js_> didn't help 10:26 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 10:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:14 < crazyb0y_> hello there 11:14 < crazyb0y_> i have a problem with my openvpn server configuration maybe 11:15 < crazyb0y_> anyone wants to help me ? 11:17 < crazyb0y_> this is the output of my openvpn-server.log --> http://pastebin.cnc.bg/pastebin.php?show=267 11:18 < jeev> i need a solution manual! 11:19 < crazyb0y_> and this is my server.conf --> http://pastebin.cnc.bg/pastebin.php?show=268 11:22 < js_> my openvpn connection dies all the time and i can't really figure out why 11:30 -!- crazyb0y_ [i=nobody@zenith.knackery.net] has quit ["leaving"] 11:50 < ecrist> js_: I'm telling you, I think it's firewall issues. 
11:50 < ecrist> try this, start the VPN, open a ssh session across the vpn tunnel, and stream some constant data across it - see if it gets reset after 3 mins 11:52 -!- bipolar [i=bflong@216-164-162-138.pa.subnet.cable.rcn.com] has joined ##openvpn 12:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:08 < bipolar> Is there a minimum key length that OpenVpn requires? the smallest I see in the docs is 1024, but nothing that says I couldn't use a 512 or 256 bit key. 12:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:14 < krzee> [11:12] found "Block UDP flood", but it would seem stupid if it thought this was a flood 12:14 < krzee> [11:12] i unchecked it anyway 12:14 < krzee> [11:14] didn't help 12:15 < krzee> openvpn blocks udp floods with HMAC sigs from the tls static key 12:15 < krzee> and unchecked it where? 12:15 < krzee> (my openvpns have config files, no checkboxes) 12:15 < krzee> your 200k upload is not the problem 12:16 < krzee> i cant even get 200k download and can sustain an openvpn connection 12:16 < krzee> (with udp, with tcp it gets resets due to the stuff in the link !tcp 12:51 -!- tiav [n=tiav@ram94-3-82-225-11-215.fbx.proxad.net] has joined ##openvpn 12:56 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 13:01 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 13:20 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 13:39 -!- nachox [n=imarambi@200.68.83.121] has joined ##openvpn 13:39 < nachox> guys, what happens if i use the same client certificate for 2 different machines? 13:40 < nachox> i mean other than the privacy conerns 13:43 < ecrist> nachox: you need duplicate-cn enabled in the config, otherwise they'll knock eachother offline 13:44 < nachox> because they'd get the same ip assigned? 
13:45 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 13:46 -!- zero-1 [n=enrique@201.170.142.65] has joined ##openvpn 13:46 < zero-1> Hi everyone 13:46 < ecrist> nachox: no, because OpenVPN would disconnect the first 13:46 < ecrist> it's a *feature( 13:46 < ecrist> feature 13:47 < nachox> funny, that's not what happened 13:47 < zero-1> I have a quick question I just installed openvpn and it works wonders, however there is this minor issue I havent been able to overcome, I created a client certificate using the build-key script 13:47 < zero-1> and I can connect to my vpn with no problem 13:47 < zero-1> but if someone else uses that same certificate we both get the same ip address and one of us can not be connected to the vpn until the other one exits it 13:48 < zero-1> since vars creates environment variables, these are not available right now that I want to create a new cert, is there a way to make openvpn give me different ipaddresses per connection, regardless of the bot persons are using the same certificate? 14:02 < ecrist> nachox: what happened? 14:04 < krzie> zero-1, why do you want 2 clients using the same cert? 14:04 < krzie> there Is a way to make it happen, but you shouldnt use it 14:04 < krzie> what you should do is make a cert for each client 14:04 < zero-1> krzie: unfortunately that is what they are asking me to do 14:05 < krzie> tell them they are trying to bypass some of the built in security 14:05 < ecrist> zero-1: search the howto for duplicate-cn 14:05 < krzie> and that whle it is possible, it is stupid 14:05 < zero-1> is there a way to create more client certs without having to recreate the server cert or the ca, and so on? 
14:05 < krzie> but yes, it is duplicate-cn, and if you choose to use it dont use static vpn ips via ccd ifconfig, also do not use ipp.txt 14:06 < ecrist> zero-1: you need root CA and key to create more client certs 14:06 < krzie> zero-1 of course there is, you just use the same ca 14:06 < ecrist> you don't need the server cert and key 14:06 < krzie> note, if you do remake everything, you will have an easier time with ssl-admin 14:06 < krzie> !ssl-admin 14:06 < vpnHelper> krzie: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:06 * ecrist needs to update that. 14:07 < ecrist> the script - lots of changes in svn, but not in the copy on the wiki, like generating dh key, and blank CRLs 14:07 < zero-1> ecrist: ok but when I try to use build-key it says it cant read the environment variables, should I run . ./vars and then build-key? will that change my server cert or key or the ca? 14:07 < krzie> ecrist, maybe even separate the ssl-admin part from fbsd specific (since most of that doc is freebsd independent) 14:07 < ecrist> yes 14:08 < ecrist> krzie: I'd release ssl-admin more linux friendly, but I don't have linux anywhere to test/dev against. 14:08 * ecrist steps away for a few. 14:08 < zero-1> ecrist: yes what I said or krzie? 
14:08 < krzie> hrm i can toss something up for you ecrist 14:08 < krzie> i have an extra dell laying around the house i can toss linux on for ya 14:09 < krzie> and give you root to since it'll only exist for your testing/playing 14:10 -!- nachox [n=imarambi@200.68.83.121] has quit [Read error: 110 (Connection timed out)] 14:16 -!- bandini [n=bandini@host113-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 14:23 -!- zero-1 [n=enrique@201.170.142.65] has quit ["Leaving"] 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:44 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 14:44 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 14:48 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 14:54 < ecrist> krzie: that's great, I don't know I have the time to make worth-while your efforts. My wife is still layed-up, so she's been taking priority. 14:57 < krzie> thats fine it wont be much effort anyways 14:57 < krzie> just aa quick linux install and a singleport forward 15:00 < krzie> the box is for stuff like this 15:00 < krzie> installing random osés on to test things 15:00 < krzie> ild like to get another one and play with CARP 15:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:45 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn 15:54 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 15:58 < ecrist> krzie: we use CARP on our firewalls 16:02 < krzie> carp works on fbsd? 16:02 < ecrist> oh yeah 16:02 < krzie> or you use obsd for the firewalls? 16:02 < ecrist> for a while 16:02 < krzie> oh whoa 16:03 < krzie> coolness 16:03 < ecrist> no, 100% freebsd on the servers where I work. 
16:03 < krzie> then i can in fact play with carp 16:03 < krzie> cause my nfs + the spare dell 16:03 < ecrist> CARP+PF+ALTQ 16:03 < krzie> very nice 16:18 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 16:18 < krzie> wassup ompaul 16:28 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 16:30 < krzie> hey ompaul you here? 16:31 < krzie> if you are maybe you could take a look at my revised routing doc and tell me what you think 16:31 < krzie> if its clear and understandable and whatnot, i think its much better than before 16:31 < krzie> !route 16:31 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 16:31 < krzie> (that goes for anyone who cares to look) 16:32 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [No route to host] 16:33 -!- ompaul_ is now known as ompaul 16:41 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)] 16:42 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 17:30 -!- bandini [n=bandini@host113-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 18:20 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:20 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:20 < Dougy> hey kids 18:23 < Dougy> !iki 18:23 < vpnHelper> Dougy: Error: "iki" is not a valid command. 18:29 < ecrist> hey Dougy 18:29 < ecrist> !wiki 18:29 < vpnHelper> ecrist: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN 18:32 < Dougy> hey ecrist 18:32 < Dougy> whats up 18:33 < ecrist> nm, causing problems for people. ;) 18:33 < Dougy> hgaha 18:49 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 19:50 -!- AzaTht [n=azatoth@wikipedia/AzaToth] has quit [Remote closed the connection] 20:59 < krzee> !forget wiki 20:59 < vpnHelper> krzee: The operation succeeded. 
20:59 < krzee> !learn wiki as http://www.secure-computing.net/wiki/index.php/OpenVPN 20:59 < vpnHelper> krzee: The operation succeeded. 21:00 < krzee> !factoids search https://www.secure 21:00 < vpnHelper> krzee: No keys matched that query. 21:00 < krzee> !factoids search http://www.secure 21:00 < vpnHelper> krzee: No keys matched that query. 21:00 < krzee> !factoids search https 21:00 < vpnHelper> krzee: No keys matched that query. 21:00 < krzee> !factoids search https* 21:00 < vpnHelper> krzee: No keys matched that query. 21:00 < krzee> !factoids search http* 21:00 < vpnHelper> krzee: No keys matched that query. 21:00 < krzee> hrmz 21:00 < krzee> ohh it only searches through keys and not definitions 21:01 < ecrist> *my* bot would've searched both 21:01 < ecrist> :P 21:01 < krzee> :-p 21:15 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 21:15 < Dougy> sup ya'll 21:15 * Dougy pokes ecrist 21:15 < ecrist> what's up Dougy ? 21:15 < Dougy> hey man 21:16 < Dougy> what's up? 21:16 < krzee> sup dougy 21:16 < Dougy> krzeeeeeeeeee 21:16 < Dougy> what's up ? 21:16 * Dougy stabs jeev with a rusty knife 21:16 < ecrist> Dougy: did you need something? 21:16 < Dougy> ecrist, no sir 21:16 < Dougy> was just saying hello 21:17 < Dougy> krzee, what's going on? 21:17 < Dougy> anything good? 21:17 < ecrist> ah, see, when you say my name, my puter beeps, and I think someone actually wants to talk to me. 21:17 < krzee> answering a ? on the mail list 21:17 < Dougy> ecrist, i do, but just casually 21:17 < ecrist> with as few friends as I have, I jump at the opportunity. 21:17 < Dougy> i don't need assistance 21:17 < Dougy> ecrist, ahhh 21:17 < krzee> its like saying beetlejuice 3 times 21:17 < Dougy> if you have company, go away 21:17 < Dougy> krzee, lmao 21:17 < ecrist> NyQuil and I had a date about 10 mins ago, so I'm on my way out. 
21:17 < krzee> ecrist ecrist ecrist 21:17 < krzee> and boom he appears 21:18 < Dougy> haha ecrist 21:18 < Dougy> oh i remember something i wanted to ask you 21:18 < Dougy> how's mrs. ecrist 21:18 < Dougy> ? 21:18 < ecrist> going to try a half-day at work tomorrow 21:18 < Dougy> nice 21:18 < ecrist> almost exactly 1 month after her accident. 21:19 < Dougy> aw cool, glad to hear she's almost back to herself 21:23 < Dougy> well 21:23 < Dougy> i don't feel well, so i'm gonna go pass out 21:23 < Dougy> goodnight ecrist 21:23 < Dougy> peace out krzee 21:23 < krzee> dougy 21:23 < krzee> when you get a chance 21:23 < Dougy> yo 21:24 < krzee> look over !route and tell me if its clearer 21:24 < Dougy> !route 21:24 < vpnHelper> Dougy: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:24 < Dougy> oh you mean the actual page? 21:24 < krzee> hehe 21:24 < krzee> yes, follow the link ;] 21:25 * Dougy nods 21:25 < Dougy> let me read 21:26 < jeev> god bless america, cause we freaking need it 21:26 < jeev> i need a nice mrtg traffic to gigabyte transfer calc 21:26 < jeev> i dont want to use cacti 21:26 < Dougy> Cacti is the win 21:27 < Dougy> krzee, looking very good 21:27 < Dougy> pretty easy to follow 21:27 < jeev> i dont like cacti 21:27 < Dougy> i'm a bit out of it this evening, but from my semi-competent state it looks good 21:28 < Dougy> jeev, i like cacti 21:28 < Dougy> so nyeh 21:29 < jeev> i used to have a cool php 21:29 < jeev> that did it 21:29 < Dougy> you could use a CLI one 21:29 < Dougy> like bwm-ng 21:30 < Dougy> but thats just text 21:30 < jeev> na 21:30 < jeev> bah 21:30 < jeev> guess i'm forced to use cacti 21:31 < Dougy> what don't you like 21:31 < Dougy> i think its neat and organized 21:31 < jeev> it sucks!! 
21:31 < Dougy> you suck 21:31 < Dougy> sike 21:31 < jeev> lol 21:32 < Dougy> anyway 21:32 < Dougy> im gonna go finish off this drink 21:32 < Dougy> and go pass out 21:32 < Dougy> cya 21:32 < jeev> bye 21:32 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has left ##openvpn ["Leaving"] 21:32 < krzee> nite 21:32 < krzee> doh missed him 21:42 < jeev> heh 21:42 < jeev> illegal instruction 21:42 < jeev> for running cacti php's. 22:20 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has joined ##openvpn 22:46 -!- Ahiru [n=Fate@triela.fatechan.net] has left ##openvpn [] 23:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] --- Day changed Fri Oct 10 2008 01:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 01:34 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 02:56 -!- justdave_ [n=dave@unaffiliated/justdave] has joined ##openvpn 02:56 -!- justdave [n=dave@unaffiliated/justdave] has quit [Remote closed the connection] 03:50 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn 03:50 -!- AukeF is now known as [SURFnet]Auke 05:15 -!- mrwhippy_ [n=IceChat7@5ac90eab.bb.sky.com] has joined ##openvpn 05:18 < mrwhippy_> hi all, I have set up an openvpn connection on a freebsd 7 server, I can connect to the server and ssh onto it via the ip address, i can ping the ip and nslookup the server name from the client, and i can see the server from the network(vista client) however i cannot access the server through this to get to my samba shares now i am not sure if it is a samba or dns issue could anyone help me out please 05:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:27 < kala> ok, I switched from TCP transport to UDP transport, but I'm still seeing strange restarts. The tunnel starts up fine and then about 10-30 seconds later, its restarted from server side. And many times in a row. And not only with my machine. 
06:27 < kala> After a couple of restarts, the tunnel "stabilizes" and then everything works fine. 06:30 -!- gstaniak [n=gstaniak@apollo.cpu.lublin.pl] has joined ##openvpn 06:30 < gstaniak> hi 06:31 -!- gstaniak [n=gstaniak@apollo.cpu.lublin.pl] has quit [Client Quit] 06:31 < kala> I'm running 2.1_rc9a on the server. wonder if 2.1_rc13 would be any better 06:44 -!- mrwhippy_ [n=IceChat7@5ac90eab.bb.sky.com] has quit [Read error: 113 (No route to host)] 07:00 < gamla_kossan> hi guys.. have a problem I don't really understand; when I try to connect to my openvpn server, I get this: 07:04 < gamla_kossan> http://fpaste.org/paste/7345 07:05 < gamla_kossan> anyone have a clue why it doesn't like my DES-EDE3? 07:10 < gamla_kossan> hooray 07:10 < gamla_kossan> I figured it out :> 07:32 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 07:58 < ecrist> kala: why wouldn't it be better? 08:09 -!- Burn [n=burn@alpha343.server4you.de] has joined ##openvpn 08:09 < Burn> hello, can I change the IP of an openvpn server please? So that it's not x.x.x.1 ? 08:23 < ecrist> sure, but why? 08:33 < Burn> ecrist: existing network in that range 08:34 < Burn> ecrist: there is a 192.168.5.x/24 network, I want to add an openvpn server 08:34 < Burn> or do I mix things up? 08:36 < Burn> is the interface pure virtual or available on eth0? 09:07 < ecrist> Burn: run tun, your VPN will be on a different subnet 09:07 < ecrist> try reading the howto 09:10 < Burn> ecrist: I did, but I should read all of it 09:10 < Burn> for example the Thelonious part 09:10 < Burn> your client gets the ip 10.9.0.1 09:10 < Burn> can't ping the server on 10.9.0.2 09:11 < Burn> but _can_ ping the server through the tunnel on its own ip 09:11 < Burn> very strange to me 09:11 < ecrist> !faq 09:11 < vpnHelper> ecrist: "faq" is http://openvpn.net/index.php/documentation/faq.html 09:12 < ecrist> !howto 09:12 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 09:12 < ecrist> start there 09:23 < Burn> ok 09:23 < Burn> I will 09:25 < jeev> my flight is in a few hours 09:25 < jeev> and i'm not even packed 09:25 < jeev> cause i'm not sure if we're going. 09:43 < ecrist> where are you supposed to be goin, jeev? 09:54 < kala> ecrist: yes, the RC13 probably is better, but I don't know if the problem is caused by server side or by client side 10:16 < ecrist> you haven't told me your problem. 10:30 -!- [SURFnet]Auke [n=auke@x154.flex.surfnet.nl] has quit [Remote closed the connection] 11:11 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 11:12 < krzee> ecrist, 11:12 < krzee> [07:27] ok, I switched from TCP transport to UDP transport, but I'm still seeing strange restarts. The tunnel starts up fine and then about 10-30 seconds later, it's restarted from server side. And many times in a row. And not only with my machine. 11:12 < krzee> [07:27] After a couple of restarts, the tunnel "stabilizes" and then everything works fine. 11:13 < krzee> burn 11:13 < krzee> [09:09] hello, can I change the IP of an openvpn server please? So that it's not x.x.x.1 ? 11:13 < krzee> [09:23] sure, but why? 11:13 < krzee> [09:33] ecrist: existing network in that range 11:13 < krzee> that makes NO sense 11:13 < krzee> x.x.x.1 is NOT a network 11:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:16 < krzee> oh and good morning folks 11:20 < Burn> krzee: I mean an ip address ending in .1 11:20 < Burn> subnet /24 11:20 < krzee> give it its own network 11:20 < krzee> or are you bridging? 11:21 < Burn> yes, but I had a misunderstanding 11:21 < Burn> the tun interface is totally virtual 11:21 < krzee> you thought it was physical? 11:25 -!- mmcgrath [n=mmcgrath@67-207-142-96.slicehost.net] has joined ##openvpn 11:25 < mmcgrath> Is it possible to setup iptables rules to block traffic from node1 to node2 on the openserver? 11:26 < krzee> !policy 11:26 < vpnHelper> krzee: Error: "policy" is not a valid command. 
11:26 < krzee> 1sec 11:26 < krzee> lemme find that 11:26 < krzee> !howto 11:26 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:27 * mmcgrath reads up. I see iptables rules there. Must have missed them earlier. 11:27 < krzee> nah that link wasn't to you 11:27 < krzee> this one is: 11:27 < krzee> http://openvpn.net/howto.html#policy 11:27 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 11:27 < mmcgrath> it's on there though :) 11:27 < mmcgrath> the access policies 11:27 < krzee> !learn policy as http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies 11:27 < vpnHelper> krzee: The operation succeeded. 11:27 < mmcgrath> Duh, it's the FORWARD chain, I kept looking at INPUT. 11:32 < kala> ecrist and krzee: I'm trying with RC13 on the client side now. At least with my machine I'm seeing fewer restarts, I'll know on Monday if this upgrade helped with others as well 11:32 < mmcgrath> krzee: do you happen to know if those rules still process correctly with client-to-client enabled? 
11:32 < krzee> mmcgrath, im pretty sure you can block certain clients even tho client-to-client is enabled 11:33 < krzee> because yesterday or 2 days ago someone's NAT was stopping them from communicating 11:33 < mmcgrath> 11:33 < krzee> in fact they made a writeup on the wiki 11:33 < krzee> it may help you 11:33 < krzee> !wiki 11:33 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 11:33 < krzee> lemme find it 11:35 < krzee> http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules 11:35 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net) 11:35 < mmcgrath> thanks 11:41 < krzee> yw 11:42 -!- bandini [n=bandini@host113-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 11:42 < krzee> doh i was thinking of someone else problem 11:43 < krzee> someone else had 10.7.0.x and 10.8.0.x and was natting both for redirect-gateway 11:43 < krzee> but he found client-to-client would break because of the natting 11:43 < krzee> (all he had to do was change the rules to not nat between 1 network to the other) 11:43 < krzee> but that shows the firewall was consulted 11:44 < mmcgrath> hi 11:53 < gstaniak> anybody here uses/knows zerina on smoothwall? 11:55 < krzee> no, we use openvpn 11:57 -!- Rielly [n=acidburn@69.60.110.96] has joined ##openvpn 12:00 < Rielly> hi guys, i understand now that it's impossible for a WINDOWS client to connect to a LINUX/OPENVPN VPN server, WITHOUT openvpn's client software but instead just window's built-in connection wizard? is that confirmed? and my second question; would a windows dedicated server allow this better...? 
12:00 < krzee> yes, confirmed 12:00 < Rielly> ok 12:00 < gstaniak> krzee: it's a packaged openvpn for the smoothwall firewall actually 12:00 < krzee> windows does not support openvpn's stuff without openvpn 12:00 < krzee> gstaniak, well, same answer 12:01 < krzee> gstaniak, but happy to help with openvpn without that stuff 12:01 < Rielly> i want to purchase a dedicated server to use as VPN machine only. my clients will all be using windows's standard networking wizard to connect, nothing else. what kind of dedicated server/OS can you recommend me then? :/ 12:01 < krzee> Rielly, i don't understand the second question 12:01 < krzee> Rielly, i can recommend installing openvpn on the clients 12:01 < krzee> otherwise, you cannot use openvpn 12:01 < krzee> openvpn DOES run on windows yanno 12:02 < gstaniak> krzee: i'm not experienced enough to know whether the problem is in the package or the firewall, but i can't connect from under windows XP using openvpn gui, the message is "TLS key negotiation failed to occur within 60 seconds" 12:02 < krzee> and is far more secure than ipsec or pptp which are the default windows options 12:02 < krzee> that points to either a config error in where to connect, a firewall, or a nat problem on server side 12:03 < Rielly> i can't. the people who will be using the client PCs don't speak/read/write english and they have never touched a computer in their life. they need something which is as point-and-go as possible, without installs or ANY sort of external effort (windows built-in) 12:03 < krzee> Rielly, you can bundle a pre-setup for windows 12:03 < krzee> using batch files 12:03 < Rielly> so, i need a VPN server that supports windows clients to connect using windows's native menus 12:03 < Rielly> which OS could be used for this? 12:04 < gstaniak> krzee: thanks, i'll try those paths. what kind of nat problems are you talking about? 
12:04 < krzee> Rielly, 12:04 < krzee> !notopenvpn 12:04 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 12:04 < krzee> you are saying "i cant use openvpn, what should i use" 12:04 < krzee> but my only answers will be "anything that fits your description sucks" 12:06 < Rielly> heh, and i can tell you that over 800,000 people in the non-western hemisphere use such solutions daily :P 12:06 < krzee> and i can use a single google search to tell you why they shouldnt 12:06 < krzee> heh 12:06 < krzee> either way, not openvpn 12:06 < Rielly> so go tell them and become rich 12:06 < krzee> so wrong channel 12:07 < krzee> Rielly, those people dont care about security, its the same types that run IIS webservers 12:08 < Rielly> i think they prefer to allocate time and effort to their actual jobs, rather than all becoming tech savvy VPN experts 12:08 < krzee> cool 12:08 < krzee> you should find one of them non tech savvy folks to help you setup that sort of vpn then 12:08 < krzee> hehe 12:09 < krzee> cause here we use openvpn 12:09 < krzee> ;] 12:10 < krzee> http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html 12:10 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se) 12:10 < krzee> if you choose to use openvpn, thats your solution 12:10 < krzee> otherwise, best of luck to you 12:12 < krzee> personally i will be unable to help much with that cause i dont use windows, but it looks like a complete document to me 12:12 < krzee> !factoids search win 12:12 < vpnHelper> krzee: 'winroute', 'winpass', and 'win_noadmin' 12:13 < krzee> !learn win_rollup as http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html for a doc on HowTo Roll Your Own OpenVPN Windows Installation Package 12:13 < vpnHelper> krzee: The 
operation succeeded. 12:15 < krzee> looks like the gentoo guys gave a lil something to your cause too 12:15 < krzee> http://gentoo-wiki.com/HOWTO_OpenVPN_RoadWarrior#For_Installation_on_Windows_Client 12:15 < vpnHelper> Title: HOWTO OpenVPN RoadWarrior - Gentoo Linux Wiki (at gentoo-wiki.com) 12:16 < gstaniak> krzee: on the server side i have in logs the following: "VERIFY SCRIPT ERROR" and "TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned" 12:16 < krzee> !learn win_rollup as http://gentoo-wiki.com/HOWTO_OpenVPN_RoadWarrior#For_Installation_on_Windows_Client for a batch you can use to install certs in win client automagically 12:16 < vpnHelper> krzee: The operation succeeded. 12:16 < krzee> gstaniak, please pastebin that whole log 12:17 < krzee> gstaniak, also, please pastebin both configs, and check file permissions on the certs and the dir the certs are in 12:17 < krzee> for dir they are in you are checking the dir has +x 12:17 < krzee> for the files, you want to see that they can be read and are NOT empty 12:17 < krzee> !configs 12:17 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 12:17 < krzee> !logs 12:17 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 12:19 < gstaniak> krzee: http://pastebin.com/m3fb602ff 12:20 < krzee> yup looks to me like its permissions 12:20 < krzee> or an empty file 12:21 < gstaniak> and client side is here: http://pastebin.com/m22e5cf67 12:21 < gstaniak> krzee: you mean permissions on root certificate? 
12:22 < krzee> on all 12:22 < krzee> Fri Oct 10 17:20:49 2008 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400) 12:22 < krzee> try commenting out that kinda stuff for now 12:22 < gstaniak> krzee: ok 12:25 < krzee> but i suspect a permission problem or empty file 12:25 < krzee> the empty file thing always catches people by surprise 12:26 < krzee> but bad xfers do happen 12:27 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn 12:27 < gstaniak> krzee: cannot see empty files under "/ca" or "/certs", but everything is nobody.nobody 644, except for serverkey.pem - same owner, 600 12:28 < krzee> ok that's not the problem, but you should NOT have them owned by nobody 12:28 < krzee> they should ALL be owned by root 12:28 < krzee> openvpn starts as root, drops permissions to nobody upon user/group commands 12:28 < krzee> nobody should NOT have the right to modify keys/certs 12:28 < gstaniak> krzee: hm, looks like the openvpn process runs as nobody 12:29 < krzee> ya, after it drops its permissions 12:29 < krzee> how would it add routes as nobody? 12:29 < gstaniak> i see 12:29 < krzee> ahh the familiar sound of my 4 UPS's beeping 12:32 < ChUbB> hi to add a key do i just do the build key thing and that's it yer ? don't have to build dh again or anything ? 
12:32 < krzee> ChUbB, right you just make more client keys 12:32 < krzee> dh and ca and server remain 12:33 < krzee> !ssl-admin 12:33 < vpnHelper> krzee: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 12:33 < krzee> is a nicer app for managing certs 12:33 < ChUbB> krzee: kk cheers for cleaning that one up 12:33 < krzee> was made for bsd, but i dont see why it wouldnt work on linux 12:33 < krzee> i plan on setting up a test linux box for ecrist to play with ssl-admin (he made it) on to see that its fine on linux 12:34 < krzee> ChUbB, np 12:39 < krzee> well the beeps are getting faster 12:39 < krzee> so i might be gone soon 12:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:00 < ecrist> krzee: it runs fine - it's mostly perl with a few system calls. it's the packaging that I need to resolve on linux. 13:01 < krzee> whatchya mean packaging? 13:02 < krzee> like the dirs it uses/ 13:02 < krzee> ? 13:02 < ecrist> yeah, so it will 'install' 13:02 < krzee> could always toss it in /etc/openvpn 13:02 < krzee> or even /etc/openvpn/ssl-admin 13:03 < ecrist> krzee: there's more to it than that. 13:03 < krzee> while making the containing dirs that dont exist (/etc/openvpn wont exist on all) 13:03 < ecrist> ssl-admin itself is executable, and can be in the proper bin dir, and there are man pages, as well. 13:03 < ecrist> couple that with the assorted config files, it would be nice to have things put in the right places. 13:03 < krzee> ahh i gotchya 13:04 < ecrist> I actually have a port in the freebsd ports tree for ssl-admin now, just so it gets installed/updated correctly on FreeBSD. 13:04 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has quit [Read error: 104 (Connection reset by peer)] 13:04 < ecrist> I need to fix a couple things and update that, though 13:05 < krzee> [14:04] where do linux packages generally install bins? 
i know in fbsd ports/packages put bins in /usr/local/[s]bin/ 13:05 < krzee> [14:05] krzee, /bin for boot stuff /usr/bin for everything else (generally speaking) 13:07 < krzee> [14:06] any local stuff should go in /usr/local/bin 13:07 < ecrist> from HIER(7) /sbin/ system programs and administration utilities fundamental to both single-user and multi-user environments 13:07 < krzee> heh, you could use /usr/local/bin for linux/bsd 13:08 < ecrist> I could, the 'install' command has a flag for creating a path, if it doesn't exist, for installation. 13:08 < krzee> it should already exist tho 13:09 < ecrist> it would be nice to make an RPM or such so I can submit to the debian/ubuntu/what-the-fuck-ever folks for distribution, though, too. 13:10 < krzee> ya 13:10 < krzee> [14:09] so should /usr/local/bin already exist on linux installs? i dont have one handy to look at 13:10 < krzee> [14:09] krzee, yah 13:13 < krzee> ups is beeping FAST 13:13 < krzee> i guess ill see ya guys later 13:13 < krzee> heheh 13:16 < ompaul> ecrist, if you want it to get used in ubuntu should first consider would you be able to package it for Debian under their free software guidelines to get to the widest possible audience, after that it would trickle into ubuntu and the other downstreams of there 13:18 < ecrist> ompaul: would have to look - my code is BSD-licensed. 13:20 < ompaul> ecrist, the current version of the BSD licence? 
13:20 < ompaul> or something older 13:20 * ecrist looks 13:20 < ecrist> it's in my source file 13:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 13:21 < ompaul> mail me the licence pm 13:21 < ecrist> ompaul: https://www.secure-computing.net/trac/browser/trunk/ssl-admin/ssl-admin 13:21 < vpnHelper> Title: /trunk/ssl-admin/ssl-admin - SCN Open Source - Trac (at www.secure-computing.net) 13:21 < ompaul> ecrist, that being better :) 13:24 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 104 (Connection reset by peer)] 13:41 < jeev> ecrist: london, i think they pushed flight to tomorrow 13:41 < jeev> i hate that shit 13:41 < jeev> wtf is this nick completion 13:42 < jeev> ecrist: london, i think they pushed flight to tomorrow 13:42 < jeev> there 13:42 < jeev> bbiab 13:42 < ecrist> jeev: cool. 13:50 -!- bandini [n=bandini@host113-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:09 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:10 < Dougy> hey all 14:10 < ecrist> hey Dougy 14:11 < Dougy> hey ecrist 14:11 < Dougy> how are you? 14:11 < ecrist> it's FRIDAY! 14:12 < Dougy> haha 14:12 < Dougy> word 14:12 * Dougy is starving 14:12 * Dougy goes to throw some pizza in the oven 14:20 < Dougy> back 14:21 -!- gstaniak [n=gstaniak@apollo.cpu.lublin.pl] has quit ["My damn controlling terminal disappeared!"] 14:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:27 < Dougy> bbl 14:54 -!- dmarkey [n=dmarkey@79.97.241.103] has quit [Read error: 110 (Connection timed out)] 15:18 -!- ChUbB [n=IceChat7@host81-153-194-175.range81-153.btcentralplus.com] has joined ##openvpn 15:31 -!- ChUbB [n=IceChat7@host81-153-194-175.range81-153.btcentralplus.com] has quit [Read error: 104 (Connection reset by peer)] 15:44 * ecrist wonders if ChUbB is fat. 
15:44 < Dougy> lmao 15:44 < Dougy> haha 16:16 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 16:17 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 16:52 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 16:55 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has joined ##openvpn 16:55 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has left ##openvpn ["Gots work to do"] 16:55 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has joined ##openvpn 17:14 -!- CaptainMorgan [n=CaptainM@c-75-68-42-94.hsd1.nh.comcast.net] has joined ##openvpn 17:16 < CaptainMorgan> folks, I'm not too schooled on this vpn client... I was comfortable using cisco's vpn 3000, until it broke 64-bit debian oses... making the shift from that to this is a bit tough I think... I have a .pcf file with the group key and a bunch of other information, like the vpn-company.foo.com hostname, my username, etc... I don't see how to easily apply this already provided info to openvpn.. any pointers? 17:20 < ecrist> ROAR! 17:20 * ecrist pulls out a gun and shoots Samsung 17:21 < ecrist> CaptainMorgan: are you trying to use OpenVPN to connect to Cisco? 17:21 < CaptainMorgan> no, a different company- my employer. 17:21 < ecrist> no shit, I meant a Cisco VPN 17:22 < CaptainMorgan> ecrist, the vpn is unknown.... technically, I should be able to use any client- so long as I have the credentials, which I do. 
17:23 < ecrist> um, no, technically, you can't just use *any* client 17:23 < ecrist> There are three common VPN types out there: 17:23 < ecrist> 1) IPSec (Cisco default) 17:23 < CaptainMorgan> I should be able to use IPSec and/or SSL 17:23 < ecrist> 2) PPTP (older, supported in the OS in Windows and Mac OS X) 17:24 < ecrist> and 3) SSL (OpenVPN, I think Cisco has prelim support for SSL VPNs) 17:24 < ecrist> well, OpenVPN is SSL type, and its client is for connecting to OpenVPN, not Cisco 17:25 < CaptainMorgan> dammit... I'm pretty sure it's not an OpenVPN network... but if it's SSL, shouldn't I be able to use the OpenVPN client? 17:30 < CaptainMorgan> well, thanks for the help anyways... I guess. 17:44 -!- CaptainMorgan [n=CaptainM@c-75-68-42-94.hsd1.nh.comcast.net] has left ##openvpn ["Leaving"] 17:51 -!- mkay [n=mkay@gentoo/user/mkay] has left ##openvpn [] 18:05 < Rielly> guys, i want to buy a dedicated server (windows or linux... doesn't matter, preferring windows) which will act as VPN machine. i will buy about 100 IPs for this machine. my question: which OS allows me to add 1 dedicated IP address per account for my connecting clients? my web host says linux doesn't support this (I'm afraid windows won't either?) 18:05 < Rielly> (but then how do those internet VPN providers still do this??) 18:27 < Dougy> Linux is better suited 18:27 < Dougy> You're gonna be hard pressed to find a provider to give you 100 IP's, though 18:27 < Dougy> I work for a dedicated server provider 18:31 -!- bonez46 [n=scott@75.145.58.209] has joined ##openvpn 18:32 < bonez46> I believe I have openvpn installed, though not yet configured.. I have a few linux boxes and an XP box on one network.. and I want to connect them with some other XP boxes and linux boxes.. on another network.. two different nets .. with static IP's.. 18:43 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn 18:43 < bonez46> can I do this with openvpn? 
18:45 < Dougy> sounds like it 18:45 < Dougy> is a private IP ok 18:45 < Dougy> like 10.0.0.0/8 18:45 < Dougy> ? 18:53 < bonez46> dougy are you asking me or telling me? 18:54 < Dougy> asking you 18:55 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has joined ##openvpn 18:55 < bonez46> yeah, each has a public IP, but with router... and then private IP's behind each 19:00 < Dougy> i see 19:00 < Dougy> i'm sickish tonight 19:01 < Dougy> so i'm incompetent 19:01 < Dougy> !forum 19:01 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 19:01 < Dougy> post it there you'll get an answer 19:01 < bonez46> thanks 19:37 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 20:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:32 < Dougy> sup krzee 20:33 < krzee> waddup 20:33 < Dougy> notta 20:33 < Dougy> joo? 20:36 * Dougy pokes krzee 20:36 < krzee> chillen 20:36 < krzee> bout to go party in a few 20:38 < Dougy> ice 20:38 < Dougy> nice 20:38 < Dougy> im going to bed 20:38 < krzee> whoa 20:38 < krzee> early 20:38 < krzee> and on a friday 20:38 < Dougy> i have to be up at 5AM 20:38 < Dougy> to go to work 20:38 < Dougy> then come home and spend the day / evening with gf 20:39 < krzee> werd 20:39 < Dougy> so.. 
not really 20:39 < Dougy> i need all the Zzz's I can get dood 20:39 < Dougy> for rizzle 20:39 < Dougy> LOL 20:40 < krzee> hehe right on 20:40 < krzee> well ill see ya later then 20:40 < Dougy> nod 20:40 < Dougy> ciao 20:40 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 21:15 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Remote closed the connection] 21:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 60 (Operation timed out)] 22:09 -!- bonez46 [n=scott@75.145.58.209] has left ##openvpn [] 22:33 -!- b0lt [n=b0lt@66.197.146.69] has joined ##openvpn 22:41 -!- b0lt [n=b0lt@66.197.146.69] has quit ["leaving"] 23:06 -!- stack_smasher [n=droopy@122.167.62.78] has joined ##openvpn 23:07 < stack_smasher> umm..where do I place the server.conf to have openvpn using it? 23:07 < stack_smasher> or do I need to specify it from the command line? 23:27 -!- Rielly [n=acidburn@69.60.110.96] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"] 23:39 -!- stack_smasher [n=droopy@122.167.62.78] has quit [Read error: 104 (Connection reset by peer)] --- Day changed Sat Oct 11 2008 01:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:46 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 110 (Connection timed out)] 02:04 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 02:41 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 02:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:10 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:18 -!- roentgen 
[n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:56 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 10:03 -!- Tsuroerusu [n=tsuroeru@0x50a5b55f.slnxx1.dynamic.dsl.tele.dk] has joined ##openvpn 10:24 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 10:51 -!- bandini [n=bandini@host113-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 11:22 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 11:49 -!- Hexxeh [n=Hexxeh@host86-152-65-132.range86-152.btcentralplus.com] has joined ##openvpn 11:49 < Hexxeh> Hello! 11:49 < Hexxeh> Is it possible to use OpenVPN to establish a VPN connection through a HTTP proxy that does not allow the CONNECT method? 12:45 -!- Hexxeh [n=Hexxeh@host86-152-65-132.range86-152.btcentralplus.com] has quit [] 13:58 -!- bandini [n=bandini@host113-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 14:39 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 14:45 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 14:54 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 15:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:08 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 16:19 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 
16:19 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 18:18 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 19:32 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 20:05 -!- jmeeuwen [n=kanarip@fedora/kanarip] has left ##openvpn ["Leaving"] 20:36 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] --- Day changed Sun Oct 12 2008 01:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 02:19 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 02:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:22 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:35 -!- Tsuroerusu [n=tsuroeru@0x50a5b55f.slnxx1.dynamic.dsl.tele.dk] has quit [Remote closed the connection] 06:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 06:38 -!- abchirk [n=rapunzel@cl-2502.ham-01.de.sixxs.net] has joined ##openvpn 06:38 < abchirk> hi 06:39 -!- espacious [i=espaciou@84-255-235-206.static.t-2.net] has quit [Connection timed out] 06:39 < abchirk> Hi anyone knows what I can do? there is no tun device in ifconfig or else?-> http://phpfi.com/363504 06:39 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com) 06:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:49 < abchirk> ah I removed up file from config now the tun has started... but how can I check if others can connect? 07:03 < krzee> connect from a machine on another network 07:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:52 < abchirk> If I have this remote ****** ;ifconfig 10.8.0.2 10.8.0.1 07:52 < abchirk> And connection is initiated... which IP has the server which has the client? 
07:53 < abchirk> Under ifconfig tun0 I see ptp 10.8.0.2 and inet-addr 10.8.0.1 08:05 < krzee> ahh sorry i dont use ptp 08:05 < krzee> !sample 08:05 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 08:05 < krzee> thats how i do it 08:13 < abchirk> I used this config http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html 08:13 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 08:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:35 -!- bipolar [i=bflong@216-164-162-138.pa.subnet.cable.rcn.com] has quit ["ZNC by prozac - http://znc.sourceforge.net"] 09:39 -!- Dougy[Work] [n=doug@64.18.159.247] has joined ##openvpn 09:44 < Dougy[Work]> hi 09:59 < ecrist> hola 10:09 < Dougy[Work]> sup ecrist 11:01 < Dougy[Work]> HELL YEAH 12:00 -!- bigluks [i=Rush@e180069010.adsl.alicedsl.de] has joined ##openvpn 12:11 < bigluks> hi there 12:11 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 12:11 < bigluks> what can i do if the tun device isnt created automatically? 12:13 < ecrist> Dougy[Work]: what's the hell yeah for? 12:17 < ecrist> bigluks: it should be - if not, your openvpn is broken, or you're not running it as root 12:17 < bigluks> hm 12:17 < bigluks> then is it created during install or during first start of ovpn? 12:21 < Dougy[Work]> ecrist, i got the best motherfriggin pizza 12:21 < Dougy[Work]> <3 Natoli's 12:21 < ecrist> ah 12:23 < ecrist> well, I think they sit a little high, so I might need to adjust them, but i've got my new monitors hooked up to my laptop - it's pretty sweet. 12:31 < ecrist> http://skitch.com/ecrist/2ptm/img00166 12:31 < vpnHelper> Title: Skitch.com > ecrist > My new monitors. (at skitch.com) 12:31 < ecrist> My new monitor setup. 
12:39 < jeev> london 12:39 < jeev> :> 12:39 * jeev feels ashamed because he's using mpd instead of openvpn, since i didn't have time to set up openvpn on my bsd box and linux one is down ;D 12:49 < Dougy[Work]> jeev 12:49 < Dougy[Work]> i'm going to hit you 12:51 * Dougy[Work] wants to go to london 13:01 < jeev> heh 13:05 < Dougy[Work]> haha 13:05 < Dougy[Work]> ssh tunneling for IRC is fun 13:05 < jeev> heh 13:06 < jeev> i'm vpn'd 13:06 < Dougy[Work]> ecrist, i signed up for that shell place when you told me to 13:06 < Dougy[Work]> that day 13:06 < jeev> then RDP 13:06 < Dougy[Work]> still no email 13:06 < Dougy[Work]> i want a vpn 13:06 < Dougy[Work]> just nowhere to put it 13:47 < SilenceGold> then get one from me 13:47 < SilenceGold> :) 13:49 < ecrist> jeev - ssh + screen + irssi ftw 13:49 < ecrist> SilenceGold: did you see my screen layout, above? 13:49 < ecrist> screen as in monitors, not the binary 13:49 < SilenceGold> yea 13:49 < SilenceGold> kind of too high 13:49 < ecrist> :) 13:50 < SilenceGold> I'm the type of person who likes to lay back and rest my feet on the wall 13:50 < SilenceGold> those monitors would be sort of too high but yea, it's nice 13:52 < Dougy[Work]> yeah 13:52 < Dougy[Work]> my monitors are straight in front of me 13:52 < Dougy[Work]> not raised at all 13:52 < Dougy[Work]> er 13:52 < Dougy[Work]> s/monitors/monitor 13:52 < SilenceGold> right 13:52 < SilenceGold> mine is except on its own stand 13:52 < Dougy[Work]> i've never used a dual monitor set up 13:52 < SilenceGold> and tilted downward slightly 13:52 < Dougy[Work]> my boss has quad 13:52 < SilenceGold> ah 13:53 < SilenceGold> mine is 3 monitor 13:53 < SilenceGold> one is horizontal while the two others are vertically on each side of the middle 13:53 < Dougy[Work]> NOC monitor, other one is uptime monitoring, two personal 13:53 < Dougy[Work]> it goes 13:53 < Dougy[Work]> NOC (link health, etc), Personal, Personal, Uptime 13:53 < Dougy[Work]> / - - \ 13:53 < Dougy[Work]> like that 
13:54 < ecrist> I like my three monitor setup 13:54 < ecrist> SilenceGold: I just don't have the room for all three side-by-side. 13:54 < SilenceGold> btw, did any of you see my response on the openvpn's mailing list? 13:54 * ecrist isn't on the mailing list. 13:54 < SilenceGold> it's a laptop that is outputting to two monitors? 13:54 < ecrist> SilenceGold: yes 13:55 < SilenceGold> oh 13:55 < SilenceGold> I thought it was just an extra computer 13:55 < SilenceGold> what did you use to do that? 13:55 < ecrist> Matrox TripleHead2Go 13:55 < ecrist> connected to my MacBook Pro 13:56 < SilenceGold> oh 13:56 < SilenceGold> nice 13:56 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:56 < ecrist> gonna go eat some lunch with the wife - bbl 14:00 < SilenceGold> the last one: http://sourceforge.net/mailarchive/forum.php?thread_name=48E3B55E.5060000%40googlemail.com&forum_name=openvpn-users 14:00 < vpnHelper> Title: SourceForge.net: openvpn-users (at sourceforge.net) 14:02 < bigluks> any 1 can help to fix these errors? 14:02 < bigluks> http://pastebin.com/m6644ba8 14:03 < SilenceGold> can't help unless it's freebsd 14:03 < bigluks> hm no 14:03 < SilenceGold> just looks like you're not starting it up properly 14:03 < bigluks> debian lenny 14:04 < bigluks> hm but it is existing 14:04 < SilenceGold> there are more flags that you would need to use on the CLI 14:04 < SilenceGold> or rather you need to post your openvpn.conf 14:06 < bigluks> http://pastebin.com/m3ed26449 14:12 < SilenceGold> are you starting it as root? 14:13 < bigluks> sure 14:24 < bigluks> anyone else? 14:44 < bigluks> maybe it has to do with my kernel ?
14:44 < bigluks> trying to run it on an vps 15:34 -!- espacious [i=espaciou@84-255-235-206.static.t-2.net] has joined ##openvpn 15:59 -!- andax [n=andax@3e44a7ec.adsl.enternet.hu] has joined ##openvpn 16:06 -!- andax [n=andax@3e44a7ec.adsl.enternet.hu] has quit ["Leaving"] 16:08 < Dougy[Work]> hmm 16:08 < Dougy[Work]> found the best pizza in the area 16:17 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 16:18 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 16:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:21 < krzie> bigluks 18:22 < krzie> your problem is tun isnt being made, and you use a vps? 18:22 < krzie> have you checked that the tuntap module is loaded in kernel? 18:41 < krzie> !dow 18:41 < vpnHelper> krzie: Error: "dow" is not a valid command. 18:41 < krzie> oops 19:05 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 19:36 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has quit [Remote closed the connection] 19:54 -!- mmcgrath [n=mmcgrath@67-207-142-96.slicehost.net] has quit [Read error: 113 (No route to host)] 19:55 -!- justdave_ is now known as justdave 20:31 < ecrist> evening, folks 20:32 < ecrist> krzie: did you see the link above for my new monitors on my laptop? 20:41 < ecrist> !doh 20:41 < vpnHelper> ecrist: Error: "doh" is not a valid command. 
21:17 < krzee> hehe !dow is for stock quotes, forgot i wasnt in #ronpaul 21:18 < krzee> i use that bot to watch the dow and metals (!metals) 21:41 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 22:45 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 23:21 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] --- Day changed Mon Oct 13 2008 00:10 -!- bigluks [i=Rush@e180069010.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 00:33 -!- ico2 [n=ico2@rps945.ovh.net] has joined ##openvpn 00:33 < ico2> hi 00:34 -!- abchirk [n=rapunzel@cl-2502.ham-01.de.sixxs.net] has quit [Read error: 101 (Network is unreachable)] 00:34 < ico2> is it possible for 1 client and 1 server to using multiple connections? I have performance trouble with single connections (also true with other protocols) 00:35 < ico2> *use 00:36 < krzee> ico2, huh? 00:36 < ico2> krzee, i want to use several tcp connections for the same VPN connection 00:37 < krzee> i dont get how that could possibly make sense 00:37 < krzee> ecrist, your new monitor setup is AWESOME 00:38 < ico2> krzee, ok, let me try again 00:39 < krzee> before you use tcp, be sure to read this 00:39 < krzee> !tcp 00:39 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 00:39 < krzee> and no, a single connection uses a single stream, otherwise it would be inefficient 00:39 < ico2> i'll take a look and see if my uni blocks UDP 00:40 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 00:40 < krzee> it wont be blocking udp on port 53 00:41 < ico2> krzee, yep it works 00:41 < ico2> i'll just get to reconfiguring my VPN 00:41 < ico2> thanks very much, hope this improves it 00:41 < krzee> in my experience its far better using tcp 00:41 < krzee> also be sure to use keepalives and whatnot 00:45 < krzee> !sample 00:45 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 00:45 < krzee> keepalive 10 120 00:45 < krzee> persist-key 00:45 < krzee> persist-tun 00:45 < krzee> also, you using comp-lzo? 00:45 < krzee> that adds compression to your packet streams 00:49 -!- ico2 [n=ico2@rps945.ovh.net] has quit [Read error: 104 (Connection reset by peer)] 00:49 -!- ico2_ [n=ico2@rps945.ovh.net] has joined ##openvpn 00:49 < ico2_> right, outgoing UDP traffic from this connection works, but not incoming 00:50 < ico2_> it's annoying because these are 2 very fast connections that aren't being fully utilised 00:51 < krzee> if a connection is made both directions are working 00:51 < ico2_> krzee, so openvpn doesn't work 00:51 < ico2_> there is no connection made, for that reason 00:51 < krzee> oh are you saying a firewall is blocking udp? 00:51 < ico2_> correct 00:51 < ico2_> i think 00:52 < krzee> what is your first language? 00:52 < ico2_> english, i'm just lazy and it's later 00:52 < ico2_> *late 00:52 < krzee> oh lol 00:52 < krzee> you tried port 53? 00:52 < ico2_> yep 00:52 < krzee> easy enough to test if outgoing port 53 works, query a nameserver 00:52 < ico2_> i already tested outgoing 00:52 < krzee> try this 00:52 < ico2_> it works 00:52 < ico2_> incoming doesn't 00:53 < krzee> umm 00:53 < krzee> where is the server? 
00:53 < krzee> home or uni 00:53 < ico2_> server is a VPS hosted by OVH 00:53 < ico2_> client is at uni 00:53 < krzee> when you initiate the outbound connection, a path back is made 00:53 < krzee> and if your test worked, then the packets made it back in 00:54 < krzee> ok so is your server using a firewall? 00:54 < ico2_> server has no firewall 00:55 < krzee> and you restarted the server listening on udp 53 00:55 < krzee> then started the client connecting to udp 53 00:55 < ico2_> yes 00:55 < ico2_> i'll try it again, 1 moment 00:55 < krzee> if your test worked, that would work too 00:56 < krzee> you see, your test requires packets to come through port 53 too 00:56 < krzee> try host ircpimps.org ns1.doeshosting.com 00:56 < krzee> so you query that NS and not the local one 01:00 -!- ico2 [n=ico2@rps945.ovh.net] has joined ##openvpn 01:01 -!- ico2_ [n=ico2@rps945.ovh.net] has quit [Read error: 104 (Connection reset by peer)] 01:01 < ico2> ok, when i use port 7045 and udp, the server says "received initialisation packet" and nothing else happens, tun device not created on client 01:01 < ico2> when i use port 53, no connection at all 01:01 < ico2> so there's definitely no way to load balance between several tcp connections? 01:01 < krzee> that would be a terrible setup 01:01 < krzee> and there could be a way, but it would have nothing to do with openvpn 01:02 < krzee> it would just be load balancing 01:02 < krzee> and would be completely pointless 01:02 < ico2> it would solve this problem 01:02 < krzee> no, it wouldnt 01:02 < ico2> how so? 01:02 < krzee> if 1 tcp connection is breaking down, all of them would 01:02 < ico2> no 01:02 < ico2> the same thing happens with http, ftp, etc 01:03 < krzee> and youd be load balancing over a bunch of failing tcp connections 01:03 < krzee> no 01:03 < krzee> !tcp 01:03 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 01:03 < ico2> a single connection can only use a small portion of the bandwidth for some reason 01:03 < ico2> multiple ones would solve the problem 01:03 < krzee> read that doc to understand the breakdown of reliability when tunneling tcp over tcp 01:03 < ico2> it isn't an openvpn issue 01:03 < ico2> krzee, i understand that 01:03 < krzee> *shrug* 01:03 < krzee> openvpn is not made for what you're talkin bout 01:03 < ico2> krzee, :( 01:03 < krzee> can you make multiple connections from 1 machine to openvpn, sure 01:04 < ico2> hmmm 01:04 < ico2> I suppose I'll just put some services through different tunnels 01:04 < krzee> can you then do something totally outside of openvpn to balance outbound connections between multiple network connections, sure 01:04 < krzee> *shrug* 01:04 < ico2> hmmm 01:04 < krzee> very funny setup 01:04 < krzee> enjoy that 01:04 < krzee> haha 01:05 < ico2> lol 01:05 < krzee> im going back to my manual im reading 01:05 < ico2> it's a problem lots of people are complaining about with my VPS host 01:05 < ico2> anyway, thanks very much 01:05 -!- ico2 [n=ico2@rps945.ovh.net] has left ##openvpn ["..."] 01:05 < krzee> then maybe your vps is filtering udp 02:00 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 02:12 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 02:47 -!- gewuerzwiesel [n=gewuerzw@unaffiliated/gewuerzwiesel] has joined ##openvpn 02:47 < gewuerzwiesel> hi 02:50 < krzee> hey 02:51 < gewuerzwiesel> I have a question about routing with openvpn :) 02:52 < krzee> ... 02:53 < gewuerzwiesel> at home I have some networks (eth0 = wiredlan, ath = wireless) , i set up all the iptables rules, so atm eth0 clients can use everything inside eth0 and to the intern at ppp0, wireless users at ath0 can just use dhcp and ssh to eth0, and every port to ppp0 02:54 < gewuerzwiesel> so, now i set up a tap0 openvpn device, and I set the rules for tap0.
every user should now reach everything (eth0 and internet) 02:54 < gewuerzwiesel> but, I dont know what I need now, to get the ovpn clients working...I tried some configs, but all I got was a connection to the openvpn server.. 02:55 < gewuerzwiesel> do i need routes in the ovpn config, even if i set them up in the iptables rules? 02:55 < krzee> bridge or routed? 02:55 < gewuerzwiesel> thats my second question :) to realize what I planned, do I need tap or tun :) 02:56 < krzee> i have no clue what you're aiming for 02:57 < gewuerzwiesel> i want to allow wireless users at ath0 just to use internet, and only ssh to the lan 02:57 < gewuerzwiesel> if they use ovpn, they are allowed to reach every local network 02:57 < krzee> so the wifi users must openvpn to server to reach inet? 02:57 < krzee> server being the router? 02:57 < gewuerzwiesel> right 02:58 < krzee> !local 02:58 < vpnHelper> krzee: Error: "local" is not a valid command. 02:58 < krzee> grr, 1 sec 02:58 < krzee> !man 02:58 < gewuerzwiesel> hehe :) 02:58 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 02:58 < krzee> ill find it 02:59 < krzee> !learn local as --redirect-gateway [local] [def1] Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. 02:59 < vpnHelper> krzee: Error: "local" is not a valid command. 02:59 < gewuerzwiesel> I think, at first I should know if I have to use tun or tap for that solution, then I can try to find the right config. I dont want to spend time on configuring the wrong device :) 02:59 < krzee> tun 02:59 < gewuerzwiesel> ok 02:59 < krzee> mostly its a normal setup 03:00 < krzee> just redirect-gateway through the vpn 03:00 < krzee> make sure you use local 03:00 < krzee> (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
03:00 < krzee> (2) Delete the default gateway route. 03:00 < krzee> (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified). 03:00 < krzee> When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored. 03:00 < krzee> Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above to be omitted. 03:00 < krzee> Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 03:00 < krzee> Using the def1 flag is highly recommended, and is currently planned to become the default by OpenVPN 2.1. 03:00 < krzee> thats from the man page about what redirect-gateway does 03:01 < krzee> youll need your server NATing the vpn ips 03:01 < krzee> !nat 03:01 < gewuerzwiesel> ok, I thought using redirect-gateway, the client will send all traffic over the vpnserver? 03:01 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect 03:01 < krzee> yes 03:01 < gewuerzwiesel> hm... 03:01 < krzee> which is what you want 03:01 < krzee> isnt it? 
03:01 < gewuerzwiesel> yes 03:01 < gewuerzwiesel> for the wireless clients at home, that would be correct 03:01 < krzee> thats why i said that ;] 03:02 < gewuerzwiesel> but the next step would be to use the ovpn to connect to the home network from outside 03:02 < krzee> that would listen on another ip 03:02 < krzee> and be configured differently 03:02 < gewuerzwiesel> ok 03:02 < krzee> well 03:02 < krzee> doesnt HAVE to be same ip 03:02 < krzee> could be different port 03:03 < krzee> !route 03:03 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 03:03 < gewuerzwiesel> ok...so I need one ovpn server for home and one for connections from outside? 03:03 < krzee> that will help when it comes to connecting the lans too 03:03 < krzee> yup, 2 ovpn instances 03:03 < gewuerzwiesel> ah ok 03:03 < krzee> you could get around that, but this way its easier 03:03 < krzee> and just as good 03:03 < krzee> if not better because its easier 03:04 < gewuerzwiesel> hehe ok :) 03:06 < krzee> in fact 03:06 < krzee> after you setup the local wifi part 03:07 < krzee> would you be against making a writeup on our wiki?
03:07 < krzee> that is a cool setup that i think many could benefit from your experience when you finish 03:08 < gewuerzwiesel> yes, if everything is working then :) 03:09 < krzee> nice 03:10 < krzee> well i think you meant yes you would be willing to write it 03:10 < krzee> as opposed to yes youd be against it, lol 03:10 < krzee> !sample 03:10 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 03:10 < gewuerzwiesel> lol :( yes 03:10 < krzee> that should give you an idea of a simple setup 03:10 < krzee> !ssl-admin 03:10 < vpnHelper> krzee: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 03:11 < krzee> thats a nice alternative to easy-rsa 03:11 < krzee> and of course the howto is invaluable 03:12 < krzee> im gunna head back to my book on c, feel free to ask more stuff and ill answer when i come back to this window 03:12 < gewuerzwiesel> Those who can read have a clear advantage... :) 03:12 < krzee> (ebook) 03:12 < krzee> haha yup 03:13 < krzee> from your current setup i know you read docs 03:13 < gewuerzwiesel> ok, thx for the help :) 03:13 < krzee> np 03:16 -!- disco- [i=disco@discomb0bulated.com] has quit [Remote closed the connection] 03:21 -!- disco- [i=disco@discomb0bulated.com] has joined ##openvpn 03:47 -!- [SURFnet]Auke [n=auke@x154.flex.surfnet.nl] has joined ##openvpn 04:35 -!- dmarkey [n=dmarkey@79.97.241.103] has joined ##openvpn 04:37 < dmarkey> im having a routing problem 04:38 < dmarkey> say im a road warrior wanting to VPN into the 147.252.0.0 subnet 04:38 < dmarkey> but my openVPN's server was actually in the 147.252.0.0 subnet 04:42 < dmarkey> so i want to keep my old route for getting to the VPN server but i want to use the new VPN route for everything else 04:43 < dmarkey> is anyone familiar with my problem?
04:49 -!- [SURFnet]Auke [n=auke@x154.flex.surfnet.nl] has quit ["Leaving"] 04:50 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn 04:50 -!- AukeF is now known as [SURFnet]Auke 05:01 < krzee> !def1 05:01 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 05:01 < krzee> so you are trying to hand out ips from the vpn servers assortment of ips? 05:02 < krzee> if so you want topology subnet 05:02 < krzee> !/30 05:02 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 05:03 < krzee> but tbh im not fully understanding your problem 05:03 < krzee> so if those dont help i may not know what you're looking for 05:09 < dmarkey> so i push "redirect-gateway def1 bypass-dhcp" 05:09 < dmarkey> but i dont want all the traffic going through the VPN, just 147.252.0.0 255.255.0.0 05:32 < dmarkey> is this possible? 06:13 < krzee> yup 06:13 < krzee> but what ips are you giving to vpn clients? 06:14 < dmarkey> 10.0.1.0/255 06:14 < krzee> ahh then ya 06:14 < krzee> you just push the route to the clients 06:16 < krzee> check if that kills your route to the server 06:16 < krzee> if it does, push routes for all ips but the server 06:16 < krzee> it'll take more routes, but can be done 06:16 < dmarkey> but the VPN servers external address is 147.252.1.1 and i give the clients a route add 147.252.0.0 255.255.0.0 10.0.1.2 they lose connectivity with the VPN server because the route doesnt exist anymore!
06:17 < dmarkey> oh right 06:17 < dmarkey> that sounds like a lot of work, why can i just specify the route to the VPN server as a route via the old default route 06:20 < krzee> well what you're asking about is pretty non standard 06:20 < krzee> if you always knew the ip of the lan's router you could do it 06:20 < krzee> by just adding a route for the single ip 06:20 < dmarkey> hmm.. but i wont 06:20 < krzee> right 06:20 < krzee> which is why you gotta do what i said 06:20 < krzee> or code in the option you are hoping for 06:21 < dmarkey> but it works with def1 06:21 < krzee> of course it does 06:21 < krzee> did you see what def1 does? 06:22 < dmarkey> yes 06:22 < dmarkey> so i need it to do the 1st part, but not set the default route 06:22 < krzee> (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop. 06:23 < krzee> right, so you know where to add your code 06:23 < krzee> youd make another flag for --redirect-gateway 06:24 < krzee> like --redirect-gateway subnet 06:24 < krzee> or whatever you decide to call it 06:24 < dmarkey> hmm 06:24 < dmarkey> this is meant for a production system! 06:24 < krzee> well your options are known by you 06:24 < krzee> you just dont wanna hear it 06:25 < dmarkey> also, im having problems with tunnelblick not wanting to set my routes 06:25 < dmarkey> you know much about it? 06:25 < krzee> heh, i never had tunnelblick start openvpn without crashing 06:25 < krzee> i just tossed a .command to start openvpn for me 06:25 < krzee> and tossed it in a stacks 06:25 < dmarkey> but it seems to be an openvpn issue 06:26 < dmarkey> it doesnt like the syntax its getting its routes from the server 06:26 < krzee> can openvpn add the routes without tunnelblick? 
06:26 < dmarkey> i would have thought so 06:26 < krzee> why would you think its an openvpn problem if you havnt tested openvpn 06:27 < dmarkey> because the logs are just the output from openvpn 06:27 < krzee> well 06:27 < krzee> test openvpn 06:28 < krzee> btw script files ending in .command are executed by double clicking 06:28 < krzee> (or single clicking in stacks) 06:29 < dmarkey> ok, the error is the same 06:30 < krzee> k 06:30 < krzee> !logs 06:30 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 06:30 < dmarkey> im using the openvpn packaged with tunnelblick 06:30 < krzee> !configs 06:30 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 06:30 < krzee> ohh 06:30 < krzee> are they same version? 06:30 < dmarkey> 2.0.9 yes 06:31 < dmarkey> push "route 10.0.0.0 255.255.255.0" doesnt work 06:31 < dmarkey> push "route 10.0.0.0 255.255.255.0 10.8.1.2" 06:31 < dmarkey> does 06:32 < krzee> !configs 06:32 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 06:32 < dmarkey> ok, gimme a sec 06:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:40 -!- dmarkey_ [n=dmarkey@79.97.241.103] has joined ##openvpn 06:41 -!- dmarkey [n=dmarkey@79.97.241.103] has quit [Read error: 104 (Connection reset by peer)] 06:41 < dmarkey_> http://pastebin.com/m2054547d server 06:41 < dmarkey_> 2.0.9 centos52 06:43 < dmarkey_> http://pastebin.com/d6e4f9eaa client 06:43 < dmarkey_> MacOSx Leopard 06:43 < krzee> dont mix tun and tap 06:43 < krzee> your client is using tap 06:44 < krzee> make it tun 06:45 < dmarkey_> schoolboy error 06:45 < krzee> ya it happens 06:45 < krzee> second set of eyes come in handy 06:49 < dmarkey_> excellent 06:49 < dmarkey_> working, tunnelblick and all! 
06:49 < krzee> right on 06:49 < dmarkey_> You know much about viscosity 06:49 < dmarkey_> money grabbing bastards 06:49 < krzee> i know about it as related to physics 06:50 < dmarkey_> ha 06:50 < krzee> but the money grubbing thing makes me think thats not it 06:50 < krzee> hehe 06:58 < krzee> oh i see 06:58 < krzee> cool i guess, i prefer running the app from a script 06:58 < krzee> (or commandline) 07:03 < krzee> btw for your patch 07:03 < krzee> that i was referring to 07:03 -!- BigLuks [i=8d48c5f3@gateway/web/ajax/mibbit.com/x-fba9fb3f31bcf8e2] has joined ##openvpn 07:03 < BigLuks> hi again 07:03 < krzee> all youd need to do is create an option for --redirect-gateway that only does #1 07:03 < BigLuks> hmm 07:03 < krzee> then your push wouldnt override the route 07:04 < krzee> hey BigLuks 07:04 < BigLuks> how do i check if the module for the tun / tap device is in my kernel? 07:04 < BigLuks> hiho krzee 07:04 < krzee> what os? 07:04 < BigLuks> debian 07:04 < BigLuks> etch 07:04 < krzee> i think lsmod in linux 07:04 < krzee> im more of an osx/bsd guy 07:04 < BigLuks> hrhr 07:04 < BigLuks> wtf 07:04 < BigLuks> lsmod: QM_MODULES: Function not implemented 07:04 < BigLuks> omg 07:05 < krzee> vps? 07:05 < BigLuks> yeah 07:05 < krzee> you dont get kernel control 07:05 < krzee> the admin must load it 07:05 < BigLuks> no dont think so 07:05 < krzee> you dont 07:05 < BigLuks> but it had worked in the past 07:05 < krzee> otherwise ild load a kernel module to break from the vps 07:06 < BigLuks> not worked at all but it had created the tun device 07:06 < krzee> they may have upgraded the kernel and not built tuntap 07:06 < krzee> if it didnt work it may not have fully created tun 07:06 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn 07:06 < BigLuks> oh noes 07:07 < BigLuks> i`ll smack them up *sfg* 07:07 < krzee> oh hey dmarkey_ 07:07 < krzee> i just saw something in the manual 07:07 < krzee> look under --route 07:07 < krzee> see net_gateway 07:07 < BigLuks> ?
07:07 < BigLuks> route what? 07:08 < krzee> dmarkey_ not you 07:09 < krzee> dmarkey_, you can prolly use net_gateway to push the route to the server to go over net_gateway, then push a route to the network to go over vpn 07:10 < krzee> http://www.eukhost.com/forums/f29/openvpn-linux-vps-667/ 07:15 < krzee> try modprobe tun 07:16 < BigLuks> it says: 07:16 < BigLuks> modprobe: Can't open dependencies file /lib/modules/2.6.9-023stab046.2-smp/modules.dep (No such file or directory) 07:16 < krzee> 1. load kernel module 'tun' (modprobe tun) 07:16 < krzee> 2. VPSs by default have no access to tun/tap devices. To allow them to do so, exec: 07:16 < krzee> [root@ts ~]# vzctl set VPSID --devices c:10:200:rw --save 07:16 < krzee> [root@ts ~]# vzctl enter VPSID 07:16 < krzee> entered into VPS VPSID 07:16 < krzee> bash-3.00# mkdir /dev/net 07:16 < krzee> bash-3.00# mknod /dev/net/tun c 10 200 07:16 < krzee> assuming they're even built on your system 07:17 < BigLuks> -bash: vzctl: command not found 07:18 < krzee> not you 07:18 < krzee> the owner of the box 07:18 < krzee> assuming they even built and loaded tuntap 07:18 < BigLuks> ah rofl ok so my hoster must do that 07:18 < BigLuks> ^^ 07:18 < krzee> you dont have kernel access 07:18 < BigLuks> damn 07:18 < BigLuks> :D 07:19 < BigLuks> ok thx 07:21 < krzee> np 07:21 < krzee> bed time 07:21 < krzee> later 07:25 -!- jeev [n=email@unaffiliated/jeev] has quit [Read error: 110 (Connection timed out)] 07:42 -!- BigLuks [i=8d48c5f3@gateway/web/ajax/mibbit.com/x-fba9fb3f31bcf8e2] has quit ["http://www.mibbit.com ajax IRC Client"] 07:45 < dmarkey_> krzee: push "route remote_host 255.255.255.255 net_gateway" 07:45 < dmarkey_> genius 08:01 < ecrist> krzee: I thought you were going to bed? ;) 08:21 < ecrist> removing the requirement for SSL on my site has seen a *huge* increase in traffic. 2-3 times more.
08:23 -!- sheldonh [n=sheldonh@ray.starjuice.net] has joined ##openvpn 08:24 < sheldonh> trying to hack in ipv6 support (routing a v6/48 over an ipv6 tunnel). how can i cause an arbitrary command to be executed for a given common name? up isn't allowed in a ccd file :( 08:25 < ecrist> no idea 08:26 < sheldonh> i guess... one openvpn instance per common name, each on a different port, would do it :( 08:31 < sheldonh> i'm using the pam plugin for authentication. can i put something in the config file that insists that this config only be used by a specific user? 08:31 < sheldonh> or do i have to completely override authentication with an --auth-user-pass-verify script? 08:33 < sheldonh> hmmm, maybe i can thwart the ccd limitations with --client-connect 08:39 < dmarkey_> ecrist: why the increase in traffic? 08:40 < ecrist> dmarkey_: I think because my SSL cert is self-signed, many people simply wouldn't visit it. 08:40 < ecrist> or were scared away due to firefox's draconian error messages. 08:40 < dmarkey_> oh right, i thought you were talking about an openvpn setup 08:46 < sheldonh> schweet, client-connect can be abused the way i want :) 08:48 < sheldonh> i think i'm specifying my /48 wrong 08:54 < sheldonh> meh, too much thinking. i think i'll wait for openvpn to grow ipv6 support :( 08:54 -!- sheldonh [n=sheldonh@ray.starjuice.net] has quit ["Terminated with extreme prejudice - dircproxy 1.0.5"] 08:55 -!- sheldonh [n=sheldonh@ray.starjuice.net] has joined ##openvpn 08:56 < sheldonh> owch 08:56 < sheldonh> meh, too much thinking.
i think i'll wait for openvpn to grow ipv6 support :) 08:58 < sheldonh> the faq mentions ipv6 support coming post-2.0, and i assumed that included the 2.1release candidate i have 09:22 < gamla_kossan> hi guys 09:22 < gamla_kossan> I'm getting this problem when I want to start openvpn on my pfsense box: 09:23 < gamla_kossan> openvpn[2329]: Cannot load private key file /var/etc/openvpn_server0.key: error:0906A068:PEM routines:PEM_do_header:bad password read: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib 09:23 < gamla_kossan> only thing is, I don't ever get prompted for a password. anyone have a clue? 09:24 < js_> after a few minutes my openvpn connection dies and tries to reconnect.. i have no idea why 09:24 < gamla_kossan> js_: checked your logs? 09:25 < js_> yes, says the connection times out 09:25 < gamla_kossan> checked your logs on your client host? 09:29 < js_> yeah, that's what i checked 09:32 < js_> strangely enough its been stable now for 16 minutes 09:32 < js_> must be a record 10:02 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:11 -!- kim0 [n=kimoz@unaffiliated/kim0] has quit [Remote closed the connection] 10:15 -!- sheldonh [n=sheldonh@ray.starjuice.net] has left ##openvpn ["http://starjuice.net/"] 10:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 11:28 -!- ikevin [n=kevin@ANancy-256-1-167-138.w90-56.abo.wanadoo.fr] has joined ##openvpn 11:28 -!- ikevin [n=kevin@ANancy-256-1-167-138.w90-56.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)] 11:33 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:55 < ecrist> js_: shoddy internet connection, or firewall that's killing 'state' on the udp connection during periods of inactivity. 
11:58 -!- Irssi: ##openvpn: Total of 37 nicks [0 ops, 0 halfops, 0 voices, 37 normal] 12:32 -!- Dryanta [i=dryanta@dev.hockingits.com] has joined ##openvpn 12:32 < Dryanta> awesome here i am 12:33 < ecrist> hey Dryanta 12:33 < Dryanta> hola 12:33 < ecrist> !freebsd 12:33 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 12:33 < Dryanta> i hope this works better than fuckin ipsec 12:33 < ecrist> start there, walks you through most of the setup 12:33 < Dryanta> ipsec gives me heartburn 12:33 < ecrist> ditto 12:36 < Dryanta> that is totally awesome that you are a pro mang, because i am having some major vpn issues lulz 12:36 < Dryanta> they will all be resolved shortly, im going to a private mpls network, but for the time being its teh bad hahah 12:39 < Dryanta> hmm i just installed the port 12:39 < Dryanta> typed rehash 12:39 < Dryanta> and /usr/local/etc/openvpn/ is not there 12:40 < ecrist> Dryanta: you have to create that directory. 12:41 < Dryanta> ah hah 12:41 < Dryanta> reading would help hah 12:55 < Dryanta> ouch 12:56 < Dryanta> 53646:error:0E065068:configuration file routines:STR_COPY:variable has no value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:629:line 73 12:56 < Dryanta> OpenSSL exited with errors. Please read above and address the problems indicated. at ./ssl-admin.pl line 198, <> line 4. 12:58 < ecrist> is this on FreeBSD? 13:00 < ecrist> if so, install the ssl-admin port, /usr/ports/security/ssl-admin 13:09 -!- bandini [n=bandini@host51-6-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn 13:13 < Dryanta> installed that port still erroring out 13:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:16 < ecrist> hrm 13:16 < Dryanta> same error 13:16 < Dryanta> on fbsd 7 13:16 < ecrist> can you copy all of the output to pastebin? 13:17 < Dryanta> yah 13:18 < Dryanta> http://pastebin.ca/1226066 13:25 < Dryanta> watcha think? 
13:26 < ecrist> looking now 13:27 < ecrist> you didn't edit /usr/local/etc/openvpn/ssl/prog/openssl.cnf 13:28 < Dryanta> in the howto it just says to edit ssl-admin.pl 13:30 < ecrist> Dryanta: the freebsd port is more up to date 13:30 < ecrist> you only edit /usr/local/etc/ssl-admin/ssl-admin.conf and the openssl.cnf file 13:30 < ecrist> type rehash, and you'll see ssl-admin is in your path, too. Also, there are man pages. ;) 13:30 < Dryanta> hmm 13:31 < ecrist> type rehash, then 'which ssl-admin' 13:31 < ecrist> what's it output? 13:32 < Dryanta> the output for ssl-admin off the path aside from the perl script throws an error for a missing config file 13:32 < Dryanta> /usr/local/etc/ssl-admin/ssl-admin.conf 13:32 < Dryanta> is there a .example or same syntax as for the perl script? 13:32 < ecrist> ok, cd /usr/local/etc/ssl-admin and what do you see? 13:32 -!- Heston [n=heston@unaffiliated/heston] has joined ##openvpn 13:32 < ecrist> should be a .dist or similar 13:33 < ecrist> also, as I said above, there is a man page for ssl-admin and ssl-admin.conf 13:35 < Dryanta> ah ok i edited the ssl-admin.conf 13:35 < Dryanta> now its throwing an error about an extension 13:35 < ecrist> and edit openssl.cnf 13:35 < Heston> Ok, so im on Kubuntu 8.04.1, I installed the OpenVPN package, moved the easy-rsa directory to /etc/openvpn, but after having edited and run ". ./vars", and then run "sudo ./clean-all" It tells me to source ./vars again 13:36 < Dryanta> edit it to what? it doesnt seem to need editing 13:37 < ecrist> Dryanta: have you read the variable values in that file? they're descriptive, not actual. 13:37 < Dryanta> or are the $ not real variables? 13:37 < Dryanta> ah hah 13:37 < Heston> Dryanta, edited for location details 13:37 < Dryanta> ok 13:37 < Heston> oh, my bad 13:39 < Dryanta> i edited ssl-admin.conf but cannot find a manpage for openssl.conf 13:39 < ecrist> Dryanta: there isn't one, let me look where the file should be.
13:40 < Dryanta> ecrist: much thanks brotato ;) 13:40 < ecrist> Dryanta: nm, you don't have to edit that file. sheesh, I wrote the program and _I'm_ getting confused. 13:41 < Dryanta> heheh 13:41 < Dryanta> ill pastebin the new error 13:41 < ecrist> kk 13:42 < Dryanta> http://pastebin.ca/1226091 13:43 < ecrist> can you paste your ssl-admin.conf file (privately to me, if you'd prefer) 13:46 < ecrist> Dryanta: it might be because your CRL URI is empty 13:46 < ecrist> without that, I don't think v3 works 13:46 < Dryanta> i thought it said that was optional 13:47 < Dryanta> hmm ok 13:47 < Dryanta> one sec 13:49 < krzee> [09:24] trying to hack in ipv6 support (routing a v6/48 over an ipv6 tunnel). how can i cause an arbitrary command to be executed for a given common name? up isn't allowed in a ccd file :( 13:49 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:49 < krzee> haha 13:49 < krzee> an up script can check for common name 13:50 < krzee> and do diff stuffs depending on it 13:50 < Dryanta> lulz im still not used to seeing /48 hahahah 13:50 < Dryanta> i have no v6 skillz 13:53 < Dryanta> ok it is teh work now ecrist 13:54 < Dryanta> http://walmart.ca/wps-portal/storelocator/Canada-HealthAndBeauty.jsp?selection=listingDetails&page=hb&lang=null&assetId=11726&imageId=39726&suggestedItem=&priceType=1&page=null&departmentId=14&categoryId=193 13:54 < vpnHelper> Title: Welcome to Wal-Mart CanadaUntitled Document (at walmart.ca) 13:54 < Dryanta> hah 13:55 -!- gewuerzwiesel [n=gewuerzw@unaffiliated/gewuerzwiesel] has left ##openvpn [] 13:56 -!- Heston [n=heston@unaffiliated/heston] has left ##openvpn ["Leaving"] 13:56 < krzee> [09:01] krzee: I thought you were going to bed? ;) 13:56 < krzee> hehehe 13:56 < krzee> i was asleep when you wrote that ;] 13:58 < ecrist> ah 14:05 < Dryanta> is a .csr different than a .crt? 
14:06 < Dryanta> because i noticed after i made my ca 14:07 < Dryanta> that my ls didnt have a server.crt and a server.key 14:07 < Dryanta> so i made a key with my username, and have a uname.crl and a uname.key 14:07 < Dryanta> do i just copy those over to the ssl/active and reference them in the openssl config file? 14:08 < krzee> csr is a cert signing request 14:08 < krzee> then the CA signs it and gives you a crt 14:08 < Dryanta> i dont have a crt, just a key 14:08 < krzee> then you havnt made client certs yet 14:09 < krzee> oh 14:09 < krzee> server certs rather 14:09 < krzee> oh bleh thats a ssl-admin question 14:09 < krzee> my bad thats for ecrist to answer 14:09 < Dryanta> ah 14:09 < krzee> i just woke up 14:09 < Dryanta> i just got it 14:09 < Dryanta> i think 14:18 < ecrist> Dryanta: when ssl-admin is done with the certificates, they are stored in ../active/ 14:18 -!- stack_smasher [n=droopy@122.167.127.172] has joined ##openvpn 14:19 -!- bandini [n=bandini@host51-6-dynamic.6-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:20 < Dryanta> ecrist: ok i got that 14:21 < Dryanta> i just pointed my openssl.conf to look at /usr/local/etc/ssl-admin 14:21 < Dryanta> now when i try to start (i know something is messed up, just wanna look at the log) it doesnt log 14:21 < Dryanta> how do i run it in the foreground? 14:24 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 14:25 < krzee> have you read !ssl-admin 14:25 < krzee> ? 14:26 < Dryanta> !ssl-admn 14:26 < vpnHelper> Dryanta: Error: "ssl-admn" is not a valid command. 
14:27 < krzee> !ssl-admin 14:27 < vpnHelper> krzee: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:27 < Dryanta> krzee: ssl-admin is done 14:27 < Dryanta> im looking how to run openvpn in foreground 14:27 < Dryanta> already signed certs and made an openvpn conf file 14:27 < krzee> !man 14:27 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 14:27 < Dryanta> need to run in foreground 14:28 < Dryanta> theres so many damn flags, thats why i asked :P 14:28 < krzee> btw it should log to syslog 14:28 < Dryanta> its not 14:28 -!- Heston [n=heston@unaffiliated/heston] has joined ##openvpn 14:29 < krzee> it naturally starts in foreground 14:29 < krzee> unless you use --daemon 14:29 < krzee> which naturally logs to syslog 14:29 < krzee> unless you use --log 14:29 < krzee> see --daemon and --log for explanation 14:29 < Dryanta> im talking about off the rcfile 14:30 < Dryanta> the rcfile would daemonize it i imagine 14:30 < Heston> Hello, im trying to run openvpn after configuring it, however im getting this error message http://rafb.net/p/VJlbZI93.html 14:30 < vpnHelper> Title: Nopaste - No description (at rafb.net) 14:31 < Heston> The file in question does exist at /etc/openvpn/easy-rsa 14:32 < Heston> Should dh1024.pem be moved to /etc/openvpn ? 14:34 < krzee> should be in whatever dir you tell it to be in in the config 14:34 < krzee> !sample 14:34 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 14:34 < krzee> dh /home/krzee/vpn/keys/server-ca/dh4096.pem 14:35 < Dryanta> well now openvpn is working 14:35 < Heston> ah ok, i think i misunderstood what needed to be changed 14:40 * ecrist goes home 14:52 < Dryanta> ok so now i have the server listening on 1194 14:53 < Dryanta> so for the client the only difference in the config is client instead of daemon?
14:53 < Dryanta> how do i tell it which server to talk to? 14:56 < Dryanta> ok i think i could use the example at the end of the config file, simple tunnel without security 15:03 < Dryanta> hmmm 15:04 < Dryanta> i used that example 15:04 < Dryanta> cant ping across 15:12 -!- stack_smasher [n=droopy@122.167.127.172] has quit ["Leaving"] 15:12 < Dryanta> ok i can ping across 15:12 < Dryanta> how do i get these fuckers in the rcfile so they start automatically? 15:27 < Dryanta> i fingered it out, workin great 15:29 -!- bandini [n=bandini@79.6.6.51] has joined ##openvpn 15:37 < Heston> how does one quit openvpn safely if started on the command line? 15:37 < Heston> is ^C fine? 15:38 < Dryanta> yah 15:39 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 16:00 -!- bandini [n=bandini@79.6.6.51] has quit ["Ex-Chat"] 16:28 < krzie> ya thats fine 16:28 < Dryanta> hey krzee can you help a nub? 16:28 < krzie> whats up 16:35 -!- kotique [n=Miranda@host-static-89-41-72-115.moldtelecom.md] has joined ##openvpn 16:35 < kotique> hey guys. what's up with openvpn on vista ? 16:35 -!- Heston [n=heston@unaffiliated/heston] has left ##openvpn ["Leaving"] 16:38 -!- kotique [n=Miranda@host-static-89-41-72-115.moldtelecom.md] has quit [Read error: 104 (Connection reset by peer)] 16:40 < krzie> whats up with questions that dont make sense 16:44 -!- kotique [n=Miranda@210.193.50.51] has joined ##openvpn 16:44 < kotique> hey guys 16:50 < krzie> hey 16:50 < krzie> so whats your real question? 16:52 < Dryanta> heheheh 16:52 < Dryanta> hey krzee im having a funky routing issue now that i set up openvpn 16:52 < Dryanta> i have one machine (cor) that sits on two different subnets 16:53 < Dryanta> i set up a 10. 
p2p link between the two 16:53 < krzie> p2p link for the lose 16:53 < Dryanta> set default routes for each subnet on each remote end 16:53 < Dryanta> krzee: umm, p2p links ftw only way my application works 16:54 < Dryanta> i have to route two different subnets 16:54 < Dryanta> from what i understood of the openvpn conf you could only have one netmask 16:54 < Dryanta> and i cant split two disengnious /24s they wont fit in a /23 because they arent adjacent 16:54 < Dryanta> address space wise 16:55 < Dryanta> like for example i have 192.168.62.0/24 and 192.168.75.0/24 16:55 < Dryanta> with other /24 networks in between 16:55 < Dryanta> so how would i route with openvpn, aside from running two instances on different ports? 16:58 < Dryanta> i mean are you picking up what im putting down? 16:58 -!- dmarkey [n=dmarkey@79.97.241.103] has joined ##openvpn 17:00 < krzie> not really 17:00 < Dryanta> huh 17:00 < krzie> you saying a single server has 2 lans behind it? 17:01 < Dryanta> sits on two, yes 17:01 < krzie> and you want to give the client a route to both 17:01 < Dryanta> .61.0/24 .62.0/24 17:02 < Dryanta> no client 17:02 < Dryanta> im just making a tunnel to route over 17:02 < Dryanta> openvpn --remote xx.xx.xx.xx --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --secret key 17:02 < Dryanta> is what i did instead of the whole ca thing 17:02 < krzie> well i know nothing about setting up a tunnel like that 17:03 < Dryanta> i dont need all that, i just need a quick and dirty tunnel over the internet, i dont need clients or anything connecting to it 17:03 < krzie> i prefer to setup secure setups 17:03 < Dryanta> its like 100x more simple 17:03 < Dryanta> lulz, it is secure, it has a key 17:03 < krzie> if its so much more simple why do you have questions?
17:04 < Dryanta> because the manpage entry on this is like two paragraphs, dude i am not a noob to irc help and answer nearly everything in ##freebsd, im not asking you to hold my hand 17:04 < Dryanta> im asking for a different way to skin the cat 17:04 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has joined ##openvpn 17:04 < krzie> right 17:04 < krzie> im just saying ive never considered skinning a cat that way 17:04 < krzie> would be like using a butter knife to skin it ;] 17:04 < edoceo> I have a VPN client in London and a Server in USA, when the London machine connects it thinks the certificate time is not valid - what gives? 17:05 < krzie> but on a normal setup you just push the routes to the clients 17:05 < Dryanta> krzee: i spent more time setting up the ca than i did just figuring out that syntax 17:05 < Dryanta> krzee: thats what im saying, i put in a static route and it no worky 17:05 < krzie> edoceo, run ntpdate on both those machines, and the CA server 17:05 < Dryanta> and ntpd ftw 17:05 < edoceo> Yea - that's what I suggested 17:05 < krzie> edoceo all times are processed in UTC, so one of the machines has a wrong time 17:05 < edoceo> Are the Cert times normalised to UTC? 17:05 < edoceo> Oh - krizie is fast! 17:06 < edoceo> Thanks! 17:06 < Dryanta> edoceo: depends on what your server is set to 17:06 < krzie> np 17:06 < krzie> no it doesnt Dryanta 17:06 < krzie> timezones dont matter 17:06 < Dryanta> certs dont have a timezone on it do they?
17:06 < krzie> UTC 17:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:06 < Dryanta> interesting 17:07 < krzie> tbh im not sure if openssl tosses a tz on certs or not, but i know its all processed in utc 17:07 < Dryanta> well everything can hit the .61 subnet but not .62 when the machine on the other end has both of them in their local routing table 17:07 < Dryanta> makin me scratch mah head 17:07 -!- kotique [n=Miranda@210.193.50.51] has quit [Read error: 110 (Connection timed out)] 17:07 < krzie> Dryanta, maybe consider a proper setup, like this: 17:07 < krzie> !sample 17:07 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 17:08 < krzie> then all you have to do is push 2 routes, like shown here 17:08 < krzie> !route 17:08 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 17:09 < edoceo> krzie: So, if one machine is set to America/Los_Angeles and another is set to Europe/Paris it could cause this issue? 17:09 < edoceo> Certificates were generated today, not more than a few minutes ago 17:09 < Dryanta> hrm 17:09 < Dryanta> edoceo: good reason to use utc 17:09 < Dryanta> instead of local time 17:09 < Dryanta> i only use local time because all my machines are on the west coast 17:10 < Dryanta> second one goes in another tz im going to utc 17:10 < edoceo> I'm only on different times because customer called with issue 32 minutes ago. It's what I suspected - machines are Win32 which defaults to local time (sad) 17:11 < Dryanta> i should set my laptop to utc lulz 17:11 < Dryanta> just to get used to +8 17:12 < edoceo> I'm west coast too, servers are set UTC - was tough to get the hang of.
Then all my new employees had to be trained (slapped) when they would fiddle with it or complain that time was "off" 17:13 < Dryanta> i have a very small dept 17:13 < Dryanta> and the it director is oldskool 17:17 < ecrist> foo 17:18 < krzie> i only use local time because all my machines are on the west coast 17:18 < krzie> i use time local to all my servers 17:18 < krzie> my openvpns on diff timezones have no problems 17:19 < krzie> cause all are correct as compared with UTC 17:20 < krzie> krzie: So, if one machine is set to America/Los_Angeles and another 17:20 < krzie> is set to Europe/Paris it could cause this issue? 17:20 < krzie> no 17:20 < krzie> because its all processed in UTC 17:23 < krzie> as i said 17:23 < krzie> run ntpdate on client and server, and on CA machine 17:23 < krzie> if the machine that was off is the CA machine, you will need to regenerate your certs 17:24 < krzie> if its just a client or server, should fix the problem 17:28 < Dryanta> cool deal 17:28 < Dryanta> i like how my ntp server totally is as accurate as stratum 2 17:33 < Dryanta> im going to give up for the day 17:37 -!- a1fa [n=fiddy@unaffiliated/a1fa] has joined ##openvpn 17:37 < a1fa> hi 17:37 < a1fa> i have a problem with a vista client 17:37 < a1fa> it says it can not find tap-win32 interface 17:37 < a1fa> but the interface is there 17:37 < a1fa> i renamed it to "ovpn" 17:37 < a1fa> same name is referenced in the config 17:37 < a1fa> what gives? 17:39 < a1fa> 2.1 rc12 17:41 < ecrist> Dryanta: I can help you tomorrow afternoon a bit. 17:41 * ecrist takes a nap. 17:42 < krzie> ahh 17:42 < krzie> ya you renamed the interface, now you gotta tell openvpn about that 17:42 < krzie> i dont use windows, but i seen something bout that before 17:50 < krzie> !man 17:50 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 
17:51 < a1fa> vista is driving me bananas 17:51 < krzie> --dev-node node 17:51 < krzie> Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc. If OpenVPN cannot figure out whether node is a TUN or TAP device based on the name, you should also specify --dev-type tun or --dev-type tap. 17:51 < krzie> On Windows systems, select the TAP-Win32 adapter which is named node in the Network Connections Control Panel or the raw GUID of the adapter enclosed by braces. The --show-adapters option under Windows can also be used to enumerate all available TAP-Win32 adapters and will show both the network connections control panel name and the GUID for each TAP-Win32 adapter. 17:51 < a1fa> i wish i can make it look like XP 17:52 < krzie> ya when i still had my tech business i told my clients if they upgraded to vista they had to get a new tech 17:52 < krzie> of course i left the country anyways, so they ended up needing a new tech anyways 17:52 < a1fa> lolz 17:52 < a1fa> which country :) 17:53 < krzie> caribbean 17:53 < krzie> left usa 17:53 -!- Heston [n=heston@unaffiliated/heston] has joined ##openvpn 17:53 < a1fa> ah u lucky dude 17:54 < Heston> I've managed to establish a connection with a client, however he can not ping my local gateway or reach my side of the internet 17:54 < Heston> however i can ping him just fine 17:54 < krzie> Heston check firewalls 17:54 < a1fa> no no no 17:54 < a1fa> check his default gw 17:54 < a1fa> :P 17:54 < a1fa> err are you pinging from same layer2 or layer3 17:54 < a1fa> :P 17:54 < krzie> he wouldnt be able to reply to pings with wrong default gw 17:55 < a1fa> unless he is on same layer2 17:55 < a1fa> :) 17:55 < Heston> he ran route add -host 24.36.127.54 gw 192.168.1.1 and route add default gw 10.8.0.5 17:55 < krzie> ya if hes on same lan he needs to add local flag 17:56 < Heston> 24.36...being my external ip and 192.168.1...being my local GW 17:56 < krzie> Heston, thats just --redirect-gateway def1 17:56 <
Heston> krzie, well forgive me here, i've never done this before 17:57 -!- res|laptop [n=res@pdpc/supporter/student/res2k] has joined ##openvpn 17:57 < Heston> here is the fella that is connected to me 17:57 < Heston> what should we try next? 17:58 < krzie> look at --redirect-gateway in the manpage 17:58 < krzie> !man 17:58 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 17:58 < krzie> !def1 17:58 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:59 < krzie> This option performs three steps: 17:59 < krzie> (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop. 17:59 < krzie> (2) Delete the default gateway route. 17:59 < krzie> (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified). 17:59 < krzie> Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 17:59 < krzie> if i understand you right thats what you need 18:00 < krzie> also, what ips are you pinging to test? 18:00 < krzie> server should ping .6 18:00 < krzie> and .6 should ping .1 18:00 < Heston> yeah, both of those worked 18:00 < krzie> i know ifconfig shows other ips, but thats how it works 18:00 < a1fa> fixxd 18:00 < a1fa> the problem was with interface 18:00 < a1fa> its case sensitive 18:01 < a1fa> vista doesnt allow uppercase int name 18:01 < krzie> alfa, so dev-node worked for you? 
18:01 < krzie> ahh i see 18:01 < Heston> krzie, however he is unable to ping 192.168.1.1 18:02 < Heston> he could ping 10.8.0.1 though 18:04 < krzie> ohhh 18:04 < krzie> ok 18:04 < krzie> read this: 18:04 < krzie> !route 18:04 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 18:04 < krzie> i made a writeup just for this 18:04 < krzie> it aims to be easy to understand, feedback welcome 18:05 < Heston> thank you, ill check it out 18:05 < krzie> see drawing on bottom 18:05 < krzie> to understand the network the example gives 18:06 < krzie> then the writeup explains it all in detail 18:06 < a1fa> remote management sucks 18:06 < krzie> i actually re-did it recently and tried to make it clearer, so pls do give feedback if you have any 18:06 < res|laptop> result w/ redirect-gateway is the same as with manual route setuo 18:06 < res|laptop> *setup 18:06 < krzie> remote management? 18:07 < krzie> alfa: you mean the management interface? 18:07 < krzie> res|laptop, ya didnt know it was the lan behind openvpn that you were aiming for 18:08 < Heston> krzie, well our direct goal is for res to be able to access my internet, not my internal lan 18:08 < krzie> res|laptop, redirect-gateway wouldnt affect that, would only make it easier to default route correctly through the vpn 18:08 < Heston> sorry if I hadn't made that clear 18:08 < krzie> krzie, however he is unable to ping 192.168.1.1 18:09 < krzie> that is lan, not internet 18:09 < krzie> so which is it? 18:09 < krzie> you trying to talk to lan or inet...? 18:09 < res|laptop> yeah - well, it's good to know there's a setting that eases the routing stuff.
18:09 < Heston> krzie, I figured he needed to be able to talk to MY local gateway so he could use the internet 18:09 < Heston> apparently i was mistaken 18:09 < krzie> nah, you just need NAT on the openvpn server 18:09 < krzie> !nat 18:09 < vpnHelper> krzie: "nat" is http://openvpn.net/howto.html#redirect 18:10 < krzie> the openvpn server is the default gateway for vpn client 18:10 < krzie> gateway is default gateway for openvpn server machine 18:10 < krzie> so it flows 18:10 < krzie> but you will need nat 18:10 < krzie> you also need ip forwarding enabled on the server 18:11 < Heston> is there a flow chart or something that describes this logic? 18:11 < krzie> umm, where are you getting confused at? 18:12 < Heston> krzie, I can run commands and such blindly but I dont have "the big picture" 18:14 < krzie> hrm 18:14 < krzie> no flowchart i know of 18:15 < krzie> its not very openvpn related 18:15 < krzie> its more just plain old networking 18:17 < Heston> does push "dhcp-option DNS 10.8.0.1" just go in the server.conf as well?
18:19 < krzie> if its supposed to apply to all clients, yes 18:21 < a1fa> fuck 18:21 < a1fa> burning money with dumbasses over the phone 18:26 -!- res|laptop [n=res@pdpc/supporter/student/res2k] has quit [Read error: 104 (Connection reset by peer)] 18:36 < krzie> Heston, ive heard stuff about that not always working 18:36 < Heston> krzie, ok, now we are at the point where he can ping external hosts but only if he had pinged them in the past 18:36 < Heston> as if DNS isnt working 18:37 < Heston> funny you would say that now 18:38 < Heston> we've tried without that command, and also tried substituting 10.8.0.1 for a public DNS server 18:41 < Heston> should also note that im getting this error message frequently MULTI: bad source address from client [192.168.1.34], packet dropped 18:42 < krzie> something bout restarting RRAS service 18:42 < krzie> should also note that im getting this error message frequently 18:42 < krzie> MULTI: bad source address from client [192.168.1.34], packet dropped 18:42 < krzie> someone didnt read !route 18:42 * Heston looks around 18:45 < a1fa> windows vista 18:45 < a1fa> damn you 18:47 < krzie> Heston, ive heard stuff about that not always working 18:48 < krzie> that would be a windows issue tho 18:48 < krzie> appears frequently on the mailing list 18:48 < krzie> the solution often seems to be something bout restarting RRAS service 18:48 < krzie> or some service 18:48 < Heston> krzie, we managed to get it working 18:48 < krzie> which seems to be doable from commandline 18:48 < krzie> and scriptable 18:49 < Heston> my client put a public DNS in his resolv.conf 18:49 < krzie> i am guessing maybe 192.168.1.34 was the lan nameserver? 18:54 < Heston> what would be an easy way to determine this? 18:54 < krzie> determine what? 18:54 < Heston> my lans nameserver 18:55 < krzie> what did he replace in his resolv.conf 18:55 < Heston> a public DNS server 18:55 < krzie> he replaced a public DNS server with a public DNS server?
18:57 < Heston> krzie, he says he added nameserver 208.67.222.222 18:58 < krzie> anyways, thats good 19:00 < krzie> doesnt matter what the lan's was 19:00 < krzie> at all 19:01 < krzie> your multi line comes from a lack of iroute entry 19:01 < krzie> as you will see in: 19:01 < krzie> !route 19:01 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:01 < krzie> cause if machines on the lan behind client try to talk to server through the client (or vice versa), there must be an iroute 19:02 < krzie> also, the gateway for the lan will need to know to route 10.8.0.x through the machine on the lan running openvpn client 19:02 < Heston> we didnt need any of my lans machines talking to the client 19:03 < krzie> well they seem to br trying 19:03 < krzie> be 19:04 < krzie> MULTI: bad source address from client [192.168.1.34], packet 19:04 < krzie> dropped 19:04 < krzie> thats what that means 19:04 < krzie> its getting packets from 192.168.1.34 and saying "wtf? 19:04 < krzie> " 19:04 < krzie> whereas if you gave it an iroute entry in ccd it would say "ahh cool" 19:05 < Heston> so again, how would i determine the ip of my nameserver? 19:05 < krzie> you dont need to, you did it right 19:05 < krzie> you need to see what machine on the lan behind the client is .34 19:05 < Heston> yes, but i simply dont have any machines on my lan with that ip 19:05 < krzie> your lan being the client side?
19:06 < Heston> server 19:06 < Heston> error messages also server side 19:06 < krzie> im talkin client side 19:06 < krzie> that message is coming from client side's network 19:06 < krzie> showing up in server log 19:07 < krzie> cause server is getting packets from 192.168.1.34 19:07 < krzie> (like i said) 19:07 < Heston> ok, this makes sense now 19:07 < Heston> in either case, I dont care about other machines 19:07 < Heston> on his lan 19:07 < krzie> ok then ignore those errors 19:08 < krzie> and they wont be able to communicate through 19:08 < krzie> and all is fine 19:08 < Heston> yep. Thanks for the assistance 19:09 < krzie> np man 19:09 < krzie> so its working as desired now? 19:09 < Heston> it is. 19:10 < krzie> cool 19:10 < Heston> only took 6 hours :) 19:10 < krzie> hehe thats short 19:10 < krzie> my first setup took more 19:11 < krzie> hell i read the howto for over 6 hours 19:11 < krzie> lol 19:11 < Heston> heh 19:18 < krzie> but the thing is 19:18 < krzie> once you know the stuff 19:19 < krzie> you can bust it out in minutes _ cert generation time 19:19 < krzie> s/_/+ 19:19 < krzie> bleh i cant type today 19:20 < Heston> yeah 19:20 < Heston> was an interesting learning experience 19:22 < Heston> anyhow, nice talking to you. Later. 19:23 -!- Heston [n=heston@unaffiliated/heston] has quit ["Leaving"] 19:24 * krzie throws a cat on ecrist's bed 19:38 -!- a1fa [n=fiddy@unaffiliated/a1fa] has quit [] 20:51 < krzie> !tcp 20:51 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 23:49 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 23:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] --- Day changed Tue Oct 14 2008 00:12 -!- jeev_ [n=email@unaffiliated/jeev] has joined ##openvpn 01:21 -!- dmarkey_ [n=dmarkey@79.97.241.103] has quit [Read error: 110 (Connection timed out)] 02:20 < Dryanta> yay pants 03:35 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)] 03:50 -!- gewuerzwiesel [n=gewuerzw@unaffiliated/gewuerzwiesel] has joined ##openvpn 03:50 < gewuerzwiesel> hi 03:53 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: SWAT 03:53 < Dryanta> hi 03:54 < gewuerzwiesel> does the keepalive use a normal icmp ping? 03:54 < Dryanta> id imagine so 03:55 < gewuerzwiesel> ok, thx 04:04 -!- SWAT [n=swat@ubuntu/member/swat] has joined ##openvpn 04:45 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 05:16 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 110 (Connection timed out)] 05:32 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 06:01 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 07:26 < gewuerzwiesel> which icmp types have to be allow, to get the keepalive working? 07:26 < gewuerzwiesel> *allowed 07:27 < ecrist> I'm guessing echoreq 07:28 < Dryanta> hey ecrist im going into the office in a bit 07:28 < Dryanta> but i got a tunnel up 07:28 < gewuerzwiesel> type 8 07:28 < ecrist> Dryanta: good to hear - if you need help, I'll be in and out all day, but I'll be around.
07:28 < Dryanta> openvpn --remote xx.xx.xx.xx --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --secret key 07:28 < Dryanta> instead of the whole conf file thing 07:29 < Dryanta> i dont have it routing at all, just making a p2p link 07:29 < ecrist> ah, I always forget about the secret key thing 07:29 < Dryanta> yeah for quick and dirty it works 07:30 < Dryanta> but my problem is on that host, i have two different subnets 07:30 < Dryanta> and the routing is kind of messed up 07:30 < ecrist> ah, we can get through that 07:30 < Dryanta> cool deal, i really appreciate the help just wanted to let you know 07:30 < ecrist> np at all 07:30 < Dryanta> and ill be in there in about two hours 07:30 < Dryanta> and if you ever have any hairy freebsd stuff hit me up heh 07:31 < ecrist> I'm leaving for a couple hours at 930, and I have an interview with a new sys admin at 1pm 07:31 < Dryanta> cool deal 07:31 < ecrist> Dryanta: will do - how long you been using FreeBSD? 07:31 < Dryanta> you west coast? 07:31 < ecrist> central 07:31 < Dryanta> ecrist: over ten years now 07:32 < ecrist> so, 2.2.1 was your first BSD? 07:32 < ecrist> s/BSD/FreeBSD/ 07:32 < Dryanta> right with the aout -> elf thing 07:33 < ecrist> nice 07:33 < Dryanta> first one i really used a lot was 4.2 07:33 < Dryanta> i was just tinkering before 07:34 < Dryanta> going between bsd and linux variants trying to find stuff that worked 07:34 < ecrist> I ran 2.2.5 on my desktop, painfully, for a while. 3.4 is where things seemed to ease up quite a bit. 07:34 < Dryanta> ever since 4.2/4.4 ive been 100% bsd 07:34 < Dryanta> yeah 3x was nice but 4x is when it really started coming together 07:35 < ecrist> yeah, 4x has crappy SMP support, however. 
UP, it's still far faster than 6 07:35 < Dryanta> yeah but 7 is really exciting now 07:35 < ecrist> 7 fixes those problems - most hardware these days is SMP though, so 7 really shines 07:35 < Dryanta> i dont know about 8, i havent run current yet 07:35 < ecrist> me either 07:36 < ecrist> most of our servers here run 6.3 - new boxes are getting 7.0 07:36 < ecrist> one box, our database server, runs 64bit 07:36 < Dryanta> ive had the same personal box at a colo for testing since 5.2.1 and i just went from 6.2 to 6.4pre on my way to 7.1 when it comes out 07:37 < Dryanta> all my production stuff is 7x amd64 07:37 < Dryanta> like two or three still in 6x, but most are 7 07:37 < Dryanta> i admin 25 bsd servers, two linux, one osx 07:38 < ecrist> I've got about that many bsd boxes, with another 20 jails on those, and a few windows desktops for our users. I use nothing but OS X at home 07:38 < ecrist> the wife wants nothing to do with windows boxen anymore. 07:38 < ecrist> ldap auth across the board 07:38 < Dryanta> yeah i was all osx at home until my powerbook gave up the ghost 07:39 < ecrist> except the windows boxes - didn't want to bother with kerberos auth 07:39 < Dryanta> im going to pick up a new macbook pro here in a month or two 07:39 < ecrist> if this helps you: https://www.secure-computing.net/wiki/index.php/OpenLDAP 07:39 < vpnHelper> Title: OpenLDAP - Secure Computing Wiki (at www.secure-computing.net) 07:39 < Dryanta> though i beat the hell out of that powerbook, surprised it lasted as long as it did 07:40 < ecrist> they're releasing the new laptop refresh today 07:40 < Dryanta> oh i use so much openldap its not even funny 07:40 < ecrist> the new ones are going to be cut from a solid piece of alum, making them more rigid/durable.
07:40 < Dryanta> most of those servers run ldap as a stub (or tree in ms parlance) for the domain 07:40 < Dryanta> sweet 07:40 < Dryanta> my powerbook got dropped, tossed, shit spilled on it 07:41 < Dryanta> worked for about 3 years 07:41 < Dryanta> went everywhere with me hah 07:41 < ecrist> I've had my 12" Powerbook for ~5 years now. That's the wife's computer. I've got a 3 year old MacBook Pro 07:41 < Dryanta> i bought my ex-wife a macbook pro, she still has it im sure 07:53 < gewuerzwiesel> am I blocking the keepalive with that config: http://pastebin.com/d39cfa97c ? 07:56 < ecrist> gewuerzwiesel: are you running tcp or udp? 07:56 < gewuerzwiesel> openvpn? udp 07:57 < gewuerzwiesel> I lose the connection if I do not ping manually from server to client 08:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:26 < Dryanta> ecrist: ok so im in the office now 09:37 < ecrist> heading to the dr, then the office. will let you know when I'm there. 09:39 < Dryanta> kk 09:42 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 110 (Connection timed out)] 09:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:28 -!- int [n=quassel@wikia/int] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."] 10:36 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has quit [Read error: 104 (Connection reset by peer)] 10:47 < js_> when more than one user is connected to the tunnel it gets unstable and people get disconnected 10:47 < js_> what can be the reason for this? 10:47 < krzee> you using tcp for transport protocol? 10:47 < js_> no, udp 10:48 < krzee> users have same certs?
10:48 < js_> i tried tcp earlier, and with it the disconnect happens directly
10:48 < js_> probably because of how tcp works i guess
10:48 < krzee> ya udp is better
10:48 < js_> i created separate as the howto said
10:48 < js_> the basic one
10:48 < krzee> ok good
10:48 < krzee> hrmz
10:48 < krzee> you have keepalives?
10:48 < js_> yes
10:50 < js_> ca.crt is the same on all clients
10:50 < js_> but client.crt/key differ
10:50 < krzee> ya thats good
10:51 < krzee> hrm i dunno
10:51 < krzee> no indicators in the logs?
10:51 < krzee> your server on a normal connection (not ppp, satellite, etc)
10:51 < js_> normal connection
10:52 < js_> a fibre thingy
10:55 -!- bigluks [i=Rush@e180069178.adsl.alicedsl.de] has joined ##openvpn
10:55 < bigluks> hi all
10:55 < bigluks> hi there krzie
10:55 < krzee> hey
10:56 < bigluks> vpn is nearly working now
10:56 < bigluks> :)
10:56 < bigluks> *happy*
10:56 < bigluks> only thing is
10:56 < bigluks> i cant open a website that is hosted on the server
10:56 < bigluks> im connected to vpn server
10:56 < bigluks> and get a ip
10:56 < bigluks> my ip is 10.0.0.2
10:57 < bigluks> and servers is 10.0.0.1
10:57 < bigluks> but if i put 10.0.0.1 as url in my browser
10:57 < bigluks> it tells me that the website is not available
10:57 < bigluks> any idea why this happens?
10:58 < krzee> cause apache wasnt told to listen on that ip
10:58 < bigluks> hm but it is reachable through 3 other ip´s
10:58 < krzee> then it WAS told to listen on those
10:58 < bigluks> so where do i tell apache to listen to 10.0.0.1 ? u know that?
10:58 < krzee> you run fbsd?
10:58 < bigluks> nope
10:58 < bigluks> debian
10:58 < krzee> linux?
10:59 < bigluks> sure
10:59 < krzee> netstat -l
10:59 < krzee> (i prefer bsd's sockstat -l4)
10:59 < krzee> hehe
10:59 < bigluks> :)
10:59 < krzee> try just restarting apache
11:00 < krzee> if that dont work, look in its config
11:00 < bigluks> done that already
11:01 < bigluks> netstat -l says:
11:01 < bigluks> http://pastebin.com/m7aa54b34
11:01 < krzee> look for lines with Listen
11:01 < krzee> in apache config
11:01 < bigluks> hm
11:01 < bigluks> listen 80
11:01 < krzee> yup
11:01 < krzee> udp 0 0 h-62.141.56.213.k:https *:*
11:01 < bigluks> thats all
11:02 < krzee> its listening on the ip, not *
11:02 < krzee> so a simple restart wouldnt work
11:02 < bigluks> hm thats my openvpn
11:02 < bigluks> :D
11:02 < bigluks> running it through 443
11:02 < bigluks> and only on that ip
11:02 < krzee> oh
11:02 < bigluks> ^^
11:02 < krzee> well i could be blind then
11:02 < krzee> but i dont see http
11:03 -!- kotique [n=picachu@host-static-89-41-72-115.moldtelecom.md] has joined ##openvpn
11:03 < bigluks> omg
11:03 < bigluks> ur right
11:03 < bigluks> wtf
11:03 < krzee> haha
11:04 < bigluks> lol
11:04 < bigluks> now its running
11:04 < bigluks> lol
11:04 < bigluks> omfg
11:04 < bigluks> head vs. wall
11:04 < krzee> ;]
11:04 < krzee> happy to help
11:04 < bigluks> *smile*
11:04 < bigluks> now i need the masquerading to work-.-
11:04 < bigluks> damn iptables
11:04 < krzee> nat
11:04 < krzee> !nat
11:04 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect
11:05 < bigluks> push redirect dont work 4 me
11:05 < bigluks> donno why
11:05 < krzee> !wiki
11:05 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
11:05 < bigluks> i have push "route 62.141.56.213 255.255.255.0"
11:05 < krzee> !forget nat
11:05 < vpnHelper> krzee: The operation succeeded.
11:05 < bigluks> but dont get internet on vpn
11:06 < kotique> hey. my internets are running over PPP and I want to have the VPN route prioritized over current one.
11:06 < krzee> !learn nat as http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn
11:06 < vpnHelper> krzee: The operation succeeded.
11:06 < kotique> vista's giving openvpn's 0/0 less preference
11:06 < krzee> !learn nat as http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules
11:06 < vpnHelper> krzee: The operation succeeded.
11:07 < krzee> kotique, you are using redirect-gateway?
11:07 < kotique> yep, as it's installing 0/0
11:07 < krzee> use def1
11:07 < krzee> !def1
11:07 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:07 < kotique> oh yeah
11:07 < kotique> okay
11:08 < bigluks> and if i use iptables shit i get
11:08 < bigluks> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0:1 -j MASQUERADE
11:08 < bigluks> Warning: weird character in interface `venet0:1' (No aliases, :, ! or *).
11:08 < bigluks> iptables: No chain/target/match by that name
11:08 < kotique> thanks
11:08 -!- kotique [n=picachu@host-static-89-41-72-115.moldtelecom.md] has quit ["жопа диридай диридиридай"]
11:08 < krzee> i dont run linux
11:17 -!- JoeyJoeJo [n=bwallen@wsip-98-172-29-247.dc.dc.cox.net] has joined ##openvpn
11:18 < JoeyJoeJo> I have openvpn up and running on gentoo, but I can't ping anything outside of my lan. What could I have done wrong?
11:19 < krzee> what are you trying to ping?
11:19 < JoeyJoeJo> google
11:19 < krzee> you have nat on your server?
11:20 < krzee> as in, you are nat'ing the vpn ips
11:20 < krzee> !nat
11:20 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules
11:20 < JoeyJoeJo> I'm guessing no.
11:20 < JoeyJoeJo> thanks, I'll take a look at that
11:20 < krzee> np
11:22 < bigluks> hmm
11:22 < bigluks> any1 here whos running a windows client ??
11:23 < bigluks> how to set the client to set the default getaway to the vpn´s ip address?
11:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:23 < JoeyJoeJo> krzee: do I need to change the def1 part in the line push "redirect-gateway def1"?
11:25 < bigluks> !tap
11:25 < vpnHelper> bigluks: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, (1 more message)
11:25 < bigluks> !tun
11:25 < vpnHelper> bigluks: Error: "tun" is not a valid command.
11:25 < bigluks> o.0
11:26 < bigluks> hmm
11:26 < bigluks> should use tun when i do iptables routing right?
11:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
11:31 < krzee> yup
11:31 < krzee> tun is better
11:31 < bigluks> hmm
11:31 < bigluks> damn
11:32 < krzee> should use tun anytime you dont need tap
11:32 < bigluks> then my whole config is messed up
11:32 < bigluks> ;(
11:32 < bigluks> *cry*
11:32 < krzee> whats the problem?
11:32 < krzee> oh your firewall config
11:32 < bigluks> no
11:32 < krzee> ya dude i dont do iptables, sorry =/
11:32 < bigluks> openvpn config
11:32 < krzee> how so?
11:32 < bigluks> donno how to set the parameters for tun devices
11:33 < bigluks> and dont want to read all the stuff again but for tun devices
11:34 < krzee> what parameters
11:34 < krzee> !configs
11:34 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
11:35 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:37 < krzee> !sample
11:37 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
11:40 < JoeyJoeJo> krzee: should local in the config be the server's public or private ip?
11:40 < krzee> the ip it can actually bind to
11:41 < JoeyJoeJo> ok
11:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:43 < krzee> so if behind a nat, private ip
11:43 < krzee> if its the router and has both, public
11:45 < bigluks> kay works 4 now krzee
11:45 < bigluks> but my windows client dont goes through the vpn with it´s internet traffic
11:45 < bigluks> it is going through my normal router
11:46 < bigluks> but vpn server is reachable
11:47 < krzee> !def1
11:47 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:47 < krzee> once that is working, you will have no inet access on client til you NAT
11:48 < krzee> !nat
11:48 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules
11:48 < bigluks> ive natted with
11:48 < bigluks> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 0.0.0.0
11:48 < bigluks> now
11:48 < bigluks> should work
11:48 < bigluks> !man --redirect-gateway
11:48 < vpnHelper> bigluks: Error: "man" is not a valid command.
11:48 < bigluks> ack
11:48 < bigluks> !redirect-gateway
11:48 < vpnHelper> bigluks: Error: "redirect-gateway" is not a valid command.
11:49 < bigluks> ...
11:49 < krzee> !man
11:49 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
11:50 < bigluks> hmm
11:50 < bigluks> possible to use it in config?
11:51 < krzee> of course
11:51 < JoeyJoeJo> how do I know whether or not I should use a bridge?
11:51 < krzee> everything that can be used CLI can be tossed in config
11:51 < krzee> JoeyJoeJo,
11:51 < krzee> !bridge
11:51 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
11:51 < krzee> !more
11:51 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
11:51 < krzee> basically
11:51 < krzee> if you dont need a bridge, dont use one
11:52 < krzee> !bridge 4
11:52 < vpnHelper> krzee: Error: "bridge" is not a valid command.
11:52 < krzee> bleh
11:52 < krzee> !bridge #4
11:52 < vpnHelper> krzee: Error: "bridge" is not a valid command.
11:52 < krzee> hrmz i guess i cant select 1 definition by itself
11:52 < bigluks> hmm
11:53 < bigluks> so redirect-getaway dev1 is working 4 windows 2?
11:53 < krzee> def1
11:53 < krzee> of course
11:53 < krzee> it just adds routes differently
11:53 < bigluks> hmm
11:53 < krzee> you need to push it to client
11:54 < bigluks> Unrecognized or missing parameter(s) in client.ovpn:7: redirect-getaway
11:54 < krzee> getaway
11:54 < krzee> haha
11:54 < bigluks> arg
11:54 < bigluks> typo
11:54 < bigluks> lol
11:54 < bigluks> funny typo
11:54 < bigluks> xD
11:55 < bigluks> yey
11:55 < bigluks> it works
11:55 < bigluks> FTW
11:55 < bigluks> BIG FAT THX krzee
11:55 < krzee> yw
11:56 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
11:56 < bigluks> *happy*
11:56 < krzee> *hungry*
11:56 < krzee> will bbl, getting foodz
11:56 < bigluks> meh 2
12:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
12:33 < bigluks> any1 knows how to ignore missing client side certs and instead use authentication via mysql user DB?
12:37 < bigluks> running ovpn on debian
12:37 < bigluks> (linux)
12:37 < bigluks> maybe with pam or so?
13:05 -!- bandini [n=bandini@host4-105-dynamic.10-79-r.retail.telecomitalia.it] has joined ##openvpn
13:27 -!- espacious [i=espaciou@84-255-235-206.static.t-2.net] has quit [Read error: 104 (Connection reset by peer)]
13:31 -!- Dougy[Work] [n=doug@64.18.159.247] has quit [Read error: 110 (Connection timed out)]
13:45 < bigluks> helloooohooo?
13:45 < bigluks> any1 around?
14:01 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
14:11 -!- tiav [n=tiav@ram94-3-82-225-11-215.fbx.proxad.net] has quit ["Parti"]
14:12 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
14:36 < Dryanta> hmmm
14:36 < Dryanta> how do i make my simple config static?
14:44 < krzie> what do you mean by static?
14:45 < Dryanta> krzie: i have one cli that does it
14:45 < Dryanta> openvpn --remote xx.xx.xx.xx --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --secret key
14:46 < Dryanta> i want that to go in a rcfile or static configuration or whatever, test that it works upon system start
14:46 < krzie> config files are just files that contain every --arg
14:46 < krzie> you just remove the --
14:46 < Dryanta> and the openvpn huh
14:46 < krzie> huh?
14:47 < krzie> oh right
14:47 < krzie> hehe
14:47 < Dryanta> kk i will try
14:47 < krzie> so like
14:47 < krzie> cat file would show
14:47 < krzie> remote xx.xx.xx.xx
14:47 < krzie> dev tun1
14:47 < krzie> etc
14:47 < Dryanta> kk
15:44 < Dryanta> i thought ecrist would be around today
15:44 -!- JoeyJoeJo [n=bwallen@wsip-98-172-29-247.dc.dc.cox.net] has quit ["This computer has gone to sleep"]
15:44 < ecrist> I've failed, sorry.
15:45 < Dryanta> heheheh
15:45 < Dryanta> FAIL
15:45 -!- mode/##openvpn [+o ecrist] by ChanServ
15:45 < Dryanta> i got everything working
15:46 -!- ecrist was kicked from ##openvpn by ecrist [you suck]
--- Log closed Tue Oct 14 15:46:04 2008
--- Log opened Tue Oct 14 15:46:19 2008
15:46 -!- ecrist [n=ecrist@chunk.secure-computing.net] has joined ##openvpn
15:46 -!- Irssi: ##openvpn: Total of 35 nicks [0 ops, 0 halfops, 0 voices, 35 normal]
15:46 -!- Irssi: Join to ##openvpn was synced in 1 secs
15:46 < Dryanta> lol
15:46 < Dryanta> i got everything figured out
15:46 < Dryanta> except how to do the rcfile, its a bit more complex than i imagined
15:46 < ecrist> Dryanta: you're using freebsd, aren't you?
15:47 < Dryanta> yup
15:47 < ecrist> then use the rc file that comes with the port
15:47 < ecrist> you need to edit /etc/rc.conf to point to your config, but that's it
15:47 < Dryanta> the port has an rcfile, its just the syntax doesnt quite make sense to me
15:47 < ecrist> type rcvar /usr/local/etc/rc.d/openvpn.sh or whatever the script is
15:48 < ecrist> it'll tell you what variables need to be set.
15:48 < Dryanta> oh default to openvpn
15:48 < Dryanta> ah
15:48 < Dryanta> rcvar command not found, is that in base?
15:49 * ecrist looks
15:49 < Dryanta> or is that a shell script?
15:50 < ecrist> openvpn_enable="YES"
15:50 < ecrist> openvpn_configfile="/usr/local/etc/openvpn/server.conf"
15:50 < ecrist> sorry, it's an option to the rc scripts - so /usr/local/etc/rc.d/script rcvar
15:50 < krzie> hah cool i never knew bout rcvar
15:51 < krzie> i always just look in the script
15:53 < ecrist> well, I'm off till later
15:53 < Dryanta> thanks broskis, take care
15:56 < krzie> no problemo
15:58 -!- gewuerzwiesel [n=gewuerzw@unaffiliated/gewuerzwiesel] has left ##openvpn []
16:40 -!- bandini [n=bandini@host4-105-dynamic.10-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:12 -!- bigluks [i=Rush@e180069178.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
19:47 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
20:03 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
21:15 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has joined ##openvpn
22:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Wed Oct 15 2008
00:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:05 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
00:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:33 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
02:03 -!- js_ [n=js@193.0.253.161] has quit [Read error: 113 (No route to host)]
05:37 -!- CrummyGummy [n=Dude@41.208.46.2] has joined ##openvpn
05:38 < CrummyGummy> Hi all, I want to run a script upon starting up an openvpn server. Is there anywhere I can configure this in the server config?
06:43 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Burn, edoceo, squirrelpimp, justdave, gamla_kossan, ropetin, jeev_, ikevin_, disco-, ElCheapo, (+1 more, use /NETSPLIT to show all of them)
06:43 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: pa, daemon
06:43 -!- Netsplit over, joins: ElCheapo, jeev_, edoceo, disco-, Burn, justdave, ropetin, ikevin_, gamla_kossan, squirrelpimp (+3 more)
--- Log closed Wed Oct 15 07:06:05 2008
--- Log opened Wed Oct 15 07:07:20 2008
07:07 -!- ecrist [n=ecrist@chunk.secure-computing.net] has joined ##openvpn
07:07 -!- Irssi: ##openvpn: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal]
07:07 -!- Irssi: Join to ##openvpn was synced in 1 secs
08:32 < ecrist> why does my relationship with ldap have to be so love-hate?
08:39 < kala> maybe you should invest more time to the relationship :)
08:54 < ecrist> kala - too much time already, I fathom.
09:32 -!- kpoman [i=chatzill@189.61.57.238] has joined ##openvpn
09:32 < kpoman> hi all !
09:32 < ecrist> hello
09:57 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
10:04 < kpoman> hi ecrist
10:07 < kpoman> well, I am having a little problem, the tunnel goes down all times, dont know why ! Is there an option I am forgetting ? http://pastebin.com/m5abef5c2
10:21 < kpoman> I am getting this error: event_wait : Interrupted system call (code=4)
10:21 < kpoman> what does that mean !?
10:23 < ecrist> no idea
10:23 < ecrist> what's the goog say?
10:25 < kpoman> I dont find anything that solves it
10:25 < kpoman> everyone asking what it means, noone responding !
10:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:48 < krzee> !man
10:48 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
10:54 -!- _spm_Draget [n=draget@p57A1FC1C.dip.t-dialin.net] has joined ##openvpn
10:56 < _spm_Draget> I have a working OpenVPN setup for any LAN-address. Now I added redirect-gateway def1 to my clients config to route all traffic into the VPN. The server is a router connected to the internet. But it does not NAT any traffic out
10:56 < _spm_Draget> I tried 'iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE' from the documentation, (eth0 and 10.0.0.0 should be correct), but it still fails
10:57 < _spm_Draget> Any pro here that could help me sorting it out?
11:00 < ecrist> _spm_Draget: I'm not a linux guy, sorry.
11:00 < ecrist> !notopenvpn
11:00 < vpnHelper> ecrist: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
11:37 < kala> _spm_Draget: so, what happens to the traffic, if its not NAT-ed?
11:40 < ecrist> it gets blocked at the next router
11:41 < krzee> ya it goes out as a 10. ip
11:41 < krzee> and the inet says "wtf is that RFC 1918 ip doing on our network!?"
11:42 < krzee> good afternoon ecrist =]
11:46 < _spm_Draget> I have no idea if openVPN or the tcp stack eats them
11:47 < _spm_Draget> I am trying to get syslog running on this minimal-busybox-system
11:47 < krzee> not openvpn
11:47 < ecrist> hi krzee
11:59 -!- _spm_Draget [n=draget@p57A1FC1C.dip.t-dialin.net] has quit [Remote closed the connection]
12:30 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:42 -!- near [n=near@83-155-184-144.rev.libertysurf.net] has joined ##openvpn
13:13 -!- shadowhywind [n=shadowhy@prowlnet-207-169.imt.uwm.edu] has joined ##openvpn
13:13 < shadowhywind> hay all, having a bit of an issue with my vpn, i have all my traffic being routed through the vpn. It was working great the last few weeks
13:14 < shadowhywind> and now today, when ever i try to go to a webpage, i get address not found
13:14 < shadowhywind> any ideas?
13:17 < kala> can you provide some more information. tunnel up/down, DNS servers, traceroute, things like that
13:18 -!- shadowhywind [n=shadowhy@prowlnet-207-169.imt.uwm.edu] has quit [Read error: 60 (Operation timed out)]
13:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
13:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:36 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has quit [Remote closed the connection]
13:39 -!- shadowhywind [n=shadowhy@prowlnet-207-169.imt.uwm.edu] has joined ##openvpn
13:44 -!- xattack [i=xattack@132.248.108.239] has quit []
13:57 -!- n3kl [n=n3kl@71.237.62.83] has joined ##openvpn
13:57 < n3kl> Hi. Can someone point me to a document that explains how to setup password authentication?
13:59 < krzie> have you thought about looking for every entry in the manpage of "password
13:59 < krzie> "
13:59 < krzie> !man
13:59 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
14:00 -!- shadowhywind [n=shadowhy@prowlnet-207-169.imt.uwm.edu] has quit [Remote closed the connection]
14:01 < krzie> i know theres a PAM plugin, a l/p script, etc
14:01 < n3kl> I see a few options that look like they could be it
14:03 < krzie> which sound most right for you?
14:04 < n3kl> --auth-user-pass-verify
14:04 < n3kl> --client-cert-not-required
14:06 < krzie> that looks good to me
14:06 < krzie> less secure of course, but you know that im sure
14:06 < krzie> theres also a PAM plugin if you wanna use shell login/passes
14:07 < n3kl> yeah
14:07 < n3kl> do you know the module name?
14:07 < krzie> did you try search man for PAM
14:07 < n3kl> ah
14:08 < n3kl> that manpage is most useful
14:08 < krzie> agreed
14:09 < n3kl> Can openvpn authenticate to radius or ldap?
14:10 < n3kl> only through pam I imagine
14:17 < krzie> your script can verify users any way you want
14:17 < krzie> --auth-user-pass-verify script method
14:20 < krzie> The script should examine the username and password, returning a success exit code (0) if the client's authentication request is to be accepted, or a failure code (1) to reject the client.
14:30 -!- ikevin [n=kevin@ANancy-256-1-113-152.w90-33.abo.wanadoo.fr] has joined ##openvpn
14:36 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
14:45 -!- ikevin_ [n=kevin@ANancy-256-1-167-138.w90-56.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
14:55 < krzie> sorry i was in a channel with a lot of scroll
14:55 < krzie> did you say anything since i last said something?
14:57 < ecrist> foo
14:59 < krzie> bar
14:59 < ecrist> beans
15:33 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:33 < Dougy> krzie, hi
15:33 < Dougy> or ecrist, hi
15:35 < Dougy> nevermind
15:36 < ecrist> fine then
16:00 < Dougy> haha
16:00 < Dougy> sup ecrist
16:00 < Dougy> i was going to ask about what made openvpn not allocate a /30, but i found its "topology subnet"
16:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:01 < Dougy> hey krzee
16:01 < Dougy> e
16:03 < krzee> hey
16:03 < Dougy> whats up
16:03 < krzee> nothin
16:03 < krzee> got sent home from work cause theres nothing to do
16:03 < krzee> so now im gunna sit here and read my book on C
16:04 < krzee> in fact if you want a copy its good reading
16:04 < Dougy> programming
16:04 < Dougy> fun
16:04 < Dougy> im setting up a vpn
16:04 < Dougy> my vps has used a total of 24 kB out of 650 GB transfer
16:04 < Dougy> so imma vpn
16:04 < Dougy> Brb gonna test it
16:04 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"]
16:10 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:10 < Dougy> http://pastebin.com/m2bc893b2
16:10 < Dougy> OK
16:10 < Dougy> woo
16:10 < Dougy> now just need to figure out why traffic wont go thruough the vpn
16:10 < Dougy> through
16:12 < Dougy> krzee, why is it trying to use 192.168.1.1 as a gateway if thats not in either config
16:12 < krzee> show me configs
16:12 < krzee> !configs
16:12 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
16:13 < Dougy> dude, no need for !configs
16:13 < Dougy> i know the drill
16:13 < Dougy> lol
16:13 < krzee> and for your question
16:13 < Dougy> http://rafb.net/p/hKYrKc82.html
16:13 < vpnHelper> Title: Nopaste - No description (at rafb.net)
16:13 < krzee> 192.168.1.1 is your existing default route
16:13 < krzee> !man
16:13 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
16:14 < Dougy> alright
16:14 < Dougy> i kinda figured that
16:14 < krzee> (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
16:14 < krzee> (2) Delete the default gateway route.
16:14 < krzee> (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
16:14 < krzee> 2 is changed by def1
16:14 < krzee> but 1 is what you were seeing
16:14 < Dougy> alright
16:15 < Dougy> so what do i need to do now
16:15 < Dougy> i feel like it's something obvious
16:15 < krzee> well 2 is not done and 3 is changed
16:15 < krzee> when you use def1
16:15 < krzee> lemme take a look
16:15 < krzee> whoa
16:15 < krzee> you trust AES over blowfish?
16:15 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
16:16 < Dougy> not really
16:16 < Dougy> i just picked one for now
16:16 * Dougy doesn't even know what AES is
16:16 < Dougy> :P
16:16 < Dougy> ill switch both configs to cipher BF-CBC
16:16 < Dougy> so assume that change
16:17 < krzee> blowfish is default
16:17 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:17 < krzee> which is what happens if you just comment out the cipher lines
16:17 < krzee> to change that is to say you trust something more than blowfish
16:19 < Dougy> i was just messing around
16:20 < krzee> 172.30.0.2 255.255.255.192
16:20 < krzee> you have a reason to make the subnet small?
16:20 < krzee> like other things going on with the same subnet...
16:20 < Dougy> i'm going to be the only client
16:20 < Dougy> so i figured why make it big
16:21 < krzee> !1918
16:21 < vpnHelper> krzee: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
16:21 < Dougy> yeah, and?
16:21 < Dougy> i dont see why make it bigger if its not needed
16:21 < krzee> nothing
16:21 < Dougy> would me adding a masquerade for the /24 instead of the /26
16:21 < Dougy> make a diff?
16:21 < krzee> just wanted to make sure 172.30.x was in the 1918 block
16:21 < krzee> cause i never use 172 1918 ips
16:21 < Dougy> ah
16:22 < Dougy> im tired of having the 10's
16:22 < Dougy> i wanted variety
16:22 * Dougy likes variety
16:22 < krzee> haha
16:22 < krzee> i stick to 10.
16:22 < krzee> variety is for my habits with girls
16:22 < krzee> ;]
16:22 -!- Prometheanfire [n=matt@74.95.153.41] has joined ##openvpn
16:22 < Dougy> yeah yeah wise ass
16:22 < Dougy> i bet you don't even have irls
16:22 < Dougy> girls
16:22 < Dougy> oh dear, those be fightin' words
16:23 < krzee> haha no
16:23 < krzee> i wouldnt care what people here say as far as that goes
16:23 * Dougy shrugs
16:23 < Dougy> either way
16:23 < Dougy> would a masquerade bigger than what i chose affect it?
16:23 < krzee> no idea
16:24 < krzee> do you see that it could hurt anything to use 255.255.255.0
16:24 < krzee> cause i dont...
16:24 < Dougy> nope
16:24 < Dougy> i switched it to that now
16:24 < Dougy> but that shouldnt make a diff really, should it?
16:24 < krzee> any change?
16:24 < Dougy> havent tried
16:24 < Dougy> let me now
16:24 < krzee> give it a try
16:24 < Dougy> nope
16:24 < Dougy> didnt fix
16:24 < Dougy> still cant browse web or resolve anything
16:25 < krzee> k...
16:25 < krzee> can you ping the other end of the vpn?
16:25 < Dougy> yes
16:25 < Dougy> i can ping 172.16.30.1
16:25 < Dougy> er
16:25 < Dougy> wow
16:25 < Dougy> 172.30.0.1
16:25 * Dougy has his head in the wrong place this evening
16:26 < krzee> i see you're using topology subnet, so you have the same dev branch version on both sides?
16:26 < Dougy> yes
16:26 < Dougy> rc13
16:26 < krzee> turn both up to verb 6
16:26 < krzee> restart
16:26 < krzee> and
16:26 < Dougy> both ends?
16:26 < krzee> !logs
16:26 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
16:27 < Dougy> nod
16:29 < Dougy> http://rafb.net/p/GprT1l96.html
16:29 < Dougy> server side
16:29 < vpnHelper> Title: Nopaste - No description (at rafb.net)
16:29 < Dougy> client didnt log
16:29 < Dougy> piece of trash
16:30 < Dougy> it doesnt log now
16:30 < Dougy> wth
16:30 < Dougy> <3 cli
16:30 < Dougy> http://rafb.net/p/T6OX6b79.html
16:30 < vpnHelper> Title: Nopaste - No description (at rafb.net)
16:30 < Dougy> client
16:30 < Dougy> @ krzee
16:30 < krzee> that server log is incomplete
16:31 < krzee> very incomplete
16:31 < krzee> also, why you pushing DNS DHCP options
16:31 < krzee> does linux even listen to those?
16:31 < Dougy> why not?
16:31 < Dougy> i thought it does
16:31 < krzee> if it does, cool... but i think only windows does
16:31 < Dougy> oh
16:31 < Dougy> i'll rm them
16:31 < krzee> well give it a shot
16:31 < krzee> maybe im wrong
16:32 < Dougy> ill get end of the log
16:32 < Dougy> server
16:32 < Dougy> http://rafb.net/p/7aSp0x91.html
16:32 < vpnHelper> Title: Nopaste - No description (at rafb.net)
16:32 < Dougy> thats tail -n 50's
16:32 < Dougy> 50'd
16:32 < Dougy> ah.. maybe [ECONNREFUSED]: Connection refused (code=111)
16:32 < Dougy> haha
16:36 < krzee> show me your routing tables while connected to the vpn
16:37 < Dougy> errrr
16:37 < Dougy> k
16:39 < Dougy> i assume client side?
16:39 -!- Prometheanfire [n=matt@74.95.153.41] has quit ["Ex-Chat"]
16:39 < krzee> both
16:39 < krzee> table
16:40 < Dougy> k
16:40 < Dougy> sec
16:40 < Dougy> http://rafb.net/p/Ecz2i950.html
16:40 < vpnHelper> Title: Nopaste - No description (at rafb.net)
16:41 < Dougy> what?
16:42 < krzee> welp
16:42 < krzee> it looks good
16:42 < krzee> im gunna go with your NAT
16:42 < krzee> as the problem
16:42 < Dougy> what do you advise
16:42 < Dougy> I know my ISP does use some of the 10.0.0.0/8
16:43 < Dougy> doug@pc003:~/vpn$ traceroute ircpimps.org
16:43 < Dougy> traceroute to ircpimps.org (66.11.114.212), 30 hops max, 40 byte packets
16:43 < Dougy> 1 router.douglashaber.com (192.168.1.1) 0.766 ms 0.989 ms 1.262 ms
16:43 < Dougy> 2 10.68.0.1 (10.68.0.1) 13.188 ms 18.571 ms 18.855 ms
16:43 < krzee> your isp using 10. internally doesnt matter for your lan
16:43 < Dougy> yes i was referring to the vpn
16:43 < krzee> cause you arent routing 10. to them anyways
16:43 < Dougy> so what do you suggest, just using something in the 10.0 block?
16:43 < krzee> that wont change anything
16:43 < krzee> your NAT is wrong
16:43 < krzee> is my guess
16:43 < Dougy> yeah see i'm really not too smart
16:43 < Dougy> so i'm not sure what you mean
16:43 < krzee> !nat
16:43 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules
16:44 < Dougy> (:O forum is at 18)
16:44 < Dougy> oh you mean the masquerade thingie
16:44 < Dougy> ?
16:44 < krzee> right
16:44 < krzee> NAT, network address translation
16:44 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Success]
16:44 < Dougy> that needs to be done on the server only, yes?
16:44 < krzee> !forum
16:44 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
16:44 < krzee> yes
16:44 < Dougy> Chain POSTROUTING (policy ACCEPT)
16:44 < Dougy> target prot opt source destination
16:44 < Dougy> MASQUERADE all -- 172.30.0.0/24 anywhere
16:45 < Dougy> looks fine, doesnt it?
16:45 < Dougy> oh..
16:45 < Dougy> that thing i set in sysctl.conf might be issue 16:45 < Dougy> ipv4 fwding 16:45 < Dougy> what file in /proc needs to be set to 1? 16:47 < Dougy> nope. i set the /proc/sys/net/ipv4/ip_forward to 1 and it didnt fix it 16:49 * Dougy pokes krzee 16:49 < Dougy> what else dunnit? 16:55 -!- Beber` [n=Beber@otis.meleeweb.net] has joined ##openvpn 16:55 < Beber`> Hi, 16:55 < Beber`> can openvpn use lzo kernel module ? 16:55 < krzee> i dont use linux so cant help with the nat, but im pretty sure your problem is there 16:56 < Dougy> krzee, its weird. 16:56 * Dougy pokes ecrist many times 16:56 < krzee> lzo kernel module? 16:57 < krzee> i thought lzo was just a lib 16:57 < krzee> comp-lzo 16:57 < Dougy> im going to kick my boss's ass 16:57 < Dougy> grrrrrr 16:57 < krzee> that line in both client/server is what does it 16:58 < Beber`> krzee> yes, but there's also a kernel module 16:58 < Dougy> krzee, network question in general 16:58 < krzee> Beber`, nah im pretty sure it only uses the lib 16:58 < Dougy> if my desk at work is connected to the office network where it cant be reached from the outside 16:58 < Dougy> like i cant rdp from outside to the ip 16:59 < Dougy> if i hop onto a VPN and it gets say 172.30.0.3, can i rdp to it then? 16:59 < Dougy> or still the same 17:00 < krzee> well 17:00 < krzee> you can over the vpn 17:00 < Dougy> thats what i mean 17:00 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn 17:00 < Dougy> if i rdp to that 172.30.0.3 instead 17:00 < Dougy> my boss might cut me, but fuck him 17:00 < Dougy> he promised me access to the company VPN like 2 months ag 17:00 < Dougy> o 17:01 < krzee> right, yes 17:01 < krzee> that works 17:01 < krzee> ive set it up for customers in the past 17:01 < kim0> Hi, I have 2 linksys ADSL routers, with one linksys load balancer ontop. Now it seems openvpn was dropping large packets, and changing the MTU helped. Can someone offer some insight what just happened ! 
17:02 < Dougy> krzee, my boss still says theres an openvpn exploit 17:02 < Dougy> i dont get what hes saying 17:03 < Dougy> :( 17:04 < Dougy> haha 17:06 < kim0> Any ideas when changing the MTU would be useful in anyway ? 17:12 < krzee> kim0, yes 17:12 < kim0> krzee: Could you please explain 17:13 < krzee> when routers use other methods for transfering stuff than default ethernet frame size, and fragmentation occurs 17:13 < krzee> very useful for ppp links and satellite links 17:14 < Dougy> krzee, 17:14 < Dougy> question for you 17:14 < kim0> thanks 17:14 < krzee> kim0, np 17:14 < Dougy> http://www.perfectping.com/designpreview/reseller.png / http://www.perfectping.com/designpreview/index.png 17:14 < Dougy> worth $200 fully coded? 17:15 < krzee> im the wrong guy to ask 17:15 < krzee> ive sold shell scripts for $200 17:15 < krzee> haha 17:16 < Dougy> nice! 17:17 < krzee> kim0, you can test if its the problem by sending pings with do not fragment, and set the size 17:17 < krzee> when you hit the size it fragments at, back off a lil 17:17 < krzee> !mtu 17:17 < vpnHelper> krzee: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 17:18 < kim0> oh thanks 17:21 < Dryanta> the layout is fairly nice for a template 17:21 < Dryanta> i hate cpanel hosts, and lineucks, so i wouldnt buy it.... but thats just me :) 17:24 < krzee> ya 17:24 < krzee> to me cpanel is like saying 17:24 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has joined ##openvpn 17:24 < krzee> "who wants to own me? PLEASE own me" 17:24 < Dryanta> krzee: thats what line ucks says to me too :D 17:24 < edoceo> I can make a VPN subnet that is, 10.65.0.0 / 255.255.0.0 correct? 
17:24 < krzee> dry, bsd has exploits for it too 17:25 < krzee> (and im a bsd guy) 17:25 < edoceo> Then my hosts are the usual pairs at 10.65.0.[5,6] - [253,254] 17:25 < Dryanta> krzee: im fully aware, but at least you can jail your daemons 17:25 < krzee> edoceo, sure, why 255.255.0.0 tho 17:25 < krzee> Dryanta, true, but they still use the same kernel 17:25 < edoceo> Cause I'm going to have a client-to-client VPN that has roughly 800 clients connected to my server 17:25 < krzee> and once in the kernel, booya be scared 17:25 < edoceo> Need IP space for that right? 17:25 < krzee> hehe yup 17:26 < krzee> you may want subnet topology too 17:26 < Dryanta> krzee: no inside a jail its a seperate copy of the kernel running in different memory space 17:26 < krzee> !/30 17:26 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 17:26 < edoceo> I didn't do this in a foolish fashion right? What do you mean subnet? Make smaller than "class b?" 17:26 < krzee> Dryanta, ahh i wasnt aware of that 17:26 < Dryanta> edoceo: class c is different 17:26 < krzee> edoceo, read the !/30 i gave you 17:26 < Dryanta> and probably better 17:27 < krzee> and 255.255.0.0 isnt truely a class b 17:27 < Dryanta> totally /24 ftw 17:27 < krzee> nor is /24 a class c 17:27 < Dryanta> krzee: not TECHNICALLY 17:27 < edoceo> Oh! Didn't see that - link - right. And I get the class thing - that's why quotes 17:27 < Dryanta> its all classless anymore hah 17:27 < krzee> =] 17:27 < Dryanta> yay cidr 17:27 < edoceo> Dryanta: re: class = exacty 17:27 < krzee> Dryanta, right, getting all technical ;] 17:28 < edoceo> krzee: So I get the /30 part, but this topology-subnet is new? 17:28 < edoceo> I'm forced to run RC13 on Windows so... 
17:28 < krzee> topology subnet is new only exists in dev branch 17:28 < krzee> and it makes it so you dont need /30's for each client 17:28 < krzee> first will get .2 17:28 < krzee> then .3 17:28 < krzee> .4 17:28 < krzee> etc 17:29 < krzee> they found a way around needing to do that 17:29 < krzee> as you will read if you follow the link given 17:29 < edoceo> Oh.. well f--- that. I need it simple for the folks who will support so my fatty "class b" style network is OK? Even when it uses 4 IPs per host 17:29 < krzee> but all in all, yes you can use the network you asked about 17:29 < edoceo> Right - read the message, new the /30 items 17:29 < edoceo> krzee: And it should be easier for a n00b to manage you think? 17:30 < krzee> umm 17:30 < krzee> topology subnet? yes 17:30 < krzee> because they wont need to understand why openvpn uses /30's 17:30 < krzee> which is a common thing to confuse new users 17:30 < krzee> they see ifconfig has .1 .2 and .5 .6 17:30 < edoceo> Oh, I meant the /30's which I've already forced them to be comfortable with - they even have the pair chart from the HOWTO printed out - sooo cute! 17:30 < krzee> so they get on .6 and try to ping .5 instead of .1 17:31 < krzee> and go "hey why doesnt my vpn work!?" even when it really does 17:31 < krzee> lol 17:31 < krzee> well whatever you wanna do 17:31 < krzee> but yes, what you did should work 17:31 < krzee> at least what you asked about 17:31 < edoceo> Thanks man! 17:31 < krzee> more confusing with /30 17:31 < krzee> especially with 800 users 17:31 < krzee> but hey if you like it, thats all that matters 17:32 < edoceo> Yea - it's getting ugly but costs wayyyyyy less than alternatives 17:32 < krzee> umm no 17:32 < krzee> what i said is easiest 17:32 < edoceo> no? 17:32 < edoceo> Oh - yes 17:32 < krzee> and only uses 1 ip / client 17:32 < edoceo> Topology Subnet = easy, /30 = moderate 17:32 < edoceo> Cisco = cost!!!! 
17:33 < krzee> Topology Subnet = easy, /30 = learn extra 17:33 < krzee> Topology Subnet = makes sense with 800 users, /30 = huge printouts 17:34 < krzee> theres multiple costs 17:34 < krzee> 1 is $ 17:34 < krzee> you win on that with openvpn either way 17:34 < krzee> 1 is cost of management 17:34 < krzee> Topology Subnet you win there 17:35 < krzee> for me, i use /30 17:35 < krzee> but i dont have users 17:35 < krzee> just me 17:35 < edoceo> krzee: Thanks for taking the time for such a through answer 17:35 < krzee> if i was considering 100 users, i would be sure to use subnet 17:35 < krzee> np =] 17:36 < krzee> anyone else got any before i dive back into my book? 17:39 < krzee> *dive* 17:45 < Dougy> hey mang 17:54 < krzee> http://kankky.apina.biz:8003/9400.jpg 17:54 < krzee> lulz 18:04 -!- Beber` [n=Beber@otis.meleeweb.net] has quit ["Kenavo les poteaux"] 18:15 -!- kim0 [n=kimoz@unaffiliated/kim0] has quit [] 18:54 < Dryanta> hahah 18:54 < Dryanta> cisco DOES == cost 18:54 < Dryanta> you get what you pay for 18:54 < Dryanta> whats good isnt cheap and whats cheap isnt good 18:54 < Dryanta> ESPECIALLY when it comes to networking 19:00 < krzee> i think hes only talking bout vpn solution 19:00 < krzee> although with 800 users cisco would be a good idea 19:01 < krzee> unless you segment it with a couple different servers 19:01 < krzee> you could even have clients try different servers with the same certs 19:02 < krzee> but 800 hitting 1 you may be the one who gets to discover bottlenecks and bugs, and if you're ok with taking part in that process, im excited to see the outcome 19:03 -!- dustybin [i=subx@microsoft.devilcode.net] has joined ##openvpn 19:05 < Dryanta> id rather have two asa 5510s heh 19:05 < Dryanta> authenticating off ldap/radius 19:07 < krzee> i prefer the ability to add all the layers openvpn lets me 19:07 < krzee> hmac packet verification 19:07 < krzee> openssl cipher of my choice 19:07 < krzee> server signed cert 19:07 < krzee> with the strength of my 
choice 19:08 < krzee> i use 4096 dh, 4096 rsa certs 19:08 < krzee> 4096 tls static key 19:08 < krzee> 256 ssl 19:09 < krzee> and i can do it free 19:09 < krzee> ++ 19:09 < Dryanta> krzee: theres only so much security needed heh, a signed 2048 cert and a ldap authentication will defeat most determined haxxx0rs 19:09 < Dryanta> dont get me wrong, openvpn is totally sweet 19:09 < krzee> but ya, cisco is made to handle more concurrent 19:09 < Dryanta> im even sticking around in the channel and moving all my ssl tunnels over to it 19:09 < krzee> it is enterprise 19:09 < Dryanta> i like enterprise hardware 19:10 < krzee> totally understandable 19:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 19:10 < krzee> i wish i could afford cisco 19:10 < krzee> cause ild love to play with it 19:10 < krzee> but my main reasons would just be to play with it 19:11 < krzee> i want to get more into CARP + fbsd 19:11 < krzee> for rl usage 19:12 < krzee> put some big boxes online with carp with opensource you can save $ from using cisco and still perform 19:13 < Dryanta> well 19:13 < Dryanta> mikrotik/vyatta works for that too 19:13 < Dryanta> but id rather still have something that says cisco on it 19:13 < Dryanta> its not just cost of hardware 19:14 < Dryanta> its tac, support contracts, on-site replacement 19:14 < krzee> ahh 19:15 < krzee> im more into just doing that stuff 19:15 < Dryanta> that works until you have 20 offices :D 19:15 < krzee> hehe im sure that is very true =] 19:15 < Dryanta> and to when your company loses money when shit doesnt work 19:15 < krzee> i dealt with 7 office, never 20 tho 19:16 < krzee> (of same company) 19:17 -!- dmarkey [n=dmarkey@79.97.241.103] has quit [Connection timed out] 19:18 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has joined ##openvpn 19:19 < endeavormac> I'm generating keys for TSL/SSL encryption, and when i generate keys for server/clients, I get 3 files, .crt, .csr and .key. 
The certificate, .crt, files are empty! and what are the csr files? 19:21 < dustybin> my openvpn server address pool = 192.168.200.0/24 and the local network to use = 192.168.1.0/24 my openvpn client (Viscosity) connects to the server ok, and it creates a new interface: inet 192.168.200.6 --> 192.168.200.5 netmask 0xffffffff however, i cannot access my LAN, ie i telnet to my ssh server on 192.168.1.65 but it cannot connect? 19:21 < dustybin> what would be my default gateway for the openvpn client to use? 19:48 < Dougy> ecrist, ring 19:50 < krzee> endeavormac, try using ssl-admin for making the keys 19:50 < krzee> err certs 19:50 < krzee> !ssl-admin 19:50 < vpnHelper> krzee: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 19:50 < endeavormac> ok, thanks 19:50 < krzee> np 19:51 < krzee> dustybin, check out this writeup, note network drawing on bottom 19:51 < krzee> !route 19:51 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:52 < krzee> Dougy, still working on the NAT thing? 19:52 < Dougy> krzee, i left 19:52 < Dougy> but yep 19:52 < Dougy> still fighting 19:52 < Dougy> i have no reason why it won't work. 19:52 < Dougy> the vpn itself works just fine 19:52 < Dougy> i just cant route all traffic through it 19:52 < krzee> did you look through the 2 links on !nat 19:52 < krzee> ? 19:52 < krzee> they both use linux as their example 19:52 < Dougy> did not have time 19:52 < Dougy> looking now 19:52 < Dougy> !nat 19:52 < vpnHelper> Dougy: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules 19:52 < krzee> which is what you are using, right? 
19:52 < Dougy> i looked at #1 19:52 < Dougy> yessir, centos server ubuntu client 19:53 < krzee> your use of the term masquerading is what gave me that idea ;] 19:53 < Dougy> haha 19:53 < Dougy> i hate ipfw 19:53 < Dougy> so i stuck to stuff with iptables 19:53 < krzee> pf 19:53 < krzee> for the win 19:53 < Dougy> i used pf once 19:53 < Dougy> i failed 19:53 < krzee> its like ipf, but it kicks ass 19:53 < krzee> hehe 19:54 < krzee> 1 simple pf command confuses nmap OS scans 19:54 < krzee> i used to have to use like 10 ipf commands for that 19:56 < Dougy> lol 19:57 < krzee> pf you just tell it to scrub packets 19:59 < Dougy> nice 19:59 < Dougy> ill have to revisit openvpn tomorr 19:59 < Dougy> ow 20:00 < krzee> cause nmap sets a bunch of weird tcp flags that wouldnt happen in real tcp connections 20:00 < krzee> http://lists.netfilter.org/pipermail/netfilter/2006-October/067027.html 20:00 < vpnHelper> Title: trying different TCP flags for extra protections (probally false sense of security) (at lists.netfilter.org) 20:07 < dustybin> here are the full details of my setup: http://paste.linux-noob.com/index.php?query=2758 20:07 < dustybin> im using openvpn server what is built into pfsense firewall 20:11 < krzee> you want to reach the lan from laptop over the internet right? 20:11 < krzee> (ie from a different lan) 20:12 < krzee> oh they are on the same lan 20:13 < krzee> dustybin, are you using it through the config files on the filesystem? 20:13 < krzee> or some web config? 
20:13 < dustybin> krzee: pfsense has a web config 20:14 < krzee> it also has a bsd-based filesystem 20:14 < dustybin> yes 20:14 < krzee> well config openvpn there 20:14 < krzee> hehe 20:14 < krzee> !sample 20:14 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 20:14 < krzee> !route 20:14 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 20:14 < krzee> but tell me this 20:14 < krzee> is the client and server on the same lan? 20:15 < dustybin> yes 20:15 < krzee> why use openvpn? 20:15 < dustybin> no 20:15 < dustybin> 192.168.2.0 = laptop lan 20:15 < dustybin> 192.168.1.0 = lan 20:15 < krzee> so laptop = client 20:16 < dustybin> i want to use openvpn to secure wireless 20:16 < dustybin> yes 20:16 < krzee> server is on 1.0 lan 20:16 < krzee> ohhh 20:16 < krzee> secure wifi 20:16 < krzee> gotchya 20:16 < krzee> !local 20:16 < vpnHelper> krzee: Error: "local" is not a valid command. 20:16 < krzee> hrms 20:16 < krzee> !lan 20:16 < vpnHelper> krzee: "lan" is you can NOT run both endpoints of openvpn on the same LAN. 20:16 < krzee> doh 20:16 < krzee> thats not true 20:16 < krzee> !forget lan 20:16 < vpnHelper> krzee: The operation succeeded. 
20:16 < krzee> !factoids search * 20:16 < vpnHelper> krzee: 'krzee', 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls- (1 more message) 20:16 < krzee> !more 20:16 < vpnHelper> krzee: auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'fool', 'bridge-dhcp', 'win_noadmin', 'dousafavor', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', and 'nat' 20:17 < dustybin> krzee: when i turn on the openvpn client on my laptop it creates this interface 20:17 < dustybin> tun0: flags=8851 mtu 1500 inet 192.168.200.6 --> 192.168.200.5 netmask 0xffffffff open (pid 1602) 20:17 < krzee> ya 20:17 < krzee> thats good 20:17 < dustybin> do i need to route 192.168.200.5 >>> LAN somehow? 20:17 < krzee> you need !def1 20:17 < krzee> and local 20:17 < krzee> !def1 20:17 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 20:18 < krzee> redirect-gateway def1 local 20:18 < krzee> read this 20:18 < krzee> !man 20:18 < dustybin> frickin heck confusing 20:18 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 
20:18 < krzee> go straight to --redirect-gateway 20:18 < krzee> it will explain fully 20:19 < dustybin> gateway: 192.168.200.5 20:19 < dustybin> route: 192.168.1.0 20:19 < krzee> what are you talkin bout with 1.0 20:19 < krzee> 2 local lans? 20:20 < dustybin> what should it be? 20:20 < krzee> 1 for wifi, 1 for wired? 20:20 < dustybin> yes 20:20 < dustybin> id like to access my wired 192.168.1.0/24 with my latop client 20:20 < krzee> will the vpn also be fore securing all inet traffic outbound? 20:20 < dustybin> yep 20:21 < krzee> oh, what i just said is part of that 20:21 < krzee> the openvpn server also needs to be running nat 20:21 < krzee> and have ip forwarding on 20:21 < dustybin> yep pfsense does all that 20:21 < krzee> !learn nat as dont forget to turn on ip forwarding 20:21 < vpnHelper> krzee: The operation succeeded. 20:21 < dustybin> krzee: this is running within my LAN at the moment 20:21 < dustybin> so it doesnt matter 20:21 < dustybin> ill forward ports later once i get it working inside my LAN 20:22 < dustybin> i have 2 networks within my LAN 20:22 < dustybin> 1 DMZ network for my laptop 192.168.2.0/24 20:22 < krzee> same router? 20:22 < dustybin> and 1 LAN 192.168.1.0/24 20:22 < dustybin> my laptop used the DMZ LAN 20:23 < dustybin> with only 1 port access for openvpn server on the LAN 20:23 < krzee> well when the router gets a packet headed for 192.168.1.0 from it needs to know who to send it to 20:23 < krzee> so a route will need to be made on the router for that 20:24 < dustybin> this is where i get confused 20:24 < krzee> the 1.0 lan is behind the client or server? 20:24 < dustybin> i can put in a route on this openvpn client 20:24 < dustybin> but not sure what 20:24 < krzee> is pfsense box your router? 
20:24 < dustybin> yes 20:24 < krzee> ohhh 20:25 < dustybin> i can connect to the openvpn server on 192.168.2.254 port 1194 using my laptop client 20:25 < dustybin> then it creates these interfaces 20:26 < krzee> right 20:26 < dustybin> tun0: flags=8851 mtu 1500 inet 192.168.200.6 --> 192.168.200.5 netmask 0xffffffff open (pid 1602) 20:26 < krzee> push a route to the client that he can access .1.0 behind the server 20:26 < dustybin> but i need to put some routing details into the client, but not sure what 20:26 < krzee> !route 20:26 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 20:27 < krzee> push "route 192.168.1.0 255.255.255.0" 20:27 < krzee> in your server config 20:27 < krzee> it will make the client know to route 1.0 through the vpn 20:28 < krzee> and since the openvpn-server happens to be the default route for the machine you are connecting to, it will have a route back to the vpn already 20:28 < krzee> so you'll be good to go 20:29 < dustybin> krzee: what will the new gateway on my client? 20:29 < dustybin> would the gateway be the same ip as the newly created interface? 20:29 < krzee> what i gave you earlier handled that 20:30 < krzee> you dont set that manually 20:30 < krzee> openvpn does it with push "redirect-gateway def1 local" 20:30 < krzee> !push 20:30 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 20:30 < dustybin> fricking heck 20:31 < dustybin> brb 20:32 -!- kpoman [i=chatzill@189.61.57.238] has quit [Read error: 104 (Connection reset by peer)] 20:35 < dustybin> krzee: IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!! 20:35 < dustybin> i changed the gateway on my laptop to 192.168.200.5 20:35 < dustybin> and now i can access my LAN!!!!!!!!!!!!!!!!!!! 20:35 < dustybin> THANK YOU!!!!!!!!!! 
:-) 20:35 < krzee> you're welcome 20:35 < krzee> =] 20:36 < dustybin> this is FRICKIN COOL 20:36 < dustybin> this is what one would call 'secure wireless' 20:36 < krzee> totally 20:36 < dustybin> wireless inside a DMZ with only 1 port access to the openvpn server 20:36 < dustybin> then thats it! 20:37 < krzee> then give normal wifi no access to the inet 20:37 < krzee> only vpn wifi 20:37 < dustybin> yep, i need to setup a rule for that 20:37 < dustybin> my wireless can still access the WAN 20:37 < dustybin> but that can easily be changed :-) 20:37 < krzee> yup 20:37 < krzee> and easily given exceptions 20:37 < krzee> when you have company 20:37 < dustybin> so that means if somone hacks my wireless 20:38 < dustybin> no internet 20:38 < dustybin> no lan 20:38 < krzee> nice setup 20:38 < dustybin> indeed!!! 20:38 < dustybin> time to setup the no WAN rule 20:38 < krzee> and they cant arp with anything else 20:39 < krzee> except you, but if they arp poison you they cant read anything 20:39 < krzee> and if they capture the login they cant do a MITM 20:39 < krzee> !mitm 20:39 < vpnHelper> krzee: Error: "mitm" is not a valid command. 20:39 < krzee> bleh 1sec 20:41 < krzee> !learn mitm with stop Man-in-the-Middle attacks by signing the server cert specially. http://openvpn.net/index.php/documentation/howto.html#mitm 20:41 < vpnHelper> krzee: Invalid arguments for learn. 20:41 < krzee> !learn mitm as with stop Man-in-the-Middle attacks by signing the server cert specially. http://openvpn.net/index.php/documentation/howto.html#mitm 20:41 < vpnHelper> krzee: The operation succeeded. 20:41 < krzee> !learn mitm as stop Man-in-the-Middle attacks by signing the server cert specially. http://openvpn.net/index.php/documentation/howto.html#mitm 20:41 < vpnHelper> krzee: The operation succeeded. 20:41 < krzee> !forget mitm 20:41 < vpnHelper> krzee: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them. 
20:41 < krzee> !forget mitm 1 20:41 < vpnHelper> krzee: The operation succeeded. 20:44 < krzee> or hmac static keys 20:45 < krzee> !hmac 20:45 < vpnHelper> krzee: Error: "hmac" is not a valid command. 20:47 < krzee> !learn hmac as The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. 20:47 < vpnHelper> krzee: The operation succeeded. 20:48 < krzee> !learn hmac as openvpn --genkey --secret ta.key to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 20:48 < vpnHelper> krzee: The operation succeeded. 21:37 -!- near [n=near@83-155-184-144.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:38 -!- near [n=near@83-156-244-166.rev.libertysurf.net] has joined ##openvpn 21:40 < dustybin> everything seems to work apart from web browsing, i can access my whole LAN, my DNS is working properly, if i ping google it responds with PING google.co.uk (66.249.93.104): 56 data bytes, if i put 66.249.93.104 in firefoxes address bar, it says Connecting to... 
but nothing happens, how odd 21:44 < krzee> if you did the push "redirect-gateway def1 local" like i said, then check its not NAT 21:44 < krzee> the VPN network must be natt'ed to translate to inet ip 21:45 < dustybin> krzee: pfsense takes care of all that 21:45 < krzee> or so you hope 21:46 < dustybin> my NATd ip is 192.168.3.6 21:46 < krzee> (that it is natting it should nat the same as normal lan does 21:46 < krzee> err 21:47 < krzee> it should nat the same as normal lan does 21:47 < dustybin> krzee: everything else works 21:47 < dustybin> apart from web browsing 21:47 < krzee> right, which i know its not openvpm 21:47 < krzee> vpn 21:47 < dustybin> even ping google.co.uk works 21:47 < krzee> o 21:48 < dustybin> but for some strange reason ff wont connect 21:50 < dustybin> if this works 21:50 < dustybin> dustybins-macbook-pro:~ dustybin$ ping google.co.uk 21:50 < dustybin> PING google.co.uk (72.14.221.104): 56 data bytes 21:50 < dustybin> surely firefox should work too? this is very odd! 21:50 < krzee> you didnt show a response 21:50 < dustybin> maybe i got one of those bsd viruses floating about 21:52 < krzee> did you get ping responses? 
21:52 < dustybin> dustybins-macbook-pro:~ dustybin$ ping yahoo.co.uk 21:52 < dustybin> PING yahoo.co.uk (217.12.6.29): 56 data bytes 21:53 < dustybin> no they get stuck 21:53 < krzee> its your NAT 21:53 < dustybin> eeek 21:53 < krzee> you get dns from your local NS 21:54 < dustybin> yep my server 21:54 < dustybin> running bind 21:54 < dustybin> wow i found the logs for my client 21:54 < dustybin> this is what happens 21:55 < dustybin> Thu Oct 16 03:43:29 2008: /sbin/ifconfig tun0 192.168.3.6 192.168.3.5 mtu 1500 netmask 255.255.255.255 up 21:55 < dustybin> Thu Oct 16 03:43:29 2008: OpenVPN ROUTE: omitted no-op route: 192.168.2.254/255.255.255.255 -> 192.168.2.254 21:55 < krzee> right, thats what local does 21:55 < krzee> thats good 21:56 < dustybin> so now i need to try and figure out how to get NAT working for the 192.168.3.0/24 network on pfsense 21:58 < krzee> find where it stashes your firewallconfig 21:58 < krzee> and basically just copy the .1 nat entries 21:59 < dustybin> i found the .1 entry and ive copied it exactly the same and changed it to .3 21:59 < krzee> if .3 the openvpn internal ips? 22:00 < dustybin> 192.168.3.6 <-- this is my IP once im connected 22:03 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 22:04 < krzee> ok 22:04 < krzee> so ya 22:05 < krzee> you make sure the firewall/nat entries are the same for .3 as .1 22:11 < dustybin> IT WORKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 22:11 < dustybin> THANK YOU :-) 22:12 < dustybin> im going to isolate my wireless interface from everything apart from the vpnserver 22:33 < ecrist> dustybin: sup? 
22:34 < dustybin> nothing :) 23:49 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn --- Day changed Thu Oct 16 2008 01:00 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 01:08 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 01:26 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 03:53 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has quit [Read error: 60 (Operation timed out)] 03:55 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has joined ##openvpn 04:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:18 < stony> hi 05:19 < stony> if i have two nodes one got a static ip and one a changing (dialup), does openvpn recognize this in udp mode and send the new packets to the latest address that contacted it on that port ? 05:20 < stony> or do i have to change the config on the static-ip-site every time the remote system gets a new ip ? 05:31 < stony> ah float does the trick 05:31 < stony> thx 05:43 < krzee> also, for the record 05:44 < krzee> if server is on the static 05:44 < krzee> when keepalive found that the client wasnt connected to server anymore, the client would reconnect 05:44 < krzee> but ya, float does what you want without reconnecting 06:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 06:29 < endeavormac> !ubuntu 06:29 < vpnHelper> endeavormac: "ubuntu" is dont use network manager! 
06:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:24 < ecrist> morning, folks 07:28 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 07:34 -!- CrummyGummy [n=Dude@41.208.46.2] has quit [Remote closed the connection] 08:04 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 08:40 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 08:44 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 09:39 < ecrist> too quiet in here today 09:41 < Dryanta> LOUD 09:41 < Dryanta> heh 10:09 < jeev_> i miss my girlfriend 10:13 -!- jeev_ is now known as jeev 10:22 -!- essobi [n=Essobi@96.28.86.225] has joined ##openvpn 10:22 < essobi> I've got something weird I can't explain... was wondering if anyone had an idea what to look for.. 10:23 < essobi> I can ping my openvpn server w/o any packet loss.. 10:23 < essobi> on the same machine(client), I start the vpn.. 10:23 < essobi> and ping the tap interface.. 10:23 < essobi> er.. 10:24 < essobi> ping the IP on the far end and I get packet loss.. 10:27 < endeavormac> i need to run a dhcpd on the interface i'm sharing over openvpn for connecting clients to receive IP addresses, right? 10:28 < endeavormac> i'm having issues with a windows interface receiving an IP address from the server 10:30 < Dryanta> jeev: i dont miss my ex wife 10:30 < Dryanta> at least i tell myself that :( 10:32 < essobi> :( 10:33 < essobi> Hmm.. 10:33 < essobi> So it looks like there was openvpn running twice on the client. 10:34 < essobi> Which was causing the vpn to appear to sporadically drop packets.. 10:34 < essobi> ping -f is barely even hesitating now.. hehe 10:40 < ecrist> endeavormac: tap or tun? 10:40 < endeavormac> tap 10:40 < ecrist> essobi: openvpn running twice on the client causes problems. 10:40 < essobi> Duly noted. 
10:40 < essobi> Heh 10:40 < ecrist> endeavormac: you can run it on any interface, then 10:41 < endeavormac> let me explain what i'm trying to do 10:41 < endeavormac> i don't really want to connect a physical network to a virtual network, i want to create an isolated virtual network that people can connect to 10:42 < endeavormac> so i have created a tap interface on the server, and i can connect to it, the problem is once i connect to it i can not get my client (windows) to set an ip address 10:42 < endeavormac> not set, i mean receive 10:42 < endeavormac> when i manually set an IP address, I can not ping the ip address I set for the tap0 interface on the server... so i'm pretty much confused as hell 10:46 < endeavormac> wait now i'm getting traffic to go through the tunnel 10:46 < endeavormac> ok, i'm back out on my own, don't respond to my pointless conversation :p 10:47 < essobi> Does running LZO on a low-end openvpn server really buy you much if you have decent bandwidth? (20 megabit uplink/5 downlink) 10:50 < essobi> I'm running the server on a piddly little openwrt box... 
11:05 < ecrist> essobi: depends on what you're doing 11:06 < ecrist> endeavormac: it would help to see your configs 11:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Remote closed the connection] 11:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:19 -!- dustybin [i=subx@microsoft.devilcode.net] has left ##openvpn [] 11:28 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:38 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 11:57 -!- Prometheanfire [n=matt@74.95.153.41] has joined ##openvpn 12:08 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 12:12 -!- nadio [n=nobody@about/philosophy/nadio] has joined ##openvpn 12:26 -!- darkdrgn2k [n=darkdrgn@CPE000f3d01971a-CM00125573082a.cpe.net.cable.rogers.com] has joined ##openvpn 12:26 < darkdrgn2k> Hey im trying to push a domain across the vpn 12:26 < darkdrgn2k> my current setup 12:26 < darkdrgn2k> http://pastebin.ca/1228570 12:26 < darkdrgn2k> what am i doing wrong 12:27 < nadio> Hello, wondering if anyone could have time to help me configure my config file properly ? 12:32 < ecrist> darkdrgn2k: what's not working? 12:32 < ecrist> nadio: sure 12:39 < darkdrgn2k> ecrist: ok well now, i added "push route 192.168.2.0 255.255.555.0" and the remote client (192.168.100..10) can see the remote server 192.168.2.254 but none of the other computers on the net 12:39 < darkdrgn2k> i added 192.168.100.0 255.255.255.0 to the default gate to point to 2.254 12:40 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has quit ["Leaving"] 12:45 < nadio> nv got it working stable now :) 12:46 -!- bandini [n=bandini@host4-105-dynamic.10-79-r.retail.telecomitalia.it] has joined ##openvpn 12:52 -!- edoceo [n=edoceo@c-71-197-244-147.hsd1.or.comcast.net] has quit [Remote closed the connection] 12:54 < ecrist> darkdrgn2k: what do you mean by they can't see them?
12:54 < darkdrgn2k> ecrist: ping 12:58 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 12:59 < ecrist> um, pong? 12:59 < ecrist> are they all able to connect? 12:59 < ecrist> at the same time 13:02 -!- rubydiamond [n=rubydiam@123.236.177.3] has joined ##openvpn 13:03 -!- bandini [n=bandini@host4-105-dynamic.10-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 13:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 13:06 -!- Prometheanfire [n=matt@74.95.153.41] has quit [Read error: 60 (Operation timed out)] 13:20 -!- darkdrgn2k [n=darkdrgn@CPE000f3d01971a-CM00125573082a.cpe.net.cable.rogers.com] has quit [] 13:36 -!- essobi [n=Essobi@96.28.86.225] has quit [Remote closed the connection] 13:54 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 13:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Remote closed the connection] 13:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 14:29 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:29 < Dougy> yo 14:30 < Dougy> ecrist or krzie, there? 14:30 < Dougy> highlight me if you appear 14:30 < krzie> sup 14:30 < Dougy> krzie, question 14:30 < Dougy> i just tested the vpn 14:30 < Dougy> the server has a bunch of ips in the 69.73.151.xx ip block. 14:30 < Dougy> I vpn'd, still couldnt browse web, but i pinged other ips on the server 14:31 < Dougy> eg 69.73.151.149 14:31 < Dougy> i can ping those fine.. 14:31 < Dougy> does that help you figure out why all traffic isnt working? 14:31 < ecrist> I'm here 14:32 < Dougy> ecrist, same question 14:32 < Dougy> I can connect to the vpn fine, i can ping the server and ssh to it over the vpn 14:32 < ecrist> nat 14:32 < Dougy> i figured 14:32 < Dougy> is that iptables stuff? 
14:32 < Dougy> on a linux sys 14:32 < ecrist> yes, but krzie and I don't do iptables 14:32 < Dougy> grumble 14:32 < Dougy> jeev, there? 14:33 < ecrist> use freebsd 14:33 < Dougy> or someone else? 14:33 < ecrist> it's better 14:33 < Dougy> ecrist, can't do that on a Xen VPS 14:33 < Dougy> trust me I would if I could 14:33 < krzie> i recall telling you it was NAt yesterday 14:33 < Dougy> yeah, i figured it still is nat 14:33 < Dougy> just thought ecrist might know a fix 14:34 < krzie> the fix is 14:34 < krzie> !nat 14:34 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 14:34 < Dougy> i did what that says 14:35 < krzie> it seems to work for everyone else 14:35 < Dougy> iptables -t nat -A POSTROUTING -s 10.50.0.0/24 -o eth0 -j MASQUERADE 14:35 < Dougy> would that matter if the ip the vpn is on is eth0:0? 14:36 < krzie> !notovpn 14:36 < vpnHelper> krzie: Error: "notovpn" is not a valid command. 
14:36 < krzie> !notopenvpn 14:36 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 14:37 < krzie> you're asking 2 non linux users a linux specific question 14:37 < krzie> asking a linux channel your iptables NAT specific question may get you further 14:37 < Dougy> nod 14:38 < krzie> its just like if your LAN was and you wanted to NAT 14:38 < Dougy> it shouldn't though, as it worked on the last server 14:38 < Dougy> so i'm not sure why i asked 14:38 * Dougy goes to read if dd-wrt would interfere 14:39 < krzie> i believe there is a wrt channel too on freenode 14:40 < Dougy> indeed there is 14:40 < Dougy> i was going to google :p 14:40 * Dougy wishes there was freebsd available on xen 14:42 < Dougy> hmm 14:42 < Dougy> i can resolve things as well (eg sites) 14:42 < Dougy> i just can't load webpages etc 14:42 < krzie> your NS is prolly on the LAN 14:42 < krzie> try: 14:42 < krzie> host ircpimps.org ns1.doeshosting.com 14:42 < krzie> that will query my NS directly 14:43 < Dougy> connecting now to try 14:43 < Dougy> doug@pc003:~/vpn$ host ircpimps.org ns1.doeshosting.com 14:43 < Dougy> ;; connection timed out; no servers could be reached 14:43 < krzie> see 14:43 < krzie> dns only works cause you are querying a LAN ns 14:43 < Dougy> yeah 14:44 < Dougy> stupid nat 14:44 < Dougy> this exact config worked fine on another vps 14:44 * Dougy grunts 14:45 * ecrist guesses it wasn't that *exact* config 14:46 < Dougy> it was 14:46 < Dougy> except for a different /24 14:47 < ecrist> you have a /24?
14:47 < Dougy> I do but thats not what I meant 14:48 < Dougy> I have a /22 actually, but that's irrelevant 14:49 < Dougy> er /23* 15:16 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)] 15:16 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 15:20 < krzie> a freeswitch dev! 15:20 < krzie> wassup man 15:22 -!- mode/##openvpn [+o krzie] by ChanServ 15:22 < Dougy> hey 15:22 < Dougy> where's my op 15:22 -!- mode/##openvpn [+v [intra]lanman] by krzie 15:22 < Dougy> :( 15:22 -!- mode/##openvpn [-o krzie] by krzie 15:22 < krzie> go dev for freeswitch 15:22 < krzie> :-p 15:22 < Dougy> no idea what that even is 15:22 < Dougy> haha 15:22 < krzie> you heard of asterisk? 15:23 < Dougy> oh 15:23 < Dougy> oh snap 15:24 < krzie> it kicks asterisk's ass 15:24 < Dougy> haha 15:24 -!- rubydiamond [n=rubydiam@123.236.177.3] has quit ["Leaving..."] 15:27 -!- fanti [n=fanti@g230005245.adsl.alicedsl.de] has joined ##openvpn 15:28 < fanti> hi there! i've an openvpn interface "tun0" which is connected, but all outgoing traffic is sent directly over the ppp0 interface instead of tun0. how can i tell linux to use the vpn tunnel? 15:28 < krzie> !def1 15:28 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 15:29 < krzie> !man 15:29 * Dougy punches wall 15:29 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 15:36 < fanti> just adding the line "redirect-gateway local def1" in config-file and restart openvpn makes no difference? 15:45 < krzie> why did you add local? 15:45 < krzie> did you read what local does?
15:45 < krzie> also, you want to push that to the client 15:45 < krzie> !push 15:45 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 15:45 < krzie> the manual only helps when you read it =[ 15:47 < Dougy> lol ownt 16:15 < krzie> to sum it up 16:15 < krzie> in server config you put: 16:16 < krzie> push "redirect-gateway def1" 16:16 < Dougy> I think Im gonna buy a dedicated server 16:16 < Dougy> to hell with these piece of a$$ VPS hosting companies 16:18 < fanti> uhm sorry. i don't get openvpn to work with my ppp0 interface. when i use openvpn via my eth0 ethernet lan interface, it works very well. but when i use my wlan adapter eth1 to establish a pppoe connection, my ppp0 interface doesn't use openvpn? 16:23 < krzie> so the vpn server is online via ppp? 16:24 < fanti> the vpn server is online at my company 16:24 < krzie> ok, and the client is on ppp 16:25 < fanti> at the moment yes. i want my openvpn client to work with ppp 16:25 < krzie> the exact same setup works when you plug in to a lan? 16:25 < fanti> with the ethernet lan connection over a dsl-router it works fine 16:25 < fanti> right 16:26 < krzie> so i take it you have the dsl router there 16:26 < krzie> and you are testing back and forth 16:27 < fanti> currently i only have a ppp connection over my wlan adapter. i'm not at home in my local network where it works fine over the dsl-router 16:28 < krzie> ok, so we're no longer talking about just redirect-gateway 16:28 < krzie> since theres no way you just tested that from a diff location 16:29 < krzie> you saying you cant even connect when on the ppp? 16:29 < krzie> what is this, one of those gprs modems? 16:30 < fanti> i can connect. when i start my openvpn client on my notebook, the tun0 interface is created and i also get a ip-address of the openvpn address space 16:30 < krzie> ok, what goes wrong? 16:31 < fanti> the tun0 interface is not used. when i go to www.whatismyip.com it shows me the ppp0 ip-address and not the address of my openvpn server 16:33 < krzie> in server config you put: 16:33 < krzie> push "redirect-gateway def1" 16:33 < krzie> you did that, and restarted the server? 16:34 < fanti> yes 16:35 < fanti> just one second, i'll show you the routing tables 16:35 < fanti> without starting the openvpn client route -n looks like: 16:35 < fanti> http://92.230.5.245/routing_without_openvpn.txt 16:36 < krzie> i care more about logs than your routing tables 16:36 < krzie> !logs 16:36 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:36 < fanti> http://92.230.5.245/routing_with_openvpn.txt 16:36 < fanti> that's it with openvpn client running 16:40 < krzie> i care more about logs than your routing tables 16:40 < krzie> !logs 16:40 < krzie> krzie: "logs" is is please pastebin your logfiles from both client 16:40 < krzie> and server with verb set to 6 16:41 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 16:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:44 < fanti> i guess it must have something to do with the routing table? 16:45 < Dougy> anyone have an idea what the xeon codename for the ones that came out in 2001 are 16:48 < krzie> i dont care about your routing table 16:48 < krzie> i care about the logs 16:49 < fanti> i can't get the server log because i've no root account on that server. 16:49 < krzie> Itanium 16:49 < krzie> as found from 16:49 < krzie> !google intel xeon 2001 16:50 < vpnHelper> krzie: http://www.cpuscorecard.com/bench_ix.htm - Intel Xeon Benchmarks 16:52 < krzie> hit #8 on that search is: http://www.intel.com/museum/online/hist_micro/hof/ 16:52 < vpnHelper> Title: Intel Museum - Microprocessor Hall of Fame (at www.intel.com) 16:54 < krzie> fanti, so how did you restart openvpn without root...?
16:54 -!- knothead [n=a@66.183.79.75] has joined ##openvpn 16:55 < fanti> as: sudo /etc/init.d/openvpn stop" and "sudo /etc/init.d/openvpn start" 16:55 < fanti> as root 16:55 < krzie> well sudo grab the logs 16:56 < knothead> I'm setting up ddns with openvpn client-connect and client-disconnect. I'm worried about the disconnect script racing with the connect script if the tunnel dies and is reconnecting. Does anyone know if openvpn tried to avoid this? 16:56 < knothead> *tries 16:56 < fanti> i append "verb 6" to the config-file.... but there are no log messages? 16:57 < fanti> neither in /var/log/messages nor /var/log/kern 16:57 < fanti> ah 16:57 < fanti> in daemon log are some messages 17:01 < fanti> krzie: http://92.230.5.245/openvpn.log.txt 17:01 < krzie> knothead: http://openvpn.net/man#lbAP 17:01 < vpnHelper> Title: OpenVPN 2.0.x Man Page (at openvpn.net) 17:01 < krzie> that shows the order of execution 17:03 < fanti> Oct 16 23:51:59 daniela ovpn-ack[12338]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system 17:03 < fanti> hmmmmm 17:03 < fanti> may this be helpful? 17:04 < krzie> yup 17:04 < krzie> that is not a complete log you posted 17:04 < krzie> omg 17:04 < knothead> krzie: Thanks. I'll give that a whirl then. 17:04 < fanti> i've no default gateway while i'm connected directly via ppp0 ? 17:04 < krzie> you're doing a tcp connection over ppp 17:04 < krzie> thats gunna be terrible even if you get it working 17:04 < krzie> !~tcp 17:04 < vpnHelper> krzie: Error: "~tcp" is not a valid command. 17:04 < krzie> !tcp 17:04 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 17:05 < fanti> krzie: that's not the point. 
tcp port 80 is needed because of some port filters which allow only http traffic and no udp 17:06 < krzie> werd 17:06 < krzie> but just so you know 17:06 < krzie> it will be next to unusable 17:06 < krzie> if not completely unusable 17:06 < fanti> it works fine for years! 17:07 < krzie> over ppp? 17:07 < fanti> no, over ethernet 17:07 < krzie> right 17:07 < knothead> Am I correct in assuming that a routed vpn can't work with an existing dhcp server because a client has to have an IP BEFORE being able to establish connectivity over the tunnel? 17:07 < krzie> im not talking bout over ethernet 17:07 < krzie> im talking about over ppp 17:07 < fanti> okay. but in my case, the openvpn is not used because of wrong routing entries? 17:08 < krzie> knothead local dhcp server? 17:08 < fanti> that problem i have has nothing to do with udp or tcp 17:08 < knothead> krzie: dhcp server running on the vpn server box 17:08 < knothead> krzie: I was wondering if I could use that to issue IPs to clients when they connect to the vpn but I think that only makes sense for a bridged vpn.
17:11 < krzie> fanti, its having a problem determining your default routeyou thought correct 17:11 < krzie> oops 17:11 < krzie> fanti, its having a problem determining your default route 17:11 < krzie> knothead, you thought correct 17:11 < krzie> but dhcp is not a valid reason to switch to bridged 17:11 < krzie> just let openvpn assign the ips 17:12 < krzie> dhcp works on layer2, bridging is layer2, routed is layer3 and can only handle ip layer traffic 17:12 < knothead> krzie: that's exactly what I'm thinking, I'm designing for ~1000 clients so I want to stay routed 17:12 < krzie> good call 17:12 < knothead> krzie: First routed vpn I've done actually 17:13 < krzie> with that many users you may wanna think about having a couple servers 17:13 < knothead> krzie: thanks for your help 17:13 < krzie> ovpn can do built in poor-mans load balancing 17:13 < krzie> basically, randomize which server is connected to 17:13 < knothead> krzie: yeah it won't be that many for a while and I looked at the load balancing it can do without something like lvs 17:14 < krzie> yup 17:14 < krzie> looks like you've thought things through 17:14 < knothead> I'm trying. It's totally fun :-) 17:14 < krzie> hehe yup! 17:14 < krzie> the howto and all that is good, but the manpage is invaluable 17:15 < krzie> (good piece of info to know) 17:16 < knothead> yeah I've gotten pretty comfortable with the manpage for 2.1 now 17:16 < knothead> I decided to use it for the topology subnet feature 17:17 < knothead> although I think my class B subnet might be a bit optimistic :-) 17:17 < krzie> ahh ya 17:17 < knothead> time for lunch in my timezone 17:17 < krzie> thats what i was trying to think to tell you 17:17 < knothead> thanks for the help 17:17 < krzie> but you already knew 17:17 < krzie> hmm, hawaii?
17:18 < knothead> pacific northwest + late breakfast 17:18 < krzie> hehe cool 17:18 < krzie> enjoy, ttyl 17:18 < knothead> thanks 17:18 -!- knothead [n=a@66.183.79.75] has left ##openvpn [] 17:42 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)] 17:54 -!- fanti [n=fanti@g230005245.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)] 17:56 < Dougy> woo hoo. 17:57 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 17:59 -!- daemon [n=daemon@mail.daemoncore.org] has quit ["ZNC - http://znc.sourceforge.net"] 18:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:08 < krzie> Dougy you fixed it? 18:08 < Dougy> the vpn? no 18:08 < Dougy> i gave up for now 18:09 < Dougy> i was woo hooing at the parts i just posted for sale 18:09 < krzie> ahhh 18:09 < Dougy> http://www.webhostingtalk.com/showthread.php?t=729785 18:09 < vpnHelper> Title: Bunch of parts for sale - Web Hosting Talk - The largest, most influential web hosting community on the Internet (at www.webhostingtalk.com) 18:16 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn 18:16 < krzie> ild toss around the idea of buying a complete server 18:19 < krzie> no idea why tho, i have 2 boxes to find a new home for 18:19 < krzie> thinking bout sending 1 to NY and 1 to canada 18:21 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 18:22 < Dougy> krzie, where in NY 18:26 < krzie> that one, my friends FIOS 18:26 < krzie> lol 18:26 < Dryanta> hah 18:27 < Dryanta> my boxen only reside at class 1 datacenters 18:32 < Dougy> lol krzie 18:32 < Dougy> Dryanta, please 18:32 < Dougy> i bet not 18:32 < Dougy> name them 18:32 < Dryanta> Dougy: 1 65.39.221.3 (65.39.221.3) 0.395 ms 0.416 ms 0.350 ms 2 oc48.so-2-1-0.sea-coloc-dis-1.peer1.net (216.187.89.190) 0.447 ms 0.506 ms 0.587 ms 18:32 < Dougy> 
peer1 18:32 < Dougy> everything is there? 18:33 < Dryanta> at the westin in seattle 18:33 < Dryanta> or at o1 in sacramento 18:33 < Dryanta> yes :) 18:33 < Dougy> I have gear in Equinix ny2 and a few things in a level3 dataenter 18:33 < Dougy> datacenter 18:33 < Dougy> oh and a VPS in gnax (GARBAGE!!!!!!!!!!!!!!!!!!!!!) 18:34 < krzie> Dryanta, mine only reside at places i get kickass deals 18:34 < Dryanta> i have some routers and servers in a twtc co as well 18:34 < Dryanta> krzie: i get a kickass deal :D 18:34 < krzie> like $300/yr, or free 18:34 < Dryanta> but those are a clients, not mine 18:35 < krzie> ya i no longer have clients 18:35 < krzie> my servers are only for fun 18:35 < Dryanta> i have clients, job, and fun 18:35 < krzie> and im not in usa anymore, so its nice to have servers around there 18:51 < krzie> only way im willing to get a VPS is if it is in china 18:52 < Dryanta> hah why china 18:52 < krzie> they're willing to give usa a middle finger on packet logs 18:52 < Dryanta> hah 18:53 < Dryanta> just dont do anything illegal sillypants :P 18:53 < krzie> i dont 18:53 < krzie> but that doesnt mean i trust us gov not to 19:19 < Dougy> you really hate the us govt dont you krzie 19:20 < Dryanta> hahahahah 19:20 < Dryanta> thats why he has so many vpns 19:22 < krzie> i dont hate it 19:22 < krzie> i just strongly distrust it 19:22 < krzie> i really wish that wasnt the case 19:23 < krzie> but i read too many of the laws they've been passing since 2k1 19:23 < krzie> i have them at my house printed out and highlighted through 19:25 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn 19:26 < Dougy> nice 19:26 < Dougy> i dont approve of the patriot act 19:26 < Dougy> i dont approve of anything bush has done to be frank 19:27 < krzie> its a long long read 19:27 < krzie> but after i read it, i moved out of ua 19:27 < krzie> usa 19:28 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:28 < Dougy> lol 
19:28 < Dougy> was it like a 19:28 < Dougy> "honey get the suitcases" 19:28 < Dougy> or did you think about it for a while 19:29 < krzie> well 19:29 < krzie> i finished reading it, took a trip to costa rica 19:29 < krzie> got back to usa and said, wtf am i even doing here? 19:29 < krzie> so i left 19:29 < krzie> and i didnt offer honey to get her suitcase 19:30 < krzie> it was more like honey, get everything of mine thats in your house, im leaving 19:30 < krzie> lol 19:30 < Dougy> lmfao 19:30 < Dougy> ouch 19:30 < Dougy> you in costa rica now? 19:31 < krzie> she was fine as hell but too nutty for me to be serious with 19:31 < krzie> nah im in the caribbean 19:31 < krzie> costa rica is central america 19:32 < krzie> between panama and nicaragua 19:32 < krzie> i loved nicaragua 19:34 < Dougy> oh 19:34 < Dougy> she was more of a bag and tag huh 19:34 < Dougy> hump and dump 19:34 < Dougy> hit and split 19:34 < krzie> basically 19:34 < Dougy> nice 19:34 < krzie> i did actually go out with her tho 19:35 < Dougy> oh krzie want to hear a US politics joke? 19:35 < krzie> i usually dont do that, i like to keep variety 19:35 < krzie> sure 19:35 < Dougy> What's the difference between Sarah Palin's mouth and vagina? 19:35 < krzie> she has a clue what comes out of her vagina? 
19:35 < Dougy> almost 19:35 < Dougy> Only some retarded things come out of her vagina 19:36 < Dougy> :) 19:36 < krzie> ya 19:37 < krzie> part of me thinks the republicrats made her vp choice for mccain to make sure mccain didnt accidently win 19:37 < Dougy> lmfao 19:37 < Dougy> republicrats 19:39 < Dougy> palin's daughter is pretty hot 19:40 < Dougy> ok 19:40 < Dougy> she's fair 19:40 < Dougy> i lied 19:40 < krzie> ild hit it just for the chance to argue common sense against her mom 19:40 < Dougy> lmfao 19:40 < Dougy> that's funny 19:40 < Dougy> i actually lol'd at that one 19:42 < krzie> aq part of me thinks the republicrats made her vp choice for 19:42 < krzie> mccain to make sure mccain didnt accidently win palin's 19:42 < krzie> daughter is pretty hot ild hit it just for the chance to 19:42 < krzie> argue common sense against her mom 19:42 < krzie> Inserted quote #4691. 19:42 < Dougy> lol 19:43 < krzie> sq 4417 19:43 < krzie> #4417: fat chicks give the best head fat chicks and 19:43 < krzie> tweaker chicks ive heard that but never tested it out 19:43 < krzie> well you can take it from me or i can get some good 19:43 < krzie> looking and some fat cihcks when you come to cali and we can 19:44 < krzie> compare if i ever tag team g 19:44 < krzie> (C) #4417: irls with qx i swear to god i'll make the girls scream 19:44 < krzie> "irc pimps" you know i will too thats disturbing 19:44 < krzie> to say the least no, whats disturbing is that they would do it 19:44 < Dougy> LOL 19:44 < krzie> yes dougy, im a dirty man 19:45 * krzie srugs 19:45 < krzie> shrugs 19:45 < Dougy> lol 19:45 < Dougy> ive done things grown men wont admit to doing 19:45 < Dougy> so don't speak 19:45 < krzie> haha 19:45 < krzie> someone needs to come ask a question and save us from ourselves 19:45 < krzie> lol 19:45 < Dougy> lmao 19:45 < Dougy> yeah 19:51 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn 19:52 * [intra]lanman was trying not to ask any questions to avoid interrupting 
19:53 < Dougy> lol 19:57 < [intra]lanman> seriously though... i'm having some issues with ovpn on win vista not adding the route 19:57 < krzie> lol 19:57 < krzie> ahh 19:57 < krzie> try route-method exe 19:58 < krzie> or switching to a real os ;] 19:58 < [intra]lanman> define "real os" 19:58 < krzie> im just playin with ya 19:59 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:00 < krzie> --route-method m 20:00 < krzie> Which method m to use for adding routes on Windows? 20:00 < krzie> ipapi (default) -- Use IP helper API. 20:00 < [intra]lanman> honestly though... i only run win on my laptop cus linux isn't ready for it yet.... no wifi drivers (and i'm not so fond of ndiswrapper) and power management leaves a bit to be desired 20:00 < krzie> exe -- Call the route.exe shell command. 20:00 < krzie> ive seen your problem come up often on the mail list 20:00 < krzie> most often solved by that 20:01 < [intra]lanman> cool.... oh, speaking of the ML.... there are a couple of includes missing on the archive site 20:01 < [intra]lanman> http://openvpn.net/archive/openvpn-users/2006-05/msg00264.html 20:01 < vpnHelper> Title: [Openvpn-users] Warning: route gateway is not reachable on any active network adapters (at openvpn.net) 20:02 < [intra]lanman> at the very bottom.... not sure if anyone here can fix that or not 20:04 < krzie> ML? 20:05 < [intra]lanman> mailing list 20:07 < [intra]lanman> btw, krzie, thanks, that option did the trick 20:11 < krzie> np 20:18 < krzie> oh and i seen your spoof 20:18 < krzie> thanx for the work on FS 20:18 < krzie> thats one hell of an app 20:19 < krzie> any opensource pbx that can out perform metaswitch gets a big fatty thumbs up 20:27 < [intra]lanman> heheh :-D 20:27 < [intra]lanman> although.. my work on it pales in comparison to many others'... 
but thanks 20:28 < krzie> np 20:28 < krzie> im sure every bit helps 20:29 < krzie> ild help on it, but im at the end of chapter 2 in the k&r c book 20:29 < krzie> so im useless for now, lol 20:32 < krzie> the problem on the archives from mail list, you having that problem too...? 20:33 < [intra]lanman> not anymore... i was getting that gateway error.... i just posted the link to show the php require error at the bottom of that page.... well, all the pages 20:36 < krzie> ohhh right 20:36 < krzie> ya i wish theyd fix that too 20:36 < krzie> they are completely unresponsive to emails 20:36 < [intra]lanman> that's not terribly reassuring 20:37 < krzie> which is the reason we had to take over the channel and forward to ##openvpn 20:37 < krzie> actually james yonan is active, replies on the maillist from time to time and you can see active devel work done 20:37 < krzie> its just the guys that run the site and used to run this channel that dont respond to anything 20:38 < krzie> in fact 2.1RC13 just came out recently 20:38 < [intra]lanman> nice 20:45 < krzie> james is the bkw of openvpn ;] 20:46 < [intra]lanman> haha 20:46 < [intra]lanman> sounds like they don't have an anthm though :-( 20:48 < [intra]lanman> hmmmm, is there a way to add this --route-method option to my config file? 20:53 < krzie> ya 20:53 < krzie> remove the -- 20:53 < krzie> and just toss it in 20:54 < [intra]lanman> i tried that, but it didn't work out for me.... so i figured i was missing something 21:24 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit ["You call it ADD, I call it multitasking"] 21:40 -!- near [n=near@83-156-244-166.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:45 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:46 < krzee> back 21:47 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 21:48 < Dougy> krzee supppppp 21:48 < krzee> wasssssup 21:48 < krzee> home finally, time to roll one up and crack open the k&r 21:49 < Dougy> lol 21:51 < krzee> !google ilbc 21:51 < vpnHelper> krzee: http://www.ilbcfreeware.org/ - iLBCfreeware.org Project Homepage 21:52 < Dougy> !google krzee 21:52 < vpnHelper> Dougy: http://forums.macrumors.com/member.php?u=109484 - Mac Forums - View Profile: krzee 21:52 < Dougy> ew 21:52 < Dougy> mac fail 21:53 < krzee> mac ftw 21:53 < krzee> !krzee 21:53 < vpnHelper> krzee: "krzee" is http://www.ircpimps.org/pimpin.jpg 21:54 < Dougy> LOLGTFO 21:55 < Dougy> !learn Dougy as http://youfail.org 21:55 < vpnHelper> Dougy: The operation succeeded. 21:55 < Dougy> !dougy 21:55 < vpnHelper> Dougy: "dougy" is http://youfail.org 21:55 < krzee> lolbigassacronymwtfbbq 21:55 < jeev> it's 4am 21:55 < jeev> i'm starving 21:56 < Dougy> jeev, ihateyou 21:56 < jeev> london sucks 21:56 < Dougy> lol 21:56 < Dougy> !Google ass buffet 21:56 < vpnHelper> Dougy: http://www.urbandictionary.com/define.php?term=ass%20buffet - Urban Dictionary: ass buffet 21:56 < Dougy> jeev, ^ 21:57 < jeev> so 21:57 < jeev> i'm finally 21:57 < jeev> successfully stealing internet 21:57 < jeev> i just charged to someone's room 21:57 < jeev> 40 bux a night 21:57 < jeev> fuck that 21:57 < Dougy> lamo 21:57 < Dougy> lmao 21:57 < Dougy> ouch 21:57 < krzee> bahah 21:57 < jeev> i just mass pinged the /24 21:57 < krzee> why not just tunnel over dns?
21:57 < jeev> well, the other days 21:57 < jeev> it's not dns based 21:57 < jeev> other days, i cloned ip and mac 21:57 < jeev> but i'd get major packet loss 21:57 < jeev> too stupid to figure it out 21:57 < jeev> this time i just set static ip 21:57 < jeev> lol 21:58 < krzee> ive never seen one of those systems that didnt allow dns or icmp 21:58 < jeev> with working mac 21:58 < jeev> it's mac addressed based i think 21:58 < jeev> i never tested dns lol 21:58 < krzee> [22:57] it's not dns based 21:58 < krzee> [22:58] i never tested dns lol 21:58 * krzee double takes 21:58 < jeev> lol 21:58 < jeev> i will test though later 21:58 < jeev> i just set static 21:58 < jeev> i duno how this worked 21:58 < jeev> i picked up a mac addy 21:58 < jeev> cloned it 21:58 < jeev> set ip 21:58 < jeev> and charged someone's room? 21:59 < jeev> the countdown just started 21:59 < jeev> but i'm sure the dood had already signed on 21:59 < jeev> so he won't get double billed 21:59 < jeev> lol 21:59 < krzee> you using windows?
21:59 < jeev> yea 21:59 < Dougy> jeev, off yourself 21:59 < krzee> oh nm 21:59 < krzee> you cant tunnel over dns afaik then 21:59 < jeev> i'm so hungry 21:59 < jeev> what you mean tunnel over dns 21:59 < jeev> i thought you meant change dns server 22:00 < krzee> nobody likes windows enough to port the apps to windows 22:00 < krzee> no i mean tunnel IP over dns queries / responses 22:00 < krzee> look at nstx and iodine 22:00 < jeev> what 22:00 < jeev> the hell 22:00 < jeev> lol 22:00 < krzee> in fact i made a lil script for the routing 22:00 < krzee> its on iodine's tips & tricks 22:01 < krzee> http://dev.kryo.se/iodine/wiki/TipsAndTricks 22:01 < vpnHelper> Title: TipsAndTricks - iodine - Trac (at dev.kryo.se) 22:01 < krzee> http://www.doeshosting.com/code/NStun.sh 22:01 < krzee> it uses tuntap (like openvpn does =] ) 22:01 < krzee> most of those hotels and whatnot allow dns 22:02 < jeev> shit 22:02 < krzee> so you setup your NS to forward queries for a certain subdomain to your specially crafted server 22:02 < jeev> openvpn over dns is cool 22:02 < jeev> that's too much work 22:02 < krzee> nono 22:02 < krzee> its not cool 22:02 < krzee> ip over dns is not a good medium 22:02 < krzee> packet loss and whatnot 22:02 < krzee> add another encapsulation layer of openvpn on that...
22:02 < krzee> and its a PITA 22:03 < jeev> oh 22:03 < krzee> BUT, ip over dns does work 22:03 < krzee> and does get you online 22:03 < krzee> without paying 22:03 < krzee> its also not cleartext 22:03 < jeev> fduck i'm so hungry 22:04 * krzee dcc's jeev a sandwich 22:04 < krzee> dude theres gotta be 24hr food in london 22:05 < Dougy> off to bed 22:05 < Dougy> night kids 22:05 < krzee> nite 22:06 < jeev> heh 22:06 < jeev> night 22:06 < krzee> a 15 yr old calling us kids 22:06 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 22:06 < krzee> lulz 22:06 < jeev> lol 22:06 < jeev> man 22:06 < jeev> it's 4am 22:06 < jeev> how can i stay awake 22:06 < krzee> 11pm here 22:06 < jeev> my flight is in like 22:06 < jeev> 6 hours 22:07 < jeev> i need to stay awake 22:07 < jeev> so i can pass the fuck out on the flight 22:07 < jeev> what do i do 22:07 < jeev> i'm starving too 22:07 < krzee> umm 22:07 < krzee> dont find food or you'll crash 22:07 < krzee> haha 22:07 < krzee> go find a girl maybe 22:07 < jeev> but i get nauseous 22:07 < jeev> lol there were so many girls 22:07 < jeev> who wanted me 22:07 < jeev> i can't cheat on my girl 22:07 < jeev> heh 22:07 < krzee> ahh 22:07 < krzee> thats good of you 22:08 < krzee> thats also why i dont choose to have a girl ;] 22:08 < jeev> i lose out a lot but 22:08 < jeev> trust me 22:08 < jeev> my girl is the best 22:08 < krzee> right on 22:08 < krzee> if i could say that bout any of mine ild settle down too 22:09 < jeev> heh 22:09 < krzee> finding an intelligent girl out here basically just dont happen 22:09 < krzee> but they are fine as hell 22:09 < krzee> so yanno, its cool 22:09 < krzee> haha 22:10 < jeev> mine is beautiful 22:10 < jeev> no tits or ass 22:10 < jeev> not hot 22:10 < jeev> but 22:10 < jeev> whether rain or shine, no make up.. 
unbelievably 22:10 < jeev> the most beautiful girls ever 22:10 < jeev> well 22:10 < jeev> with her other characteristics 22:10 < krzee> well man 22:10 < jeev> like Liya is a supermodel, i have her # 22:10 < jeev> i was here for the africa rising show 22:10 < krzee> all that matters is that you're happy 22:10 < jeev> she is absolutely 22:10 < jeev> one of the most beautiful girls ever 22:10 < jeev> but i could never be with a girl like that 22:10 < jeev> my girlfriend is one of the most beautiful girls ever 22:11 < jeev> and she's everything important to a relationship 22:11 < jeev> she cooks for me, even when she has to study 22:11 < jeev> she will come back from school 22:11 < jeev> cook for me 22:11 < krzee> sounds like *someone* misses his girl 22:11 < jeev> drop it off to me 22:11 < jeev> i do 22:17 < jeev> i wonder if i should sleep for a few hours 22:18 < krzee> the plane leave in 6 hrs or you leave for the plane in 6? 22:18 < jeev> due to unencrypted stuff 22:18 < jeev> and me believing that terrorism is bullshit 22:18 < jeev> i wont divulge when my flight is 22:19 < jeev> so nobody does something and then frames me 22:19 < krzee> lol 22:19 < jeev> but is around that time 22:19 < krzee> and people call me paranoid 22:20 < jeev> dood I'm Armenian, born in Iran and believe 9/11 was bullshit. i'm very outspoken on it, i love ahmadinejad as a man but hate him for what he does to the country. i dont like israel because they wont help Armenians with their genocide (because it isn't even accepted by america due to "alliance" with turkey) 22:20 < jeev> and i know that the U.S. 
and its stupid allies do shit and blame on others 22:20 < jeev> i dont want to be the one they blame it on 22:21 < krzee> you wont hear any arguments from me 22:21 < jeev> Americans are so stupid 22:21 < krzee> (and i like arguing) 22:21 < jeev> this war shit has forever killed us 22:21 < jeev> it has probably given birth to young Iraqis and other middle easterners 22:21 < jeev> who are going to actually screw us up in the future 22:22 < jeev> aheh 22:40 < krzee> [intra]lanman, so did you get your setup working? 22:40 < krzee> like, fully 22:41 < krzee> i know using exe fixed that 1 problem 22:41 < [intra]lanman> not fully... it'll work starting it from shell, just not as a service 22:41 < krzee> hrm 22:41 < krzee> whats the issue from service? 22:43 < [intra]lanman> oh, nothing now.... maybe i didn't wait long enough after i restarted the service to try the ping last time 22:43 < krzee> ahh 22:43 < [intra]lanman> yeah, it seems that it /is/ working now 22:43 < [intra]lanman> sweet 22:43 < krzee> no lans behind server or client to connect into the vpn? 22:44 < [intra]lanman> there's a lan behind the server... and i can ping the machines (and phones ;-)) on that lan 22:44 < krzee> ahh cool 22:44 < krzee> so you pushed the route 22:45 < [intra]lanman> yeah 22:45 < [intra]lanman> i set up both server and client almost perfectly right out of the box... only the route-method thing was plaguing me 22:45 < krzee> impressive 22:45 < krzee> it usually takes a shitton of reading to get it all right 22:46 < [intra]lanman> the docs on the site are pretty straightforward... and the heavy commenting in the sample configs definitely helps 22:46 < krzee> and ya the exe thing is lesser known 22:46 < [intra]lanman> yeah, i do most of my reading beforehand if i can 22:46 < krzee> i only know cause i see it often 22:47 < [intra]lanman> i might have to start hanging around this channel now too... i tend to lurk on channels of projects that i like... 
and some that i don't but have a good atmosphere 22:47 < krzee> but ya its a bunch easier than setting up FS so nothin for you 22:47 < krzee> heheh 22:47 < krzee> right on man 22:48 < [intra]lanman> hey, wait... i thought fs was getting pretty easy to set up now 22:48 < krzee> oh coolness 22:48 < krzee> i havnt looked in many versions 22:48 < [intra]lanman> the default configs should work for a pretty nice pbx 22:48 < [intra]lanman> oic 22:48 < krzee> whoa 22:48 < krzee> im def gunna have to check it out again 22:48 < krzee> i know its so rapidly developed 22:48 < krzee> devoted team 22:48 < [intra]lanman> yeah, we recently s/*/fs/g in our company 22:48 < krzee> i think its the project that most impresses me 22:49 < [intra]lanman> yeah, me too 22:49 < [intra]lanman> although, sipx has some cool stuff too 22:49 < [intra]lanman> i like their provisioning, and the gui is nice too 22:49 < krzee> never seen that 22:49 < krzee> !google sipx 22:49 < vpnHelper> krzee: http://www.sipfoundry.org/ - SIPfoundry - Home 22:49 < [intra]lanman> although, fs is gonna have a couple of good guis soon too 22:50 < krzee> awesome 22:50 < [intra]lanman> the guys from bandwidth.com are working on one 22:50 < [intra]lanman> and a few other freelancers are working on a php version 22:51 < [intra]lanman> !google tcapi 22:51 < vpnHelper> [intra]lanman: http://www.tcapi.org/ - Main Page - TCAPI 22:51 < krzee> if i ever run into a sum of $ im so paying bkw to implement the lie detector module 22:51 < [intra]lanman> they were working on that at one time 22:51 < krzee> he already understands the algs needed 22:51 < krzee> oh cool 22:51 < [intra]lanman> mod_stress ;-) 22:51 < krzee> awesome 22:52 < krzee> i go back and forth with how public that should be 22:52 < krzee> lol 22:52 < [intra]lanman> although, it'd probably have to work over 722... 
711 at least, to get good enough quality 22:52 < krzee> its cool til businesses and gov get ahold of it 22:52 < krzee> although i guess they have it anyways 22:53 < krzee> and if they do we all should 22:53 < [intra]lanman> yeah, i wanna integrate my billing system with it so it'll do a screen pop that says "CUSTOMER IS LYING" 22:53 < [intra]lanman> lol 22:53 < krzee> still 711 is worth it for that 22:53 < krzee> hahahah 22:53 < krzee> totally 22:53 < [intra]lanman> "i sent the payment" 22:53 < [intra]lanman> "bullshit" 22:53 < [intra]lanman> lol 22:54 < krzee> hahahaha 22:54 < krzee> this call may be screened for quality control purposes, or to call you on your shit 22:55 < krzee> you could make the argument that it is for quality control purposes and not need to add to the normal announcement for recording 22:57 < [intra]lanman> indeed 22:59 < [intra]lanman> ok, i think it's time for bed.... i'll see you around.... l8r 22:59 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit ["You call it ADD, I call it multitasking"] 22:59 < krzee> well i guess freeswitch is going to take priority over the book tonight 23:00 < krzee> time to play 23:42 < krzee> !wiki 23:42 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 23:44 < krzee> !forum 23:44 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 23:55 < krzee> !route 23:55 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing --- Day changed Fri Oct 17 2008 00:15 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 01:58 -!- cyberjames [n=james@unaffiliated/cyberjames] has joined ##openvpn 03:08 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 03:09 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 03:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:10 -!- aia [n=aia@unaffiliated/aia] has 
joined ##openvpn 05:24 -!- int [n=quassel@wikia/int] has joined ##openvpn 07:10 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 07:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 113 (No route to host)] 07:59 -!- [SURFnet]Auke [n=auke@x154.flex.surfnet.nl] has quit [Remote closed the connection] 07:59 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn 08:18 -!- mutombo [n=cmichall@193.159.172.226] has joined ##openvpn 08:18 < mutombo> greetings 08:19 < mutombo> i have a strange problem with packets traveling from one side into the tun interface, but dont come out on the other side 08:20 < mutombo> from the box with the openvpn client, i can ping the network behind the openvpn server 08:20 < mutombo> when i try this from a machine behind the client, i can see the icmp request on the openvpn client's tun device 08:21 < mutombo> but theres nothing on the tun device on the server 08:33 < mutombo> does someone perhaps have an idea what im doing wrong? 08:33 < mutombo> the routes seem fine 08:42 * ecrist tries to decipher what you're asking 08:42 < ecrist> if you're using tun, you need ip forwarding enabled in the kernel on the client. 08:43 < mutombo> yes, ive enabled it 08:44 < mutombo> im trying to make it clear one moment please 08:51 * ecrist is still waiting 08:52 < mutombo> http://pastebin.com/mdcdc258 08:52 < mutombo> sorry 08:52 < mutombo> i tried to make it understandable :) 08:54 -!- pred2k5 [n=Torsten@dslb-088-069-195-219.pools.arcor-ip.net] has joined ##openvpn 08:54 < pred2k5> hi, is it somehow possible to reset a client from server side? 08:56 < mutombo> i dont know if this is possible with openvpn, but you can lookup the ip in the openvpn log 08:56 < mutombo> block it with iptables and open it again 09:02 < pred2k5> whats the command for restart in client 09:02 < pred2k5> SIGUSR1 or 2 ? 09:03 < pred2k5> 1 ok 09:04 < ecrist> pred2k5: you can from the openvpn control console, if enabled. 
09:04 < pred2k5> isnt enabled 09:04 < ecrist> then, no. and, it wouldn't result in a reread of the config, anyway 09:05 < pred2k5> I did it with sigusr1 09:05 < pred2k5> on the client machine 09:06 < ecrist> mutombo: your routing table on the vpn server is fucked up 09:06 < pred2k5> bye 09:06 -!- pred2k5 [n=Torsten@dslb-088-069-195-219.pools.arcor-ip.net] has quit [] 09:06 < ecrist> route 192.168.0/24 10.0.8.6 09:12 -!- mode/##openvpn [+o ecrist] by ChanServ 09:12 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: http://www.secure-computing.net/wiki/index.php/OpenVPN | Forum: https://ovpnforum.com | bot: !menu 09:12 -!- mode/##openvpn [-o ecrist] by ecrist 09:35 < mutombo> sorry i have to drive home 09:35 < mutombo> thanks ill try this later 09:35 -!- mutombo [n=cmichall@193.159.172.226] has quit ["Verlassend"] 09:42 < ecrist> lol 10:11 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:58 -!- AukeF is now known as AukeF|Weekend 11:02 -!- Irssi: ##openvpn: Total of 36 nicks [0 ops, 0 halfops, 0 voices, 36 normal] 12:12 -!- Kevin` [n=kevin@etmalec.net] has joined ##openvpn 12:36 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn 12:53 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 13:35 -!- bandini [n=bandini@host223-106-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 13:36 < n3kl> Hi. I am trying to test password authentication with openvpn. I start the server with: openvpn --dev tun --tls-server --mode server --client-cert-not-required --username-as-common-name --auth-user-pass-verify auth-pam.pl via-file --dh dh1024.pem --ca ca.crt --cert fekvpn.crt --key fekvpn.key. I connect using openvpn --dev tun --client --remote 10.2.0.11 1194 --ca ca.crt --auth-user-pass --nobind, and I get prompted for user and password. 
But it is not conne 13:37 < n3kl> I also see in the logs: openvpn_execve: external program may not be called due to setting of --script-security level 13:38 < n3kl> with a following line of: TLS Auth Error: user-pass-verify script failed to execute: /root/auth-pam.pl openvpn_up_232f7d2747f567a0e833d36cf99ff2b6.tmp 13:39 < n3kl> I do not see the option of script-security-level in the manpage 13:44 < n3kl> because its script-security 13:44 < n3kl> still dont see it in the manpage 13:45 < n3kl> but level=2 seemed to work 13:56 < krzee> interesting 14:00 < krzee> !betaman 14:00 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html 14:00 * ecrist is the betaman 14:00 * ecrist goes away 14:00 -!- moj0rising [n=mtoscano@van-fw.blastradius.com] has joined ##openvpn 14:01 < moj0rising> hello 14:01 < krzee> hello 14:01 < krzee> ecrist, dunnanananananana betaman! 14:01 < moj0rising> My coworker (in another city from me) is having a weird problem. He is using openvpn to connect to some servers... 14:01 < moj0rising> ....he can ssh to the machines he's trying to get to... 14:02 < n3kl> wow, openvpn is neat 14:02 < moj0rising> ...but he can't connect on 80 to do web stuff 14:02 < moj0rising> other ports seem to be ok too -- like port 25 14:02 < krzee> port 80 on another machine im sure 14:02 < moj0rising> yes 14:02 < krzee> port80 on the inet or lan? 14:03 < moj0rising> using netcat to check ports 1-1024 shows those other ports open... 14:03 < moj0rising> ...but not 80 14:03 < krzee> port 80 on the inet, or lan? 14:03 < moj0rising> if he tries to use nc to get to 80 14:03 < moj0rising> he gets something like connection refused. 14:03 < krzee> port 80 on the inet, or lan? 14:03 < krzee> haha 14:03 < moj0rising> I've checked around google a good bit... I 14:03 < krzee> dude 14:04 < moj0rising> oops. I'm sure he has too. but we haven't found anything there yet. 14:04 < moj0rising> lan 14:04 < moj0rising> yes. 
:) 14:04 < krzee> !route 14:04 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 14:04 < moj0rising> checking that.... 14:04 < krzee> its all new and improved with network drawing at bottom even 14:05 < n3kl> its too bad there is not some kind of easy mesh setup though 14:05 < krzee> mesh setup inside ovpn? 14:06 < krzee> its just an app for making a secure tunnel 14:06 < moj0rising> looks nice, krzee! :) 14:06 < krzee> you still need to do all the networking yourself 14:06 < krzee> moj0rising, thank you =] 14:06 < n3kl> yeah, but it would be nice if you could connect multiple without routing through a single server 14:07 < n3kl> is there an openvpn client for mac? 14:07 < krzee> ya 14:07 < krzee> its called 14:07 < krzee> openvpn 14:07 < krzee> ;] 14:07 < n3kl> er, gui 14:07 < krzee> tunnelblick 14:07 < krzee> although i never use it 14:07 < krzee> i just start it from a .command in my stacks 14:07 < moj0rising> so.. here's his dilemma.. I think he's got those routing rules in ok (hopefully), because other traffic works fine and openvpn logs don't have any errors on this. Any ideas why only traffic on this one port isn't working? 14:07 < krzee> i dont believe its only that port 14:07 < n3kl> krzee: thanks. I am trying to build something that I can have users who know nothing about the command line use 14:08 < krzee> and without him in here we have no way to test that 14:08 < moj0rising> other nodes can connect to the web server on 80 w/ on problem too. it's just nodes that have to use openvpn to get to that web server that can't. 14:08 < krzee> if it is tho, firewall rules 14:08 < krzee> well the vpn servers are coming from a diff network 14:08 < krzee> (the vpn ips) 14:08 < moj0rising> yes 14:08 < krzee> so if firewall protects 80, there ya goes 14:08 < moj0rising> well. he can ssh into the web server via openvpn. Quite sure of that. 14:09 < moj0rising> maybe firewall rules on the openvpn box. 
hm 14:09 < krzee> firewall might only stop people outside lan from hitting webserver 14:09 < moj0rising> good point 14:09 < moj0rising> welll 14:09 < krzee> in which case hes not on the lan ips 14:09 < krzee> which could be fixed 2 ways 14:09 < moj0rising> actually when watching w/ tcpdump from openvpn, he can see traffic coming in one interface but not going out the other. 14:09 < moj0rising> cool. listening. :) 14:10 < krzee> that last statement could be ip forwarding 14:10 < krzee> holdon, call 14:10 < moj0rising> k 14:11 < krzee> k if its firewall 14:12 < krzee> you could add the entries for vpn to access 14:12 < krzee> (recommended) 14:12 < krzee> or you could NAT to a lan ip 14:12 < krzee> also 14:12 < krzee> is openvpn running on his default gateway? 14:12 < krzee> like the router for the whole lan 14:13 < krzee> (this is why its easier if he was here) 14:13 < krzee> if openvpn is not on the lan's router... 14:13 < krzee> This assumes each client is the default gateway for machines on its lan. If that is not the case, he will need to do one of the following: 14:13 < krzee> 1: Manually add the route back to the vpn to the gateway for the openvpn client's lan. 14:13 < krzee> 2: Manually add the route back to the vpn to each machine on the lan. 14:14 < krzee> because the machine on lan would get packets from vpn_ip, then send the packets to its default gateway who would send it out to the inet where it gets dropped 14:16 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"] 14:16 < moj0rising> was away for a min. rading all your text... 14:16 < moj0rising> reading 14:17 < krzee> and to have a better idea i need to know what machines he can connect to, cant connect to, where they sit in relation to everything else 14:18 < krzee> but doing this through a 3rd party is less than ideal 14:18 < moj0rising> right, right. sorry. i was just poking around docs and google to give him a hand and thought of coming here real quick... 14:21 < moj0rising> hm.. 
14:22 < moj0rising> okay. what you're saying makes sense. the weird bit I'm still confused on (probably everyone is) is why some traffic works and some doesn't. 14:22 < moj0rising> to this same node 14:22 < moj0rising> gonna see what he's up to 14:24 < moj0rising> ah. can't get him on IM right at the moment. :( 14:25 < moj0rising> well, krzee, thanks a lot for the ideas. we might pop back later to bug you (or whoever's in here :) ) later about it. 14:26 < krzee> np 14:26 < moj0rising> hopefully he already fixed it, with any luck 14:26 < moj0rising> later. 14:26 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:26 < Dougy> hey kids 14:32 -!- moj0rising [n=mtoscano@van-fw.blastradius.com] has quit ["Konversation terminated!"] 16:21 < Dougy> krzee, ping 16:21 < krzee> dougy, pong 16:21 < Dougy> so krzee what would you say if i told you i could get you 16:21 < Dougy> 48U 25A/120V, 14 IP, setup included, $100.00/month + $15.00/Mbps 16:21 < Dougy> no typo there 16:21 < krzee> thats nice 16:22 < krzee> but $100 / mo is way over my server budget 16:22 < krzee> i pay $300/yr in san diego and canada 16:22 < krzee> hehe 16:22 < krzee> on 100mbit 16:22 < krzee> (not retail, i pay cost) 16:22 < krzee> i just lost 2 free unmetered 10mbit boxes in florida =[ 16:23 < Dougy> uhh 16:23 < Dougy> krzee 16:23 < Dougy> thats 48U space 16:23 < Dougy> a full rack 16:23 < Dougy> for 1 bill 16:24 < krzee> oh fuck 16:24 < krzee> i missed that part 16:24 < krzee> HOW? 16:26 < Dougy> lol 16:26 < Dougy> its in the middle of nowhere in Maine 16:26 < Dougy> im asking for pics of the DC 16:26 < krzee> decent uplinks? 
16:26 < Dougy> ive never heard of it 16:26 < Dougy> but i get decent pings 16:27 < Dougy> 207.5.170.145 16:27 < Dougy> about 40-50 ms from where ever i ping from 16:30 < Dougy> krzee, what kinda pings you get 16:31 < krzee> lemme check 16:32 < Dougy> k 16:33 < Dougy> i want to get a lot of pics of that dc, if its nice and everything checks out 16:33 < Dougy> im gonna fill their dc up fast 16:33 * Dougy cougghs 16:33 < Dougy> coughs* 16:33 < krzee> 13 hops and 100ms from san diego 16:34 < Dougy> not too bad 16:34 < Dougy> not bad at all 16:34 < krzee> bout 120 from me here 16:34 < Dougy> thats really good 16:34 < Dougy> for some place ive never heard of in Maine 16:34 < Dougy> www.gwi.net 16:34 < Dougy> thats the isp 16:34 < krzee> and SD is about 170 from me here 16:34 < krzee> thats good 16:34 < Dougy> nice 16:35 < Dougy> i have talked to someone whos had colo there about a month 16:35 < Dougy> he said its pretty damn good 16:37 < krzee> the bw is lil pricey for me tho 16:37 < krzee> to use 10mbit its $50 16:37 < krzee> $150 16:38 < krzee> would be BADASS if i was running a business 16:38 < Dougy> ok krzee 16:38 < Dougy> so you can pay $1000 a month for a rack somewhere else with 10 Mbps 16:38 < Dougy> or pay $250 a month for it 16:38 < Dougy> $1000+ 16:38 < Dougy> here you go krzee 16:38 < Dougy> 6U, 2A/120V, 1Mbps, 6 IP, setup included, $24.95/month 16:39 < krzee> 1 megabit/mo? 
16:39 < krzee> thats under t1 16:39 < krzee> how bout 1u, lots more bw, and good price 16:39 < krzee> heheh 16:39 -!- krzee [i=nobody@unaffiliated/krzee] has left ##openvpn ["Leaving"] 16:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:39 < krzee> bleh 16:39 < krzee> my bad 16:39 < Dougy> err 16:39 < Dougy> ok wise guy 16:39 < Dougy> 75/mo more making 100/mo 16:39 < Dougy> then you have 8 Mbps 16:40 < krzee> haha 16:40 < Dougy> with 6U 16:40 < krzee> i have 100mbit for $300/yr bro 16:40 < Dougy> loooooool 16:40 < Dougy> i bet you cant use it 16:40 < Dougy> all 16:40 < krzee> i use as much as i need 16:40 < krzee> and nobody monitors my bw 16:40 < Dougy> which probably is not much 16:40 < Dougy> i have the same 16:40 < krzee> this is true 16:40 < Dougy> I have 4U colo in hivelocity in florida 16:40 < krzee> but i never have to worry bout it 16:40 < Dougy> one server has a dual giga uplink 16:40 < Dougy> they told me to use to my heart's content 16:41 < Dougy> i use about 50 gb a month 16:41 < Dougy> lmao 16:41 < Dougy> They want me to use more so I can stress their switch 16:41 < krzee> dude thats what im talkin bout 16:41 < krzee> how much to get 1u in your colo? 
16:41 < krzee> hehe 16:41 < krzee> yearly, not monthly 16:42 < krzee> im the type to not drive for a long time just so i can buy the car outright instead of taking a loan 16:42 < krzee> i dont like debt / bills 16:42 < Dougy> nod 16:43 < Dougy> i dont share that colo, sorry dod 16:43 < Dougy> dood 16:43 < Dougy> hmm 16:44 < Dougy> i may drop 500 on this server so i have one 16:44 < krzee> hehe 16:44 < krzee> ill send you a box to your colo and we can both admin it if you like 16:44 < krzee> i will add no users, only use for encrypted communications 16:44 < Dougy> i'll see what i can do 16:44 < Dougy> how much bw do you use roughly 16:45 < krzee> very little tbh 16:45 < krzee> im just wary bout getting into deals where i can get owned for lotsa $ if the sky falls 16:45 < krzee> especially when i always end up with friends willing to work with me on things 16:46 < krzee> like i said, i had 2 free 10mbit boxes in fl, i have 2 $300/yr in cali and 1 headed to BC for same price 16:46 < Dougy> nice 16:46 < krzee> so its tough to start paying by the mbit 16:46 < krzee> heheh 16:47 < krzee> of course i do favors for the guy in cali/bc 16:47 < krzee> when he cant figure something out he comes to me, etc 16:47 < krzee> i write up the occasional scripts and whatnot for him too, etc 16:47 < Dougy> yea 16:47 < krzee> but shit, thats what friends do ;] 16:48 < Dougy> if i get colo up there in Maine 16:48 < Dougy> like a rack or something 16:48 < Dougy> i'll throw you like 6U for free 16:48 < krzee> ild never need 6u 16:48 < krzee> im more the 1u kinda guy 16:48 < krzee> or 2 if i colo 2 boxen 16:48 < Dougy> ok then 16:48 < krzee> i usually stick to 1u 16:48 < Dougy> if i get a more than 2U of space you're welcome to some 16:48 < krzee> thanx man 16:48 < Dougy> of course you do realize though if you do anything bad (i am confident you wont) 16:48 < Dougy> ill hold your server hostage 16:48 < Dougy> :p 16:49 < krzee> haha 16:49 < krzee> ya im a good boy 16:49 < krzee> besides if i 
was to do something bad it wouldnt be from my own servers 16:49 < krzee> it would be from someone i didnt like's 16:50 < krzee> but ya, i dont anyways 16:50 < krzee> those yrs are lonnnng gone 16:50 < krzee> in fact im impressed you dont, when i was your age i thought all that stuff was so cool 16:51 -!- n3kl is now known as n3kl_ 16:51 < Dougy> no 16:51 < Dougy> i'm mature enough to know its just retarded 16:51 < krzee> since neither of us need 48u 16:52 < Dougy> to be honest 16:52 < krzee> we should get a group of us together and see bout going co-op on it 16:52 < Dougy> id start small there 16:52 < Dougy> like 4u 16:52 < krzee> make it cheapness 16:52 < Dougy> if its good after 3 months 16:52 < Dougy> i will snatch up like 6-8 racks 16:52 < Dougy> and rent them out 16:52 -!- n3kl_ is now known as n3kl 16:52 < Dougy> i will bet you a lot of money i can sell each rack for 350-400/mo for the rack if its good 16:52 < krzee> ya its just the BW thing 16:52 < krzee> 100mbit is 1500/mo 16:52 < Dougy> 15 is not bad 16:52 < Dougy> you forget krzee 16:53 < Dougy> most people who colo in a place like that get 512 Kbps 16:53 < Dougy> If you get a 100 Mb commit, it will obviously drop 16:53 < Dougy> At least it should.. 16:53 < krzee> you know how its measured? 16:53 < Dougy> Probably 95% 16:53 < krzee> [17:39] whats $15/Mbps mean in dedicated/burstable terms? 16:53 < krzee> [17:39] i havent heard of bandwidth sold like that 16:53 < krzee> [17:40] and what kind of data limits are they talking about? 16:53 < krzee> [17:40] is it like, they add up bandwidth used over a week, then average out the Mbps, and make you pay that? 
16:54 < Dougy> Tell him to google 95th percentile 16:54 < Dougy> http://en.wikipedia.org/wiki/Burstable_billing#95th_Percentile 16:54 < vpnHelper> Title: Burstable billing - Wikipedia, the free encyclopedia (at en.wikipedia.org) 16:54 < krzee> werd he knows what that means 16:54 < Dougy> Odds are thats how it's done 16:54 < Dougy> Some places do full usage 16:54 < Dougy> eg 16:54 < Dougy> !google (1 Mbps) * 1 month 16:55 < vpnHelper> Dougy: http://www.monova.org/download/791851/2008-07-16/945de09a4143e58c3a54bc9be87f69ebe0f6a1b4/21%20-%20%5BDVDRip%5D%20%5B2008%5D%20%5BHi-Def%20Quality%20Video%5D.torrent - 21 - [DVDRip] [2008] [Hi-Def Quality Video] Torrent Download 16:55 < Dougy> oh 16:55 < Dougy> wow lol 16:55 < Dougy> krzee, other places do like 24/7 full usage 16:55 < Dougy> (1 Mbps) * 1 month = 321.013651 gigabytes 16:55 < Dougy> eg $15 per 321 GB you transfer 16:55 < Dougy> Most do 95% though 16:55 < krzee> if its perfectly steady 16:55 < krzee> if its 321g in a week and idle 3 weeks 16:56 < krzee> you pay more than $15 16:56 < Dougy> 321G is 1 Mbps used 100% 24/7 16:56 < krzee> right 16:56 < Dougy> if you use 321G in a week you're using more 16:56 < krzee> if its steady, thats 1mbit 16:56 < Dougy> yes 16:57 < Dougy> 95% is best imho 16:57 < krzee> its 2nd best maybe 16:57 < krzee> the way mine is measured in cali is better 16:57 < krzee> (unmeasured) 16:57 < Dougy> haha 16:57 < krzee> lol 16:57 < Dougy> yeah 16:57 < Dougy> 95% is best for most people 16:57 < Dougy> I would love to rent dedis out of there tho 16:58 < krzee> the head tech took me off all monitors 16:58 < krzee> so no service unless i call a friend 16:58 < krzee> but shit, thats fine by me 16:58 < Dougy> haha 16:58 < Dougy> i wish Chong would email me ;( 16:58 < krzee> cheech's boy 16:58 < krzee> ? 
16:59 < Dougy> lol 16:59 < Dougy> my uncle wrote cheech's boy a ticket 16:59 < Dougy> er my cousin ev en 16:59 < Dougy> even* 16:59 < Dougy> but no, not that one 17:00 < Dougy> wooo 17:00 < Dougy> chong email 17:04 < krzee> haha 17:04 < krzee> maybe hes sniffing your packets 17:04 < krzee> he replied right when you said something 17:04 < krzee> ;] 17:05 < Dougy> lol 17:05 < Dougy> Chong Lee 17:05 < Dougy> Apaq Digital Systems 17:05 < Dougy> Atlanta, Georgia, USA 17:05 < Dougy> http://www.apaqdigital.com 17:06 < vpnHelper> Title: Apaq Digital Systems Home Page (at www.apaqdigital.com) 17:06 < Dougy> w00t 17:07 < krzee> http://i28.photobucket.com/albums/c238/naiwister/Random%20Pics/perspective.jpg 17:07 < krzee> ahh i got a boy in atl too 17:07 < krzee> your guy at 56 murrietta? 17:07 < Dougy> ahahahaha krzee 17:07 < Dougy> krzee, i have people everywhere 17:07 < Dougy> 56 marietta is nice 17:07 < krzee> as do i 17:09 < Dougy> hmmmmmmmm 17:09 < Dougy> krzee, screw those people splitting it really cheap 17:09 < Dougy> sell it to them at a profit.. 17:09 < Dougy> $5/U 17:09 < Dougy> haha 17:09 < Dougy> or 7 17:10 < krzee> werd 17:10 < krzee> get free colo outta it 17:11 < Dougy> not free colo 17:11 -!- n3kl is now known as _n3kl 17:11 < Dougy> lots of free colo 17:11 < Dougy> lol 17:11 < krzee> hehe 17:11 < krzee> well, free colo for both of us ;] 17:11 -!- _n3kl is now known as n3kl 17:12 < Dougy> krzee, dude we could get like a cage haha 17:12 < Dougy> if this DC checks out 17:12 < Dougy> im going to open a colo shop 17:12 < Dougy> lol 17:13 < Dougy> so upon talking to someone krzee 17:13 < Dougy> " 17:13 < Dougy> As far as I could get from the OP via chat, the energy is cheap because it's mostly hydro-generated by their own gear (a "green" facility?). And price per square feet, because the datacenter is a CLEC facility in Biddeford, Maine. They haul their transit from Portland, ME and Boston, MA." 
17:15 < Dougy> krzee: 17:15 < Dougy> Caged Colocation 17:15 < Dougy> 1st 100sq ft, 50A/120V, 30 IP, $350.00/month+$15.00/Mbps, $2/sq ft setup 17:15 < Dougy> Extra space: $2/sq ft/month 17:15 < Dougy> Extra power: $10/10A/month 17:15 < Dougy> Extra IP address: $5/6/month 17:19 < Dougy> food 17:19 < krzee> were you here last night when me and intralanman were talking? 17:20 < Dougy> for a bit 17:20 < Dougy> sup 17:20 < Dougy> what about i mean 17:21 < krzee> freeswitch 17:21 < krzee> (he's one of the devs) 17:21 < krzee> i decided to install it after he left 17:21 < krzee> got it running in 2 hrs 17:21 < krzee> couldnt believe how easy they made it 17:34 < Dougy> back 17:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:51 * Dougy pokes krzee 18:11 < nadio> How do I add an IP to a client ? 18:11 < nadio> I have dev tun, and some problems getting the network up. 18:16 < Dougy> hm 18:16 < Dougy> What exactly are you trying to do 18:16 < Dougy> assign a static ip to a client? 18:16 < Dougy> !man 18:16 < vpnHelper> Dougy: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 18:18 < nadio> Yes, 18:19 < nadio> Also not sure if, tunl0 is the correct device interface? 18:19 < Dougy> i've always just had tun0 18:19 < Dougy> !ccd 18:19 < vpnHelper> Dougy: "ccd" is entries that are basically included into server.conf, but only for the specified client 18:19 < Dougy> I believe ccd is what you need 18:21 < nadio> Yes tun0 is what I normally get. 18:25 < Dougy> ccd should handle what you need 18:25 < Dougy> google it a bit 18:25 < nadio> ok thanks 18:48 < krzee> !static 18:48 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 18:51 < Dougy> krzee, ! 18:51 * Dougy waves 18:53 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn 18:53 * krzee meatcopters 18:55 < Dougy> ..... 
19:10 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:42 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 20:56 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 21:06 -!- SWAT [n=swat@ubuntu/member/swat] has quit [Read error: 104 (Connection reset by peer)] 21:11 -!- SWAT [n=swat@ubuntu/member/swat] has joined ##openvpn 21:12 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"] 22:14 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 23:46 < krzee> [intra]lanman, you were right, freeswitch is WAY easier to learn now than when i last looks 23:46 < krzee> looked 23:46 < krzee> and when i ran into trouble, bkw was extremely helpful 23:47 < krzee> so now im running freeswitch instead of using callcentric 23:47 < krzee> =] 23:47 < [intra]lanman> cool :-D 23:47 < krzee> *returns to idle, time to hit the bars* 23:47 * [intra]lanman goes back to watching "felon" --- Day changed Sat Oct 18 2008 01:14 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)] 01:23 -!- bandini [n=bandini@host223-106-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 01:25 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 02:24 -!- bandini [n=bandini@host223-106-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 03:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:39 -!- bandini [n=bandini@host223-106-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 05:13 < krzee> http://www.theregister.co.uk/2008/10/01/fundamental_net_vuln/ 05:13 < vpnHelper> Title: DoS attack reveals (yet another) crack in net's core o The Register (at www.theregister.co.uk) 05:22 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 110 (Connection timed out)] 07:04 -!- temba 
[n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 07:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 08:05 < Dougy> jesus damn 08:05 < Dougy> reboot 08:05 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 08:44 -!- zamba [i=marius@sveigde.hih.no] has quit [Read error: 104 (Connection reset by peer)] 09:18 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 09:46 < nadio> I have a problem, the tun0 device never shows up? 09:47 < nadio> what to do? I am using debian. 09:59 < nadio> noticeable is that it's my client.conf file that screws it up 11:05 < jeev> krzee, does nstx and shit work at starbuckses and stuff who charge for access? 11:55 -!- timlarson [n=timlarso@user-12l37rb.cable.mindspring.com] has joined ##openvpn 11:56 < timlarson> trying to use tunnelblick on os x 10.4...just getting a spinning beach ball 11:57 < timlarson> tried both the latest snapshot and the newer version that is in the tunnelblick files area compiled against openvpn 2.1 11:57 < timlarson> is this known to work with 10.4? any ideas how to debug this? 11:59 < timlarson> the spinning beach ball is only present when the mouse is over the icon in the menu, not system wide 13:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:59 -!- bandini [n=bandini@host223-106-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 17:17 -!- gleblanc [n=chatzill@216.30.212.117] has joined ##openvpn 17:18 < gleblanc> Hi folks, I need somebody to check my network setup theory 17:25 < gleblanc> I have two offices, each with a lan. Office 1 is on 192.168.16.0/24, office 2 is on 192.168.18.0/24 17:26 < gleblanc> At office 1, I am running OpenVPN server on a machine that is NOT the default gateway for the network. 
17:26 -!- justdave [n=dave@unaffiliated/justdave] has quit ["rebooting for kernel upgrade"] 17:26 < gleblanc> I need to be able to connect from any machine on either network, to any machine on the other network 17:26 < gleblanc> Currently OpenVPN is set up using routed connections 17:27 < gleblanc> I think what I need to do is add a static route on the gateway box for Office 1 which points traffic for 192.168.18.0/24 to the OpenVPN server 17:27 < gleblanc> Since the OpenVPN client for office 2 is the default gateway for that network, I shouldn't need any static routes for it 17:35 -!- gleblanc__ [n=chatzill@216.30.212.117] has joined ##openvpn 17:35 -!- gleblanc [n=chatzill@216.30.212.117] has quit [Nick collision from services.] 17:35 -!- gleblanc__ is now known as gleblanc 17:50 -!- gleblanc [n=chatzill@216.30.212.117] has quit [Read error: 104 (Connection reset by peer)] 18:41 -!- gleblanc [n=chatzill@75.108.2.123] has joined ##openvpn 18:59 < gleblanc> Hi folks 19:15 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 19:27 < nadio> Shouldn't there come up a device tun0 with "dev tun" ? 19:28 < nadio> Yes the module is loaded 19:30 < gleblanc> I would think so, assuming that OpenVPN got connected 19:32 < gleblanc> Howdy justdave. It's been a long time 19:32 < justdave> howdy 19:35 < nadio> ok, only shows up, if the connection was success? 19:36 < gleblanc> nadio: I think it only brings up the interface if the connection was successful, yes. The interface should still be there, just in the 'down' state 19:36 < nadio> ok but then it should show up on ifconfig -a ? 19:36 < nadio> So long as the openvpn daemon is running 19:37 < gleblanc> That is what I would expect. I don't run OpenVPN except on embedded linux, so I'm not 100% sure 19:47 < nadio> humm does not seem to come up 19:47 < nadio> tun0 that is 20:32 < krzie> you should be getting an error in logs... 
20:32 < krzie> !logs 20:32 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 20:32 < krzie> im pretty busy but ill take a look 20:51 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has quit [Read error: 104 (Connection reset by peer)] 22:03 -!- mepholic [i=gikid@89.46.37.204] has joined ##openvpn 22:04 < mepholic> Is there any way I can start an openvpn session before logging into windows 22:17 -!- razor2000 [n=razor@70.91.69.194] has joined ##openvpn 22:17 < razor2000> hi guys 22:17 < Dryanta> hai 22:21 < razor2000> so i've been having lots of fun working with openvpn recently 22:22 < razor2000> but the biggest issue i have is trying to get communication work both ways (both sides of each respective lan) 22:22 < razor2000> i have a site A, which has openVPN running on the router/firewall (using FreeBSD 6.2) 22:23 < razor2000> at Site B, i have a Windows XP client that connects to the openvpn tunnel 22:23 < razor2000> site A = 172.17.9.160/27 22:23 < razor2000> site B = 192.168.1.0/24 22:23 < razor2000> openvpn tunnel = 192.168.33.0/24 22:24 < razor2000> the server has the 192.168.31.1 ip 22:24 < razor2000> the client gets 192.168.33.2 ip 22:24 < razor2000> when connected, the Windows XP client can ping and connect to all hosts in the 172.17.9.160/27 network 22:25 < razor2000> at Site A, however, no computer can talk directly to the Site B client using its 192.168.1.94 ip address. 
The only item they can ping is when using 192.168.33.2 22:25 < razor2000> i believe i have properly put static routes in both configs to nicely match up, but am not having any success 22:45 < krzie> i have no time right now 22:45 < krzie> but this should help you 22:45 < krzie> !route 22:45 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 22:45 < krzie> yours is a very common question, so i made a nice writeup for it 22:46 < krzie> if you dont get anywhere from reading that i should be free in an hour or so 22:55 < jeev> yo krzie 22:55 < jeev> does that nstx stuff work at starbucks and stuff? 22:55 < razor2000> krzee: what that directed for me? if so, thank you! 23:04 < mepholic> Is there any way I can start an openvpn session before logging into windows 23:04 < mepholic> ????????????? 23:04 < mepholic> FFFFF 23:04 < mepholic> HELP OH GOD 23:50 < krzee> razor2000, yes it was 23:50 < krzee> mepholic, im not sure, you need to find out when the services start 23:50 < krzee> if services start before logging in, yes 23:50 < krzee> if not, no 23:51 < krzee> thats not really an openvpn question, it is a windows question 23:51 < krzee> !notopenvpn 23:51 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 23:51 < krzee> jeev, not at starbucks, they figured out how to stop it 23:51 < krzee> jeev, but it works at many places 23:51 < krzee> during my travels it is rare that it does not work 23:51 < krzee> btw nstx is inferior to iodine 23:52 < krzee> ive used both 23:52 < mepholic> ._.; 23:53 < krzee> gleblanc, did you fix your problem? 
sounded like you were on the right track 23:53 < krzee> nadio, you never pasted your logs, if you still need help you'll need to do that 23:53 < krzee> and BOOM goes the dynamite 23:53 < krzee> heh 23:59 < jeev> krzee 23:59 < jeev> damnit --- Day changed Sun Oct 19 2008 00:00 < krzee> ? 00:00 < jeev> funno 00:00 < jeev> dunno 00:06 < krzee> heh 00:19 < razor2000> krzee: nice of you... where's the write-up at? 00:19 < krzee> !route 00:19 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 00:19 < krzee> [23:45] but this should help you 00:19 < krzee> [23:45] !route 00:19 < krzee> [23:45] krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 00:19 < krzee> [23:45] yours is a very common question, so i made a nice writeup for it 00:19 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 00:20 < razor2000> yes, i read that, Very good read 00:21 < razor2000> but my issues are past that 00:21 < razor2000> however, i think i may be getting somewhere 00:21 < krzee> and whats your issues? 00:21 < razor2000> will find out quite shortly as i am presently testing 00:21 < krzee> and wow im amazed how fast you read the whole thing 00:21 < krzee> hehe 00:22 < razor2000> i read it before you posted it ;) 00:22 < krzee> ahh cool 00:22 < krzee> =] 00:22 < razor2000> ok, for the details 00:22 < razor2000> i am messing with openvpn on a freebsd box 00:22 < razor2000> and a windows xp client 00:22 < razor2000> the freebsd box is the site's main router 00:23 < razor2000> i can get the XP client to connect directly with no issues 00:23 < razor2000> i can ping all nodes from that XP machine 00:23 < razor2000> however, i want the main site to hit all nodes behind the XP machine's LAN 00:23 < krzee> nodes being machines on the lan behind the openvpn server, right? 
00:23 < krzee> ahh ok 00:23 < razor2000> nodes behind the XP client 00:24 < krzee> the relevant part of my writeup for that is here: 00:24 < krzee> This assumes each client is the default gateway for machines on its lan. If that is not the case, he will need to do one of the following: 00:24 < krzee> 1: Manually add the route back to the vpn to the gateway for the openvpn client's lan. 00:24 < krzee> 2: Manually add the route back to the vpn to each machine on the lan. 00:24 < razor2000> thinking it was a routing issue 00:24 < krzee> if the windows XP machine is not the lans default gateway, theres your issue 00:24 < krzee> you need to tell the router for that lan about the route back to the vpn 00:24 < razor2000> i enabled the Internet connection sharing on XP 00:24 < krzee> umm, why? 00:24 < razor2000> i put a static route on the main router 00:25 < krzee> ok whats the static route? 00:25 < krzee> you shouldnt need ICS 00:25 < razor2000> and i have shared out the OPenVPN interface on the XP machine 00:25 < krzee> ICS is for NAT 00:25 < razor2000> that may be why i am having issues... lol! 00:25 < krzee> ya turn off ICS and tell me about the static route you added? 00:25 < razor2000> but get this 00:25 < krzee> err s/?// 00:25 < krzee> hehe 00:26 < razor2000> with the static route in place on the router 00:26 < krzee> also, i believe you need ip forwarding on 00:26 < razor2000> all clients behind the LAN can ping siteA (any mchine) 00:26 < razor2000> however, they cannot connect to TCP ports 00:26 < razor2000> only ICMP works.... 
no TCP socket connections 00:26 < krzee> clients behind what lan 00:26 < krzee> and what is sitea 00:26 < razor2000> if from another computer, I add a manual static route on that computer, it works fine 00:27 < razor2000> site A = freebsd network 00:27 < krzee> icmp working and tcp not, firewall issue 00:27 < razor2000> site B = xp client 00:27 < razor2000> firewalls turned off on all machines in both locations 00:27 < razor2000> if from another computer, I add a manual static route on that computer, it works fine 00:27 < razor2000> if i use the route static route option, i get ping only 00:27 < krzee> To enable TCP/IP forwarding, follow these steps: 00:27 < krzee> 1. Start Registry Editor (Regedit.exe). 00:27 < krzee> 2. In Registry Editor, locate the following registry key: 00:27 < krzee> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters 00:27 < krzee> 3. Set the following registry value: 00:27 < razor2000> if i use the route static route option, i get ping only 00:27 < krzee> Value Name: IPEnableRouter 00:27 < krzee> Value type: REG_DWORD 00:27 < krzee> Value Data: 1 00:27 < krzee> A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer. 00:27 < razor2000> already enabled that long time ago 00:27 < krzee> 4. Quit Registry Editor. 00:28 < razor2000> could be the ICS that is screwing me up 00:28 < krzee> turn it off and tell me what happens 00:28 < razor2000> ok, i am remote to that XP client 00:28 < razor2000> so if i turn ICS off, i will lose access to it :( 00:29 < krzee> !learn winipforward as http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 00:29 < vpnHelper> krzee: The operation succeeded. 
00:29 < krzee> umm 00:29 < krzee> ICS != remote login 00:29 < krzee> ICS == NAT 00:30 < krzee> its been a couple yrs since i used windows, but thats what i remember 00:31 < razor2000> that could be where the craziness is coming from 00:32 < razor2000> i will set openVPN on another windows computer then 00:34 < krzee> this could help too 00:34 < krzee> from mail list: 00:34 < krzee> It seems like the XP Firewall is on, which it is in fact not. I troubleshooted this issue recently with my primary network adapter recently, but it appears it's not worked it's way to my tap adapter as well! 00:34 < krzee> Running this at the XP Command Line fixed it. 00:34 < krzee> netsh firewall reset 00:34 < krzee> netsh int ip reset resetlog.txt 00:34 < krzee> There are also some additional steps here, 00:34 < krzee> http://forum.oscr.arizona.edu/showthread.php?t=2284 00:34 < krzee> Hope this helps someone! 00:34 < krzee> --Michael 00:36 < razor2000> i am very good at disabling the xp firewall 00:36 < razor2000> however, krzee, i dont know if you got one of my points mentioned earlier 00:36 < razor2000> when the tunnel is up from the XP client 00:38 < razor2000> at another computer at the Site B lan, if i put add a manual static route entry into that computer's routing table, pointing it to the XP client machine, i get full access from that computer as well. when i use that static route entry popped into the router, it fails at that point. ICS could be doing me in.... 00:39 < krzee> could be 00:39 < krzee> in that situation 00:39 < krzee> can a the server reach the machine with the static route? 00:39 < krzee> (not the machine reaching the server, but the server reaching the machine 00:39 < krzee> ) 00:40 < razor2000> the computer at the openvpn server side has no issues at that time.. like a clean static route, ha! 00:40 < krzee> i mean 00:41 < krzee> can the server reach the machine in site B who you added a static route back to vpn? 
00:41 -!- mepholic [i=gikid@89.46.37.204] has quit [Remote closed the connection] 00:42 < razor2000> is server from siteA 00:42 < razor2000> oh, the openvpn server 00:42 < razor2000> yes, it can 00:44 < razor2000> ok, i installed oVPN on 2nd machine 00:45 < razor2000> ICS is not turned on... let me give it another whirl 00:45 < krzee> ok then it wasnt ICS 00:46 < krzee> it seems to be your router 00:46 < krzee> on site B 00:46 < krzee> cause the same ICS was there for that test that worked 00:46 < razor2000> router at site A and site B are the same... freebsd routers 00:46 < razor2000> i bet it is a static routing issue 00:46 < razor2000> meaning... 00:46 < krzee> well it seems to be the router on site B 00:46 < razor2000> source static routing 00:46 < krzee> either a problem with the route you added, or firewall 00:47 < krzee> cause when you add the route to the windows machine in siteB lan, it works 00:47 < krzee> and ALL that is doing is bypassing the router in site B 00:47 < krzee> if bypassing that router makes it work fine, you found your problem 00:50 < razor2000> however, that is my MAIN router in all my sites and locations 00:50 < razor2000> but we'll see.... 00:51 < razor2000> here's another question for you 00:51 < razor2000> in my openvpn client config file 00:51 < razor2000> i have two servers listed in the remote setting 00:51 < razor2000> remote server1.com 1194 00:51 < razor2000> and remote serve2.com 1194 00:52 < razor2000> if server1 is down, it connects to server2.com, HOWEVER, it does not add the routing table 00:52 < razor2000> i have to add it manually to the host computer 00:55 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 00:56 < krzee> !configs 00:56 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 
00:56 < razor2000> ok 00:56 < krzee> you can X out the ip if you like, it does not apply to your issue 00:57 < razor2000> you bet ;) 00:57 < razor2000> you want both server and client configs? 01:05 < razor2000> you still there krzee? 01:05 < razor2000> ok... the registry setting made it possible for routing to take place.. WITHOUT using ICS... hehe 01:05 < razor2000> but now, i still get the effect of only being able to ping 01:05 < razor2000> when adding the static route to my router 01:05 < razor2000> have to go and see what could be going on there.... 01:06 < krzee> yesi want both 01:06 < krzee> and when you bypass that route with a route on the machine in the lan 01:06 < krzee> can you connect and not just ping? 01:06 < krzee> (test right now before answering) 01:06 < razor2000> nope... nremote mail2.rcdh.com 11931 01:07 < razor2000> even that 01:07 < razor2000> it just doesnt 01:07 < razor2000> this is frustrating 01:08 < krzee> ok sounds like firewall on the openvpn client machine 01:08 < razor2000> let me reset all devices 01:08 < krzee> which i bet some tcpdumps would show 01:08 < krzee> did you try running the commands i posted from mail list? 01:08 < razor2000> to clear all memory 01:08 < krzee> in his case it wasnt his fault 01:08 < krzee> he had disabled the firewall 01:08 < krzee> windows just didnt care 01:08 < krzee> til he ran those commands 01:08 < razor2000> good to know 01:09 < krzee> so even tho you know what you're doing 01:09 < krzee> its possible windows doesnt 01:09 < krzee> heheheh 01:09 < razor2000> i'd believe it! 01:16 < razor2000> ok, re-tested 01:16 < razor2000> i think it's my router 01:16 < razor2000> i can only ping... 
but not connect to any TCP ports 01:17 < razor2000> when i add manual static route to computer, it works great 01:18 < razor2000> weird stuff 01:20 < razor2000> i thought it may be due to me using the newest, latest beta of openVPN, but i tried with 2.09, and i get the same result 01:37 < razor2000> ok, here is latest update 01:37 < razor2000> just tried from another site that has a regular Linksys router 01:37 < razor2000> and it is working like a charm! 01:38 < razor2000> definitely something with the router at my end here... arghhh 01:39 < krzee> ok 01:39 < razor2000> my freebsd router is too secure then, hehe 01:40 < krzee> make sure your firewall rules are allowing vpn network to pass 01:40 < razor2000> but... let's get back to one thing if we can please 01:40 < razor2000> the additional remote machines 01:40 < krzee> you do have a firewall on that router 01:40 < razor2000> as to why the routing doesn't take effect if it connects to the second server on the list 01:40 < krzee> because thats how it does nat to be the gateway 01:40 < krzee> its prolly dropping vpn_network packets 01:40 < krzee> when it needs to be passing them 01:41 < razor2000> then why does it allow ICMP to go through? 01:41 < razor2000> i can run tcpdump and see it 01:41 < razor2000> just dont know why it is getting trapped 01:41 < razor2000> :( 01:42 < krzee> firewall 01:43 < razor2000> hmmmmm 01:44 < razor2000> if using shared key setup 01:44 < razor2000> and i am at a site with two internet connections 01:44 < razor2000> i can connect with my first link 01:45 < razor2000> if i disconnect, and change to my 2nd connection, i have issues trying to connect to the server until i restart the openvpn server at the remote end 01:45 < razor2000> does it tie itself to the originating, connecting ip address? 02:16 -!- ikevin [n=kevin@ANancy-256-1-113-152.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 02:21 < razor2000> anyways.... 
02:22 < razor2000> i appreciate your help tonight, krzee 02:22 < krzee> [02:45] if i disconnect, and change to my 2nd connection, i have issues trying to connect to the server until i restart the openvpn server at the remote end 02:23 < krzee> you're changing the routing 02:23 < razor2000> ok 02:23 < krzee> 2 diff adapters right? 02:24 < razor2000> do i have to use the 'float' option? 02:24 < krzee> thats for the otherside changing its ip 02:24 < razor2000> one adapter... i use a router that has DUAL Wan on it 02:24 < krzee> if i remember correctly 02:24 < krzee> could try float tho 02:24 < krzee> !man 02:24 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 02:26 < krzee> hrm thats interesting 02:26 < krzee> you arent changing the routing at all on the box running openvpn then 02:26 < razor2000> no 02:27 < krzee> it doesnt break an ssh connection to do that? 02:28 < krzee> ohh wait i see what you're saying 02:28 < krzee> you want keepalive 02:28 < krzee> it will see the connection was broke and reconnect 02:28 < krzee> !sampe 02:28 < vpnHelper> krzee: Error: "sampe" is not a valid command. 02:29 < krzee> !sample 02:29 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 02:29 < razor2000> how can i better explain this... 02:29 < krzee> keepalive 10 120 02:29 < razor2000> on my router, i can change with route the xp client goes out from 02:29 < razor2000> or... 
here's a better example for you 02:29 < krzee> ya the connection breaks 02:29 < razor2000> the XP client i am talking about 02:29 < krzee> and you want it to reconnect 02:29 < razor2000> pretend i have a duplicate of it at another office, with the same config files 02:30 < razor2000> but of course, they have different WAN ip's 02:30 < razor2000> if XP client #1 connects and disconnects, then XP client #2 tries to connect to the server, it fails 02:30 < razor2000> until the reset the oVPN server 02:30 < krzee> umm 02:31 < krzee> they are using different certs right? 02:31 < krzee> also, i still need to see configs 02:31 < krzee> !pastebin 02:31 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 02:31 < krzee> !configs 02:31 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 02:32 < krzee> add keepalive 02:33 < krzee> it makes the server ping clients 02:33 < krzee> will check for clients that are gone 02:33 < krzee> but in your example give client2 his own cert 02:34 < razor2000> oh.. can i do it without giving it another cert 02:34 < razor2000> by the way.. i am using SHARED KEY in this setup 02:34 < krzee> you CAN, but should not 02:34 < krzee> umm, you're doing it wrong 02:34 < krzee> hehe 02:34 < krzee> you should use certs 02:34 < razor2000> i want to use shared key if possible 02:34 < krzee> why? 02:35 < razor2000> it works fine with certs 02:35 < krzee> post your configs 02:36 < krzee> you may find this nice for managing certs and whatnot 02:36 < krzee> !ssl-admin 02:36 < vpnHelper> krzee: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 02:36 < krzee> its in freebsd ports too 02:37 < razor2000> here is my overall goal... 
maybe you can help out if u better understand my config 02:37 < krzee> dude 02:37 < krzee> i cant understand your config 02:37 < krzee> cause you havnt posted them still 02:38 < krzee> !learn ssl-admin as http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 02:38 < vpnHelper> krzee: The operation succeeded. 02:38 < krzee> !forget ssl-admin 1 02:38 < vpnHelper> krzee: The operation succeeded. 02:39 < razor2000> i want to setup a failover vpn solution using openvpn 02:39 < razor2000> i have two sites that each have a freebsd router that have dual-wan 02:39 < razor2000> i want to make some sort of a site-2-site connection 02:39 < razor2000> if the first link fails, then connect using the 2nd link 02:39 < krzee> until i see configs, i cant help you 02:40 < krzee> we'ld prolly be done awhile ago had you posted them when i first asked 02:40 < krzee> hehe 02:40 < razor2000> lol 02:40 < razor2000> maybe so 02:40 < krzee> well im gunna start reading my book soon 02:40 < razor2000> ok 02:40 < krzee> so we're gunna hafta move this along 02:41 < razor2000> i just want you to see what i am trying to do 02:41 < krzee> just post them 02:41 < razor2000> i wanted one site to be the openvpn server (located on the router) 02:41 < razor2000> and the client a XP machine, connecting, and have a static route for it put on the server 02:41 < razor2000> every time i take a step forward, i go back 2-3 steps, :( 02:41 < krzee> if the next line isnt a pastebin link, im reading my book 02:42 < razor2000> i will post to pastebin 03:01 < razor2000> part1: http://pastebin.com/m75f1d88a 03:34 -!- ikevin [n=kevin@ANancy-256-1-168-88.w90-56.abo.wanadoo.fr] has joined ##openvpn 05:09 < razor2000> krzee: i got what i wanted working in another fashion 05:09 < razor2000> thanks for your time tonight.... 
05:20 -!- bandini [n=bandini@host223-106-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 07:42 < gleblanc> krzee: Still having some trouble, but I just woke back up 08:02 -!- InsolitWork [n=daniel@89.155.32.149] has joined ##openvpn 08:02 < InsolitWork> hi 08:02 < InsolitWork> i've set a server with openvpn 08:03 < InsolitWork> a client with openvpn, i can connect the server correctly. Now my question is, shouldn't i be able to connect all resources in remote private network now? 08:06 < SilenceGold> if the routings were set up correctly, yes. 08:07 < InsolitWork> mh do you know how i can debug this? 08:07 < InsolitWork> i can see in my routes, that the remote private network is being properly routed through the VPN network 08:08 < InsolitWork> 192.168.1.0 255.255.255.0 10.0.0.5 10.0.0.6 1 08:08 < InsolitWork> 192.168.1.0 is the remote private network 08:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:33 < InsolitWork> mh i can't ping the gateway of my vpn connection 08:33 < InsolitWork> any ideas why? 08:41 < gleblanc> route print 08:41 < gleblanc> ack, wrong window 08:42 < gleblanc> InsolitWork: FWIW, I'm struggling with a similar issue 08:42 < SilenceGold> InsolitWork about 80% of openvpn problems are related to routings 08:42 < InsolitWork> it's working now 08:42 < SilenceGold> good 08:42 < InsolitWork> i know what i had wrong 08:42 < SilenceGold> I take it that you added a new route somewhere? 08:42 < InsolitWork> in the client i enabled LZO compression, in the server i hadn't 08:42 < SilenceGold> oh 08:43 < InsolitWork> enabled on both now, working perfectly on both now 08:43 < gleblanc> I wish that was my problem. :-( 08:43 < InsolitWork> gleblanc: what's your issue? 08:43 < gleblanc> I can ping the remote lan IP of my OpenVPN server, but I can't ping any machines on the remote network 08:44 < InsolitWork> what's the remote ip of your vpn server? 
08:45 < gleblanc> 192.168.16.13 08:48 < InsolitWork> mhhh 08:49 < InsolitWork> and you can't connect any other hosts on that network? 08:49 < gleblanc> Nope 08:49 < InsolitWork> what's your local network? 08:50 < gleblanc> I have a route on my laptop which sends packets destined for 192.168.16.0/24 to the 10.54.20.1 gateway, which is the VPN IP address on the OpenVPN server 08:50 < gleblanc> the local network is 192.168.1..0/24 08:51 < gleblanc> Remote network is 192.168.16.0/24 08:52 < gleblanc> The OpenVPN server has a route for packets of destination 192.168.1.0/24 to the 10.54.20.2 gateway, which is the VPN IP address of my OpenVPN client 08:53 < gleblanc> The default gateway on the remote network, which is a different machine than the OpenVPN server, has a route for 192.168.1.0/24 to be sent on to 192.168.16.13 08:56 < gleblanc> brb, making another routing change 09:00 -!- gleblanc [n=chatzill@75.108.2.123] has quit [Nick collision from services.] 09:01 -!- gleblanc_ [n=chatzill@75.108.2.123] has joined ##openvpn 09:01 -!- gleblanc_ is now known as gleblanc 09:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:24 -!- gleblanc [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 09:25 -!- gleblanc [n=chatzill@75.108.2.123] has joined ##openvpn 09:27 -!- gleblanc_ [n=chatzill@75.108.2.123] has joined ##openvpn 09:29 < gleblanc_> So close, and yet, so far 09:31 < gleblanc_> I changed OpenVPN clients at the local side 09:31 < gleblanc_> I should draw a picture 09:45 -!- gleblanc [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 09:45 < gleblanc_> OK, here's a picture 09:45 < gleblanc_> http://gleblanc.skrbl.com/88338913 09:45 < vpnHelper> Title: skrbl: Your sharable online whiteboard (at gleblanc.skrbl.com) 09:46 -!- gleblanc_ is now known as gleblanc 09:54 -!- smk [n=scott@cobra.httpd.org] has joined ##openvpn 10:22 -!- gleblanc_ [n=chatzill@75.108.2.123] has joined ##openvpn 10:26 < 
gleblanc_> When I'm running OpenVPN on windows, should the OpenVPN adapter have a default gateway? 10:27 < gleblanc_> I think not, as that would mean that there are 2 default gateways, which would break routing 10:39 -!- gleblanc [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 10:49 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 10:51 -!- gleblanc_ is now known as gleblanc 11:14 < gleblanc> Is anybody in here familiar with routing on Windows Server? 11:14 < gleblanc> I have a static route added, which is supposed to send 192.168.1.0/24 traffic to 10.54.20.2. 10.54.20.2 is the VPN IP address of my OpenVPN client 11:15 < gleblanc> If I do a 'route print 192.168.1.0' the correct route is displayed 11:15 < gleblanc> if I do a 'route print 192.168.1.1' (or any other non-network address on that network) it displays no routes 11:18 < kala> the second command is not supposed to work, I think 11:29 -!- Insolit [n=daniel@89.155.32.149] has joined ##openvpn 11:30 -!- InsolitWork [n=daniel@89.155.32.149] has quit [Connection reset by peer] 11:32 < gleblanc> kala: why? 11:32 < gleblanc> Is there a way to find out what route it's going to use to connect to 192.168.1.1? 11:40 -!- gleblanc_ [n=chatzill@75.108.2.123] has joined ##openvpn 11:56 < kala> i don't know 11:56 < kala> is it supposed to work in the help? 11:56 < kala> also, does netstat -r work? 
11:58 -!- gleblanc [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 12:13 -!- SgtPepperKSU [n=Keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn 12:14 -!- SgtPepperKSU [n=Keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn [] 12:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:33 -!- gleblanc_ [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 12:48 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn 12:51 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn [] 13:08 -!- gleblanc_ [n=chatzill@75.108.2.123] has joined ##openvpn 13:08 -!- gleblanc_ is now known as gleblanc 13:10 -!- TheSeer [n=theseer@border.office.nonfood.de] has joined ##openvpn 13:10 < TheSeer> heya... 13:10 < TheSeer> trying to compile 2.1 rc13 fails with a compile error in socket.c ... 13:11 < TheSeer> is that a known problem or specific to my box? 13:12 -!- gleblanc_ [n=chatzill@75.108.2.123] has joined ##openvpn 13:17 -!- pickcoder [n=madmax@unaffiliated/pickcoder] has joined ##openvpn 13:18 < pickcoder> Is it possible to browse windows networks over a TUN? I have Samba running on a machine inside the LAN but I'm unable browse for it. 
13:29 -!- gleblanc [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 13:31 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 13:39 -!- TheSeer [n=theseer@border.office.nonfood.de] has left ##openvpn ["Client exiting"] 13:47 -!- pickcoder [n=madmax@unaffiliated/pickcoder] has left ##openvpn [] 13:54 -!- gleblanc__ [n=chatzill@75.108.2.123] has joined ##openvpn 13:54 -!- gleblanc__ is now known as gleblanc 14:10 -!- gleblanc_ [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 14:10 -!- gleblanc__ [n=chatzill@75.108.2.123] has joined ##openvpn 14:17 -!- gleblanc [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 14:46 -!- InsolitWork [n=daniel@89.155.32.149] has joined ##openvpn 14:48 -!- Insolit [n=daniel@89.155.32.149] has quit [Read error: 104 (Connection reset by peer)] 15:47 -!- gleblanc__ [n=chatzill@75.108.2.123] has quit [Read error: 110 (Connection timed out)] 15:48 -!- ikevin [n=kevin@ANancy-256-1-168-88.w90-56.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)] 15:54 -!- ikevin [n=kevin@ANancy-256-1-168-88.w90-56.abo.wanadoo.fr] has joined ##openvpn 16:39 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 16:43 -!- gleblanc__ [n=chatzill@75.108.2.123] has joined ##openvpn 16:43 -!- gleblanc__ is now known as gleblanc 16:49 -!- gleblanc [n=chatzill@75.108.2.123] has quit [Read error: 104 (Connection reset by peer)] 16:54 -!- InsolitWork [n=daniel@89.155.32.149] has quit ["Fui embora"] 16:59 -!- jeev [n=email@unaffiliated/jeev] has quit ["rebewt"] 17:28 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)] 17:36 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:57 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 17:57 < PeterFA> I can't figure out why the computers at 
local network at the end of my bridge cannot be seen by my local computer where the tunnel starts. 17:58 < PeterFA> I set the remote computer where the bridge terminates to have packet forwarding on. 19:16 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn 19:32 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 19:32 < jeev> krzee 19:32 < jeev> !menu 19:32 < vpnHelper> jeev: "menu" is please use !factoids search * 19:32 < jeev> !factoids server configuration 19:32 < vpnHelper> jeev: Error: The "Factoids" plugin is loaded, but there is no command named "server" in it. Try "list Factoids" to see the commands in the "Factoids" plugin. 19:32 < jeev> what the hell 19:33 < jeev> list Factoids 19:35 < jeev> !sample 19:35 < vpnHelper> jeev: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:35 < jeev> !config 19:35 < vpnHelper> jeev: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 19:35 < jeev> !keys 19:35 < vpnHelper> jeev: "keys" is http://openvpn.net/howto#pki 19:35 < jeev> !key 19:35 < vpnHelper> jeev: Error: You don't have the ##openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 20:33 < PeterFA> The howto on openvpn.net for bridging just makes converts a single interface into a bridge terminal and that causes a connection to be tossed for what I'm trying to do... 20:34 < PeterFA> Well, at any rate I've somehow ended up with a tun0, and a br0. 20:34 < PeterFA> How can I set up a bridge on a single interface system behind a firewall (that's correctly configured) at this point where all the computers behind the firewall are perfectly visible through the tunnel? 
20:56 -!- sauce_ [i=sauce@ool-18be2518.dyn.optonline.net] has joined ##openvpn 20:56 < sauce_> hey everyone. i'm exhausted. i'm trying to setup an openvpn server behind a router, is there anything i need to config on the router besides forwarding port 1194/udp ? because my clients cannot see the lan beyond the openvpn server 20:57 < sauce_> i believe its called "road warrior" 21:23 < ecrist> hola, people 21:23 < jeev> hi 21:24 < ecrist> jeev: problems with the bot? 21:25 < jeev> na 21:25 < jeev> was just lookin for stuff 21:49 -!- sauce_ [i=sauce@ool-18be2518.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 21:59 -!- sauce_ [i=sauce@ool-18be2518.dyn.optonline.net] has joined ##openvpn 21:59 < sauce_> hey everyone. i'm exhausted. i'm trying to setup an openvpn server behind a router, is there anything i need to config on the router besides forwarding port 1194/udp ? because my clients cannot see the lan beyond the openvpn server 22:03 < jeev> !lzo 22:03 < vpnHelper> jeev: Error: "lzo" is not a valid command. 22:11 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 22:12 < PeterFA> How do I configure the route tables when I make a bridge to where the machines on both sides of the bridge are visible? 22:13 < oc80z> hi. 22:13 < oc80z> within the config. 22:14 < oc80z> you are able to specify routes within the config for the clients on the bridge, however, you can manualy set static routes if you are on those machines.. 22:15 < sauce_> if the openvpn server is not the LAN gateway, does the gateway need any additional configuration ? 22:16 < oc80z> TAP-Win32 adapter can now be opened from non-administrator mode. NICE 22:16 < oc80z> #openvpn PuMPiN! 22:16 < oc80z> heh 22:16 < oc80z> sauce_ in order to do what? 22:17 < oc80z> U are trying to say on connect the OpenVPN server is becoming the Gateway on connect? 22:18 < oc80z> You can just throw some routes in the config 22:19 < sauce_> i can't believe this. 
22:19 < sauce_> on a whim, i went to my LAN gateway config and i added a route 22:19 < sauce_> and all of a sudden i can ping machines on the LAN now 22:20 < sauce_> but something still isn't right... 22:20 < sauce_> i guess the best way to do this is to run openvpn on the LAN gateway 22:20 < sauce_> right? 22:20 < oc80z> ;push "route 192.168.10.0 255.255.255.0" 22:20 < oc80z> ;push "route 192.168.20.0 255.255.255.0" 22:20 < oc80z> Are you trying to mess with routes? 22:20 < oc80z> PeterFA u get it? 22:21 < oc80z> sauce_ whats not right... 22:21 < oc80z> sauce_ u need to push routes 22:21 < sauce_> in my openvpn config i have push route 22:21 < oc80z> and change the subnet the BRIDge is on 22:21 < oc80z> Check it 22:21 < sauce_> however, my LAN gateway doesn't have a route yet 22:21 < oc80z> Yeah 22:21 < PeterFA> oc80z, honestly, I don't even know what is wrong, nonetheless how to fix it. 22:21 < oc80z> I understand 22:21 < oc80z> if your Gateway is 10.10.10.1 22:21 < sauce_> i don't know how to add it, so i just play around 22:22 < sauce_> wait i'll tell you 22:22 < oc80z> and your OpenVPN is 10.10.10.50 (with clients *.10.51, 52, 53) 22:22 < sauce_> gw is 192.168.3.1 22:22 < oc80z> .. 22:22 < oc80z> ok 22:22 < sauce_> openvpn server is 192.168.3.10 22:22 < oc80z> ok 22:22 < oc80z> change OpenVPN server to 192.168.5.10 22:22 < sauce_> and my vpn is 10.8.0.0 22:22 < oc80z> oh 22:22 < oc80z> VPN is 10 22:22 < oc80z> Great 22:22 < oc80z> wait 22:22 < oc80z> ur OpenVPN server is 192.* 22:23 < oc80z> and your VPN? is 10.8? 22:23 < sauce_> my openvpn server is 10.8.0.1 on the vpn 22:23 < sauce_> and 192.168.3.10 on the lan 22:23 < oc80z> ok 22:23 < oc80z> So you need a route 22:23 < oc80z> right? 22:23 < sauce_> on the LAN gateway ? 22:23 < sauce_> i dunno i think so 22:23 < oc80z> No 22:23 < oc80z> the OpenVPN server 22:23 < sauce_> oh, ok 22:23 < oc80z> All traffic for 10.* 22:23 < oc80z> must go to 10.8.0.1 22:23 < oc80z> no? 
22:24 < sauce_> i have to say no 22:24 < oc80z> if you add that route.. 22:24 < oc80z> your Default gateway 0.0.0.0 will stil be 192.168.3.109 22:24 < sauce_> and i'm gonna say no because, i'm using the same openvpn config i see on EVERY tutorial 22:24 < oc80z> er r -9 22:24 < sauce_> and i read them each 100 times, seriously 22:24 < oc80z> its ok 22:24 < sauce_> and convinced i need additional config on the LAN gateway 22:25 < sauce_> brb 22:25 < oc80z> hmmmm 22:25 < oc80z> PeterFA am i confused? 22:26 < PeterFA> oc80z, I don't nkow, but I know I am. 22:27 < oc80z> whats ur stance now 22:27 < oc80z> bout to break shit? 22:27 < oc80z> heh 22:27 < oc80z> sauce_ said, "things dont seem right" 22:27 < oc80z> dunno what that means. 22:28 < oc80z> whats your setup? 22:29 < oc80z> do the computers connect ? 22:40 < PeterFA> I have a computer directly connected to the internet, and a server that's behind a nat. 22:40 < PeterFA> That server has openvpn and I have a bridge that works between the two. 22:42 < PeterFA> The router stuff has me completely confounded. 22:43 < PeterFA> I don't know how to set up the interfaces, routing, subnet address and stuff... all I know is I have 192.168.30.0 on the other side. 22:44 < PeterFA> The server has only one interface. 22:46 < PeterFA> sauce_ has nothing to do with my set up, oc80z. 22:50 < sauce_> ok i'm back 22:51 < sauce_> oc80z you still here ? it didn't "feel right" because the machine on the private LAN could not ping the openvpn client, but the openvpn client could now ping any machine on the private lan 23:29 -!- sauce_ [i=sauce@ool-18be2518.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] --- Day changed Mon Oct 20 2008 00:05 -!- razor2000 [n=razor@70.91.69.194] has left ##openvpn [] 00:14 -!- razor2000 [n=razor@70.91.69.194] has joined ##openvpn 00:14 < razor2000> sup y'all... 
now here's a weird one 00:15 < razor2000> i'm trying to fight two routers, by making a site-2-site connection between them (which connects) by using PKI instead of shared key 00:16 < razor2000> the only downside with this i have is... i cannot get hosts/clients behind either router to see or talk to any other device besides the (respective) remote routers. 01:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:00 -!- kala [i=kala@uba.linux.ee] has quit [Remote closed the connection] 02:08 * jeev pokes ecrist 02:09 < jeev> krzee, you there ? 03:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 03:31 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 03:32 < kala> have you seen that sometimes Windows clients do not forward all traffic to OpenVPN tunnel and therefore the tunnel doesn't get any traffic at all and times out in 30 seconds and gets restarted? 03:44 < gamla_kossan> hi guys.. it seems as if my openvpn client doesn't even reach the net. is there some way I can check this, like checking some network log on my client machine? 03:48 -!- AukeF|Weekend is now known as AukeF 04:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 05:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:05 -!- badserii [n=sergiu@host-static-89-41-127-129.moldtelecom.md] has joined ##openvpn 06:07 < badserii> Hi. I try to configure openvpn on ubuntu, using the steps on the official site. But when doing bridge-start, I can't access the internet anymore from my machine, I mean, I can ping computers from my network, but can't ping internet adresses. Is there something I missed? Thank you! 
06:13 < badserii> i have two interfaces: eth0 and eth0:1 06:25 -!- badserii [n=sergiu@host-static-89-41-127-129.moldtelecom.md] has quit [Remote closed the connection] 06:35 -!- irado [n=irado@189.108.25.18] has joined ##openvpn 06:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 06:46 -!- irado [n=irado@189.108.25.18] has left ##openvpn ["xiii... ca'i?"] 06:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:49 < ecrist> I'm here now 07:49 < ecrist> jeev: I was gettin' some hanky from the wife when you were poking me. priorities, man. 07:50 < ecrist> gamla_kossan: check the openvpn log 08:01 < gamla_kossan> ecrist: it's already taken care of, thanks for replying though. 08:03 < ecrist> np 08:05 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 08:11 < kala> any idea, why my --route-up script is not executing on Windows? When I specify it with --up command, it runs. When I use --route-up command, it's not run 08:11 < kala> or perhaps I just don't see it in the log 08:13 * ecrist shrugs 08:13 < kala> the situation seems like follows: I have Windows XP clients. I need to run several commands (ipconfig.exe /flushdns and such) after the tunnel is up. When I run the commands with --up script, they are run before the routes are set up and it seems that quite frequently the routes are never set up and the tunnel gets restarted. And if I try to run the script with --route-up command, then the script seems not to be run at all 08:14 < kala> strange 08:18 < kala> ok. never mind, the --route-up script execution is just not logged 08:19 < kala> good. I wonder, if I have a working setup now :) 08:19 -!- dmarkey [n=dmarkey@79.97.241.103] has joined ##openvpn 08:22 < dmarkey> openvpn-auth-pam.so is causing openvpn to crash 08:22 < ecrist> what version of openvpn are you using? 
08:23 < dmarkey> 2.0.9 08:23 < dmarkey> it crashes when a user needs to change their password 08:23 < ecrist> is that pam module part of openvpn, or third-party? 08:24 < dmarkey> the one in the plugin directory 08:24 < ecrist> give the 2.1 RC a try 08:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:41 -!- dmarkey [n=dmarkey@79.97.241.103] has quit [Read error: 104 (Connection reset by peer)] 08:44 -!- dmarkey [n=dmarkey@79.97.241.103] has joined ##openvpn 08:49 < dmarkey> ecrist: still the same 08:49 < ecrist> dmarkey: I don't know. sorry. 08:52 < dmarkey> is anyone here an openvpn developer? 08:52 < ecrist> not usually, no 08:52 < ecrist> mostly power users 08:52 < ecrist> does google lend any clues? 08:53 < kala> dmarkey: do you have any logs or something? 08:55 < dmarkey> i have, auth-pam is prompted for a new password, at that point the child becomes defunt 08:56 < kala> hmm. bad. I have never used auth-pam myself 08:56 < dmarkey> http://pastebin.com/m65dd0f82 08:59 < kala> is this normal usage? 08:59 < kala> you are trying to change password over openvpn? 09:00 < dmarkey> nope 09:00 < ecrist> kala: it should be handled by PAM, in this case the PAM module is just a front-end. 09:00 < dmarkey> im simply trying to auth as a user with an expired password 09:01 < dmarkey> to see how it got handles 09:01 < dmarkey> handled 09:01 < kala> ok. and openvpn shouldn't crash in such kind of situations, I suppose 09:01 < dmarkey> nope 09:01 < ecrist> right, it sounds like a problem with the module, and not openvpn, imho 09:01 < dmarkey> auth-pam 09:01 < dmarkey> the plugin... 
09:02 < ecrist> right 09:02 < dmarkey> but it comes with openvpn, so therefore its a part of openvpn 09:02 < kala> perhaps you can include lots of logs and core dumps and send this to developers list 09:03 < kala> or look at the code yourself :) 09:51 < dmarkey> im using that dirty perl script for the minute 10:19 -!- sohmestra [n=sohmestr@75.150.50.65] has joined ##openvpn 10:33 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 10:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:41 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 10:41 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 10:49 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has quit ["Leaving."] 10:51 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 10:52 < ecrist> problems, SgtPepperKSU? 10:52 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn [] 11:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 11:17 -!- darkk^ [n=darkk@rw.darkk.net.ru] has joined ##openvpn 11:18 -!- nadio [n=nobody@about/philosophy/nadio] has quit [Read error: 104 (Connection reset by peer)] 11:18 < darkk^> what is the best way to configure openvpn to handle client's dynamic IP address? is there anything better than "keepalive" option that causes resync after timeout? 11:20 < kala> you mean, client moving to different network connection? 11:20 < kala> the dynamic address ADSL services usually keep the same IP-aadress for DHCP or PPPoE refreshes 11:21 < darkk^> no, my ISP changes it once in 24h 11:21 < kala> your client will discover in about 60 seconds that the tunnel doesn't work anymore and makes new connection 11:21 < darkk^> and I prefer stable connection - right now openvpn maintains stable connection but I see network lag for ${timeout} seconds, is there any way to avoid id ? 
11:22 < darkk^> s/id/it/ 11:22 < kala> hmm 11:22 < kala> if the network connection itself doesn't break 11:22 < darkk^> right, it does not, but network lag annoys a bit :) 11:22 < kala> then you might be able to use "float" option at the server side 11:23 < kala> then the current SSL connection should continue working and server just accepts packets from new address 11:23 < darkk^> is it for 2.0 or is it introduced in 2.1 ? 11:23 < kala> 2.0 also has this option 11:25 < darkk^> cool, seems, that's what I want. Thank you, I could not find right options in doc without advice. 11:29 < kala> I think I have managed to experience this working for few times when laptop moved from LAN to wifi and the SSH connection stayd alive, because of running OpenVPN tunnel. 11:31 < darkk^> btw, lan and wifi share same subnet sometimes. 11:32 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has joined ##openvpn 11:33 < bipolar_unsecure> Well, I'm sitting at a remote office, on a crappy web irc client because my laptop broke. :( 11:33 < bipolar_unsecure> I need help getting two networks bridged together. 11:33 < bipolar_unsecure> I don't think I'm going about it correctly. 11:34 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Read error: 54 (Connection reset by peer)] 11:34 < bipolar_unsecure> The main office has a Linux firewall with OpenVPN running on it as a server. The gateway here is windows 2k3, and it has openvpn running as a client in bridged mode. 11:35 < bipolar_unsecure> I can ping everything at the main office from this win2k3 gateway. 11:35 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn 11:36 < bipolar_unsecure> I'm trying to get the computers on this remote network to be able to access the main office though this connection, but I don't know exactly what I need to do to route the requests. 11:36 < bipolar_unsecure> can anyone help me? 
11:37 < bipolar_unsecure> the win2k3 box is the gateway for this remote network, and it has a route for the main network. 11:38 < kala> whats traceroute doing? 11:38 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has quit ["CGI:IRC (EOF)"] 11:40 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has joined ##openvpn 11:40 < bipolar_unsecure> kala, sorry, this webirc thing dies once in a while 11:40 < bipolar_unsecure> kala, traceroute from a windows box on the remote network times out with no responses at all. 11:41 < bipolar_unsecure> I think my lack of windows routing knowledge is biting me 11:41 < kala> not even reaching to w2k3 gateway? 11:41 < kala> well. too bad. not openvpn problem then? 11:41 < bipolar_unsecure> I can ping the gateway, but traceroute does not return the gateway IP as part of the traceroute 11:42 < kala> how about traceroute to the internet? is this working? 11:42 < bipolar_unsecure> yes 11:43 < bipolar_unsecure> Tracing route to 192.168.0.1 over a maximum of 30 hops 1 * * * Request timed out. 11:43 < bipolar_unsecure> 192.168.0.1 is the internal firewall interface at the main office 11:43 < bipolar_unsecure> I can ping it from the remote gateway 11:44 < bipolar_unsecure> but not from this box, which is on the remote network. 11:44 < kala> whats routing table on the remote box? 11:44 < bipolar_unsecure> give me a min, I'll pull it. 11:47 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has quit ["CGI:IRC (EOF)"] 11:50 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has joined ##openvpn 11:51 < bipolar_unsecure> kala, The local network admin locked the gateway box and went to lunch :\ 11:51 < bipolar_unsecure> kala, I'll post it as soon as I can. 11:54 < kala> well. talk to the local network admin. 
it's his problem as well 11:55 < kala> his or her 11:55 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has quit ["CGI:IRC (EOF)"] 12:20 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has joined ##openvpn 12:20 < bipolar_unsecure> kala, I have the route table, and the local admin is here. 12:20 < ecrist> sup peeps? 12:20 < bipolar_unsecure> pastebin'd at http://pastebin.ca/1232007 12:21 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has quit [Client Quit] 12:22 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has joined ##openvpn 12:23 < bipolar_unsecure> I keep getting disconnected, sorry. 12:23 < bipolar_unsecure> the local vpn IP on the gateway is 192.168.0.71 and I can ping that IP from the local network 12:24 < kala> this is a routing table of remote gateway? 12:24 < bipolar_unsecure> kala, yes 12:24 < kala> I asked for routing table of remote lan machine 12:24 < kala> the one, where traceroute is not going anywhere 12:25 < bipolar_unsecure> confused... this is the routing table of the windows 2k3 machine that is the remote gateway as opposed to the firewall at the main office. 12:25 < kala> anyway, the gateway has 4 interfaces? 12:25 < bipolar_unsecure> yes 12:25 < bipolar_unsecure> ok. the machine that I ran traceroute on... one sec. 12:26 < bipolar_unsecure> http://pastebin.ca/1232012 12:26 < bipolar_unsecure> that is the workstation on the remote network 12:26 < bipolar_unsecure> the one I'm typing from 12:28 < kala> just a question, but perhaps you should have " 192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.71 30" line in the gateway table? 12:29 < kala> perhaps not. 
I don't know :) 12:29 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has quit ["CGI:IRC (EOF)"] 12:30 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 12:30 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has joined ##openvpn 12:30 < bipolar_unsecure> kala, windows routes confuse the hell outta me 12:31 < kala> well, use a wireshark on different network interfaces and check what happens to the packets 12:37 -!- bipolar_unsecure [n=18e50abb@67.159.35.76] has quit ["CGI:IRC (EOF)"] 12:55 -!- aep [n=aep@unaffiliated/aep] has joined ##openvpn 12:55 < aep> greetings 12:56 < aep> i need to restart the daemon after each broken connection. any idea how to fix this? 12:56 < aep> i'm using static pre shared keys over a dialup 12:56 < aep> every time the connection breaks, i need to ssh into the server and reset the daemon 12:56 < aep> otherwise it won't connect 13:00 < aep> this is only when i choose tcp. 13:00 < aep> with udp i get a lot of drops 13:00 < aep> besides i need to get through port 80 tcp anyway 13:03 -!- fanti [n=fanti@g230043013.adsl.alicedsl.de] has joined ##openvpn 13:05 -!- dmarkey [n=dmarkey@79.97.241.103] has quit [Remote closed the connection] 13:06 < fanti> hello! when using openvpn from a routed network (with gateway) it works fine. but same configuration doesn't work with a dial-up connection over ppp0 interface. the openvpn client connects and establishes the connection, a tun0 interface is created, but all outgoing traffic is still sent via the ppp0 interface instead of tun0. daemon.log says: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system. 13:06 < fanti> any ideas? 13:08 < ecrist> what does the error tell you? 13:08 < aep> tried setting the routes manually? 13:08 < ecrist> aep: !tcp 13:08 < ecrist> !tcp 13:08 < fanti> how do i set the route manually? 13:08 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 13:09 < aep> ow 13:09 < aep> well the firewall only lets http through though :( 13:10 < fanti> hmmm 13:11 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 13:13 < fanti> so there is no way to use openvpn via a dial-up connection? 13:13 < aep> just route manually fanti 13:13 < aep> if the connection is established, everything else is just basic networking skills 13:14 < aep> man route 13:17 < fanti> hmm "sudo route del default ppp0; sudo route add default tun0" did not work 13:18 < aep> yeah well. no 13:18 < aep> whats the output of "route" ? 13:18 < aep> (pastebin) 13:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:19 < aep> or route -n 13:20 < darkk^> hmm, no, `float' option did not kill network lag - server "relearned" outgoing IP only after "Inactivity timeout" 13:20 < fanti> aep: http://92.230.43.13/route.txt 13:21 < aep> yeah looks good so far 13:22 < aep> now add a route that gets to your remote vpn over ppp0 13:22 < aep> ie something like route add myserver dev ppp0 13:22 < aep> otherwise if you change the default route, things would be screwed up 13:23 < fanti> myserver is the ip of the openvpn server? or the current ip i got from my dial-up provider? 13:23 < aep> yeah 13:23 < aep> the server 13:24 < aep> if your ISP connection needs a gateway, add it. but looks like you got a public IP 13:25 < fanti> okay. the route is added. but nothing happened. i'm still using the dial-up ip address, not the openvpn? 13:25 < aep> yeah 13:25 < aep> does everything still work? 13:25 < fanti> yes 13:25 < aep> now you can start replacing the default route 13:26 < aep> "route del default" and "route add default gw 10.254.187.5 dev tun0" 13:26 < fanti> okay, one moment 13:26 < aep> well lose the dev part 13:26 < aep> it'll use that automatically 13:30 * ecrist changes name of channel to ##help_me_learn_routing 13:32 < kala> darkk^: are you using pinging ? 
13:32 < darkk^> yes, I use pinging. Seems, it's impossible to avoid network lag with float: http://openvpn.net/archive/openvpn-devel/2006-03/msg00012.html 13:32 < vpnHelper> Title: Re: [Openvpn-devel] float is broken when source port changes (at openvpn.net) 13:37 < kala> darkk^: and source port changes because of your connection is NATed? 13:38 < kala> hmm. thats strange 13:38 < darkk^> http://dumpz.org/3045/ - here is full log from server, client and router's syslogs. 13:38 < vpnHelper> Title: @ dumpz.org (at dumpz.org) 13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:39 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 13:42 < kala> darkk^: Omsk? quite far away, are you 13:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:44 < kala> darkk^: well, I suppose you could shorten the timeout to about 20 seconds perhaps. 13:46 < darkk^> yep, Omsk (Western Siberia) is rather far from Estonia. 13:47 -!- fanti [n=fanti@g230043013.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 13:51 -!- fanti [n=fanti@ack.spin.de] has joined ##openvpn 13:51 < fanti> aep: it works fine. thank you 13:51 * ecrist hits krzee in the balls 13:52 < jeev> ecrist 13:52 < jeev> this iroute thing, i hate. 13:52 < ecrist> jeev 13:52 < jeev> that means i have to login to the server and set my lan subnet 13:52 < jeev> or it'll drop packets 13:52 < ecrist> how come? it's a bit counter-intuitive, imho, but it works. 13:52 < ecrist> you using tun or tap? 13:52 < ecrist> brb 13:52 < jeev> tun 14:07 < aep> fanti: np 14:17 < jeev> i dont think natd is functioning on my favorite west coast bsd server :/ 14:18 < jeev> running and divert is there. hrmf. 
14:25 < jeev> wewps, forgot sysctl 14:54 -!- bandini [n=bandini@host223-106-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 14:55 -!- shadowhywind [n=shadowhy@prowlnet-221-68.imt.uwm.edu] has joined ##openvpn 14:56 < shadowhywind> hay anyone around to help with some random issue? When i connect to my vpn, and try to go to a website, it says that the address is not found (the dns not working) 14:57 < darkk^> shadowhywind, seems, your default route is updated and /etc/resolv.conf is not, so old resolvers are ISP's resolvers and they forbid recursive queries from "outside" (e.g. from your VPN server) 14:58 < shadowhywind> so how would i fix that? 14:58 < shadowhywind> it just started happening last week (which is a bit odd) 14:58 < darkk^> easy way that requires no additional information: install local recursor (e.g. pdns_recursor) and write 127.0.0.1 to /etc/resolv.conf 14:59 < shadowhywind> on the client correct? 14:59 < darkk^> right 14:59 < shadowhywind> should i remove the "junk" that the network manager put in? 15:00 < darkk^> but if you encounter with this issue at more than one client it's better to tune server and read logs, of course. 15:00 < darkk^> uhhh, I know nothing about network manager, sorry. 15:00 < shadowhywind> k, hehe 15:00 < shadowhywind> brb, going to give it a shot 15:01 < shadowhywind> well looks like i should have left the network manager stuff in there.. 15:01 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 15:02 < darkk^> if you disable network manager you may have issues with your desktop application (e.g. firefox may assume that you're offline when you're online) 15:04 -!- shadowhywind_ [n=shadowhy@user-0c93gf5.cable.mindspring.com] has joined ##openvpn 15:04 < shadowhywind_> ok So i figured it out, I changed the nameserver to an opendns number, and everything is working 15:07 < krzie> !ubuntu 15:07 < vpnHelper> krzie: "ubuntu" is dont use network manager! 
15:07 < jeev> i can't believe people use things like ubuntu! 15:08 < krzie> ubuntu is pretty nice for people who arent into linux 15:08 < krzie> i have it dual boot on my laptop 15:08 < krzie> (although i never ever boot into it) 15:09 < darkk^> and ubuntu is pretty nice when you have no time to install another distro 15:09 < krzie> i just wanted to setup my macbook to dual boot so i could crack WEP with the internal atheros 15:09 < krzie> once i did it, i stopped caring 15:09 < krzie> i also wanted to play with beryl 15:10 < krzie> but for the most part jeev, i agree 15:13 < shadowhywind_> hay ubuntu is nice, or at least kubuntu is.. 15:13 -!- darkk^ [n=darkk@rw.darkk.net.ru] has left ##openvpn ["Pong timeout"] 15:17 -!- shadowhywind_ [n=shadowhy@user-0c93gf5.cable.mindspring.com] has quit [Remote closed the connection] 15:19 -!- shadowhywind [n=shadowhy@prowlnet-221-68.imt.uwm.edu] has quit [Read error: 110 (Connection timed out)] 15:20 -!- ebil|work [n=andy@216.64.93.22] has joined ##openvpn 15:21 < ebil|work> Hi. quick question. if I want the following scenario: Network A can access machines on network B, Network B can access machines on network A. then Network A is a client of Network B AND a server to network B and Network B is a client of network A and a server to network A? 15:21 < ebil|work> Just wnated to make sure I understand that properly 15:24 -!- jfkw_ [n=jtk@static-64-65-249-140.buf.choiceone.net] has joined ##openvpn 15:25 < krzie> no no 15:25 < krzie> just 1 client and 1 server 15:26 < ebil|work> ok 15:26 < krzie> !route 15:26 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 15:26 < krzie> that will help you 15:26 < krzie> !sample 15:26 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:26 < krzie> that will give you somewhere to start 15:26 < ebil|work> so the tunnel is a two way tunnel and I can just set up routes in both directions then? 
15:26 < ebil|work> I appreciate it
15:26 < krzie> if you use *nix, this will help you manage certs,
15:26 < krzie> !ssl-admin
15:26 < vpnHelper> krzie: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
15:26 < ebil|work> I'll be using debian on both routers
15:26 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has quit ["leaving"]
15:26 -!- jfkw_ [n=jtk@static-64-65-249-140.buf.choiceone.net] has quit [Client Quit]
15:27 < ebil|work> cool. So I just have to sit down and decide which I want to be the 'server' and which systems I want to have as 'clients' then?
15:27 < krzie> thats fine, the certs dont even need to be managed on one of those
15:27 < krzie> can be generated anywhere
15:27 < krzie> only 1 machine from each network needs to be a client
15:28 < krzie> and 1 machine needs to be a server on its network
15:28 < ebil|work> I guess what I'm trying to get at is this: openvpn kind of leans towards a 'star' topoloigy
15:28 < ebil|work> topology rather
15:28 < krzie> ya like hub and spoke
15:29 < krzie> and all traffic flows through server, even when clients communicate with each other
15:29 < krzie> so lets say you have 3 networks...
15:29 < krzie> 1 machine is a server
15:29 < ebil|work> ok. cool. so I just have to decide which system is the 'hub' (I will 'run' 2 of the networks on the vpn, I'm just trying to decide which to call the 'server')
15:29 < krzie> then on the other 2 lans, 1 machine is a client on each
15:29 < ebil|work> yeah
15:30 < ebil|work> so if client 1 talks to client 2, the data goes through the server
15:31 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has joined ##openvpn
15:31 < ebil|work> right?
15:34 < ebil|work> another question then, is there any way around the star topology (to be more like, say, ipsec)
15:35 < krzie> so if client 1 talks to client 2, the data goes through the server
15:35 < krzie> so if client 1 talks to client 2, the data goes through the server
15:35 < krzie> correct
15:35 < krzie> sorry for 2x paste
15:35 < krzie> no
15:35 < ebil|work> oh well. it IS easier to set up :)
15:35 < krzie> due to the nature of public key encryption it couldnt be like ipsec and still as secure
15:36 < krzie> and ipsec isnt secure either, lol
15:36 < jeev> pump
15:36 < ebil|work> I just don't have a machine with fat enough pipes to handle being the hub of a vpn with say, 5 other networks
15:38 < krzie> well it is possible to have a couple servers in that sort of setup, but gets a little more complex in getting the routing right
15:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
15:38 < krzie> and more 'expensive' to manage
15:38 < krzie> not in terms of $
15:39 < ebil|work> routing I can handle :) I just wanted to be able to distribute the traffic. so it is possible to have a computer be a server + client, just it might not be the best solution
15:39 < ebil|work> yeah, in terms of time and effort and CPU
15:39 < krzie> but like time, understanding, and thought needed
15:39 < krzie> not really cpu
15:39 < krzie> but ya
15:39 < krzie> you got the idea
15:39 < ebil|work> cool, I really appreciate the help.
15:41 -!- bandini [n=bandini@host223-106-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:42 < krzie> np
15:42 < krzie> the thing is
15:43 < krzie> for the different servers, you want different vpn networks
15:43 < krzie> like ips
15:43 < krzie> and you'll need to have an understanding of route, iroute, push, ccd
15:43 < krzie> all explained in my !route document
15:43 < krzie> which was posted above
15:43  * ecrist slaps krzie with a large trout.
15:44 < ebil|work> currently I have 1 network on 192.168.183.x and 173.x
15:44 < krzie> lol
15:44 < krzie> i havnt seen that one in quite a few yrs
15:44 < ecrist> ;)
15:44 < krzie> 173.?
15:44 < ebil|work> krzie, my dad always used to threaten a 'slap in the belly with a wet fish'... I think that's probably where MY sense of humor came from
15:44 < ebil|work> 192.168.173.x
15:44 < ebil|work> sorry :)
15:45 < krzie> ohhh ok
15:45 < ebil|work> I made up my OWN CIDR address! I wish I owned 173.x.x.x
15:45 < krzie> ecrist hows it goin man? the wifey feelin better?
15:45 < ebil|work> that would be cool
15:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:00 -!- Kevin` [n=kevin@etmalec.net] has quit [Remote closed the connection]
16:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Remote closed the connection]
16:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:34 -!- ebil|work [n=andy@216.64.93.22] has quit [Read error: 110 (Connection timed out)]
17:19 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:43 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
17:48 -!- fanti [n=fanti@ack.spin.de] has quit ["using sirc version 2.211+KSIRC/1.3.12"]
17:51 < ecrist> krzie: she's doing a lot better.
17:55 < krzie> food to hear
17:55 < krzie> lol
17:55 < krzie> good to hear too
19:20 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
19:20 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:20 < Dougy> JEEV
19:20 < Dougy> SEXUAL HARASSMENT MANDA
19:20 < Dougy> s/MANDA/PANDA/
20:29  * Dougy pokes jeev
20:42 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Read error: 104 (Connection reset by peer)]
20:45 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn
20:52 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
21:38 < jeev> sup foo
21:38 < jeev> ah
21:38 < jeev> he left
21:38 < jeev> got a customer who has a broke dell laptop
21:38 < jeev> it turns on SOMETIMES
21:38 < jeev> most of the time it doesn't
21:38 < jeev> wtf is the prob
21:38 < jeev> probably bad board
21:39 < Dryanta> or psu
21:42 < jeev> if i leave unplugged for a while, it'll turn on.
21:42 < jeev> then i turn off
21:42 < jeev> i mean i dont boot into windows
21:42 < jeev> friend said it'll shut off sometimes
21:42 < jeev> i dont think they sell them separately
21:43 < jeev> guy says he spilled water on keyboard or some shit
21:44 < Dryanta> well my hp is possessed
21:44 < Dryanta> it turns itself on by itself hah
21:44 < jeev> i dont know
21:44 < jeev> i did the function power thing
21:44 < jeev> it showed bad memory
21:44 < jeev> it had no memory, but earlier it did
21:44 < jeev> so i'm gonna let it stay powered off
21:44 < jeev> and try it again
21:50 < ecrist> ssh
21:50 < jeev> shit
21:50 < jeev> it turned on but gave no memory installed error
21:50 < jeev> board, eh?
22:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
22:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:57 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
23:13 < Dryanta> http://gizmodo.com/gadgets/robot-sex/people-of-massachusetts-to-be-having-sex-with-robots-by-2012-310568.php
23:13 < vpnHelper> Title: Robot Sex: People of Massachusetts to be Having Sex With Robots by 2012 (at gizmodo.com)
23:14 < krzee> hah
23:36 -!- SerajewelKS [i=devnull@wikipedia/Crazycomputers] has joined ##openvpn
23:36 < SerajewelKS> are there any plans to add STUN support to openvpn?
23:42 < krzee> how would that be possible?
23:42 < krzee> clients dont need to be contacted randomly
23:42 < krzee> once the client connects to the server it keeps the connection open the whole time
23:42 < krzee> STUN exists for voip because that is not the case
23:43 < krzee> STUN is a voip thing, even with STUN the voip server must have an open port
23:43 < krzee> and that is the only thing that needs to be opened for OpenVPN too
23:43  * jeev pokes krzee
23:44 < krzee> the client does not need to have a port open, or even bind
23:44 < krzee> wassup jeev
23:45 < SerajewelKS> no, STUN is a dual-NAT thing
23:45 < krzee> stun is for nat discovery
23:45 < SerajewelKS> and traversal
23:45 < krzee> so the client doesnt send its 1918 ip in its voip packets
23:45 < krzee> that is un-necessary for openvpn
23:46 < SerajewelKS> ok
23:46 < krzee> you arent the first to ask
23:46 < SerajewelKS> what configuration should i use to connect to my network in my dorm room, which is behind a university NAT device, to this laptop, which is behind a NAT device out of my control?
23:46 < krzee> and it always leads me to wonder why someone would think stun would help their openvpn setup
23:46 < krzee> it should connect to your server
23:47 < krzee> connect out from there
23:47 < SerajewelKS> yes... which is behind a NAT device...
23:47 < krzee> both sides you have no access to the nat device?
23:47 < SerajewelKS> no access to the configuration, correct
23:47 < krzee> hah
23:47 < SerajewelKS> i don't think either institution is going to give me access to their external firewall
23:47 < jeev> my voip system rulez
23:47 < krzee> you need a server at a location where you can open a port
23:47 < krzee> even in voip with stun that would be the case
23:48 < SerajewelKS> i do have an external server, yes, but i don't want it proxying
23:48 < SerajewelKS> when UDP NAT traversal is trivial
23:48 < krzee> cause one server must initiate the connection
23:48 < jeev> you have external - internal server?
23:48 < jeev> what are you running, asterisk ?
23:48 < krzee> all stun does is allows your client to tell the server its inet ip in voip packets
23:48 < SerajewelKS> i have three devices i can play with
23:48 < krzee> it still must contact the server normally
23:48 < krzee> otherwise i would close my voip servers ports
23:48 < krzee> lol
23:48 < SerajewelKS> right, but STUN can facilitate UDP NAT traversal as well
23:49 < jeev> my thing was awesome, dual wan. so i had issues with nat and pf, so i set up a gre tunnel for interface 1 with external and interface 2 with external ;)
23:49 < krzee> jeev, i run freeswitch
23:49 < jeev> freeswitch is WACKKKKKKKKKKKKKKK
23:49  * jeev smacks krzee
23:49 < krzee> LOL
23:49 < jeev> eh, i dunno if it's wack
23:49 < krzee> check it out again
23:49 < jeev> i dont care frankly
23:49 < jeev> i love asterisk
23:49 < jeev> heh
23:49 < krzee> its WAY better than asterisk
23:49 < jeev> :0
23:49 < krzee> it was coded by people who wrote tons of code in asterisk
23:49 < SerajewelKS> i have two boxes behind NAT that i want to have communicate with openvpn, and a third where i can open arbitrary ports
23:49 < jeev> yes, i know, the one person blah blahlhbahlbab
23:49 < SerajewelKS> the bandwidth to this server is much more limited
23:49 < krzee> they decided to get a high quality phone app they needed to rework from the start
23:49 < SerajewelKS> so i do not want to proxy the connection through this server
23:50 < SerajewelKS> i would like to traverse the NAT
23:50 < jeev> here's a story, about a lovely lady, blahblahbhlalbh
23:50 < SerajewelKS> which is exactly what STUN does
23:50 < SerajewelKS> or facilitates anyway
23:50 < krzee> ive seen freeswitch setups take out metaswitch cause metaswitch couldnt handle the CPS freeswitch could send at it
23:50 < krzee> metaswitch is carrier grade and STARTS at 250K
23:50 < SerajewelKS> (which, interestingly, is why STUN is called Simple Traversal of UDP over NATs)
23:50 < krzee> SerajewelKS, then you want client-to-client
23:51 < krzee> !route
23:51 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
23:51 < krzee> that doc will help you
23:51 < krzee> each lan behind untouchable nat routers will need to be a client
23:51  * jeev smacks krzee with an overweight and sick trout
23:51 < krzee> SerajewelKS, you do not understand STUN
23:52 < krzee> just by initiating the connection you will traverse your NAT
23:52 < krzee> and the connection will remain, all data will go over that connection
23:52 < krzee> if voip worked that way they wouldnt need STUN
23:52 < SerajewelKS> krzee: directly through the other NAT?
23:52 < krzee> the NATS wont even come in to play
23:52 < krzee> they arent on the same network addresses right?
23:53 < SerajewelKS> the two boxes i want to connect, A and B, are on completely different LANs and NATed to the public Internet, if that's what you're asking
23:53 < krzee> right, and their different lans use different network addresses right?
23:54 < krzee> like both arent 192.168.0.x
23:54 < SerajewelKS> i have control over both of them, so i can pick different ones, yes
23:54 < krzee> umm
23:54 < krzee> you have control over them now?
23:54 < krzee> oh right, dorm style setup
23:54 < SerajewelKS> over the machines i am linking, yes...
23:54 < SerajewelKS> we're not bridging here
23:54 < krzee> double nat
23:54 < krzee> gotchya
23:54 < SerajewelKS> just point-to-point
23:55 < krzee> no
23:55 < krzee> not ptp
23:55 < krzee> server/client
23:55 < krzee> !sample
23:55 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
23:55 < krzee> like that
23:55 < SerajewelKS> i have configured openvpn before
23:55 < krzee> use this to understand your setup
23:55 < krzee> !route
23:55 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
23:55 < SerajewelKS> just not between two NATed computers
23:55 < krzee> well your setup you're asking for is standard
23:55 < krzee> very common setup
23:55 < krzee> dude your NATs dont matter
23:55 < krzee> just put the server on a machine you control the NAT/ip
23:55 < krzee> one where you can open the port
23:56 < krzee> thats all that matters
23:56 < SerajewelKS> this is still sounding like some third computer is going to have to proxy the data packets
23:56 < krzee> your clients both connect to the server
23:56 < krzee> dude, the server will be on the third computer
23:56 < krzee> thats the only way this works
23:56 < krzee> cause you cant port forward on either LAN
23:56 < SerajewelKS> no, but you can do UDP NAT traversal
23:56 < krzee> DUDE
23:57 < SerajewelKS> i've implemented a proof-of-concept that works, i'm asking if openvpn has anything integrated
23:57 < krzee> nat traversal has nothing to do with this
23:57 < SerajewelKS> "works" in the context of i can push my own data, not run openvpn, since i'm not double-binding the port
23:57 < krzee> you implemented 2 machines using nat traversal to reach each other?
23:57 < SerajewelKS> yes
23:57 < jeev> why dont you just set up an ipsec tunnel
23:57 < jeev> or something
23:57 < krzee> i dont believe you
23:58 < SerajewelKS> i can dig up the sources
23:58 < SerajewelKS> it was some time ago
23:58 < krzee> nah its fine
23:58 < krzee> if you coded it you dont need help
23:58 < SerajewelKS> but i got my computer and my brothers' at two different universities talking through NAT, with a third server to help with the rendezvous
23:58 < krzee> as far as official stance (which cant come from me) try sending the list your code
23:58 < krzee> see if they implement it
23:59 < SerajewelKS> once the third server (which, yes, was essentially a STUN server) helped them get started there was no proxying of anything
23:59 < SerajewelKS> btw, this might help you figure out the application i'm using for STUN: http://en.wikipedia.org/wiki/Simple_traversal_of_UDP_over_NATs
23:59 < vpnHelper> Title: Simple traversal of UDP over NATs - Wikipedia, the free encyclopedia (at en.wikipedia.org)
23:59 < krzee> ive run a stun server before
--- Day changed Tue Oct 21 2008
00:00 < jeev> i really should check out stun
00:00 < jeev> i dunno wtf it does
00:00 < krzee> i used to be part owner of a voip co
00:00 < SerajewelKS> then i'm very confused why you say it has nothing to do with traversal of UDP data over NATs.. isn't that the point?
00:00 < SerajewelKS> i mean, that's what it's called
00:01 < krzee> jeev, it lets you punch a hole in your udp for the voip packets to reach you, after you register with the voip server you send your inet ip instead of your 1918 ip in your packets so it knows how to reach you
00:01 < SerajewelKS> yes, exactly
00:01 < krzee> BUT
00:01 < SerajewelKS> you know what, i think i did in fact use openvpn with this system, i don't recall how
00:01 < krzee> you must first reach the server and register
00:01 < SerajewelKS> nod
00:02 < SerajewelKS> that's why i mentioned that i have a third server i can reach from both NAT'd boxes
00:02 < SerajewelKS> it's the rendezvous point
00:02 < krzee> SerajewelKS, you're saying you wrote code to not need to reach the server and register
00:02 < krzee> which im saying, nope
00:02 < jeev> oh cool
00:02 < jeev> i should look into it
00:02 < SerajewelKS> no, hell no
00:02 < krzee> SerajewelKS, client-to-client MUST route through the server
00:02 < jeev> is that what people like speakeasy use for their business voip and shit ?
00:02 < SerajewelKS> i wrote code to implement UDP NAT traversal using a third server
00:02 < SerajewelKS> krzee: perhaps i should be a bit more clear
00:02 < SerajewelKS> krzee: one of the two NAT'd boxes *will* be a server
00:03 < SerajewelKS> that will be reached by NAT traversal using the external server to help with the process
00:03 < krzee> it must first be able to initiate a session with the other machine
00:03 < krzee> outbound
00:03 < SerajewelKS> right
00:03 < krzee> to punch the hole
00:03 < SerajewelKS> i can easily proxy that request through the external server, C
00:03 < SerajewelKS> A listens for requests from C
00:03 < krzee> and the other machine cant punch a hole without initiating a session to the other server
00:03 < SerajewelKS> B tells C to tell A to start the process while it does too
00:03 < krzee> so neither can reach the other
00:04 < SerajewelKS> shit happens, hole is punched
00:04 < SerajewelKS> profit
00:04 < krzee> pls send the patch to the maillist for testers
00:04 < SerajewelKS> see i'm not entirely dumb, it's just a combination of bad communication from me and assumptions from you :)
00:04 < krzee> if that works like you're saying i'd like to see it tested
00:05 < SerajewelKS> nod
00:05 < krzee> and thats its path to being implemented
00:05 < SerajewelKS> it was pretty sweet, we played a "LAN" game of total annihilation
00:05 < SerajewelKS> anywho
00:05 < SerajewelKS> all that to determine
00:05 < SerajewelKS> nope, no support for this in openvpn
00:05 < SerajewelKS> not yet, that is
00:06 < SerajewelKS> i should just write a generic system that will work with any UDP service
00:06 < SerajewelKS> if it hasn't been done
00:06 < krzee> thats true
00:06 < SerajewelKS> essentially ssh tunnels for UDP, across NATs
00:07 < SerajewelKS> and without the encryption, but certainly with the bad-ass cool shit factor
00:08 < jeev> http://www.floridaventureblog.com/uploaded_images/funny-sign.jpg
00:08 < jeev> hahahahaha
00:08 < SerajewelKS> nice
00:08 < SerajewelKS> i like this one: http://failblog.files.wordpress.com/2008/10/fail-owned-holiday-inn-welcome-fail.jpg
00:09 < krzee> lol
00:09 < krzee> nice one
00:11 < jeev> lol
00:11 < jeev> i hate the words fail
00:11 < jeev> and that other one
00:11 < jeev> epic *
00:13 < SerajewelKS> epic fail can be annoying but used in the right context is priceless
00:15 < SerajewelKS> so it looks like as long as at least one side is using any type of cone NAT, traversal is possible
00:16 < SerajewelKS> been a while since i've done this stuff
00:16 < krzee> SerajewelKS, do you need help with anything openvpn related before i head back to idle and read my book?
00:17 < SerajewelKS> nah, actually i need to go pee and sleep
00:17 < SerajewelKS> thanks for the discussion though
00:21 < krzee> ya np
00:21 < krzee> i look forward to seeing what you come up with
00:29 < SerajewelKS> me too :)
01:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:44 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
02:04 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
02:54 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
03:24 < kala> by default is the openvpn tunnel PINGER timeout 60 seconds. Has anyone tried with shorter timeout, like 20 or 30 seconds?
03:24 < kala> It seems that some of my clients are not able to finish all required tasks in 30 seconds every time and the tunnel gets restarted
03:31 < krzee> you can change that with --keepalive more comprehensively
03:32 < krzee> cause you want to have a certain number of pings fail before you kill it
03:32 < krzee> !man
03:32 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
03:33 < krzee> --keepalive n m
03:33 < krzee> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
03:33 < krzee> For example, --keepalive 10 60 expands as follows:
03:33 < krzee>
03:33 < krzee> if mode server:
03:33 < krzee> ping 10
03:33 < krzee> ping-restart 120
03:33 < krzee> push "ping 10"
03:33 < krzee> push "ping-restart 60"
03:33 < krzee> else
03:33 < krzee> ping 10
03:33 < krzee> ping-restart 60
03:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
04:06 -!- patphone [n=smash@193.196.7.49] has joined ##openvpn
04:08 < patphone> hello .. I have a weird problem which I cant resolve: I can ping the vpnD, the other peers in the network .. everything works fine, I just cant ping myself. Since tcpdump doesnt show anything I suppose it's a route issue
04:08 < patphone> but then again I wonder why openvpn doesnt work correctly by default
04:08 < patphone> here are my routes (did not push/set anything in the config): http://paste.debian.net/19676/
04:12 < kala> krzee: yep. The problem seems to be that the whole initialization process takes sometimes about 40-90 seconds on the Windows machine.
04:12 < kala> However, after the tunnel is successfully running, I would like to discover the broken tunnel quite quickly, like 20-30 seconds, and then re-start the initiation process
04:14 < kala> The main problem is that I need to run two netsh.exe, two ipconfig.exe and two nbtstat.exe commands during the tunnel initiation to make sure everything is good with Windows name resolution and registration
04:14 < kala> the script takes about 13-80 seconds to run
04:15 < kala> tunnel itself and the routes and everything else gets setup within 11 seconds and is quite constant with machines
04:15 < kala> "constant among machines"
04:24 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
04:32 -!- patphone [n=smash@193.196.7.49] has quit [Read error: 104 (Connection reset by peer)]
04:41 < krzee> kala, did you try that tho?
05:45 -!- Xchange2 [n=change@port-212-202-143-246.static.qsc.de] has joined ##openvpn
05:46 < Xchange2> hi, someone here who could help me with an advanced routing configuration?
05:47 < Xchange2> i want to offer 2 connection types to our employees, one using the standard udp port and one using tcp 443 for connections over http proxys
05:48 < Xchange2> would it be possible to use a shared virtual network for both servers?
05:50 < krzee> what do you mean?
05:50 < Xchange2> at the moment i have three virtual networks (admins, employees and contractors)
05:50 < krzee> like where clients can communicate with each other?
05:51 < Xchange2> no
05:51 < krzee> where admins have access to more routes than employees?
05:51 < Xchange2> i start an openvpn server with proto udp and port 1194 that uses those three networks
05:51 < Xchange2> yes
05:51 < krzee> !policy
05:51 < vpnHelper> krzee: "policy" is http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies
05:51 < Xchange2> that works already fine :)
05:51 < Xchange2> but i want to offer proto tcp and port 443 too
05:51 < krzee> then what are you missing?
05:52 < krzee> then put the same setup on another proc on tcp port 443
05:52 < Xchange2> hm
05:52 < krzee> with diff internal vpn network address
05:52 < Xchange2> yes thats what i mean
05:52 < krzee> like 10.9.0.x instead of 10.8.0.x
05:52 < Xchange2> so i would need to have 6 networks instead of 3?
05:52 < krzee> and if the clients on diff ones need to communicate, push the route
05:53 < krzee> well depending on # of clients you could break it in half
05:53 < Xchange2> hm
05:53 < krzee> instead of 255.255.255.0
05:53 < Xchange2> good idea
05:53 < krzee> still 6 networks
05:53 < krzee> but smaller ones
05:53 < Xchange2> yes
05:54 < Xchange2> hm
05:54 < krzee> ?
05:56 < Xchange2> one question of theory, if i would break them in half (so instead of /24 i use /25 subnet)
05:56 < krzee> !google cidr cheatsheet
05:56 < vpnHelper> krzee: http://www.oav.net/mirrors/cidr.html - CIDR SUBNET MASK CHEATSHEET & ICMP TYPE CODES
05:57 < Xchange2> do i need to add a route in my gateway for each /25 network or would /24 suffice?
05:57 < krzee> if both go to same server, /24 would suffice
05:58 < krzee> if it would not, 0.0.0.0 wouldnt be a default route../.
05:58 < Xchange2> yes both to the same server
05:58 < krzee> you'd need routes to every network
05:58 < krzee> etc..
05:59 < krzee> in fact, if you are using 10.x and your normal lan uses 192.168.x you could cover all 6 routes with just using 10.0.0.0 255.0.0.0
06:00 < krzee> or whatever variation works for you
06:00 < Xchange2> so roughly i would use my existing virtual network (i.e. 172.17.10.0/24), split it in the half (172.17.2.0/25 and 172.17.2.128/25), and assign them to each of the servers
06:00 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
06:00 < Xchange2> eh sorry, 172.17.10.0/25 + 172.17.10.128/25
06:00 < krzee> just go try it
06:00 < Xchange2> and in my gateway default route 172.17.10.0/24 to my openvpn server machine
06:00 < krzee> no reason to sit here double checking when you could be trying
06:00 < Xchange2> hm
06:01 < krzee> but ya
06:01 < Xchange2> k ;)
06:01 < krzee> except
06:01 < krzee> .129/25
06:01 < Xchange2> ah
06:01 < Xchange2> yes
06:02 < Xchange2> brb trying ;)
07:02 < ecrist> morning kids
07:36 < kala> krzee: oh, I managed to solve the problem all together. I put the time-expensive command into a separate .bat file and scheduled its execution by Windows Scheduled Tasks
07:53 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
07:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:52 -!- gamla_kossan is now known as asdf9000
08:58 -!- asdf9000 is now known as gamla_kossan
09:06 -!- aep [n=aep@unaffiliated/aep] has left ##openvpn ["->"]
09:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:40 -!- Xchange2 [n=change@port-212-202-143-246.static.qsc.de] has quit ["If I'm not back in 2 hours, call the defence minister and tell him that Hitler is living in my house."]
10:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:34 -!- GreenCult [n=greencul@200.48.85.21] has joined ##openvpn
10:34 < GreenCult> !menu
10:34 < vpnHelper> GreenCult: "menu" is please use !factoids search *
10:34 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
10:40 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
10:41 -!- AukeF is now known as AukeF|away
11:03 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
11:20 -!- SerajewelKS [i=devnull@wikipedia/Crazycomputers] has left ##openvpn []
11:23 -!- dpetrek [n=delfince@93-136-127-85.adsl.net.t-com.hr] has joined ##openvpn
11:23 < dpetrek> howdy
11:24 < dpetrek> so i have a working tun-based routed openvpn network with 3 subnets
11:25 < dpetrek> there is one central openvpn installation and 2 openvpn clients connect to it and provide routing to devices on their subnets
11:25 < dpetrek> and my question is
11:26 < dpetrek> if i ping a machine in one of vpn clients subnets from server hosting central openvpn
11:27 < dpetrek> and that machine pinged not being a vpn client itself,
11:27 < dpetrek> i cannot get reply from central server
11:28 < dpetrek> ofcourse that makes sense because when i ping from central server, packets get sent with source ip address of openvpn tun interface
11:28 < dpetrek> and they can't come back because machine pinged does know how to return
11:29 < dpetrek> so what do i have to do to make this pings work
11:29 < dpetrek> i know source address of packets would have to be lan address of central server, then machine pinged would know how to return packets
11:29 < dpetrek> but how do i accomplish that?
11:30 < dpetrek> i can provide more information if anyone would care to help me
11:32 < dpetrek> would it have to do with tun adapter being default adapter for pinging?
11:32 < dpetrek> how can i fix that
11:51 -!- dpetrek [n=delfince@93-136-127-85.adsl.net.t-com.hr] has quit []
12:08 < ecrist> wow, impatient
12:09 -!- noriX [i=noriX@csbnc0002.229.162.clanserver4u.de] has joined ##openvpn
12:10 < noriX> Hi is it possible to create from a pkcs12 cert, a private key(pem) file? At the moment, i have to enter my private key every time, manually
12:12 -!- ikevin [n=kevin@ANancy-256-1-168-88.w90-56.abo.wanadoo.fr] has quit [Remote closed the connection]
12:13 < ecrist> noriX: not that I know of. I think there's a way to change the password on an existing key, but you have to know the current password. You can remove the password by simply setting it to being empty
12:14 < noriX> ecrist, i'm just looking for a way to avoid the manual input of my private key
12:15 < noriX> is it possible to store my private key in a file, and automatically load it with a openvpn parameter ?
12:15 < noriX> or argument
12:17 -!- ikevin [n=kevin@ANancy-256-1-168-88.w90-56.abo.wanadoo.fr] has joined ##openvpn
12:20 < kala> noriX: if the private key is included in the pkcs12 certificate, then you can use openssl to create two different files, certificate and private key, in PEM or DER format
12:21 < noriX> how ?
12:22 < kala> look at the pkcs12 manual page
12:23 < kala> http://openssl.org/docs/apps/pkcs12.html
12:23 < vpnHelper> Title: OpenSSL: Documents, pkcs12(1) (at openssl.org)
12:38 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:42 < ecrist> noriX: yes, there is.
12:43 < ecrist> iirc, openvpn even allows for this, but I might be mistaken.
12:46 -!- ikevin [n=kevin@ANancy-256-1-168-88.w90-56.abo.wanadoo.fr] has quit [Remote closed the connection]
12:52 -!- ikevin [n=kevin@ANancy-256-1-168-88.w90-56.abo.wanadoo.fr] has joined ##openvpn
12:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:18  * ecrist wants to mount Kate Bekinsale from behind.
13:18 < ecrist> god what an ass on that gal.
13:20 < ecrist> http://www.secure-computing.net/kate.jpg
13:20 < ecrist> great desktop background
13:20 < razor2000> hehe
13:21 < ecrist> for dual head setup, I guess
13:21 < razor2000> ecrist: nice pic!
13:21 < jeev> what's her name
13:21 < jeev> and where is the ass?
13:21 < jeev> oh
13:21 < razor2000> lol
13:21 < jeev> kate bekinsale
13:21 < jeev> wack
13:21 < razor2000> kate
13:21 < ecrist> http://www.secure-computing.net/kate2.jpg
13:21 < ecrist> another good one
13:22 < razor2000> better than the first pic you linked! :)
13:22 < ecrist> http://www.lazygirls.info/Kate_Beckinsale/Kate_Beckinsale_Ass_icABnbM
13:22 < vpnHelper> Title: Kate Beckinsale - Kate Beckinsale Ass (at www.lazygirls.info)
13:23 < ecrist> here's another post from digg a while back: http://searchpics.blogspot.com/2008/03/kate-beckinsale.html
13:23 < vpnHelper> Title: Sexy celebrity pics: kate beckinsale (at searchpics.blogspot.com)
13:25 < ecrist> god I love my mac and how great terminal works with everything else.
13:25  * ecrist is in a good mood today.
13:25 -!- ikevin [n=kevin@ANancy-256-1-168-88.w90-56.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
13:26 < razor2000> hehe
13:26 < ecrist> http://www.secure-computing.net/kate_ass.jpg
13:29 < jeev> stop looking at the one in the middle
13:29 -!- ikevin [n=kevin@ANancy-256-1-147-219.w90-33.abo.wanadoo.fr] has joined ##openvpn
13:33 -!- xattack [i=xattack@132.248.108.239] has quit []
13:46 -!- ikevin [n=kevin@ANancy-256-1-147-219.w90-33.abo.wanadoo.fr] has quit [Remote closed the connection]
13:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:17 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn
14:18 < ebil> krzee, thanks for the assistance the other day (I think it was you, pretty sure anyhow) I was just wondering, I've finally got the firewalls set up, but if I have a question about security
14:18 < ebil> if I have a server S with two clients A and B
14:18 < ebil> (S is a router to network C let's say)
14:19 < ebil> (and A and B are also networks) Is there any way to prevent someone connecting from network B from seeing the systems on network A? or am I asking way too much :) (I suppose I could prevent them from connecting directly easily enough, but I'm worried about them 'bouncing' off my network so to speak
14:22 < krzee> np
14:22 < krzee> well
14:22 < krzee> you could with a firewall
14:22 < krzee> cause machines in network B will still be showing up with their LAN ips
14:22 < krzee> (which works because you setup routing correctly
14:22 < krzee> )
14:23 < ebil> but if someone from network B logs into network C (which I want to be able to connect to network A) I'm screwed right?
14:23 < krzee> so you could always say that packets from 10.0.0.101 (untrusted machine in network B) headed for 10.0.1.x (network A) dont get to pass
14:23 < ebil> because the NEW connection will originate from network C
14:24 < krzee> no
14:24 < krzee> the new connection still has old IP
14:24 < krzee> server just forwards the packets
14:24 < krzee> it doesnt create a new connection, it forwards the old one
14:24 < ebil> so if I ssh into a machine on network C (from B) I wouldn't be able to ssh into network A?
14:24 < krzee> it routes it
14:24 < krzee> oh
14:24 < krzee> like that
14:24 < ebil> yeah. :) I figured I was asking for too much
14:25 < krzee> haha ya
14:25 < krzee> once they're logged into a machine like that on network C, they are no longer a user in network B
14:25 < krzee> they are then a user in network C
14:25 < ebil> that's what I figured. even though the data is still coming IN from network B
14:25 < ebil> (technically)
14:26 < krzee> you can stop B from connecting to A even though packets go through C
14:26 < ebil> yeah
14:26 < ebil> that should do well enough for now
14:26 < krzee> but if you allow login to C, and C needs to be able to connect to A
14:26 < krzee> then your design mandates they can login to A
14:26 < ebil> yeah
14:26 < ebil> unless I give users from B access to a machine on C that doesn't have access to A. that would fix it
14:27 < krzee> yup
14:27 < ebil> or I could just hand out beat-downs for people who log into A :D
14:27 < ebil> ipHammer
14:27 < krzee> as long as they cant access another machine that can access A, and you have firewalls stopping their direct access
14:28 < ebil> yep. cool. this is actually a really awesome system. it was really easy to set up
14:28 < krzee> ya ovpn gets that way after you've played with it a lil =]
14:29 < krzee> i found myself saying that exact same thing about freeswitch last weekend
14:29 < ebil> freeswitch? (googles)
14:29 < krzee> its a badass voip pbx
14:29 < krzee> open source
14:29 < krzee> makes asterisk look like a rookie attempt
14:30 < krzee> (im'h'o)
14:30 < krzee> its actually much more than a pbx tho
14:30 < krzee> i just say that to be understood
14:30 < krzee> its really a soft-switch
14:53 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn
14:53  * plaerzen waves.
14:58 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
15:22 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
15:48 < ebil> krzee, that's pretty cool (sorry, at work/studying for an AI exam
15:56 < krzee> all good
16:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:33 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Nick collision from services.]
16:51 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:54 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
16:56 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
17:01 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Connection reset by peer]
17:13 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:37 < jeev> where the hardware guru's at
18:12 -!- GreenCult [n=greencul@200.48.85.21] has quit ["Saliendo"]
19:17 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
19:41 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
20:02 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
20:02 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:21 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
20:32 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
21:30 < ecrist> jeev: what you need?
22:10 < ebil> is it possible to have multiple iroute definitions in a client config file?
--- Day changed Wed Oct 22 2008
00:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:03 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has quit ["Leaving"]
01:38 < Dryanta> http://www.youtube.com/watch?v=_5Qtt4MBt084
01:38 < Dryanta> http://www.youtube.com/watch?v=_5Qtt4MBt084
01:38 < vpnHelper> Title: YouTube - Broadcast Yourself. (at www.youtube.com)
01:38 < Dryanta> funniest myspace post ive gotten in a while
01:55 < jeev> ecrist
01:55 < jeev> there?
02:01 < Dryanta> jeev: ur fgt
03:41 -!- gfather [n=gg@79.173.205.65] has joined ##openvpn
03:41 < gfather> hello guys
03:42 < gfather> there was a security gateway server that includes openvpn , i used to see it on the old website, anyone remembers it ?
04:06 -!- AukeF|away is now known as AukeF
04:08 < gfather> common guys , non remember it ?
04:39 -!- AukeF [n=auke@x154.flex.surfnet.nl] has quit [Remote closed the connection]
04:56 -!- ilreds [i=552b95f5@gateway/web/ajax/mibbit.com/x-1673670227f4bb8a] has joined ##openvpn
04:56 < ilreds> hi to all
04:57 < gfather> hello
04:57 < ilreds> which is the best place to put openvpn server? inside? dmz? dedicated subnet managed by firewall with port forwarding?
05:05 < gfather> it depends on ur needs
05:05 < gfather> what do u want to do ?
05:10 < ilreds> gfather: i want to permit our customers to reach our dedicated servers from internet
05:11 < gfather> do u have firewall and stuff ?
05:12 < gfather> well if ur allowing unknown person to connect to ur openvpn , try to use http://www.untangle.com
05:12 < vpnHelper> Title: Open Source Network Gateway | UntangleHome (at www.untangle.com)
05:12 < gfather> ;)
05:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:14 < ilreds> gfather: i have firewalls, i want to allow "allowed" and known users, i'm searching suggestions about the right place to deploy openvpn server
05:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
05:17 < gfather> then u could put the openvpn after the firewall , and open the openvpn on the firewall
05:17 < gfather> that way ur network will still be safe , and the vpn is after the firewall
05:39 -!- AukeF [n=auke@x231.flex.surfnet.nl] has joined ##openvpn
05:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:49 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
06:06 -!- nicu [n=nicu@office.adfinis.com] has joined ##openvpn
06:15 < nicu> hi, can someone give me an idea, how many clients I can connect to a single openvpn server? I don't need exact numbers. Only a range. More than 10, more than 100, more than 500, more than 1000...? Let's assume it's a standard setup, dual xeon 2.8GHz, 4gigs memory, recent kernel. Would be glad if someone could provide me with such numbers.
06:24 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:09 -!- Spike1506 [n=Joshua@unaffiliated/spike1506] has joined ##openvpn
07:09 -!- Spike1506 [n=Joshua@unaffiliated/spike1506] has left ##openvpn ["Leaving"]
07:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:21 < ecrist> morning, kids
07:22 < krzee> *growl*
07:22 < krzee> why do people think they can call me this early
07:23 < krzee> i wish that guy had just shown up so i coulda shown him how much i like mornings upside his head
07:24 -!- gfather1 [n=gg@79.173.221.224] has joined ##openvpn
07:25 < krzee> but ya, good morning
07:25 < krzee> heheh
07:25 < gfather1> did u get ur answer ?
07:25 < nicu> gfather1, no, not yet
07:26 < gfather1> can u ask it again , i just came back , so im not sure what did u ask :)
07:26 < nicu> would be cool to hear any realistic numbers
07:26 < nicu> gfather1, sure
07:26 < nicu> i'll just copy/paste if this is ok
07:26 < gfather1> ok
07:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
07:26 < nicu> hi, can someone give me an idea, how many clients I can connect to a single openvpn server? I don't need exact numbers. Only a range. More than 10, more than 100, more than 500, more than 1000...? Let's assume it's a standard setup, dual xeon 2.8GHz, 4gigs memory, recent kernel. Would be glad if someone could provide me with such numbers.
07:27 < gfather1> as much as u want ;)
07:27 < gfather1> i know some vpn companies who uses openbravo
07:27 < nicu> sounds good :)
07:27 < gfather1> so imagine how many clients they have to provide u with vpn , using openbravo
07:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:28 < gfather1> so , how much u connect and how is up to you
07:29 < gfather1> any other questions :)
07:29 < nicu> do you think it's realistic to have 1500 simultaneously connected users on such a machine?
07:29 < gfather1> yes
07:29 < nicu> ok
07:30 < gfather1> i told u , openvpn gives u everything
07:30 < nicu> i'm glad to hear this!
07:30 < gfather1> but to connect 1500 users u need at least hell of a bandwidth and a good server
07:30 < gfather1> what u need for ?
07:31 < nicu> of course :)
07:31 < gfather1> what do u want it to use for
07:31 < gfather1> company , enterprise , vpn company ?
07:31 < gfather1> game server ?
07:31 < nicu> it's a company who likes to tunnel HTTP over it
07:31 < nicu> "tunnel"
07:32 -!- gfather [n=gg@79.173.205.65] has quit [Read error: 110 (Connection timed out)]
07:32 < nicu> they want to provide some financial services over it
07:32 < nicu> i don't know all the details
07:32 < nicu> the project is at an early stage
07:32 < gfather1> u mean like to implement erp in vpn ?
07:33 < krzee> 1500 users all in different areas?
07:33 < gfather1> well whatever is the case
07:33 < krzee> not groups of them on the same LAN?
07:34 < nicu> krzee, no from different places
07:34 < krzee> entire LANs can route over the same connection
07:34 < krzee> ok
07:34 < krzee> so an extremely large virtual office
07:34 < nicu> right :)
07:34 < gfather1> i think that what he wants
07:35 < nicu> exactly
07:35 < gfather1> well using udp and small configurations ur on the go ;)
07:35 < nicu> but my job is only to find out if they need 1, 10 or 100 servers furch such a setup ;)
07:35 < krzee> hell you could even install freeswitch on the vpn box and have a voip client login to the local ip for a virtual office phone with extension too
07:35 < nicu> *for such a setup
07:36 < ecrist> nicu: be aware that your hardware will be the limiter.
07:36 < krzee> and your bandwidth
07:36 < gfather1> 1 hell of a server can handle all that
07:36 < nicu> ecrist, yes i think so
07:36 < gfather1> what u need is a bandwidth
07:36 < krzee> its better to have a couple servers than 1 badass one
07:36 < nicu> =)
07:36 < krzee> will help you get through the times a box is down
07:37 < krzee> instead of the sky falling and whatnot
07:37 < gfather1> thats a good point :) , mostly if 1 server crashed the other will keep going
07:37 < nicu> yes of course
07:37 < gfather1> in such case i would recommend a web server , like he can get 100 mb unmetered bandwidth
07:37 < ecrist> honestly, though, if I was managing 1500 VPN users, I wouldn't be using OpenVPN
07:38 < krzee> i agree, ild go cisco
07:38 < krzee> for that many
07:38 < nicu> nice input!
07:38 < ecrist> gfather1: 100mb is nothing
07:38 < krzee> openvpn is great
07:38 < krzee> but 1500 users is a TON
07:38 < nicu> i think of 1Gbit
07:38 < ecrist> on a small scale
07:38 < krzee> and openvpn can do this, but cisco is made for it
07:38 < nicu> okay
07:38 < ecrist> nicu 1Gbit would probably be sufficient. A lot depends on what you're doing across that VPN, too
07:38 < gfather1> i know , but im giving the guy an option , hes asking for 10 , 100 , 1000 , 10000
07:38 < krzee> yup, whats the expected bw / user?
07:39 < ecrist> well, Cisco VPN gear has crypto off-load hardware, so you can simply slam in another crypto proc if your box gets bogged down
07:39 < nicu> krzee, they are measuring it at the moment. But the user will only use the webpages of some banks
07:39 < gfather1> not heavy network traffic
07:40 < ecrist> gfather1: http is youtube. http is also a google search.
07:40 < ecrist> http means nothing
07:40 < krzee> nicu, if they default route over the vpn, i bet you see more than expected
07:40 < krzee> myspace, facebook, google, etc
07:40 < nicu> they will use a proxy and whitelist only some bank pages
07:40 < krzee> k
07:40 < gfather1> well if u reading from the start , ull get the effect hes not thinking of a lot of load
07:40 < ecrist> I would recommend *not* redirecting your users' gateway, route interesting traffic only.
07:40 < gfather1> hes thinking of number of users
07:40 < gfather1> if he can give more details
07:41 < krzee> yup
07:41 < ecrist> gfather1: I don't read up.
07:41 < krzee> you can choose which ips to route over vpn
07:41 < gfather1> read down
07:41 < krzee> good call ecrist
07:41 < nicu> i can give u more details later.. the main point at the moment is, if they need 1, 10 or 100 servers for such a setup
07:41 < nicu> and i'm fine if I can tell them that the number will be smaller than probably 10
07:41 < krzee> 5 would be overkill
07:41 < ecrist> nicu - 2 or 3 higher-end commodity servers would suffice for ~1500 users
07:42 < ecrist> bw being the limiter
07:42 < gfather1> if u need 100 servers , contact openvpn team :D
07:42 < nicu> hehe :D
07:42 < nicu> you're great guys!
07:42 < nicu> thank you very much for your help! I do really appreciate
07:42 < ecrist> gfather1: I am reading down. I don't know what kind of client you've got, but mine scrolls up. ;)
07:42 < krzee> thats what she said ;]
07:43 < gfather1> ;)
07:43 < gfather1> guys i need a pro opinion for both of u
07:43 < ecrist> speaking of, my wife has been so friggin' horny since her accident. it's awesome.
07:43 < krzee> lol
07:43 < gfather1> looool
07:43 < gfather1> thats cool m8
07:43 < ecrist> she's far from keeping up, but one hell of an improvement.
07:44 < gfather1> try learning squirt method , very effective ;)
07:44 < krzee> was she that pic named kate?
07:44 * ecrist does a happy dance.
07:44 < ecrist> krzee: I wish.
07:44 < krzee> hahah
07:44 < ecrist> hell, my wife would watch me fuck her.
07:44 < gfather1> www.endian.com/ and www.untangle.com
07:44 < ecrist> she's told me so.
07:45 < gfather1> which one of these would u recommend for mid size companies
07:45 < krzee> gfather1, i dont know of either previous to you asking
07:45 < gfather1> loool . these are security servers that uses openbravo for vpn
07:45 < krzee> and ild just set that stuff up myself
07:46 < krzee> instead of taking some pre-packaged setup
07:46 < gfather1> i know , but the hell place i live in , they want brand names to buy stuff
07:46 < gfather1> so im thinking of one of those
07:46 < krzee> theyd be buying the krzee brand
07:47 < gfather1> like to give firewall and vpn service
07:47 < ecrist> gfather1: run FreeBSD with pf/openvpn on Dell hardware.
07:47 < krzee> haha how are either of those 2 open source apps brand names?
07:47 < gfather1> i know , thats what i do mostly
07:47 < krzee> all they are is packages of opensource programs
07:47 < gfather1> but people doesnt get that convinced , because they are stupid
07:47 < krzee> basically same thing im saying only you dont get to set it up your way
07:48 < krzee> well if you cant sell them on you knowing what you're doing how you gunna sell them on a bundle of opensource apps?
07:48 < gfather1> i know :( , i swear i know that it can be done in linux with a 30 minutes of configuration
07:48 < krzee> ild also do what ecrist said
07:48 < ecrist> well, I haven't used either - I won't use either any time soon, so my professional opinion is FreeBSD + PF + OpenVPN
07:48 < krzee> fbsd, pf, spamassassin for filtering spam/virii
07:49 < krzee> openvpn for the vpns
07:49 < krzee> etc
07:49 < krzee> basically, i dont do those bundle setups
07:49 < gfather1> and ipcop
07:49 < ecrist> krzee: I haven't used it, but some associates of mine have, go Postini (google) for spam filtering
07:49 < krzee> and the people i see use those seem to be the people with the most questions
07:49 < ecrist> and, as we told nicu, go Cisco for VPN if you have a high number of users.
07:50 < krzee> well ecrist, he might not get paid for going cisco
07:50 < krzee> sounds like his job with them is to bust the vpn for cheaper
07:50 < gfather1> nothing beat cisco in high performance , :)
07:51 < krzee> Google has acquired Postini, a global leader in on-demand communications security and compliance solutions.
07:51 < krzee> "With the addition of Postini, our apps can streamline the complex information security mandates within organizations," Eric Schmidt, CEO of Google.
07:51 < krzee> thats all i needed to hear, im sure postini is a good app, lol
07:51 < krzee> google doesnt do stuff that sucks, so im sure its great
07:52 < nicu> ecrist, krzee yes thank you. I'll also check the cisco option. The project is really at an early stage so all opinions are open
07:52 < nicu> *all options are open
07:52 < krzee> ahh
07:52 < krzee> then ya, less work to go cisco
07:53 < nicu> ok
07:53 < krzee> in the long run its worth it
07:53 < krzee> just costs more up front
07:54 < nicu> yeah
07:54 -!- T_X [i=linus@gateway/tor/x-79a723f2f20ac4c9] has joined ##openvpn
07:55 < T_X> hi there! I have three questions according to openvpn :)
07:55 < krzee> fire away
07:55 < T_X> number on 1: I've sent an ip-pool in the server so matching one ip to every client-key. is it possible to spoof an ip-address?
07:56 < T_X> *set
07:56 < krzee> routed, or bridged?
07:56 < krzee> routed = no, bridged = yes
07:56 < T_X> tap, that's bridged, right?
07:56 < krzee> thats bridged except on windows its both
07:57 < krzee> is it windows?
07:57 < T_X> it's mixed. linux and windows
07:57 < krzee> do you use server or server-bridge in your server config?
07:57 < T_X> the server is linux and some clients are as well
07:58 -!- gfather [n=gg@79.173.221.224] has joined ##openvpn
07:58 < gfather> im back
07:58 < gfather> :)
07:59 < gfather> one point i didnt mention , is like nobody knows how to use linux in my region , so to give them a bundled solution
07:59 < gfather> is the best option for me , as its easy configured , and i dont have to get a call from them every 5 minutes because they dont know how to use linux
07:59 < krzee> none of my clients knew how to use bsd, or fix networks
08:00 < krzee> thats why they hired me
08:00 < krzee> and once you configure the server they shouldnt need to change things
08:00 < ecrist> gfather: encourage them to learn. the bundled solutions will just have a not-as-configurable web front end.
08:00 < gfather> yes but hired u as an employee , right ?
08:00 < krzee> hell no
08:00 < krzee> as a $100/hr tech
08:00 < ecrist> sounds to me like you're sold on those bundled options, anyway.
08:00 < gfather> man they can barely use windows, even the it guys they have dont know how to use windows
08:00 < krzee> even if they wanted to change things, they damn well shouldnt be changing them... thats how idiots break stuff
08:00 < ecrist> pft, $125/hour, 1.5x for emerg service. ;)
08:01 < ecrist> sounds to me like you're sold on those bundled options, anyway.
08:01 < krzee> ecrist, ya i coulda made more in retrospect
08:01 < krzee> totally
08:01 < gfather> people are shitty here , and dont pay by the hours like usa/cana or europe
08:02 < krzee> T_X, you still here...?
08:03 < gfather> and mostly , they are not good speaking english too :)
08:03 < ecrist> gfather: nature of doing business. do what's most profitable for you.
08:03 < T_X> krzee, grr, yeah, my server is down at the moment, but I think it was just 'server'
08:03 < krzee> if its just server you prolly want to use tun
08:04 < krzee> (on the non windows machines)
08:04 < gfather> well the most is what u suggested , dell or hp , with linux and some stuff installed in it
08:04 < krzee> otherwise you're using a routed setup over an ethernet encapsulation
08:04 < T_X> are there any disadvantages in switching to tun? I think I only read something ages ago, that linux computers use an ip-range of four addresses or something like that?
08:04 < krzee> which is just pointless i believe
08:04 < gfather> but im having the non-understanding issue from them , so i wanted to know which ull prefer most
08:04 < krzee> no, there are disadvantages to sticking to bridging
08:04 < krzee> !/30
08:04 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
08:05 < krzee> see #2
08:06 < T_X> ah, ok, thx, I'll have a look at that
08:06 < krzee> np
08:06 < T_X> I'm really curious about that thing :D
08:06 < krzee> !bridge
08:06 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
08:06 < krzee> see #3 there
08:06 < krzee> !more
08:06 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
08:06 < krzee> and #4
08:07 < krzee> T_X, you had 2 more questions, right?
08:08 -!- gfather1 [n=gg@79.173.221.224] has quit [Read error: 110 (Connection timed out)]
08:10 < T_X> yes, hehe. Is it very complicated to set up an authorisation scheme with smart-cards and how expensive is it?
08:10 < ecrist> it's free, if you have the hardware.
08:10 < T_X> what's the average price per client?
08:10 < krzee> depends what smartcards you buy
08:10 < krzee> basically, thats up to you
08:11 < T_X> no, I haven't got the hardware, that's what I wanted to know. well, it's for private use, so, doesn't need to be too professional, just a little more secure
08:11 < krzee> look into the openvpn security model
08:11 < krzee> you might find you feel secure without smartcards
08:11 < krzee> !security
08:11 < vpnHelper> krzee: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
08:11 < ecrist> T_X: if it's for private use, I think hardware authentication tokens are more expensive than the benefit they provide.
08:11 < krzee> #2
08:11 < krzee> i agree
08:12 < krzee> i mean hell, my setup is super paranoid and i see no need for HW
08:12 < krzee> 4096 TLS hmac sigs, 4096 RSA certs, 256 blowfish for data channel, 4096 DH keyx
08:12 < T_X> are smartcards a good solution, if I think that some clients might not take enough care about their own keys on their harddisk? (I once had someone, who had his key in the smb-share readable for everyone)
08:12 < ecrist> theoretically, you could have an encrypted USB drive which stored your VPN certificates, which are password protected, and you'd get about the same benefit for the cost of an 8 MB flash drive
08:12 < krzee> server cert signed as a server
08:14 < krzee> T_X, sounds like the same moron would leave their smartcard laying out
08:14 < T_X> so these smart-card readers with integrated pin-number verification do not really add that much more security for private use?
08:14 < T_X> hmm, maybe I'll think about a flashdrive
08:14 < krzee> with the PW taped to it
08:15 < ecrist> T_X: for the benefit you're looking to gain, you'd need biometric tokens, which get very pricey, very quick.
08:15 < ecrist> I can look into an RSI hand geometry scanner for you, if you'd like. ;)
08:16 < krzee> security is basically broken down into 3 things; something you know (password), something you have (certs, hardware tokens, whatever), something you are (biometric)
08:16 < krzee> for good security, use 2
08:16 < T_X> well, if you got some promo ones for free and don't need them, feel free to send me that stuff ;)
08:16 < krzee> T_X, same goes for you, free to send us that stuff
08:17 < ecrist> T_X: those scanners start at around $1200.
08:17 < T_X> hmm, maybe I hire a person instead, that checks the fingerprints manually :D
08:17 * krzee prototypes the genital biometric scanner
08:17 < ecrist> a place that uses them, for example, is Wells Fargo's data centers
08:18 < ecrist> krzee: as long as it soft and wet, I'm game. ;)
08:18 < T_X> what genital biometric scanner???
08:18 < T_X> ah, no, the one before I guess
08:18 < krzee> lol
08:18 < T_X> :)
08:18 < ecrist> deposit required?
08:19 < krzee> of course, thats how it knows
08:19 < krzee> dna based
08:19 < krzee> lol, that would actually work
08:20 < T_X> well, as long as you don't have to do the authorisation procuder too often...
08:20 < T_X> *procedure
08:20 < kala> authentication in the public places might be problematic
08:21 < krzee> ok, question #3?
08:21 < krzee> lol kala
08:21 < T_X> no, that increases the trust in the verification
08:21 < T_X> ok, number 3: can I use gpg/pgp-keys instead of the client-server-certificates?
08:22 < krzee> not that i know of, why would you feel the need to?
08:22 < krzee> you can choose the encryption for the certs...
08:22 < T_X> for example, I now want to add a certain person to the network and it would be nice, if as an administrator I just needed to add the ID of the key
08:23 < krzee> [09:16] security is basically broken down into 3 things; something you know (password), something you have (certs, hardware tokens, whatever), something you are (biometric)
08:23 < krzee> [09:16] for good security, use 2
08:23 < kala> T_X: if you implement some awesome hack with your own scripts, passing PGP signed and encrypted password to server and then server checking the signature
08:23 < krzee> you would be taking away the "something you have"
08:23 < T_X> otherwise I'll have to send him the certificates over gpg-mails first. but if my pc already knows, that it can trust this clients gpg-key
08:24 < kala> T_X: but with certificates, you have the same thing. You can decide, which certificates to allow to connect and which not. based on the certificate serial for example
08:24 < krzee> yup
08:24 < krzee> plus, if you use HMAC
08:24 < krzee> you need to get them the static key too
08:25 < T_X> that's why I was wondering if there already might be working and trusted solution inside of openvpn. so that openvpn would communicate via the gpg command as enigmail does for firefox for example
08:25 < krzee> no
08:25 < kala> probably not
08:25 < krzee> besides
08:25 < krzee> if you are looking to add HW auth
08:25 < krzee> then you obviously care about adding "something you have" auth
08:26 < krzee> so why would you then be looking to get rid of the already built in "something you have"
08:26 < T_X> ah, yeah, the person could make their own key and I would just have to check the fingerprint sent over gpg, right?
08:26 < krzee> they make their cert
08:26 < krzee> CSR
08:26 < kala> T_X: do you have machine readable and biometric information passports in your country? You could perhaps hack this authentication into OpenVPN
08:26 < krzee> you sign it
08:26 < krzee> you send it back to them signed
08:27 < krzee> they'll have their .key
08:27 < krzee> you'll give them the .crt
08:27 < krzee> after they give you the .csr
08:28 < krzee> from the howto:
08:28 < krzee> Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel?
08:28 < krzee>
08:28 < krzee> The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could
08:28 < krzee> have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated.
08:28 < nicu> cu, and thanks again
08:28 -!- nicu [n=nicu@office.adfinis.com] has left ##openvpn ["Verlassend"]
08:33 < T_X> eh, by the way, could you give me a link about what all these files are for exactly? so far I did most of the stuff just by following some howtos. I don't understand yet, why someone would need more than 2 keys (as in gpg i.e.)
08:33 < krzee> they only get 1 key
08:33 < krzee> its named .key
08:34 < krzee> 1sec
08:34 < krzee> !howto
08:34 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:34 < kala> client gets 1 private key, 1 client certificate and 1 CA certificate
08:34 < krzee> http://openvpn.net/howto#pki
08:34 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
08:35 < krzee> skip down to keyfiles
08:35 < krzee> you'll see the .key is the only secret file
08:35 < T_X> and another useful thing about gpg-keys would be, that I don't have to manage and don't have to take care of more and more keys. GPG, OTR, VPN...
08:35 < krzee> and NEVER does a key NEED to leave the machine it will be used on
08:36 < krzee> *shrug* if you're so bent on doing it your way you can script it
08:36 < krzee> but theres already an openvpn way
08:36 < krzee> !man
08:36 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
08:37 < krzee> --auth-user-pass-verify script method
08:37 < krzee> thats what you'll use to script it
08:37 < T_X> hmm, hmm, yeah, I'll probably stick to the normal way. I would probably hack too many bugs in such a script which makes it too insecure again :D
08:38 < T_X> I already had my three questions right? :D
08:38 < krzee> haha
08:38 < T_X> well, I'll just ask the next two spontaneous ones :)
08:39 < T_X> I read something about a redundant setup for openvpn. it's not officially implemented, is it? I need extra software, right?
08:39 < krzee> as in, connecting to a second server if first is down?
08:40 < krzee> (or randomizing the list even) 08:40 < T_X> no, with load balancing and stuff like that 08:40 < krzee> umm 08:40 < krzee> like true load balancing? 08:40 < krzee> or like poor mans round robin load balancing 08:40 < T_X> so too working ones at the same time, and clients form both servers should built up one network 08:41 < T_X> *from 08:41 < krzee> yes and no 08:41 < krzee> you can have 2 running 08:41 < T_X> or even more then two servers... 08:41 < krzee> give each a seperate network (can be same /24, you would just use a /25 for each) 08:41 < krzee> clients could talk to eachother still 08:41 < krzee> then youd just use 2 --remote statements 08:42 < krzee> and --remote random to randomize the remote statements 08:42 < T_X> and one server could somehow connect to the other? the servers wouldn't be in the same LAN 08:42 < krzee> --remote-random 08:42 < krzee> When multiple --remote address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure. 08:42 < krzee> sure but that kills the redundancy 08:42 < T_X> yeah, that would be suffiecient I guess 08:43 < krzee> then sure 08:43 < krzee> its just multiple --remote statements 08:43 < krzee> note, this can also be done using round robin DNS 08:43 < krzee> or a mix can be used 08:43 < kala> T_X: you could simultanously run two tunnels and then run some kind of routing protocol over these tunnels even :) 08:43 < krzee> read --remote and --remote-random in the manual 08:44 < krzee> routing protocol? 08:44 < T_X> I just thought about such a setup to make it redundant and decentral somehow. 
so that nobody complains, if my internet line here is broken (again) and stuff like that 08:44 < krzee> you just have the server specify the routes to the client when it connects 08:44 < krzee> no routing protocol needed 08:45 < krzee> it wouldnt be redundant, but it would be de-centralized 08:45 < krzee> if 1 lan went down, other would be up and clients would connect to it 08:45 < krzee> in which case you need to be sure each machine can handle everyone connecting to it 08:45 < kala> krzee: right, with OpenVPN you could do re-connect with about 30 seconds, I think no routing protocol works so quickly 08:46 < krzee> but sure, you could connect the sites 08:46 < krzee> 1 machine which ran a server would also run a client that connects to the other server 08:46 < krzee> and it would get an iroute with the other VPN lan 08:47 < krzee> and the server being connected to by other server would push the route to other server's network to all its clients 08:47 < krzee> in fact both would push each other's routes to their clients 08:47 < krzee> 1 being 10.8.0.x one being 10.9.0.x for example 08:48 < krzee> or 10.8.0.0/25 and 10.8.0.129/25 08:48 < krzee> depending on # of clients and what makes you happy 08:49 < krzee> t_x before attempting such a setup, be sure to read this: 08:49 < krzee> !route 08:49 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 08:50 < krzee> the example isnt the same as your setup, but you'll very much need to understand the ideas presented there 08:50 < T_X> ah, yeah, ok. so two different subnets and each server routing to the other server for the other subnet. maybe I got it :D. 
I didn't do so much with routing yet, but maybe I'll give it a try with something like that soon 08:51 < T_X> kk, thx 08:51 < krzee> each vpn gets internal vpn subnet 08:51 < krzee> then you handle everything with routing 08:51 < T_X> mkay 08:51 < krzee> everything gets pushed to clients so it doesnt matter which they connect to 08:52 < krzee> their configs dont get anything with routes or internal ips 08:52 < krzee> the servers push that all to them 08:52 < krzee> !push 08:52 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 08:52 < krzee> !ccd 08:52 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 08:53 < T_X> and then the really last question for today :D: I googled a bit about using OpenVPN+Tor one year ago or so. has anything changed in this point? I remember that I had to specify certain exit-nodes (which of course weakens the anonymity a lot) to make it work 08:53 < T_X> hidden vpn-servers would be kind of freaky :) 08:53 < krzee> no idea 08:56 < T_X> and hidden+redundant vpn-servers would make it veeery robust 08:56 < T_X> slow, but robust 08:57 < krzee> i miss what tor would add really 08:57 -!- ilreds [i=552b95f5@gateway/web/ajax/mibbit.com/x-1673670227f4bb8a] has quit ["http://www.mibbit.com ajax IRC Client"] 08:57 < krzee> with HMAC keys packets arent even processed when not signed by the TLS static key 08:58 < krzee> which in my case is 4096 bit TLS 09:05 < T_X> it would be very difficult to integrate a decentralized concept into openvpn, wouldn't it? 
09:05 < T_X> so that I could say, hey, I wanna be in the same network as alice and bob but not andrew 09:07 < krzee> !policy 09:07 < vpnHelper> krzee: "policy" is http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies 09:07 < krzee> thats just a matter of firewalling correctly 09:07 < krzee> !wiki 09:07 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 09:07 < T_X> no, but without needing a server for the authentication, the clients should do the authentication with each other 09:08 < krzee> !learn policy as http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 09:08 < vpnHelper> krzee: The operation succeeded. 09:08 < krzee> no 09:08 < krzee> that would brea security 09:08 < krzee> break 09:09 < krzee> --ns-cert-type client|server 09:09 < krzee> Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". 09:09 < krzee> This is a useful security option for clients, to ensure that the host they connect with is a designated server. 09:09 < krzee> See the easy-rsa/build-key-server script for an example of how to generate a certificate with the nsCertType field set to "server". 09:09 < krzee> If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server. 09:09 < krzee> This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify. 09:10 < T_X> would it? I could do it in a way gpg does or not? 
so let's say, I can only allow the communication with other clients that I signed before 09:11 < T_X> or only clients that have a 'sufficient' trust path, but maybe that's a bit too subjective 09:11 < krzee> again, if you want to attempt to hack it up have fun 09:11 -!- gfather1 [n=gg@79.173.205.57] has joined ##openvpn 09:14 < T_X> well, maybe I should wait a little more for that, just started studying at a university two weeks ago ;). I did some programming before, of course, but nothing specific with networking yet 09:14 < T_X> hehe 09:14 < krzee> its not going to be getting put into openvpn 09:14 < krzee> its not an accident that it doesnt exist 09:14 < krzee> it goes against how PKI works 09:15 < krzee> openvpn is not a decentralized vpn 09:15 < T_X> hmm, okay 09:15 < krzee> it is a centralized vpn solution 09:16 < krzee> which allows multiple servers to be used by a single client in round-robin style setup (optionally randomized) 09:16 < krzee> and each of those hosts could be further randomized with round robin DNS 09:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 09:19 < krzee> although i do have an idea of how it could be done 09:19 < krzee> im not sure how well it would work, but it seems do-able through a round-about method 09:20 -!- gfather [n=gg@79.173.221.224] has quit [Read error: 110 (Connection timed out)] 09:20 < krzee> if the server coordinated it over the existing control channel 09:21 < krzee> so the client only was willing to accept a connection from the other client at the time it was expected to receive one 09:21 < krzee> with keys negotiated over the control channel 09:21 < krzee> only if a certain config option existed 09:22 < krzee> NAT traversal could be done as well by instructing the first to make an outbound connection to the other, then the other to connect back via the port that was opened by the outbound connection 09:22 < krzee> but ya, as far as i know i came up with that, dont know how well it would work and doubt its being planned 09:23 < krzee> and definitely dont have the skill to code it myself 09:25 -!- gfather1 [n=gg@79.173.205.57] has quit [Read error: 54 (Connection reset by peer)] 09:27 < T_X> hehe, well thanks a lot for all the answers, got a visitor. I'll come again, if I come up with some new questions ;) 09:30 < ecrist> rawr 09:33 < krzee> cool, later 09:34 * krzee goes back to exercise 1-21 09:34 < ecrist> 1-21? 09:39 < krzee> Exercise 1-21. Write a program entab that replaces strings of blanks by the minimum 09:39 < krzee> number of tabs and blanks to achieve the same spacing. Use the same tab stops as for detab. 09:39 < krzee> When either a tab or a single blank would suffice to reach a tab stop, which should be given 09:39 < krzee> preference? 09:39 < krzee> so far its a PITA 09:39 < krzee> i got all spacing right, tabs in input are no longer a problem, just got 1 lil bug im workin on 09:43 < ecrist> what're you doing that for? 09:44 < krzee> Kernighan & Ritchie - The C Programming Language.pdf 09:47 < ecrist> ah, 09:48 < ecrist> was going to say, if that's just a stupid adminy thing, I can write something in perl for ya 09:48 < krzee> ahh thanx 09:48 < krzee> ya i just figured it was time to learn c 09:49 < ecrist> you have a real reason to do so? 09:49 < krzee> nope 09:50 < ecrist> I've staved off learning languages until I have a use for them. 
09:50 < krzee> so had i 09:50 < krzee> turns out i may never have one 09:50 < krzee> so im teaching myself c 09:50 < krzee> hehe 09:51 < krzee> if nothing else maybe ill start helping some OS projects someday 09:51 < krzee> i know i wouldnt mind contributing to projects like openvpn/freeswitch 09:51 < krzee> although anything like that would be a long way off 09:51 < ecrist> I'm ordering http://ecomm.dell.com/dellstore/basket_retrieve.aspx?c=us&cs=04&l=en&s=bsd&itemtype=CFG&cart_id=1006988238719&toEmail=ecrist@claimlynx.com today 09:52 < vpnHelper> Title: The Dell Online Store (at ecomm.dell.com) 09:55 < krzee> powervault looks dopeness 09:55 < krzee> at least the price makes it looks that way 09:55 < krzee> lol 09:55 < ecrist> 12x500GB SATA 09:56 < ecrist> going to run RAID 50 09:56 < krzee> erm 09:56 < krzee> damnnnn 09:56 < krzee> haha werd 09:56 < krzee> that would be 5+0 right? 09:56 < ecrist> we have a box now that runs 12x300GB in RAID 50 09:56 < krzee> like 2 5's mirrored? 09:56 < ecrist> yes 09:56 < krzee> werd 09:56 < ecrist> just under 5TB of usable storage 09:56 < krzee> thats sweet 09:56 < krzee> all i have is 1.3 usable 09:56 < ecrist> that's our backup box. we strictly run disk backups 09:57 < krzee> 4 50gb in a zfs raidz 09:57 < ecrist> our current systems has 2.6TB usable 09:57 < krzee> but then again im just a lil home user 09:57 < krzee> *pouts* 09:57 < ecrist> Filesystem Size Used Avail Capacity Mounted on 09:57 < ecrist> /dev/ufs/3warearray 2.6T 1.0T 1.4T 42% /d 09:59 < krzee> ild paste mine but power went off yesterday and i dont wanna boot the nfs back up til im gunna use it 09:59 < krzee> but basically 600gb free of 1.3 usab;e 09:59 < krzee> usable 09:59 < krzee> on zfs on 7-stable 09:59 < krzee> zfs is pretty impressive and still young 09:59 < krzee> well still opensource young 10:01 < ecrist> all on FreeBSD, too. 
;) 10:04 < krzee> =] 10:30 < plaerzen> my background is as a developer, and I was working at a dev shop when their admin quit and no one new admin/linux as well as me. so I became the admin. Now year and a half later... I have a totally different career. 10:30 < plaerzen> s/new/knew 10:31 < ecrist> plaerzen: how do you like the admin job? 10:35 < plaerzen> it pays more 10:35 < plaerzen> I actually left that other company and now I'm a dedicated system admin for a larger company. I'm liking it, doing some cool shit 10:39 < kala> admin pays more than developer? 10:39 < plaerzen> well, I am working for a richer company too 10:39 -!- asyd [n=asyd@88.191.25.81] has joined ##openvpn 10:39 < asyd> hello guys 10:40 < kala> plaerzen: ah 10:40 < asyd> I have a strange behavior in rc13 10:42 < kala> and? 10:42 < plaerzen> I have a strange behavior in my girlfriend 10:43 < asyd> in this line: 10:43 < asyd> string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_'); 10:43 < asyd> well, here the logs I have: 10:43 < asyd> Wed Oct 22 16:57:54 2008 us=417000 VERIFY OK: depth=1, /CN=ac_test 10:43 < asyd> Wed Oct 22 16:57:54 2008 us=417000 VERIFY ERROR: could not extract Common Name from 10:43 < asyd> X509 subject string ('') -- note that the Common Name length is limited to 64 10:43 < asyd> characters 10:44 < plaerzen> !pastebin 10:44 < vpnHelper> plaerzen: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:44 < asyd> yeap sorry I pasted before copying the pastebin url.. 10:44 < kala> asyd: you have certificate with empty common name? 10:44 < asyd> nop, that's the strange thing 10:45 < asyd> but the subjectDN's CN component has a . 10:46 < asyd> string_mod is used to replace all chars within X509_NAME_CHAR_CLASS except 0 by a _, right? 
10:47 -!- T_X [i=linus@gateway/tor/x-79a723f2f20ac4c9] has quit ["using sirc version 2.211+socks.pl+ssfe"] 10:47 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 10:48 < kala> have no idea 10:49 < asyd> the certificate has issuerdn "cn=ac_test" and subjectdn "cn=name.firstname" 10:49 < asyd> I'm surprised however that the subject displayed in the error message is empty 10:50 < asyd> (and by the way I didn't paste more than 5 lines ;p) 11:06 < plaerzen> yeah I know asyd, I just wanted to see if there was a !pastebin command 11:09 < krzee> !menu 11:09 < vpnHelper> krzee: "menu" is please use !factoids search * 11:09 < krzee> !factoids search * 11:09 < vpnHelper> krzee: 'krzee', 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls- (1 more message) 11:09 < krzee> !more 11:09 < vpnHelper> krzee: auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'fool', 'bridge-dhcp', 'win_noadmin', 'dousafavor', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'mitm', 'hmac', 'Dougy', and 'winipforward' 11:09 < krzee> !forget dougy 11:09 < vpnHelper> krzee: The operation succeeded. 11:12 < plaerzen> awe, I wanted to try that one 11:12 < plaerzen> !ubuntu 11:12 < vpnHelper> plaerzen: "ubuntu" is dont use network manager! 11:17 -!- ebil|work [n=andy@216.64.93.22] has joined ##openvpn 11:19 < ebil|work> hello again. 
I'm having issues getting my work laptop to connect to the openVPN at my house (work laptop is win32) I get this on the server: TLS: Initial packet from 216.x.x.x:4076, sid=ccbe247e 862xxx66 (yes, I'm paranoid) and then I get TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 11:20 < ebil|work> I know there's not a connectivity issue there... but if it's an error on the windows side, I'm at a loss 11:27 < krzee> whats verb set to on server? 11:27 < ebil|work> 1 sec. 3 probably 11:27 < ebil|work> (default) 11:27 < ebil|work> double checking now 11:27 < krzee> turn it up to 6 11:27 < krzee> then look at logs again 11:27 < krzee> should be more useful 11:28 -!- sohmestra [n=sohmestr@75.150.50.65] has left ##openvpn [] 11:29 < ebil|work> just a bunch of "P_CONTROL_HARD_RESET_SERVER_V2" being passed back and forward 11:29 < ecrist> foobeans 11:30 < krzee> theres likely something else 11:30 < krzee> !logs 11:30 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 11:30 < jeev> ecrist 11:30 < ecrist> jeev 11:30 < jeev> the prob is an e1705 dell laptop at my store, someone brought it in saying he spilled water 11:30 < krzee> jeev, ecrist 11:30 < jeev> a while back 11:30 < jeev> krzee. 11:30 < jeev> we took it apart, it had literally no thermal paste. 11:31 < jeev> but either way, it'll come up for a little bit and then the screen'll shut off 11:31 < jeev> everything else will turn off 11:31 < jeev> but the led stays up 11:31 < ecrist> prolly need a new main board 11:31 < jeev> now before we put thermal paste, we'd have to wait like 10-15 min before we could turn it off 11:31 < jeev> yea 11:31 < ecrist> water is teh debil 11:32 < krzee> there is no spoon 11:32 < ebil|work> I had a phone that fell in a bucket of water 3x in one night. 
worked just fine afterwards (don't ask the circumstances LOL I was being dumb and kept forgetting to take it out of my front shirt pocket while I was washing a car) 11:35 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:35 < ebil|work> on the windows (client) side I think this may be it? Wed Oct 22 12:35:02 2008 us=43736 UDPv4 READ [-1] from [undef]: DATA UNDEF len=-1 11:35 < ebil|work> but I'm pastebining it just the same 11:39 < ebil|work> krzee, ok, I pastebind it 11:40 < ebil|work> http://pastebin.com/dcd1e047 11:41 < ebil|work> The server side is interesting in that it mentions noodles (a different client that was not connecting at the time) 11:42 < krzee> Wed Oct 22 12:36:38 2008 us=621314 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 11:42 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 11:42 < krzee> you'll wanna fix that 11:42 < krzee> but its not your problem 11:42 < ebil|work> ok 11:43 < krzee> noodles is in ipp.txt 11:43 < krzee> thats no problem 11:43 < ebil|work> ok 11:43 < krzee> !configs 11:43 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 11:43 < ebil|work> k 11:48 < krzee> !configs 11:48 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 11:48 < krzee> oops 11:49 < ebil|work> ? 11:49 < ebil|work> oops? 11:51 < krzee> / 11:51 < krzee> .......................... 11:51 < krzee> /////////////////// 11:51 < krzee> bleh sorry 11:51 < ecrist> /kick krzee 11:52 < krzee> problem fixed 11:52 < ecrist> damn extraneous spaces 11:52 < krzee> hey you need ops to kick me! 
11:52 < ecrist> ##openvpn You need to be a channel operator to do that 11:52 < ecrist> damn 11:52 * ecrist goes and pouts 11:54 -!- mode/##openvpn [+o ecrist] by ChanServ 11:54 < krzee> there ya go 11:54 < krzee> heheh 11:54 < ebil|work> lol 11:54 < ebil|work> do you still need my config files? 11:54 -!- mode/##openvpn [-o ecrist] by ChanServ 11:54 < krzee> ebil|work, that depends 11:54 < krzee> do you still need help? 11:55 < ebil|work> http://pastebin.com/d2c2404d8 does that answer your question? 11:55 < ebil|work> ;) 11:55 < ebil|work> lol 11:55 < ebil|work> server is debian 4.0R0 client is winxp sp2 11:55 < ebil|work> with firewalling OFF on the tun adapter 11:56 < krzee> and no ccd entries? 11:56 < ebil|work> not for worktop 11:56 < ebil|work> just for noodles 11:56 < krzee> k 11:57 < ebil|work> noodles is an interesting beast (called such because its first incarnation at college didn't have a case, and lived in a ramen noodles box) 11:57 < ebil|work> it routes the last bits of my network at my parents' house, and my dad's network 11:58 < ebil|work> so linking it up to the VPN was interesting (actually a LOT easier than I expected) 11:58 < ebil|work> but noodles works fine. worktop doesn't 12:01 < krzee> try this on worktop 12:01 < krzee> netsh firewall reset 12:01 < krzee> netsh int ip reset resetlog.txt 12:02 < krzee> in commandline 12:02 < ebil|work> done 12:02 < krzee> then try to connect again 12:03 < ebil|work> nope :( I still get the line: READ [-1] from [undef]: DATA UNDEF len=-1 12:03 < ebil|work> which I think may be the problem 12:03 * jeev smacks krzee 12:04 < krzee> lower 12:04 < jeev> this sucks 12:04 < jeev> i use viatalk.net at home. 12:04 < ebil|work> krzee, but, my 'thinking' may have been what caused the problem in the first place so... :) 12:04 < jeev> for 30 months, poifect. 
12:04 < jeev> i also use it on my asterisk box 12:04 < jeev> but i *67 the calls because i can't set caller id 12:05 < jeev> now the office that uses 8000 min wants to enable caller id 12:05 < jeev> and i can't do that!!! 12:05 < krzee> you need another provider 12:05 < jeev> i have many 12:05 < jeev> but other providers charge $ 12:05 < krzee> some pass arbitrary CID 12:05 < jeev> this one is free 12:05 < krzee> ohhh 12:05 < krzee> lol 12:05 < jeev> get it 12:05 < krzee> free outbound?? 12:05 < jeev> the $150/month i'm saving 12:06 < jeev> i'm putting towards more servers 12:06 < jeev> dood, it's residential service like vonage. 12:06 < krzee> free OUTbound? 12:06 < krzee> oh ok 12:06 < jeev> lol 12:06 < jeev> www.viatalk.net 12:06 < krzee> not free, just a monthly charge 12:06 < krzee> gotchya 12:06 < jeev> well 12:06 < jeev> i paid 200/2year 12:07 < krzee> tell the company you can do it but you'll need to charge more because you're only able to give them the price they have now because you have a good deal with a provider that doesnt let you set CID 12:07 < jeev> they're like kind of close 12:07 < jeev> my gf's cousin's office 12:07 < krzee> or bite the bullet 12:07 < jeev> i got them from 900/month to 12:08 < jeev> i charge them $250/month 12:08 < jeev> for server bandwidth + min 12:08 < ebil|work> krzee, one message on the openvpn list suggests using tcp instead of UDP to fix the problem. 12:08 < jeev> but no more min charges unless if it's incoming, 300 month incoming 12:08 < jeev> heh 12:08 < jeev> 300 min incoming per month, a lot outgoing. 12:08 < krzee> besides you can do free incoming easy 12:08 < krzee> free 12:09 < krzee> any area code, just not toll-free 12:09 < jeev> yea, i dont feel like transferring 12:09 < krzee> ebil|work, try it 12:10 < krzee> tcp isnt a good longterm fix, but see if it works 12:10 < krzee> jeev, ahh, you already know how to bust free inbound for any area code? 
12:13 < krzee> ebil|work, is windows machine behind a nazi-work firewall? 12:13 < krzee> or a standard home router 12:13 < ebil|work> might be... though my vpn to my 'real' work is working 12:14 < krzee> could be the firewall 12:14 < krzee> try tcp 12:15 < ebil|work> helps when you add that -j ACCEPT to your iptables rules *grumbles* 12:15 < krzee> cause server is receiving packets and responding 12:15 < ebil|work> (trying tcp now) 12:15 < krzee> but client is just getting nada 12:15 < krzee> ohhh thought you said no firewall 12:15 < ebil|work> tcp works 12:15 < ebil|work> sorry 12:15 < ebil|work> I poked the hole in my HOME firewall for tcp 12:16 < ebil|work> but forgot to add -j ACCEPT (the hole for UDP was already there) 12:16 < ebil|work> I can ssh into the firewall at home, I just have to 'hop' to internal machines. I'm using openvpn to avoid that 12:16 < krzee> ok if tcp works it could be a problem with the firewall worktop is behind 12:16 < ebil|work> ok. I'll go kill them. err. taaaaalk to them... niiiiicely 12:16 < ebil|work> ;) 12:17 < krzee> but you must know tcp has its own limitations 12:17 < krzee> !tcp 12:17 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 12:17 < ebil|work> yeah I had read that. which is why I'm going to still attempt to get it working over UDP :) 12:17 < krzee> you could always run 2 instances 12:17 < krzee> 1 for tcp, 1 for udp 12:17 < ebil|work> true. 12:17 < krzee> tcp one on 443 btw, for even worse firewalls 12:18 < ebil|work> yeah 12:18 < ebil|work> nice 12:18 < ebil|work> well awesome. the vpn not only connects, it routes correctly too! 12:18 < ebil|work> thanks a bunch :) 12:18 < krzee> just make sure to use diff internal vpn networks for the 2 instances 12:19 < ebil|work> like 10.8 and 10.9? 
12:19 < krzee> sure 12:19 -!- ikevin [n=kevin@ANancy-256-1-147-219.w90-33.abo.wanadoo.fr] has joined ##openvpn 12:19 < krzee> or 10.8.0.0/25 and 10.8.0.129/25 12:19 < krzee> whatever floats your boat 12:19 < ebil|work> should I have my config files in a separate directory? I'm still running the server manually 12:20 < krzee> again, whatever works for you 12:20 < ebil|work> can 2 processes share the same ipp.txt file? (or whatever it was) 12:20 < krzee> they shouldnt 12:20 < krzee> but they can share same keyfiles 12:20 < krzee> and same ccd/ 12:20 < ebil|work> ok. cool 12:20 < ebil|work> thanks again. I think this might work out nicely :) 12:20 < krzee> you dont happen to be a C coder do you? 12:21 < krzee> np 12:21 < ebil|work> currently I'm doing java, I'm a little rusty in C but I can get around 12:21 < ebil|work> how come? 12:21 < krzee> im trying to debug something 12:21 < krzee> im teaching myself C 12:21 < ebil|work> ahh cool 12:21 < ebil|work> what are you trying to debug? 12:21 < krzee> exercise 1-21 12:22 < krzee> http://pastebin.com/d7d42cee8 12:25 < ebil|work> that has some... interesting results 12:26 < krzee> ya 12:28 < krzee> i know my if/else stuff would be better as a case, but as the book hasnt gone over case yet (i know it from shell scripting) im not using it 12:29 < ebil|work> Hmm 12:30 < ebil|work> without really thinking about it. I don't really like the modifying i from within the for loop... 12:30 < ebil|work> I think you may be writing past where you wanted to write... 12:31 < krzee> ok let me comment all those 12:31 < krzee> that breaks it pretty bad 12:32 < ebil|work> I'll definitely take a look at it tonight (unfortunately I'm also working on a project at work that ends at the end of this month. 
and the run I was doing just finished while I was switching openvpn to use TCP) lol 12:32 < krzee> oh wait, i think i should remove all but in the sp look 12:32 < krzee> loop 12:32 < krzee> hehehe 12:33 < krzee> gotchya 12:33 < krzee> gl with the project 12:33 < ebil|work> thanks 12:33 < krzee> my thing is just for fun, so no biggie 12:33 < krzee> thanx for looking at it tho 12:33 < ebil|work> hey, my openvpn is just for fun too ;) same 'no biggie' applies. but thanks a lot for your help. 12:34 < krzee> np 12:34 < ebil|work> my logic would be, have 2 different counters. 1 for the for loop, and 1 for your position in the line array 12:35 < ebil|work> so, the for loop should only deal with input coming in, and the other (say, 'j') would ONLY deal with your position in the line array. so every time you add a character (either a space, tab or other) just increment j. 12:35 < ebil|work> that way you can still use your other logic for the tab conversion using i 12:36 < krzee> i dont fully follow, which one would i change? 12:36 < ebil|work> so. you're using line[i] to 'insert' your new characters 12:36 < krzee> right 12:36 < ebil|work> but you're also using i to determine where in input you are 12:37 < krzee> ya, which i think gets all f'ed up when i add a tab 12:37 < ebil|work> but because you may be replacing up to 8 characters (spaces) with a single tabstop, your position in input and your position in line can't be dealt with by a single counter variable 12:37 < ebil|work> so, just add a new one. any time you add a character to line, do j++; (or ++j, the only difference is WHEN the increment occurs) 12:38 < ebil|work> j++; and ++j; are pretty much the same. ++j is incremented then evaluated, j++ is evaluated THEN incremented. 12:38 < ebil|work> (if I remember correctly) 12:39 < krzee> ya thats my understanding too 12:39 < krzee> so you saying to have a j for my REAL position? 
12:39 < krzee> like if i add a tab which takes up 4 spots, add 4 to j 12:40 < krzee> then use j for all evaluations based on location in the line 12:40 < krzee> i thought my setting of tabs var would take care of that for me 12:41 < krzee> ohhhh i see why its not 12:41 < krzee> after i add a tab that takes up 4 positions, im still evaluating it as if it was 1 12:42 < krzee> that idea popped in last night but i false-logic'ed myself out of it 12:42 < krzee> i think you're right 12:42 < krzee> thanx 12:45 -!- xattack [i=xattack@132.248.108.239] has quit [] 12:49 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 12:53 -!- Bagoor [n=Moeen@92.96.242.73] has joined ##openvpn 12:54 < Bagoor> I want to start a VPN server. Which one is better, TCP or UDP ? 12:58 < krzee> UDP 12:58 < krzee> for this reason: 12:58 < krzee> !tcp 12:58 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 12:59 * ecrist slaps krzee with a small-mouth bass. 12:59 < krzee> =[ 12:59 < krzee> what happened to the trout 13:00 < Bagoor> krzee, thanks 13:00 < ecrist> I ate the trout. 13:01 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 13:01 < reiffert> Hi. Anyone knows a "Christian Thiel"? 13:04 < ecrist> no 13:05 < krzee> !google "Christian Thiel" 13:05 < vpnHelper> krzee: http://www.linkedin.com/pub/1/658/317 - Christian Thiel - LinkedIn 13:06 < jeev> grr, i'm having a pf issue i think 13:06 < krzee> seems to live in the munich area, germany 13:07 < krzee> Christian Thiel, Almenrauschstr. 14b, D-86179 Augsburg, Germany 13:07 < reiffert> Well actually I'm searching for him related to openvpn. 
http://code.google.com/p/tunnelblick/updates/list 13:07 < vpnHelper> Title: tunnelblick - Google Code (at code.google.com) 13:09 < krzee> oh i see 13:09 -!- Bagoor [n=Moeen@92.96.242.73] has quit ["Leaving"] 13:13 -!- Pretto [n=pretto@ubuntu/member/pretto] has joined ##openvpn 13:13 < Pretto> hi guys... i am having the following error message Oct 22 15:08:58 localhost openvpn[6910]: borborema/10.69.70.212:2128 Authenticate/Decrypt packet error: cipher final failed 13:13 < Pretto> anybody could help me? 13:13 -!- xattack [i=invitado@132.248.108.239] has quit [Remote closed the connection] 13:14 < krzee> comment out cipher statements in your config files 13:16 < Pretto> krzee, i will try that.. thank you 13:18 < plaerzen> ahh, shawarma for lunch 13:19 -!- plaerzen is now known as egreppy 13:19 -!- egreppy is now known as plaerzen 13:21 < jeev> this is so weird, i got 2 asterisk servers, dual wan at the office, i can ping both wan from 1 of the servers but i can't ping one of the wan's from the other server 13:21 < jeev> and pf is matching and passing. 14:11 < ecrist> return route borked? 14:12 < reiffert> hmmm, shawarma! 14:21 -!- plaerzen [n=cam@vip2.tundraeng.com] has quit [Read error: 113 (No route to host)] 14:27 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn 14:29 < ecrist> is that like a shamwow http://www.youtube.com/watch?v=QwRISkyV_B8 14:30 < vpnHelper> Title: YouTube - ShamWow (Full Length) (at www.youtube.com) 14:31 < reiffert> http://en.wikipedia.org/wiki/Shawarma 14:31 < vpnHelper> Title: Shawarma - Wikipedia, the free encyclopedia (at en.wikipedia.org) 14:46 * ecrist goes home 15:01 < ebil|work> krzee, at risk of sounding stupid. how do you know so much about openvpn? 15:02 -!- GreenCult [n=greencul@200.48.85.21] has joined ##openvpn 15:20 < cpm> krzee is an extraterrestrial intelligence. 
15:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:32 < jeev> i dunno ecrist 15:32 -!- Pretto [n=pretto@ubuntu/member/pretto] has quit ["Saindo"] 15:38 -!- bandini [n=bandini@host143-106-dynamic.40-79-r.retail.telecomitalia.it] has joined ##openvpn 15:43 -!- bandini [n=bandini@host143-106-dynamic.40-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 16:16 -!- SplendiD [n=anon@nl104-207-11.student.uu.se] has joined ##openvpn 16:16 < SplendiD> !menu 16:16 < vpnHelper> SplendiD: "menu" is please use !factoids search * 16:18 < SplendiD> Hi everyone! I've been trying to configure OpenVPN on my router for a few days and can't get it to work 16:18 < SplendiD> On verbosity level 5 or 6 i get the following from the client 16:18 < SplendiD> "UDPv4 WRITE [14] to xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0" 16:18 < SplendiD> Anyone know what's wrong? 16:20 < SplendiD> Nothing shows up in the serverside logs... 16:20 < SplendiD> And i have set the firewall to accept connections on that udp port "iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT" 16:23 -!- ebil|work [n=andy@216.64.93.22] has quit [Read error: 110 (Connection timed out)] 16:40 < ecrist> jeev: what don't you know? 16:45 < jeev> ok. so, i got 3 systems, 2 at different datacenters, 1 at an office, the one at the office has dual wan, each wan link has a gre tunnel to each server. so 4 total gre tunnels on office, 2 gre tunnels to each wan on the datacenter systems. 16:45 < jeev> server A (datacenter) can ping wan A and wan B, gre or not. server B (datacenter 2) can ping wan A but not wan B, gre or not. 
16:45 < jeev> if the return route is borked or not
16:51 < ecrist> this isn't #gre_tunnel_trouble_shooting_for_people_who_dont_know_routing_and_want_the_easy_way_out_so_they_hope_ecrist_will_help_them_solve_all_their_problems
16:51 < ecrist> :P
16:53 -!- Irssi: ##openvpn: Total of 42 nicks [0 ops, 0 halfops, 0 voices, 42 normal]
16:53 * ecrist trims access list for ##openvpn
16:55 < jeev> damnit
16:55 * jeev starts smackin' people
16:55 * jeev phews
16:57 < ecrist> ChanServ(ChanServ@services.)- Flags -votiA were set on jeev in ##openvpn.
16:57 < ecrist> :P
16:58 < jeev> ;(
16:58 < jeev> liAR
16:58 < ecrist> nah, I removed a few people who I thought would stick around and didn't.
16:58 * ecrist eyes up SilenceGold
16:58 < jeev> ChanServ(ChanServ@services.)- kicking butt of ecrist in ##openvpn.
16:58 * jeev eyes EVERYONE up
16:58 < jeev> dood, read his nick
16:59 < jeev> silence is golden.
16:59 < ecrist> jeev, he's deaf.
16:59 < ecrist> o.O
16:59 < jeev> ah
17:01 < jeev> my gf's cousin made me
17:01 < jeev> a pumpkin thingy pie
17:01 < jeev> it's SO freaking good
17:01 < jeev> caramel crust
17:39 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
17:54 -!- pewsh [n=pjf@obey.org] has joined ##openvpn
17:55 < pewsh> Hi
17:55 < pewsh> I'm trying to compile 2.1_rc13 in openbsd 4.3
17:55 < pewsh> I've looked through some of the mailing list and have not found a work-a-round for:
17:55 < pewsh> tun.c: In function `open_tun':
17:55 < pewsh> tun.c:1628: error: `IFF_MULTICAST' undeclared (first use in this function
17:56 < pewsh> I don't think the tun device has a multicast flag in openbsd?
17:56 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:56 < pewsh> any suggestions would be appreciated
18:08 -!- pewsh [n=pjf@obey.org] has quit ["hi"]
18:17 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
18:20 -!- GreenCult [n=greencul@200.48.85.21] has quit ["Saliendo"]
18:23 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
18:52 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
18:52 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
18:52 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
18:57 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
19:01 < SilenceGold> I never saw a reason to use an op
19:04 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:04 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
19:05 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:10 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
19:11 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Connection reset by peer]
19:15 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
19:55 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:00 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
20:15 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:15 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
20:15 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
20:20 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
20:20 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
20:21 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
20:25 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
20:26 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:30 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
20:33 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:35 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
20:41 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
20:47 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
21:07 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
21:08 < Dryanta> dude
21:09 < Dryanta> fix ur fuckin host :P
21:09 < jeev> temporary ban ?
21:10 < Dryanta> id suggest one if i was +o on chanserv
21:10 < jeev> it's not frequent. hm
21:11 < jeev> tom leykus rules
21:12 < Dryanta> tom leykus?
21:12 < jeev> www.blowmeuptom.com
21:12 < Dryanta> you gotta check out foxy shazam
21:12 < jeev> stream for another 48 min. he's 3-7 PM PST live
21:12 < Dryanta> they are insane, like a punk version of mars volta hahah
21:12 < jeev> 7-8 rerun
21:12 < jeev> no, he's a guy
21:12 < jeev> talks about everything
21:12 < Dryanta> i caught that
21:12 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
21:12 < jeev> he's fat
21:12 < jeev> xattack, are you there?
21:12 < Dryanta> xattack: fix ur host
21:12 < Dryanta> srsly
21:14 < jeev> brb
21:18 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
21:19 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 113 (No route to host)]
21:21 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
21:23 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: jfkw
21:24 -!- Netsplit over, joins: jfkw
21:28 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: jfkw
21:29 -!- Netsplit over, joins: jfkw
21:38 < jeev> well
21:38 < jeev> he didn't die again
21:45 -!- glguy [n=eric@unaffiliated/glguy] has joined ##openvpn
21:49 < glguy> Is there any way to specify an OpenSSL engine for OpenVPN to use in the config file?
21:51 < jeev> config file ? wow
21:51 < jeev> dunno
21:51 < jeev> i'm sure you can build it with specific openssl engine......
21:52 < jeev> you have two diff on your system /
21:52 < glguy> no, you can specify with a flag
21:52 < glguy> I'm asking if that functionality is also in the config file
21:54 < jeev> i dont know, sorry
21:55 < glguy> After the first line I thought you were impressed that I was using a config file :)
21:55 < jeev> hahah
22:17 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn
23:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:10 -!- n3kl [n=n3kl@unaffiliated/n3kl] has quit [Read error: 110 (Connection timed out)]
23:34 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn
23:34 < ebil> krzee, hey, sorry I didn
23:35 < ebil> 't get a chance to take a look at that C stuff (hope you figured it out) my gf was sick tonight so I had to take care of that :\ I did manage to get the vpn working automatically, it's so much nicer not having to figure out the external IP of my parents network anymore :)
23:35 < krzee> hey
23:36 < krzee> im actually very close
23:36 < krzee> my problem was in a while, i was writing every space over the last cause i didnt increment where i was (the loop does it otherwise)
23:36 < ebil> cool. I'm headed to bed (12:30 here) because I have to take my gf to the doctors in the AM. she's been having dizzy spells :\
23:37 < ebil> Ahh, yes. forgetting to increment will cause problems...
23:37 < ebil> one nice thing about character arrays in C. they're all contiguous memory locations :) makes for some nasty hackery later
23:38 < ebil> I also called the IT guys at the rented office spaces I work in, they think they fixed the problem so I'll try the UDP version of the vpn again tomorrow at work
23:39 < krzee> ahh sweet
23:40 < krzee> but since you ran into that
23:40 < krzee> even when you get yourself fixed
23:40 < krzee> consider running the tcp one as well
23:40 < ebil> they both run by default (and use two different ipp files too)
23:40 < ebil> and they're on different vpn subnets
23:40 < krzee> you never know where you'll be
23:40 < ebil> so, it should be good :)
23:40 < krzee> nice
23:40 < ebil> exactly
23:41 < krzee> sounds like you're good to go
23:41 < krzee> nice app, isnt it
23:41 < ebil> yeah, this was a breeze to set up. I've been avoiding setting up a VPN for years (literally) because I could never convince myself to delve into ipsec
23:41 < ebil> it is a nice app. so, my question from before. how do you know so much about it?
23:41 < krzee> and this is so much more secure and configurable than ipsec
23:41 < ebil> (I apologize if you're one of the developers LOL)
23:41 < krzee> haha no
23:42 < ebil> I didn't think so with you learning C
23:42 < ebil> but you never know
23:42 < krzee> as you know im learning c
23:42 < krzee> haha ya
23:42 < ebil> see, I'm a comp-sci guy (working on my masters) with a hobby in IT
23:42 < krzee> i started off using it cause a client wanted to link his offices
23:42 < ebil> (I run my own networks and no one else's thank you very much! (lol))
23:42 < kala> ebil: btw, would you be interested about automatic failover from UDP transport to TCP transport?
23:43 < krzee> so his legal guy could access the loan files from his office
23:43 < krzee> then i had to do some complex setups
23:43 < krzee> so i got an understanding of it
23:43 < ebil> krzee, so you're in IT then?
23:43 < krzee> then i decided to help others cause it took awhile to gain that understanding
23:43 < krzee> and helping others has taught me a lot as well
23:43 < krzee> i was
23:43 < ebil> kala, that would be interesting to look at...
23:43 < krzee> i did networks, hosting, and voip
23:44 < krzee> was 1/2 owner of a voip co that used ilecs to get access charges
23:44 < ebil> krzee, I figured the voip stuff. I caught the asterisk talk and whatnot
23:44 < kala> ebil: it seems its not possible at the moment, but it should be rather simple patch. :)
23:44 < krzee> ya
23:44 < krzee> we used asterisk
23:44 < krzee> when freeswitch was being born
23:44 < ebil> I used to be friends with mark spencer
23:44 < ebil> (kinda haven't talked with him in ages)
23:44 < krzee> i knew how good it would be, and am so excited to see it growing up
23:44 < krzee> asterisk was pretty bad
23:45 < krzee> when you run lots of calls
23:45 < krzee> and interconnect with real CLECs
23:45 < ebil> I am VERY interested in voip stuff too (mainly because I don't have a land line)
23:45 < krzee> would crash and whatnot, couldnt handle many calls
23:45 < krzee> we had to run xen to run multiple asterisk setups as if it was more computers
23:45 < ebil> yeah, I never got around to messing with it, hardware was expensive
23:45 < ebil> ok. cool
23:45 < krzee> so asterisk could handle more calls
23:45 < krzee> it was bad
23:46 < ebil> yeah. sounds like my current problem with java...
23:46 < krzee> so now im learning freeswitch too
23:46 < ebil> the heap keeps running out... let's see... I KNOW! MAKE IT BIGGER!
23:46 < krzee> cause it can keep up with enterprise equip, and is still somewhat young
23:46 < ebil> (that solution only works for so long...)
23:46 < krzee> hahahah
23:46 < krzee> ya
23:46 < ebil> forced scalability isn't REAL scalability
23:47 < ebil> but that's cool. so I'll have to look into freeswitch as well.
23:47 < krzee> ive heard of a freeswitch box taking out a metaswitch box because of the CPS
23:47 < krzee> (calls per second)
23:47 < ebil> nice
23:47 < krzee> metaswitch starts at 250K
23:47 < ebil> wow
23:47 < krzee> serious LEC equip
23:47 < ebil> I used to work for sprint (contractor for openwave) but we dealt with the wireless web side of things :)
23:48 < krzee> hehe
23:48 < krzee> right on
23:48 < ebil> interesting stuff... only lasted 6 months. then they cut 25% of the employees and the stock dropped from $11 to where it is now: ~$0.85
23:48 < ebil> I'm doing pretty well now, at least I enjoy where I am
23:49 < ebil> anyhow. I gotta get to bed. like I said, I appreciate the help, and I'll have to hang around in here and offer what help I can to anyone else who's new.
23:49 * ebil goes to bed.
23:50 < krzee> right on man
23:51 < krzee> have a gnite
23:57 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
23:57 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."]
--- Day changed Thu Oct 23 2008
00:06 < PeterFA> How do I make a bridge that terminates onto a server with only one Interface?
00:06 < PeterFA> Like what does that look like?
00:06 < PeterFA> What tap interfaces?
00:07 < PeterFA> Do I make a fake interface?
00:08 < krzee> im not so familiar with bridges
00:08 < krzee> !bridge
00:08 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
00:09 < krzee> basically you install openvpn, install the interface, bridge them using OS's method, run openvpn in bridge mode
00:09 < krzee> !more
00:09 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
00:09 < krzee> but if you dont need a bridge for a specific reason, use routed setup
00:11 < krzee> [00:42] ebil: btw, would you be interested about automatic failover from UDP transport to TCP transport?
00:11 < krzee> kala, i would be interested in that too
00:33 -!- SplendiD [n=anon@nl104-207-11.student.uu.se] has quit []
00:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:08 -!- SplendiD [n=anon@nl104-207-11.student.uu.se] has joined ##openvpn
02:09 -!- SplendiD [n=anon@nl104-207-11.student.uu.se] has quit [Client Quit]
02:10 -!- glguy [n=eric@unaffiliated/glguy] has left ##openvpn []
02:41 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Operation timed out]
04:37 < kala> krzee: well, thats very nice. Someone has to program a patch then or make a compelling request to OpenVPN developers
04:38 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit ["leaving"]
04:38 < krzee> lol
04:38 < krzee> i thought he was saying he had a script for it
04:48 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:51 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
05:36 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
06:44 -!- strongfrakk[away [i=strongfr@catv54031064.pool.t-online.hu] has joined ##openvpn
06:44 < strongfrakk[away> hi
06:45 < strongfrakk[away> i have installed a openvpn between my computer and the webserver which is in a remote server room
06:46 < strongfrakk[away> the ping is working between them, but i cant access the server side directories by openvpn
06:48 < strongfrakk[away> how can i test where is the problem ?
07:19 -!- strongfrakk[away [i=strongfr@catv54031064.pool.t-online.hu] has left ##openvpn []
08:07 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:40 -!- AukeF [n=auke@x231.flex.surfnet.nl] has quit [Remote closed the connection]
08:53 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn
08:56 < ecrist> ok, so who's the frenchy asshole that was eating all my bandwidth last night?
08:58 < ecrist> meh, no mind, I'll just block you at my firewall mr I'm gonna crawl ecrist's entire website.
09:20 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
09:22 * cpm crawls up ecrist's bandwidth
09:25 < ecrist> :P
09:33 < ecrist> while it's not much, that dude racked up 140MB by himself.
09:33 < ecrist> wtf?
09:33 -!- asyd [n=asyd@88.191.25.81] has left ##openvpn []
09:33 < ecrist> which is more than my web server typically uses in an entire month
09:39 -!- plaerzen [n=cam@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
10:15 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn
10:38 -!- plaerzen [n=cam@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
10:40 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn
11:05 -!- fpletz [n=fpletz@moinmoin/student/franz] has joined ##openvpn
11:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:49 -!- SplendiD [n=anon@nl104-207-11.student.uu.se] has joined ##openvpn
11:52 < SplendiD> does anybody know what the error code "P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0" means?
11:52 < ecrist> nope
11:53 < SplendiD> i got this really annoying problem when trying to connect to my home computer from work
11:54 < SplendiD> strange thing is that i got SSH working w/o any trouble
11:55 < SplendiD> been trying for two weeks trying lots of stuff and still cant get it to work
11:57 < SplendiD> I made a long post on the forum, this thing is really getting quite annoying :P
11:58 < SplendiD> If someone could help I'd be really thankful
12:02 < krzee> !forum
12:02 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
12:04 < reiffert> SplendiD: try the mailing list
12:04 < reiffert> SplendiD: and give it a search
12:05 < SplendiD> I tried searching a lot on google, and a few mailing list entries came up, but nothing informative
12:05 < SplendiD> Is there a special mailing list, and in that case where can I find it?
12:06 < reiffert> the results I got were all about the TLS handshake has failed?
12:06 < reiffert> SplendiD: there is openvpn-users on openvpn.net
12:06 < krzee> umm dude
12:06 < krzee> your config SplendiD
12:06 < krzee> are you trying to bridge or setup routed?
12:06 < SplendiD> bridge
12:06 < krzee> you're using tap with server
12:06 < SplendiD> tap
12:06 < krzee> you want server-bridge
12:06 < krzee> !bridge
12:06 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
12:07 < krzee> !more
12:07 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
12:07 < reiffert> SplendiD: https://lists.sourceforge.net/lists/listinfo/openvpn-users
12:07 < vpnHelper> Title: Openvpn-users Info Page (at lists.sourceforge.net)
12:07 < krzee> reiffert, aka !mail
12:07 < krzee> ;]
12:07 < reiffert> krzee: sorry?
12:07 < krzee> !mail
12:07 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978
12:08 < krzee> for future laziness if you like
12:08 < reiffert> !google
12:08 < vpnHelper> reiffert: (google [--{language,restrict} ] [--{notsafe,similar}]) -- Searches google.com for the given string. As many results as can fit are included. --language accepts a language abbreviation; --restrict restricts the results to certain classes of things; --similar tells Google not to filter similar results. --notsafe allows possibly work-unsafe results.
12:08 < reiffert> !google openvpn-users
12:08 < vpnHelper> reiffert: http://openvpn.net/archive/openvpn-users/2006-09/msg00031.html - Re: [Openvpn-users] how to do NAT on Windows XP?
12:08 < SplendiD> krzee: so i want server-bridge instead of tap or? I dont understand
12:08 < reiffert> !google openvpn-users list subscription
12:08 < vpnHelper> reiffert: http://lists.sourceforge.net/mailman/listinfo/openvpn-users - Openvpn-users Info Page
12:08 < reiffert> ah!
12:08 < krzee> SplendiD, read the manual for server and server-bridge
12:08 < SplendiD> ok
12:08 < krzee> !man
12:08 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
12:09 < reiffert> vpnHelper: !ah is ah!
12:09 < vpnHelper> reiffert: Error: "!ah" is not a valid command.
12:09 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
12:09 < krzee> haha
12:09 < reiffert> vpnHelper: !help
12:09 < krzee> !learn ah as ah!
12:09 < vpnHelper> reiffert: Error: "!help" is not a valid command.
12:09 < vpnHelper> krzee: The operation succeeded.
12:09 < krzee> !ah
12:09 < vpnHelper> krzee: "ah" is ah!
12:09 < krzee> !forget ah
12:09 < vpnHelper> krzee: The operation succeeded.
12:11 < reiffert> !learn help as My owner did not give me a help command
12:11 < vpnHelper> reiffert: The operation succeeded.
12:11 < SplendiD> so should i always use --server-bridge when using tap?
12:11 < reiffert> SplendiD: yes. tun = routed, tap = bridged
12:11 < krzee> !menu
12:11 < vpnHelper> krzee: "menu" is please use !factoids search *
12:11 < SplendiD> I haven't found that in the sample configs others are using...
12:11 < krzee> !factoids search *
12:11 < vpnHelper> krzee: 'krzee', 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls- (1 more message)
12:12 < krzee> !more
12:12 < vpnHelper> krzee: auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'fool', 'bridge-dhcp', 'win_noadmin', 'dousafavor', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'mitm', 'hmac', 'winipforward', and 'help'
12:12 < reiffert> !nice
12:12 < vpnHelper> reiffert: Error: "nice" is not a valid command.
12:12 < ecrist> damn, krzee, you're noisy
12:12 < reiffert> SplendiD: do you know that page: http://openvpn.net/index.php/documentation/howto.html
12:12 < vpnHelper> Title: HOWTO (at openvpn.net)
12:12 < krzee> ecrist, reiffert is learning the bot
12:13 < SplendiD> reiffert: yeah i printed it and read it
12:13 < reiffert> !kraut
12:13 < vpnHelper> reiffert: "kraut" is moin
12:13 < reiffert> :)
12:14 < krzee> hhaha wheres he been anyways
12:14 < krzee> i miss his 3am "moin"
12:14 < reiffert> Well I think he's on #fritzbox on ircnet
12:14 < krzee> lol i didnt know you knew him
12:16 < SplendiD> krzee: so i just have to add "ifconfig-pool 192.168.1.50 192.168.1.55 255.255.255.0" and "push "route-gateway 192.168.1.1" to my config?
12:17 < krzee> no
12:17 < reiffert> SplendiD: depends on what you wanna do. routed or bridged networking?
12:17 < krzee> did you really read --server-bridge in the manul?
12:17 < SplendiD> bridged
12:17 < krzee> manual
12:17 < reiffert> SplendiD: allright, then have a look in the howto, at paragraph
12:17 < SplendiD> yeah it says that it expands to that in the config.. + what i already got
12:17 < reiffert> http://openvpn.net/index.php/documentation/howto.html#vpntype
12:17 < vpnHelper> Title: HOWTO (at openvpn.net)
12:18 < reiffert> and especially http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
12:18 < krzee> --server-bridge gateway netmask pool-start-IP pool-end-IP
12:18 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
12:18 < krzee> A helper directive similar to --server which is designed to simplify the configuration of OpenVPN's server mode in ethernet bridging configurations.
12:18 < SplendiD> Yeah i tried that for two weeks .. i think i did it all by the book, but im stuck
12:19 < krzee> first of all, why do you want a bridge?
12:19 < SplendiD> So i add that into the config or when the server is started?
12:19 < reiffert> ok, let me show you a client and server.conf right after my lunch.
12:19 < SplendiD> I dont really need it bridged i guess..
12:20 < krzee> then why add the overhead...?
12:20 < krzee> !sample
12:20 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
12:20 < krzee> theres an example routed config
12:20 < SplendiD> I just want it to work.. atm im using SSH to my router and remote desktop through the SSH channel, but VPN seems cooler
12:20 < krzee> shit my UPS is beeping fast
12:20 < krzee> ill bbl
12:20 < krzee> !bridge
12:20 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
12:20 < krzee> see #2
12:20 < krzee> err wait
12:20 < krzee> see #3 i mean
12:21 < SplendiD> ok :)
12:22 < SplendiD> Ill try your config tomorrow
12:22 < SplendiD> Do i need a tls-auth key?
12:22 < SplendiD> Or is it optional?
12:22 < krzee> optional but stops MITM attacks
12:23 < krzee> adds an HMAC sig to every packet
12:23 < krzee> err wait, doesnt stop MITM, thats the nscerttype command in client
12:23 < SplendiD> Ok so i can try to get it working and then add the tls-auth key then
12:23 < krzee> tls-auth adds an HMAC sig to every packet
12:23 < krzee> totally
12:23 < krzee> HMAC sigs will stop DOS attacks from hurting as much cause packets dont get processed if they dont have the HMAC sig
12:24 < krzee> good for security too
12:24 < SplendiD> Ok, will add it later, but right now i'd really just like it to start working.. atm im getting nowhere
12:24 < krzee> !hmac
12:24 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the (1 more message)
12:24 < krzee> !more
12:24 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
12:25 < SplendiD> I use tomato 1.21 with an ovpn addon, so it would be really cool to get this tunnel working
12:25 < SplendiD> tomato firmware for linksys wrt54gl router that is
12:25 < krzee> i dont know anything bout that, but ive seen a few of those gui's work against people's learning
12:25 < krzee> oh ok
12:25 < krzee> !linksys
12:25 < vpnHelper> krzee: Error: "linksys" is not a valid command.
12:25 < krzee> !router
12:25 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
12:26 < krzee> thats not the case now
12:26 < krzee> but if you run into problems with the routing config be sure to do that
12:26 < SplendiD> Will do
12:27 < SplendiD> Too bad i cant try this at home.. i get it working locally, and have to wait til i get to work to try it remotely
12:28 < SplendiD> But i guess that means that my rsa keys are alright at least
12:28 < reiffert> http://snap.reifferscheid.org/client.ovpn
12:28 < krzee> reiffert, turns out routing is better for him
12:29 < krzee> he falls into !bridge #3
12:29 < reiffert> no, bridged is much cooler.
12:29 < krzee> (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better.
12:29 < krzee> reiffert, how so? add an extra layer of traffic for no reason
12:29 < reiffert> but all the multicast and broadcasts are lost.
12:29 < SplendiD> reiffert: That looks exactly like my config
12:29 < reiffert> SplendiD: hang on.
12:30 < SplendiD> If you have a minute, read this https://ovpnforum.com/showthread.php?t=13
12:31 < SplendiD> I will try if the tun works tomorrow and see
12:32 < reiffert> http://snap.reifferscheid.org/server.conf
12:32 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
12:32 < SplendiD> Btw, do you know what the "P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0" error means?
12:33 < reiffert> SplendiD: bridged networking will work much better with windows networking and os x and firewalls dont think you are an attacker to the network.
12:33 < reiffert> SplendiD: my google search turned out: tls handshake failed is an error right before the P_CONTROL_HARD_RESET
12:34 < SplendiD> so the problem is actually with the tls handshake..
12:34 -!- ebil|work [n=andy@216.64.93.22] has joined ##openvpn
12:35 < SplendiD> but could the tls handshake fail because i didnt have the server-bridge in my server config?
12:35 < reiffert> SplendiD: just follow the howto that I was mentioning twice. It's a step by step "make it work"
12:35 < SplendiD> ok
12:35 < reiffert> !howto
12:35 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
12:36 < reiffert> an excellent howto. It's one of my favourite howtos all over the net.
12:36 < reiffert> "it just works"
12:37 < reiffert> Another one is the advanced bash scripting guide ...
12:38 < SplendiD> Well it wasn't that easy for me.. I have read it over and over and been on a long thread on linksysinfo.net before i came here for help..
12:39 < SplendiD> But then again i am a noob to openvpn :P
12:39 < reiffert> I can remember my openvpn beginnings quite well. It wasnt working out of the box 2 weeks.
12:39 < reiffert> But then suddenly I was discovering the openvpn howto.
12:40 < SplendiD> I have gone through it step by step several times now.. but can't figure out where im going wrong
12:41 < SplendiD> but i will try krzee:s config tomorrow and see if i get lucky
12:41 < SplendiD> Thanks for the help :)
12:41 < reiffert> bridged networking requires that you actually bridge the networks.
12:42 < reiffert> that gets done by shell scripts.
12:42 < reiffert> but it's all in the howto.
12:42 < SplendiD> they are bridged i can see that the tap21 is at least
12:43 < reiffert> unix?
12:43 < SplendiD> yeah.. its linux on a linksys router
12:43 < reiffert> brctl show
12:44 < SplendiD> tomato 1.21 firmware
12:46 < SplendiD> hmm br0 8000.001ee5467644
12:46 < SplendiD> what does that mean?
12:47 < reiffert> that the tap device is missing.
12:47 < SplendiD> crap..
12:47 < SplendiD> ok.. ill go back to reading the manual
12:47 < SplendiD> thanks again!
12:48 -!- SplendiD [n=anon@nl104-207-11.student.uu.se] has left ##openvpn []
12:52 -!- xattack [i=invitado@132.248.108.239] has quit [Remote closed the connection]
12:59 < ebil|work> reiffert, yeah, that is an awesome howto
13:11 < ecrist> now, if there were a howto on his mom...
13:19 < reiffert> !mom
13:19 < vpnHelper> reiffert: Error: "mom" is not a valid command.
13:23 -!- iulius [n=iulius@mail1.technologieshq.com] has joined ##openvpn
13:23 < ecrist> !learn mom as reiffert's mom needs a howto
13:23 < vpnHelper> ecrist: The operation succeeded.
13:27 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
13:32 < Dryanta> win 12
13:44 < SgtPepperKSU> Hi, I'm trying to create a bridged site-to-site VPN, but am having trouble on the client side
13:44 < SgtPepperKSU> As long as I don't bridge the tap interface on the client side I can reach the server side and all bridged devices
13:45 < SgtPepperKSU> but, as soon as I bridge the client side, I cannot reach anything on the server side
13:45 < SgtPepperKSU> I have found lots of how-to documents that go into the server side configuration, but none on bridging the client side
13:45 < SgtPepperKSU> is there anything in particular I need to do to get it to work?
13:52 -!- iulius [n=iulius@mail1.technologieshq.com] has quit ["Leaving"]
13:53 -!- bandini [n=bandini@host143-106-dynamic.40-79-r.retail.telecomitalia.it] has joined ##openvpn
14:03 < ecrist> SgtPepperKSU: what are you trying to bridge on the client side?
14:04 < SgtPepperKSU> I'm trying to bridge the TAP interface to the LAN-side ethernet devices (the client is a router)
14:06 < SgtPepperKSU> The point is to bridge the LANs on each end together
14:09 < SgtPepperKSU> I am using the server-bridge directive on the server side
14:12 < ebil|work> wow, I'm impressed...
14:12 < ebil|work> I'm actually able to stream MP3's across a samba share over the vpn (UDP) to my work laptop in real-time. no lag or distortion! I'm happy/sold on openvpn now LOL
14:13 < reiffert> SgtPepperKSU: client side bridging:
14:13 < reiffert> stony: unix?
14:13 < reiffert> SgtPepperKSU: unix?
14:14 < SgtPepperKSU> linux
14:14 < reiffert> use an up script like this:
14:14 < reiffert> #!/bin/bash
14:14 < reiffert> device=$1
14:14 < reiffert> ip=$4
14:14 < reiffert> mask=$5
14:14 < reiffert> ifconfig $device 0.0.0.0 promisc up
14:14 < reiffert> brctl addif br0 $device
14:15 < reiffert> ifconfig br0 $ip netmask $mask up
14:15 < reiffert> and before starting openvpn do (once per system startup):
14:16 < reiffert> brctl addbr br0
14:16 < reiffert> brctl addif br0 eth0 (or whatever)
14:16 < reiffert> ifconfig eth0 0.0.0.0 promisc up
14:16 < reiffert> ifconfig br0 192.168.local.ip up
14:17 < reiffert> thats ut
14:17 < reiffert> it
14:27 < ebil|work> I did something like that once
14:27 < ebil|work> except I was bridging bluetooth dongles (PAN) over an ethernet device
14:27 < ebil|work> it was evil
14:27 < ebil|work> completely
14:27 < ebil|work> every time you plugged in a new bluetooth dongle, it added it to the ethernet bridge
14:30 < SgtPepperKSU> Do both LANs have to be on the same subnet for this to work?
14:31 < SgtPepperKSU> If I'm not mistaken, that up script will assign a server side ip address to the client's br0
14:31 < SgtPepperKSU> This will make it unreachable by the client side devices
14:32 < ecrist> SgtPepperKSU: yes. that's what bridging is
14:32 < ecrist> otherwise, it's routed
14:36 < SgtPepperKSU> at one point, I had a tap site-to-site between different subnets, bridging both sides. I had to manually add routes to do this, and was really just seeing if it could be done just in the openvpn config files. I guess not. Thanks
14:36 < ecrist> why the fuck would you want to do that? it can be done by simply creating a routed vpn.
14:37 < ecrist> that's really all you're doing.
14:38 < SgtPepperKSU> Doesn't a routed (tun) VPN have limitations with non IP traffic (windows share browsing)?
14:38 < ecrist> no limitations your conflustered example would have.
14:38 < SgtPepperKSU> Or is it the routes that add that limitation, and I've combined the worst of both worlds?
14:38 < ecrist> routing is the limitation
14:39 < SgtPepperKSU> okay, so if the subnets are different - use TUN. If they're the same - use TAP. Is that a pretty fair assessment?
14:39 < ecrist> sure
14:42 < SgtPepperKSU> Thanks. That's a distinction I hadn't seen. Makes sense, though.
14:43 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
15:03 -!- ebil|work [n=andy@216.64.93.22] has quit ["Leaving"]
15:29 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
15:51 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
16:30 -!- exes [n=exes@mercury.exes.org] has joined ##openvpn
16:30 < exes> I'm looking for an appliance that will let me connect to it via openvpn using a routed tunnel... I've been looking online with little luck, any thoughts?
16:42 -!- squirrelpimp [n=squirrel@HSI-KBW-091-089-006-049.hsi2.kabelbw.de] has quit [Remote closed the connection]
16:43 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
16:43 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:48 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
16:51 -!- fpletz [n=fpletz@moinmoin/student/franz] has quit [Read error: 104 (Connection reset by peer)]
16:52 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:53 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:05 -!- thomas [i=tm@tm.muc.de] has quit [Connection reset by peer]
17:05 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:05 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:05 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:10 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:14 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has quit ["Leaving"]
17:15 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:18 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:46 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
18:26 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
18:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
19:56 -!- timlarson [n=timlarso@user-12l37rb.cable.mindspring.com] has quit ["Leaving"]
21:03 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:38 -!- near [n=near@83-155-185-170.rev.libertysurf.net] has joined ##openvpn
21:46 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
22:35 < ecrist> exes: there's a ton of them out there.
22:36 < ecrist> tomato and dd-wrt have support for such a thing, iirc
23:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
--- Day changed Fri Oct 24 2008
00:03 < PeterFA> With an ordinary router, the router has both interfaces. When I use OpenVPN routing, is it true that one interface is on one computer, the other is on the other, and the two sandwich a P-t-P connection?
00:06 < PeterFA> I finally got a concept of the bridge down, and now I'm working on the routing.
00:10 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
00:52 -!- bandini [n=bandini@host143-106-dynamic.40-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:06 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
01:42 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
03:22 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:27 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit ["Ik ga weg"]
03:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:58 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
04:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 113 (No route to host)]
05:10 -!- jriachi [n=chatzill@157.88.130.187] has joined ##openvpn
05:10 < jriachi> hello
05:11 < jriachi> I am using OpenVPN in windows XP, is there a way to sniff the packets i send and receive (seeing them un-encrypted)?
05:14 < kala> yep. sniff on the TAP interface
05:18 -!- AukeF [n=auke@x154.flex.surfnet.nl] has quit [Remote closed the connection]
05:19 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn
05:19 < jriachi> ok, thanks
05:52 -!- SilenceGold [n=chris@71.143.178.16] has quit [Read error: 110 (Connection timed out)]
05:55 -!- fpletz [n=fpletz@moinmoin/student/franz] has joined ##openvpn
06:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
06:24 -!- SilenceGold [n=chris@70.232.67.16] has joined ##openvpn
07:01 -!- jriachi [n=chatzill@157.88.130.187] has quit [Read error: 104 (Connection reset by peer)]
07:09 < ecrist> good morning, bitches
07:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
08:09 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:58 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has joined ##openvpn
09:01 < scfe> Hi guys, just a short question: Is the 'route' option implemented for windows? In 2.1 RC13?
09:02 < scfe> e.g. I do 'route-nopull; route 10.231.0.0 255.255.0.0 vpn_gateway' and I get " Options error: option 'route' cannot be used in this context"
09:02 < scfe> with Linux everything works.
09:03 < scfe> so is this just because Windows is crap/no one liked to implement it? Or is it just me? (again)
09:06 < ecrist> hrm
09:07 < ecrist> I don't know
09:27 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has left ##openvpn ["Leaving."]
09:27 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has joined ##openvpn
09:27 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has left ##openvpn ["Leaving."]
09:28 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has joined ##openvpn
09:28 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has left ##openvpn ["Leaving."]
09:28 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has joined ##openvpn
09:28 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has left ##openvpn ["Leaving."]
09:28 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has joined ##openvpn
09:44 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has left ##openvpn ["Leaving."]
09:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:23 -!- AukeF [n=auke@x154.flex.surfnet.nl] has quit [Remote closed the connection]
10:30 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has joined ##openvpn
10:30 -!- scfe [n=scfe@f053000197.adsl.alicedsl.de] has left ##openvpn ["Leaving."]
11:04 * ecrist considers blacklisting yahoo on his mail server
12:03 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
12:09 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
12:18 -!- xattack [i=invitado@132.248.108.239] has quit [Remote closed the connection]
12:24 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
13:04 < ecrist> really quiet in here today.
13:16 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
13:17 < jeev> :>
13:17 * jeev considers blacklisting ecrist from life
13:24 < ecrist> lol
13:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:46 < krzee> good morning
13:46 < ecrist> eat a dick
13:47 < krzee> no thanx
13:47 < ecrist> weren't expecting *that* when you logged on to IRC, were you.
13:47 < krzee> haha not really
13:47 < krzee> but it IS irc
13:47 < krzee> so it didnt catch me off guard either
13:49 < ecrist> oh, wait
13:49 < ecrist> 13:46 -!- krzee i=nobody@unaffiliated/krzee
13:49 < ecrist> 13:46 -!- ircname : krzee king
13:49 < ecrist> 13:46 -!- channels : ##openvpn #eat-a-dick #up-the-butt #from-behind
13:49 < ecrist> 13:46 -!- server : irc.freenode.net [http://freenode.net/
13:49 < vpnHelper> Title: About the Network (at freenode.net)
13:49 < krzee> what what
13:50 < krzee> in the butt
13:50 < jeev> aha
13:50 < jeev> did you see that thing
13:50 < jeev> the girl gets in trouble for seeing someone from myspace
13:50 < jeev> the brother keeps saying
13:50 < jeev> in the butt
13:50 < krzee> did he say what what in the butt?
13:51 < jeev> in the butt
13:51 < krzee> nah nvr saw that
13:52 < krzee> did you see the south park butters song?
13:52 < jeev> no
13:52 < krzee> http://www.youtube.com/watch?v=CgRXAyBHZm8
13:52 < vpnHelper> Title: YouTube - Butters - " What What ( In the Butt ) " SouthPark (at www.youtube.com)
13:54 < jeev> too lazy lol
13:54 < jeev> i'm rdp'd in
13:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
15:01 -!- kervan [n=chatzill@unaffiliated/kervan] has joined ##openvpn
15:04 < kervan> Hi. I want to sell internet over VPN. If a user paid for this month he can connect to the vpn server. If he didn't pay for this month he can't connect to the vpn server. do you know a script that can do this for me and works with openvpn?
15:47 -!- kervan [n=chatzill@unaffiliated/kervan] has quit ["ChatZilla 0.9.83 [Firefox 3.0.2/2008091618]"]
15:47 < kala> young entrepreneurs
15:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:14 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
16:54 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit ["You call it ADD, I call it multitasking"]
17:02 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
17:19 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit ["Leaving"]
17:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
17:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:35 < krzee> that guy who asked about blocking people based on payment still here?
17:35 < krzee> should be very easy to do using a CRL
17:35 < jeev> dood
17:35 < jeev> i'm getting really annoyed
17:36 < krzee> oh ya?
17:36 < jeev> do you know my situation
17:36 < jeev> http://x.jeev.net/diag.jpg
17:36 < jeev> okay?
17:36 < krzee> i do not
17:36 < jeev> check it out
17:37 < krzee> that drawing hurts my eyes
17:37 < jeev> lol
17:37 < jeev> so
17:38 < jeev> when i switch route to cable modem
17:38 < jeev> defaultroute
17:38 < jeev> the dsl - jupiter route dies
17:38 < jeev> and i can't find out why
17:38 < jeev> if dsl == defaultroute; all 4 routes work
17:38 < jeev> if cable == defaultroute; 3/4 routes work
17:39 < krzee> the machines connecting dont even know about the cable/dsl routes right?
17:39 < krzee> they just route to LAN router who knows about both
17:39 < krzee> (right?)
17:41 < krzee> that drawing would be so much better if there were 2 vertical lines and an X
17:41 < jeev> lol
17:41 < jeev> what machines connecting
17:42 < krzee> i take it you're using openvpn to connect 2 machines to your lan with redundant routes...
17:42 < jeev> no openvpn
17:42 < krzee> oh
17:42 < jeev> i can't afford the latency issues
17:42 < krzee> what are you doing?
17:42 < jeev> this is just a rant
17:42 < jeev> it's just a gre tunnel
17:42 < jeev> asterisk
17:42 < jeev> ;D
17:42 < krzee> ahh
17:42 < jeev> the issue is
17:42 < jeev> why is this happening
17:42 < krzee> im tellin ya, you gotta play with freeswitch when you get bored
17:43 < krzee> its the ++
17:43 < jeev> no
17:43 < jeev> it's not asterisk's fault
17:43 < jeev> and i did try freeswitch
17:43 < krzee> i know
17:43 < jeev> i dont want to change!!!
17:43 < jeev> help me fix this route
17:43 < jeev> i'll give you a cookie
17:44 < krzee> http cookie?
17:44 < jeev> dcc cookie
17:44 < krzee> mmm cookie
17:44 < krzee> galleta
17:44 < jeev> what do you think the prob is
17:44 < jeev> i think it's the network.
17:45 < krzee> [18:39] the machines connecting dont even know about the cable/dsl routes right?
17:45 < krzee> [18:39] they just route to LAN router who knows about both
17:45 < krzee> [18:39] (right?)
17:45 < krzee> in this case im talking bout the machine on the LAN running the gre tunnels
17:45 < krzee> its not the router, right?
17:45 < jeev> it's a freebsd router.
17:45 < krzee> try doing it from behind the router
17:46 < krzee> that way it just routes through the router and lets the router decide what to do
17:46 < krzee> then if one goes down it just re-establishes using the other route
17:46 < krzee> (that work for you?)
17:47 < jeev> WHAT
17:47 < jeev> look d00d
17:47 < jeev> default, dsl = defaultroute
17:47 < jeev> but i manually change it to cable
17:47 < jeev> and it pmses
17:47 < jeev> what do you want me to do
17:50 < krzee> im just trying to understand your real goal and its purpose
17:50 < jeev> ok
17:50 < jeev> real goal is
17:50 < jeev> i'd like to switch default gateway to cable modem
17:50 < jeev> without changing interfaces
17:50 < jeev> a) set up failover if dsl goes down, cable takes place
17:51 < jeev> and vice versa
17:51 < krzee> right
17:51 < jeev> but if
17:51 < jeev> cable modem is down
17:51 < jeev> or whatever is down
17:51 < krzee> and you know existing connections will die
17:51 < jeev> that's fine
17:51 < krzee> and need to re-establish
17:51 < jeev> as long as it hops back on
17:51 < krzee> ok so...
17:51 < krzee> leave your router as is
17:51 < krzee> do not make the tunnels on the router
17:52 < krzee> use a machine behind the router to make the tunnels
17:52 < jeev> ohhhhhh my god
17:52 < krzee> and when the tunnel goes down, it should re-establish itself
17:52 < jeev> i think that's too much
17:52 < jeev> but
17:52 < jeev> the POINT here is that
17:52 < krzee> it makes so much more sense
17:52 < jeev> ultimately, whatever is allowed on pf
17:52 < jeev> comes through, except for this ONE server
17:52 < jeev> maybe it's cause this one server doesn't have a direct route or something.. someone said earlier to me in msg
17:53 < krzee> how could it have a direct route, youd hafta give it one through your gateway
17:53 < krzee> and gateway is changing
17:53 < krzee> whereas my way the default route for GRE tunneling machine would never change
17:54 < krzee> only the one on router would
17:54 < krzee> making it way easy
17:54 < jeev> i dont remember what he said
17:54 < jeev> something about bgp
17:54 < krzee> ahh
17:54 < krzee> ya i dunno much bout routing protocols
17:54 < jeev> 6 lax1_cr1_gig_10_117.dslextreme.com (66.51.198.181) 9.599 ms 10.084 ms 9.731 ms
17:54 < jeev> 7 lax1_rback21_eth2_0.dslextreme.com (66.51.203.13) 9.849 ms 10.209 ms 9.856 ms
17:54 < jeev> 8 * * *
17:54 < krzee> never had situations where i could use them
17:54 < jeev> when default gateway is cable
17:54 < jeev> i can't reach my dsl from that one server (and it is allowed in pf)
17:55 < jeev> 8 g7-0.gsr.cr1.lax1.extremetele.com (63.209.70.134) 1.511 ms 1.518 ms 1.355 ms
17:55 < jeev> 9 66.51.203.13 (66.51.203.13) 1.514 ms 1.674 ms 1.513 ms
17:55 < jeev> 10 netblock-68
17:55 < jeev> same thing.. but goes through.
17:55 < jeev> but pflog shows both as pass.
17:56 < krzee> extreme seems to be a popular name for isps where you are
17:57 < jeev> lol
17:57 < jeev> like what
17:57 < jeev> i dunno why it says extremetel
17:57 < jeev> i never knew they had that
18:00 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: jfkw, krzee, fpletz
18:00 -!- Netsplit over, joins: krzee, fpletz, jfkw
18:03 -!- fpletz [n=fpletz@moinmoin/student/franz] has quit [Read error: 101 (Network is unreachable)]
18:06 < krzee> weeeee
18:07 < jeev> wack
18:23 -!- Burn [n=burn@alpha343.server4you.de] has quit [Read error: 104 (Connection reset by peer)]
21:22 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)]
21:38 -!- near [n=near@83-155-185-170.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)]
21:38 -!- near [n=near@88-122-27-128.rev.libertysurf.net] has joined ##openvpn
22:03 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: RexMundi
22:04 -!- Netsplit over, joins: RexMundi
22:04 -!- jeev_ [n=email@unaffiliated/jeev] has joined ##openvpn
22:04 < jeev_> hey
22:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
22:22 -!- jeev [n=email@unaffiliated/jeev] has quit [Connection timed out]
22:30 < PeterFA> Well, getting OpenVPN to work was a lot of learning, but now I'm glad and it's so simple in the end.
22:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:32 < krzee> hey jeev
22:32 < krzee> let me see your routing tables?
22:33 < krzee> when everything works, and when it doesnt
22:50 -!- jeev_ is now known as jeev
22:50 < jeev> hey
23:39 < PeterFA> How do I destroy tun1 or tap0?
--- Day changed Sat Oct 25 2008
00:34 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: jfkw
00:34 -!- Netsplit over, joins: jfkw
02:00 < reiffert> --rmtun
02:29 < paruchuri> hi krzee
02:35 < krzee> paruchuri, hey
02:38 < paruchuri> i think you remembered me
02:38 < paruchuri> thanks for that
02:43 < krzee> hehe np
02:43 < krzee> wassup man
02:46 < paruchuri> just a moment
02:46 < paruchuri> i will be back in 2 min
02:55 < paruchuri> normally what are the required in clients system
02:55 < paruchuri> client crt, client key and openvpn config file right?
02:55 < paruchuri> in windows
03:08 < krzee> os doesnt matter
03:08 < paruchuri> these are enough right?
03:08 < krzee> !factoids search *
03:08 < vpnHelper> krzee: 'krzee', 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls- (2 more messages)
03:08 < krzee> !more
03:08 < vpnHelper> krzee: auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'fool', 'bridge-dhcp', 'win_noadmin', 'dousafavor', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'mitm', 'hmac', 'winipforward', 'help', and (1 more message)
03:09 < krzee> !keys
03:09 < vpnHelper> krzee: "keys" is http://openvpn.net/howto#pki
03:09 < paruchuri> ok
03:12 < paruchuri> the error is like this: unrecognized option or missing parameter(s) in client1.ovpn:16 client1 (2.1_rc9)
03:12 < krzee> and line 16 is...?
03:13 < paruchuri> client1
03:13 < krzee> line 16 just says client1?
03:13 < paruchuri> yes
03:13 < krzee> that seems correct to you?
03:14 < paruchuri> this is the 1 client
03:14 < krzee> !sample
03:14 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
03:14 < krzee> post yours
03:14 < krzee> im gunna go drive this girl home
03:14 < paruchuri> i created 5 clients in server named client1,2,3,4,5
03:14 < krzee> then ill take a look
03:15 < paruchuri> ok
03:15 < krzee> !configs
03:15 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
03:16 < paruchuri> i got that
03:17 < paruchuri> we have to give client instead of client1
03:17 < paruchuri> i can connect
03:17 < paruchuri> sorry for confusion
03:38 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
04:06 -!- plaerzen [n=cam@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
04:07 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
04:08 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
04:09 < krzee> cool, glad ya got it working
04:12 < paruchuri> SIGUSR1(softtls-error)received,process restarting
04:13 < paruchuri> i open port 1194 udp port in my router
04:15 < krzee> theres likely more to that error, turn up both verb's to 6
04:15 < krzee> and check you have a keepalive statement in the client
04:36 -!- Huza [n=cristian@78.96.46.99] has joined ##openvpn
04:47 < paruchuri> thanks i will be back in 5 min
04:47 < paruchuri> i am checking the connectivity
04:47 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
04:49 -!- paruchuri [i=paruchur@220.226.19.3] has joined ##openvpn
04:57 < paruchuri> hi krzee can you check this http://pastebin.com/d10f7be
04:57 < paruchuri> i am getting this error
04:57 < paruchuri> if you have any idea about this error let me know
05:27 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: jfkw
05:28 -!- Netsplit over, joins: jfkw
06:08 < ecrist> paruchuri: I would follow the directions in the error message:
06:08 < ecrist> Sat Oct 25 15:02:11 2008 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter
06:44 < paruchuri> ok thanks for your suggestion
06:48 < paruchuri> hi ecrist
06:49 < paruchuri> i am using a network in server side
06:49 < paruchuri> so i am able to ping server local ip but not rest ips
06:50 < paruchuri> so how can i add route or where i have to add route
06:54 < paruchuri> and how to add virtual ethernet adaptor in linux
07:23 -!- paruchuri [i=paruchur@220.226.19.3] has quit [Read error: 113 (No route to host)]
07:35 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:36 < paruchuri> i am using a network in server side
07:36 < paruchuri> so i am able to ping server local ip but not rest ips
07:36 < paruchuri> so how can i add route or where i have to add route
07:36 < paruchuri> and how to add virtual ethernet adaptor in linux
07:37 < paruchuri> is there any one help me in this problem
07:42 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:45 < Huza> Hello everyone, I need some help with the following.
07:45 < Huza> My friend lives in a hostel, where his internet connection is limited.
07:46 < Huza> He only has access to http (80) ftp(21) and https(443).
07:46 < Huza> I have already installed openvpn on my machine, and I would like to create a tunnel for him on port 443.
07:46 < Huza> Can you help me?
08:10 < SilenceGold> no but you can help yourself by reading the documentations
08:16 < Huza> Tried that before, wasn't any good :(
08:16 < Huza> Even if I set the port in the config file to 443 it won't work, I have no idea why.
08:19 < kala> what happens?
08:19 < Huza> I have no idea :(
08:19 < kala> try to get some. look at the log files
08:20 < kala> what exactly happens. "won't work" will not help us as well, we don't know why it doesnt work
08:20 < Huza> Locally works ( I used a notebook to connect to my pc, but if I try to connect from the outside it fails :()
08:20 < Huza> I even reinstalled the OS, reinstalled openvpn...
08:20 < Huza> :(
08:21 < kala> "outside" means what?
08:23 < Huza> Outside my LAN.
08:23 < Huza> I will try again... and I hope I won't die trying!
08:29 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
08:57 -!- Huza [n=cristian@78.96.46.99] has quit ["Ex-Chat"]
10:12 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
10:31 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: vpnHelper
10:32 -!- Netsplit over, joins: vpnHelper
10:37 -!- near [n=near@88-122-27-128.rev.libertysurf.net] has quit [Remote closed the connection]
11:10 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:44 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: vpnHelper
11:45 -!- Netsplit over, joins: vpnHelper
11:55 -!- paruchuri [n=kalyan@123.176.41.152] has joined ##openvpn
11:56 < paruchuri> hi all i am getting this error debug: OpenvpnManagementHandler: Connecting to the OpenVPN manage port (2222).
11:56 < paruchuri> please help me
11:58 < paruchuri> hi krzee
11:58 < paruchuri> do you have any idea about this
12:00 < paruchuri> http://pastebin.com/d37c9c87
12:00 < paruchuri> this is the output what i got from client side
12:01 < paruchuri> any one can help me in this
12:41 < kala> you are running kde as root. this is bad
12:58 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn
12:59 < Dougy> hey
13:08 -!- dmhardison [n=derek@pool-96-240-162-194.ronkva.east.verizon.net] has joined ##openvpn
13:10 < dmhardison> Using routing is it possible to push a domain that lies behind the openvpn server?
13:10 < dmhardison> I would like when our domain is used that the hosts be resolved via the openvpn, but I don't want to redirect all my traffic through the openvpn server.
13:15 < dmhardison> I suppose I figured it out.
13:24 < paruchuri> where is the actual problem
13:25 < dmhardison> Well, I was trying to keep traffic to a minimum... And I didn't know if pushing another dns server would actually cause the client machine to make dns requests for sites like google.com through the openvpn server--which i don't want.
13:37 -!- dmhardison [n=derek@pool-96-240-162-194.ronkva.east.verizon.net] has quit ["Goodbye"]
13:39 < Dougy> ecrist: ping
13:39 < Dougy> krzee: ping
13:40 < Dougy> when you guys get here, read:
13:40 < Dougy> <+cubision> Updated | 12:20 p.m. Who was the highest paid individual in Senator John McCain's presidential campaign during the first half of October as it headed down the homestretch?
13:40 < Dougy> <+cubision> Not Randy Scheunemann, Mr. McCain's chief foreign policy adviser; not Nicolle Wallace, his senior communications staffer. It was Amy Strozzi, Gov. Sarah Palin's traveling makeup artist, according to a new filing with the Federal Election Commission on Thursday night.
13:40 < Dougy> <+cubision> paid almost $23,000 for 2 weeks of work
13:40 < Dougy> <+cubision> and her hair stylist got $10,000 for those 2 weeks :)
13:43 < krzee> ?
13:45 < krzee> paruchuri, the last error message is pretty clear
13:45 < krzee> it cant read the file it says it cant read
13:46 < krzee> check its not empty, check file permissions
13:46 < krzee> Dougy, i know about that stuff already, they spent around 150k on that stuff for her, and i just dont care
13:46 < krzee> let them spend all of the $ on her
13:51 -!- paruchuri [n=kalyan@123.176.41.152] has quit [Read error: 113 (No route to host)]
13:54 -!- bsdbandit [n=bwell@wsip-70-169-130-78.hr.hr.cox.net] has joined ##openvpn
13:54 < bsdbandit> im running openbsd vpn server and trying to connect using a windows xp client and the connection keeps timing out
13:55 < bsdbandit> im not sure what else to check
13:55 < bsdbandit> can someone help me out on this one
13:55 < bsdbandit> ?
13:55 < krzee> firewall
13:55 < bsdbandit> on win xp
13:55 < bsdbandit> ive tried disabling the firewall
13:55 < bsdbandit> but nothing is happening
13:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:58 < krzee> openbsd firewall
13:58 < krzee> windows xp client at home or behind a work firewall?
13:59 < bsdbandit> well im testing the win xp client from an outside wireless network
13:59 < bsdbandit> my openvpn server is running on my openbsd firewall
14:00 < krzee> ok
14:01 < krzee> openbsd firewall is blocking
14:01 < krzee> gotta go, bbl
14:01 < krzee> but ya, thats where the problem is assuming your configs make sense
14:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:01 < krzee> (ie connecting to right ip on right port, etc)
14:35 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 104 (Connection reset by peer)]
14:51 < bsdbandit> i keep getting the tls error handshake failed check network connectivity
14:52 < bsdbandit> ive checked my pf configuration
14:52 < bsdbandit> and im still having the same issue
14:55 < bsdbandit> any ideas on this one
14:55 < bsdbandit> ?
15:10 < Dougy> nope
15:19 < krzie> !configs
15:19 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
15:21 < Dougy> sup krzie
15:22 < krzie> werd
15:26 < Dougy> lol
15:30 < krzie> !factoids search bsd
15:30 < vpnHelper> krzie: 'bsdnat' and 'freebsd'
15:30 < krzie> hrmz
15:30 < Dougy> !factoids search forum
15:30 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
15:30 < Dougy> !forum
15:30 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
15:30 < Dougy> oh
15:30 < Dougy> win
15:31 < Dougy> krzie: 21 members
15:31 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
15:32 -!- bsdbandit [n=bwell@wsip-70-169-130-78.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
15:34 -!- Carop [n=koa@93.1.82.236] has joined ##openvpn
15:34 < Carop> hello
15:36 < Carop> I'm trying to set up openvpn between two computers. Right now I can only access one computer but nevertheless there is already something I do not understand. I have two config files, server.conf and client.conf. When I run "openvpn client.conf" (without having run openvpn on server.conf -- I am not running openvpn twice) it sets up a tun interface and doesn't complain that it cannot connect to the server. Shouldn't it complain? it seems it doesn't even try
15:36 < Carop> to connect.
15:37 < Carop> I have adapted one of the standard configuration files. in particular my client.conf contains the lines "tls-client" and "remote somehostname".
15:37 < krzie> !configs
15:37 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
15:37 < Carop> ok
15:39 < Carop> http://pastebin.com/d19e10e63
15:42 < Carop> I guess I am missing something?
15:43 < krzie> ya, the server config 15:43 < krzie> haha 15:43 < Dougy> lmao 15:43 < krzie> !man 15:43 < Dougy> i need a beer 15:43 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 15:43 < Dougy> or three 15:44 * krzie checks dougy's ID 15:44 < Carop> well, the server is not running at all. so the server config doesn't matter. what I don't understand is that the client does not seem to even try to connect to the server. 15:44 < Dougy> krzie, most kids younger than me drink regularly 15:44 < krzie> Carop i take it you didnt check your logs 15:44 < Dryanta> Dougy: how old are you 15:44 < Dougy> Dryanta: 16 15:45 < krzie> i guarantee they're complaining about # 15:45 < Dryanta> i wouldnt say MOST 15:45 < krzie> remote-cert-tls server 15:45 < Dougy> Dryanta, a LOT of 15:45 < Dryanta> thats silly 15:45 < krzie> cause you made that up out of nowhere 15:45 < krzie> !betaman 15:45 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 15:45 < Dougy> I know 14 and 15 year olds that party and get trashed every single weekend 15:45 < Dougy> 16 year old drink more than some adults i know 15:45 < Dryanta> i didnt start drinking until i was about 18 15:45 < krzie> Dryanta i was 14 15:45 < krzie> most my freshman yr was spent puking out the side of older kids cars 15:46 < Dryanta> i drank a bit when i was like 16 15:46 < Dougy> Dryanta: here you go 15:46 < Dryanta> just me and my friend chris 15:46 < Dougy> there are about 100 kids at this party 15:46 < Dougy> http://photos-h.ak.facebook.com/photos-ak-snc1/v347/92/49/1331670606/n1331670606_30357727_9251.jpg 15:46 < Dougy> theres just a little example 15:46 < Dryanta> facebook is gay, myspace is win 15:46 < Dryanta> just so you know 15:46 < krzie> Carop, you want to check your logs 15:46 < Dougy> yeah 15:46 < Dougy> Dryanta, they have funnels and everything 15:46 < Dougy> already 15:46 < Dougy> at 15-16 15:46 < Dryanta> thats
pretty recockulous 15:47 < Dryanta> i think its dumb for kids that young to be drinking, srsly 15:47 < Dougy> Dryanta: http://photos-g.ak.facebook.com/photos-ak-snc1/v347/92/49/1331670606/n1331670606_30357718_5522.jpg 15:47 < Dryanta> why didnt i go to parties like that when i was a kid 15:47 < Carop> krzee, ah, you're right that removing "remote-cert-tls server" helps. thanks. but I put "remote-cert-tls server" because that's what the howto said I should do (without it, the client complains "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info") 15:47 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 15:48 < Dougy> Dryanta: good thing you didn't 15:48 < Dougy> I am invited now and again and I pass on it 15:48 < krzie> no, the howto does not say that 15:48 < Dryanta> well i drink like a fish 15:48 < Dryanta> but im 24 15:48 < Dougy> Dryanta, i've never been buzzed/drunk in my life 15:48 < Dougy> haha 15:48 < Dryanta> so its kind of expected heh 15:48 < krzie> oh wait 15:48 < krzie> LOL yes it does 15:48 < Carop> krzee, yes... 15:49 < krzie> Carop it also mentions that its for 2.1 and above 15:49 < Carop> krzee, yes, I am using 2.1_rc8 15:49 < krzie> so if you're using stable branch (2.0.x) it does not apply 15:49 < Dryanta> god im so hung over 15:49 < krzie> ok, then leave that in, my bad 15:49 < Dryanta> super fuckin hung over 15:49 < krzie> thats part of why !configs says to tell me the version 15:50 < krzie> (and the OS) 15:52 < Carop> sorry I forgot. 15:52 < Carop> hmm, I don't know why but now openvpn is behaving a little differently... 
let me check 15:53 < krzie> well 15:53 < krzie> until you have both sides running, you're just spinning your wheels 15:53 < krzie> i dont even know what you're hoping to achieve right now by only running a client 15:53 < krzie> especially what would lead you to ask for help before trying to run both sides 15:54 < krzie> then again, i dont feel good today so maybe im just being a dick *shrug* 15:54 < Carop> OK, that's fine. 15:55 -!- Carop [n=koa@93.1.82.236] has quit [Remote closed the connection] 15:59 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 16:06 < Dougy> lol 16:06 < Dougy> idiot what? 16:18 -!- Huza [n=cristian@78.96.46.99] has joined ##openvpn 16:45 -!- Dougy [n=doug@64.18.159.247] has quit [] 17:13 -!- George`` [n=George@222.231.24.109] has joined ##openvpn 17:54 < ecrist> grr 17:55 < jeev> rgg 18:04 -!- Pretto [n=pretto@ubuntu/member/pretto] has joined ##openvpn 18:04 -!- Huza [n=cristian@78.96.46.99] has quit ["Ex-Chat"] 18:23 -!- Pretto [n=pretto@ubuntu/member/pretto] has quit [Connection timed out] 19:23 -!- George`` [n=George@222.231.24.109] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"] 19:33 -!- Pretto [n=pretto@ubuntu/member/pretto] has joined ##openvpn 19:36 -!- radud [n=radu@78.96.46.101] has joined ##openvpn 19:40 < radud> I need the following: An openvpn server to access from my Win PC, to be able to bypass "corporate" firewall. 19:40 < radud> I have already installed openvpn on my friends ubuntu server. 19:41 < radud> I can connect from my notebook but I don't have internet acces. :( 19:41 < radud> access* 19:42 < radud> What should I do? 
20:01 -!- Pretto [n=pretto@ubuntu/member/pretto] has quit ["Saindo"] 20:30 -!- radud [n=radu@78.96.46.101] has quit [Remote closed the connection] 20:35 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 104 (Connection reset by peer)] 20:37 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 20:54 -!- Luria [n=trashed@pool-70-23-222-5.ny325.east.verizon.net] has joined ##openvpn 20:56 < Luria> can someone recommend a good linux based key manager? essentially, i want to create and revoke openvpn keys via scp/sftp... 20:56 < Luria> and track them. gui based, too. 20:56 < krzie> gui based, no 20:56 < krzie> but, 20:56 < krzie> !ssl-admin 20:57 < vpnHelper> krzie: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 20:57 < Luria> ncurses is ok :-) 20:57 < reiffert> Luria: openssl, the binary. 20:57 < reiffert> Luria: revoking keys can be done by a crl. 20:57 < reiffert> Luria: gui based: openvpn-web-gui 20:58 < reiffert> Luria: when ncurses is ok, drop ncurses and use shell. 20:58 < Luria> that could work... does openvpn-web-gui require the web server to be on the same machine as the keys? 20:58 < Luria> btw, though id rather not, windows is ok 20:59 < Luria> id just like to speed up the process of generating keys for my machines and have a quick revocation process should i lose one 20:59 < reiffert> Luria: then use easy-rsa. It's speeding things up, as every useful function comes altogether in shellscripts. 21:00 < reiffert> btw, easy-rsa comes with openvpn. 21:00 < Luria> i know, ive used it 21:00 < reiffert> great. 21:00 < reiffert> Do you like it? 21:00 < Luria> for generating a couple of keys, yeah 21:01 < reiffert> quick revocation process: there is a revocation shell script. 21:01 < Luria> but id like an app that has the list of keys, and is aware of the public key list on the server. and does it graphically 21:01 < reiffert> Sigh. 21:02 < Luria> sorry, it is handy.
21:02 < reiffert> Did you ever mess around with windows nt dunno, CA GUI? 21:02 < Luria> and yes, i have done it cli 21:02 < Luria> but i dont get points for it :-) 21:03 < reiffert> Ah. The GUI whatsoever looking great wasnt allowing me things that I was able to do with the cli. My thought was: WTF? 21:04 < reiffert> Luria: alright, so something showing all keys, one click management? 21:04 < reiffert> openvpn-web-gui 21:04 < Luria> yeah, im looking at the sourceforge page now 21:04 < Luria> thanks for that, it looks like what i want 21:05 < Luria> now i have something to do with my qube :-) 21:05 < reiffert> setting things up breaks security and is a waste of time, good luck. 21:05 < Luria> tho key generation might be a bit slow :-) 21:05 < reiffert> do you plan to protect the webgui by base64 apache auth? 21:06 < reiffert> protecting the 1024bit openvpn security by a 64bit key? Hell yeah, go on. 21:06 < Luria> well, the webserver is internal only 21:06 < reiffert> internal on a multi user OS? 21:07 < reiffert> means I have to hack one of your OS' flaws like Internet Explorer first? 21:07 < Luria> i understand where you are coming from 21:10 < Luria> but if you are in my network already, then why bother with passphrase protected keys 21:10 < reiffert> To actually get access to your network. 21:11 < reiffert> and let it look like I'm allowed to. 21:12 < Luria> fine, so the apache server only runs on localhost. requires ssh+vnc/nx. 21:13 < Luria> if youve compromised my ssh client, ive got real problems already 21:14 < Luria> iow, i expect the openvpn security to be equal to my network security, not greater. 21:14 < reiffert> Sure the webserver listens on 127.0.0.1 and not on your internal network address? 21:15 < Luria> yes 21:15 < Luria> i see your problems with ovpn-web-gui tho 21:15 < reiffert> :) 21:15 < Luria> .htaccess control is like a 1 pin lock 21:15 < reiffert> Btw, I'm using it as well. 21:16 < Luria> what is your defense strategy?
21:16 < reiffert> using easy-rsa. 21:18 < Luria> idk why key management has to always be a pain - i mean more than it has to be - 21:18 < Luria> thunderbird + enigma has finally got me using gpg 21:18 < Luria> b/c it is not so much of a pain to manage keys 21:18 < reiffert> Why is it pain? You need to read much to actually know how things work. Ok with me. 21:20 < Luria> cli's are linear - even with masking, like regexes - it is a serial approach to data. guis can be a bit more parallel. 21:20 < Luria> and i have no problem with reading :-) 21:20 < Luria> which reminds me, i need to find a good pdf indexer for my ebook collection 21:21 < reiffert> just open up more terminals, giving you as much of parallelism as a webgui can do. 21:21 < Luria> been redoing the home network 21:21 < Luria> reiffert, not quite the same, and you know it :-) 21:21 < Luria> my ancient as400 just came in the mail :-) 21:22 < reiffert> Luria: I'm running an ancient window manager giving 12 xterminals on my screen, I dont do Icons there, I call it my terminal multiplexer. 21:22 < Luria> i still need to figure out a central user management system for all the involved platforms 21:22 < reiffert> (And I have 9 screens :) 21:22 < Luria> ah, was about to invoke screen ;-) 21:22 < reiffert> Luria: ldap+k5 21:23 < Luria> thats where i was heading 21:23 < reiffert> Luria: virtual window manager screens. 21:23 < Luria> tho probably on windows2k something to get the xp box to play along 21:23 < Luria> yes, yes, i know 21:24 < reiffert> Go ahead, some trickery here and there, some patches there and maybe, fun fun fun and all for the homenetwork ... "sorry, girl, I cant get access to my computer, I lost my key" :-) 21:24 < Luria> worst case, i use my n810 :-) 21:25 < reiffert> Using 802.1X with k5? No way :p 21:25 < Luria> arg and netbsd on the qube and perhaps a/ux on the quadra if im ever feeling like it 21:26 < reiffert> Cube ... lemme think, I already saw those boxes once, years ago.
21:26 < Luria> cobalt 21:26 < Luria> little mips appliance 21:26 < Luria> came with ancient guified redhat 21:26 * Luria does not like redhat so much 21:27 < reiffert> Didnt they come with something spectacular new related to java? 21:27 < Luria> not that stands out 21:27 < Luria> are you thinking of sun's javastation? 21:27 < reiffert> Maybe that one was right next to the other, I dont remember. 21:27 < Luria> cause the qube ended up as a sun product 21:29 < reiffert> Thats why I had something with java in mind .. I think it was on Linuxtag 2001? 21:29 < Luria> sounds about right 21:29 < Luria> you know, the thing i love the most about openvpn is pushing routes 21:29 < reiffert> It's been taking place in Kaiserslautern .. 21:29 < Luria> i no longer have a proxy server at home 21:30 < reiffert> I love bridging :) 21:30 < reiffert> Mostly because I managed to set it up on remote computers :) 21:31 < reiffert> The first footsteps made me use the phone .oO "Please reboot that machine, I lost contact" -) 21:32 < reiffert> Oh, it must have been in 1999, last time Linuxtag in Kaiserslautern. 21:33 < reiffert> do'h, no javastation on ebay. 21:35 < Luria> pitas 21:35 < Luria> i still have a sunray I that ive been fighting with 21:36 < Luria> yeah, a dialup backend could be nice for my network... 21:37 < Luria> can i set up an asterisk box for that? press 4 for 1995 internet... 21:37 < Luria> ok, gotta run 21:37 < Luria> been nice chatting 21:38 < reiffert> have a nice day, cu! 21:38 < Luria> btw, this has all been done via openvpn routes pushed to my eee over someone's open wifi at a cafe :-) 21:38 < Luria> openvpn ftw, as usual 21:39 -!- Luria [n=trashed@pool-70-23-222-5.ny325.east.verizon.net] has quit [Remote closed the connection] 21:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 113 (No route to host)] 22:14 -!- Pretto [n=pretto@ubuntu/member/pretto] has joined ##openvpn 22:15 < Pretto> hey guys...
I am getting connection interrupted after being connected for some time 22:15 < Pretto> does anyone know how to solve this? 22:21 < Pretto> any help would be appreciated 22:47 -!- Pretto [n=pretto@ubuntu/member/pretto] has quit [Read error: 110 (Connection timed out)] 23:38 < krzee> [22:00] btw, easy-rsa comes with openvpn. 23:38 < krzee> [22:00] i know, ive used it 23:38 < krzee> [22:00] great. 23:38 < krzee> [22:00] Do you like it? 23:38 < krzee> for what its worth, i dont like easy-rsa very much 23:44 < jeev> i know 23:44 < jeev> i dont either 23:50 < ecrist> fuckers 23:54 < jeev> assmuncher 23:55 < krzee> muncher or the anal? --- Day changed Sun Oct 26 2008 00:00 -!- mode/##openvpn [+o ecrist] by ChanServ 00:00 -!- jeev was kicked from ##openvpn by ecrist [ecrist] 00:00 -!- krzee was kicked from ##openvpn by ecrist [ecrist] 00:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:00 -!- mode/##openvpn [-o ecrist] by ecrist 00:00 < krzee> aww 00:00 < ecrist> muahahaha 00:01 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 00:01 < jeev> eh 00:01 -!- mode/##openvpn [+o jeev] by ChanServ 00:01 <@jeev> me scratches head 00:01 < krzee> uht ohhhh 00:01 < ecrist> shit 00:01 <@jeev> /kb ecrist TOOTLES 00:01 <@jeev> woops 00:02 <@jeev> it's not working 00:02 -!- mode/##openvpn [-o jeev] by jeev 00:02 < ecrist> lol 00:02 < jeev> dood 00:02 < ecrist> you wouldn't dare. 00:02 < jeev> my friend was on the phone with me 00:02 < ecrist> BUCKaw! 00:02 < jeev> from equatorial gunea 00:02 < jeev> guinea 00:02 < jeev> and its like 00:02 < jeev> gone now 00:02 < jeev> hahah, texts me saying 00:02 < jeev> dood call me, i ran out of minutes 00:04 < ecrist> buckaw 00:04 * ecrist struts like a chicken...
00:04 < krzee> all hes gotta do 00:04 < krzee> is get skype unlimited outbound to US / CA 00:04 < krzee> $30/yr 00:04 < jeev> ho 00:04 < jeev> he's not on the net 00:04 < krzee> then openvpn to a box in USA 00:05 < jeev> he's using a sim card 00:05 < krzee> and booya 00:05 < krzee> i know 00:05 < jeev> i dont get it 00:07 < krzee> when he is in inet land 00:07 < jeev> oh 00:07 < jeev> well 00:07 < jeev> when he's in inet land 00:07 < jeev> he uses viatalk 00:07 < jeev> and talks for free 00:07 < jeev> ol 00:07 < jeev> lol 00:07 < krzee> he can call us for $30/yr 00:07 < ecrist> why won't anyone have oper wars with me. 00:07 < krzee> (i moved out of usa) 00:07 < jeev> why when he can use his viatalk on 00:07 * ecrist notes jeev has a vagina. 00:07 < jeev> x-lite 00:07 -!- mode/##openvpn [+o jeev] by ChanServ 00:07 * jeev consistently touches vagina 00:07 < ecrist> lol 00:07 -!- mode/##openvpn [+v ecrist] by jeev 00:07 <@jeev> +v == has vagina 00:08 -!- mode/##openvpn [-o jeev] by jeev 00:08 < krzee> hahahahaha 00:08 <+ecrist> lol 00:08 < jeev> hey 00:08 < jeev> you know what ircd's need 00:08 <+ecrist> straw 00:08 < jeev> a mode where 00:08 < jeev> lol 00:08 < jeev> there is no way they could part if they're on a mode 00:08 < jeev> or perm mode 00:08 < jeev> like +loser 00:08 <+ecrist> LOL 00:08 < jeev> if i had a vagina 00:08 < jeev> i'd be touching it now 00:08 <+ecrist> that would be funny 00:09 <+ecrist> if I had a feminine side, I'd never stop touching it. 00:09 < jeev> lol 00:09 < jeev> use your butthole then; foo. 00:10 <+ecrist> how'd I get voice? 00:10 < jeev> ecrist 00:10 < jeev> i found your pic 00:10 < jeev> http://www.klab.caltech.edu/~koch/mac-tattoo-2-small.jpg 00:10 -!- mode/##openvpn [+o ecrist] by ChanServ 00:10 <@ecrist> /mode ##openvpn +bitchslap jeev 00:11 <@ecrist> don't start something you can't finish!
00:11 -!- mode/##openvpn [+o krzee] by ChanServ 00:11 -!- mode/##openvpn [+v jeev] by krzee 00:11 <@ecrist> oh shit 00:11 -!- mode/##openvpn [-oo krzee ecrist] by krzee 00:11 <+ecrist> here comes the boss 00:11 < krzee> hehehe 00:11 <+ecrist> damn 00:11 <+ecrist> whaaahahaha! I still have voice! 00:12 < krzee> alright, im outtie 00:12 < krzee> UPS is annoying me 00:12 <+ecrist> l8r 00:12 < krzee> im sick 00:12 < krzee> and the joint is lit 00:12 <+ecrist> /mode ##openvpn +bitchslap jeev 00:12 < krzee> gnite guys 00:12 -!- mode/##openvpn [+o ecrist] by ChanServ 00:12 -!- mode/##openvpn [-o krzee] by ecrist 00:12 <@ecrist> hahahahahahahahahaaaaaaaaaaaaaaaaaaaaaaaaa 00:12 < krzee> [01:11] * krzee removes channel operator status from krzee ecrist 00:12 < krzee> i did that already 00:12 -!- mode/##openvpn [+o jeev] by ChanServ 00:12 -!- mode/##openvpn [-o ecrist] by jeev 00:12 -!- mode/##openvpn [-v jeev] by jeev 00:12 -!- jeev [n=email@unaffiliated/jeev] has left ##openvpn [] 00:12 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 00:12 < jeev> +v = gay 00:13 -!- mode/##openvpn [+o ecrist] by ChanServ 00:13 -!- jeev was kicked from ##openvpn by ecrist [ecrist] 00:13 <@ecrist> what? 00:13 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 00:13 <@ecrist> oh 00:13 < jeev> +o = gay 00:13 <@ecrist> damn dog 00:13 <@ecrist> /kb jeev 00:13 < jeev> /manueverAGAINSTKB 00:13 < jeev> /countermeasure1 00:13 < jeev> it's still work in progress. 00:14 -!- Irssi: ##openvpn: Total of 29 nicks [1 ops, 0 halfops, 0 voices, 28 normal] 00:14 -!- mode/##openvpn [-o ecrist] by ecrist 00:15 < jeev> ecrist 00:15 < jeev> you good with shell script 00:15 <+ecrist> let me know when you're ready to test your skills again, young grasshopper. 00:15 <+ecrist> yes, I am. 
00:15 < jeev> lol 00:15 < jeev> you have me 00:15 < jeev> consistently check access privs 00:15 < jeev> can you help me out 00:15 < jeev> with something quickly 00:17 < krzee> havnt left yet 00:18 < krzee> and i also know shell script ninjitsu 00:18 < krzee> wassup 00:19 < jeev> pFFT 00:19 < jeev> gimme a sec 00:20 <+ecrist> kk 00:21 < jeev> ok poo's 00:21 < jeev> if [ "$ping1" != "0" ]; then 00:21 < jeev> echo $target is ok 00:21 < jeev> if [ "$ping2" = "1" ]; then 00:21 < jeev> echo $target2 is ok 00:21 < jeev> fi 00:21 < jeev> i'm bad at this 00:21 < jeev> ping1=$( ping -q -c 3 -f -s 8 -o -t 2 $target | grep "packet loss" | cut -c24-24 ) 00:22 < jeev> ping2=$( ping -q -c 3 -f -s 8 -o -t 2 $target2 | grep "packet loss" | cut -c24-24 ) 00:22 < jeev> if ping1 fails 00:22 < jeev> i want it to try ping2 00:22 < jeev> if ping2 also fails 00:22 < jeev> i want it to switch gateway 00:23 < jeev> if [ "$ping1" != "0" ]; then 00:23 < jeev> echo $target is ok 00:23 < jeev> if [ "$ping2" = "1" ]; then 00:23 < jeev> echo $target2 is ok 00:23 < jeev> fi 00:23 < jeev> else 00:23 < jeev> 4.2.2.2 is ok 00:23 < jeev> 4.2.2.3 is ok 00:24 < jeev> are you guys alive or what 00:24 < jeev> i will ban BOTH OF YOU for hurting my feelings 00:25 < ropetin> Yeah, how dare they have to go do something else!!!! 00:25 < jeev> SERIOUSLY 00:25 < krzee> gimme a min 00:25 * ropetin gets out his IGD (IRC Gun of DOOM) 00:25 < ropetin> :P 00:25 * jeev takes out his e-penis and measuring red wood sized tape 00:27 < ropetin> Hmmmmmmmmm 00:28 * jeev starts poking people with it 00:29 < ropetin> Keep that thing away from me! 00:29 < ropetin> Never know where it's been 00:30 < jeev> heh 00:30 * jeev thinks of ecrist's butt that one night 00:31 < krzee> if !
ping -c 2 $target ; then echo down; else echo up; fi 00:32 < krzee> or of course 00:32 < jeev> sec 00:32 < krzee> if ping -c 2 $target ; then echo up; else echo down; fi 00:33 < krzee> plus you can redirect the pings away if you dont wanna see them 00:33 < jeev> huh 00:33 < jeev> why would i not use the thing i did ? 00:33 < krzee> if ping -c 2 $target 1>/dev/null; then echo up; else echo down; fi 00:34 < krzee> its simpler than that 00:34 < krzee> why make it harder than it is? 00:34 < krzee> you can do anything with that i just said you want 00:34 < krzee> including testing the second time 00:35 < ropetin> Hey, while you are around, can I ask you what should be a simple question, but which is melting my brain krzee? 00:35 < krzee> ok 00:35 < krzee> but im crashing in a min 00:35 < krzee> ill answer first if i can 00:36 < ropetin> My openvpn setup is working fine, I now want to route all my clients network connectivity through the tunnel. On the server I've added; 00:36 < ropetin> push "redirect-gateway" 00:36 < ropetin> And the clients can now ping local and remote IPs, but they cannot resolve. I presume it's a DNS issue, but; 00:36 < ropetin> push "dhcp-option DNS 4.2.2.4" 00:36 < ropetin> Didn't work. Any ideas? 00:36 < ropetin> (Clients are Linux BTW) 00:37 < krzee> !nat 00:37 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 00:37 < ropetin> Ooo, thank you! I told ya it was simple :D 00:38 < krzee> np 00:39 < krzee> jeev, what i gave you should get you going, but if it didnt ill tell ya more of it in the mornin 00:39 < krzee> im crashin 00:39 < krzee> nite all 00:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 00:43 < ropetin> Niiight!
01:34 < jeev> yay 01:34 < jeev> fixed script 02:52 -!- jeev [n=email@unaffiliated/jeev] has quit [Read error: 104 (Connection reset by peer)] 02:54 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 02:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:04 -!- Huza [n=Cristian@78.96.46.99] has joined ##openvpn 04:19 < Huza> Hello to all. I need help configuring routes for a vpn. I can connect to the vpn server but there is no internet access. 04:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 05:34 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 05:35 < paruchuri> SIGUSR1[soft,tls-error] received, client-instance restarting i am getting from client system that is linux 05:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:35 < paruchuri> how to add network adaptor in linux 05:35 < paruchuri> like what we do in windows 06:09 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 06:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 06:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:06 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 08:10 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 08:38 <+ecrist> paruchuri: you shouldn't need to, it just happens. 08:46 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn 08:51 -!- mode/##openvpn [-v ecrist] by ChanServ 08:58 -!- Pretto [n=pretto@ubuntu/member/pretto] has joined ##openvpn 08:58 < Pretto> hey guys, is there a way to lock some ports for specific hosts in the openvpn subnet?
09:51 -!- Pretto [n=pretto@ubuntu/member/pretto] has quit ["Saindo"] 10:21 -!- tk8 [n=Bryan_Ru@209.176.4.3] has joined ##openvpn 10:23 < tk8> i got a vpn connection that keeps dying after an unknown period of time, how can I debug this? I've checked /var/log and this is what i see: 10:23 < tk8> Oct 26 10:46:59 localhost vpnc[18485]: connection terminated by dead peer detection 10:24 < tk8> so I am guessing this is on the remote end and not my end? 10:33 -!- tk8 [n=Bryan_Ru@209.176.4.3] has quit [Read error: 60 (Operation timed out)] 10:49 -!- tk8 [n=Bryan_Ru@c-68-83-22-225.hsd1.nj.comcast.net] has joined ##openvpn 11:02 < reiffert> tk8: you might wanna check resist-tun and keep-alive options. 11:03 < reiffert> tk8: "I cant reach the other end, I'm dropping the connection", from my point of view you can't tell which side is guilty. 11:20 < tk8> understand, thanks reiffert 11:47 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 12:03 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit ["You call it ADD, I call it multitasking"] 12:03 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 13:01 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn 13:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:21 -!- yakischloba [n=jake@209.160.56.254] has joined ##openvpn 13:44 -!- tk8 [n=Bryan_Ru@c-68-83-22-225.hsd1.nj.comcast.net] has quit [Read error: 110 (Connection timed out)] 13:48 -!- tk8 [n=Bryan_Ru@c-68-83-22-225.hsd1.nj.comcast.net] has joined ##openvpn 14:10 -!- tk8 [n=Bryan_Ru@c-68-83-22-225.hsd1.nj.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 14:51 < ecrist> hola 14:52 < ecrist> bitches 14:52 -!- Huza [n=Cristian@78.96.46.99] has quit [Read error: 113 (No route to host)] 14:58 * jeev looks around for bitches and doesn't detect any 14:58 < jeev> ecrist 14:58 < jeev> mccain wants to offset global warming with nuclear winter 15:13 < ecrist> lol 
15:20 * ecrist plays wow 15:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:57 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 16:14 -!- yakischloba [n=jake@209.160.56.254] has quit [Client Quit] 16:21 < krzie> hah 16:21 < krzie> that was lol worthy 16:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:34 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 16:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 16:34 < PeterFA> My openvpn.conf file has a line: server 10.100.100.0 255.255.255.0, but the tun0 never gets that netmask, but 255.255.255.255. 16:35 -!- tk8 [n=Bryan_Ru@c-68-83-22-225.hsd1.nj.comcast.net] has joined ##openvpn 16:46 < krzie> PeterFA that mask means something else 16:46 < krzie> it means what ip range it will hand out to clients 16:48 < PeterFA> krzie, oh. 16:48 < krzie> !/30 16:48 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 16:49 < PeterFA> That makes sense. 16:57 < PeterFA> What directory do I put the certs in? 16:57 < krzie> whereever you tell the config to look for them 16:58 < krzie> !sample 16:58 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 17:05 * jeev stares down krzie 17:08 < PeterFA> krzie, it actually hands out 255.255.255.255 to clients. 17:10 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 17:12 -!- Rayden1 [n=ewsforos@87-194-179-156.bethere.co.uk] has joined ##openvpn 17:13 < Rayden1> hello... I have a problem with an openvpn installation. 
crt/keys exchange works fine, authentication completes fine, routes are pushed, et al.. everything works for a while, then after 12-20sec, the connection hangs. and I'm getting on the client: 17:13 < Rayden1> UDPv4 write returned 125 17:13 < Rayden1> and on the server: 17:14 < Rayden1> TLS State Error: No TLS state for client :, opcode 6 17:14 < Rayden1> GET INST BY REAL: :57719 [failed] 17:14 < Rayden1> any ideas? :/ 17:14 < Rayden1> I've googled the bejesus out of it 17:15 < Rayden1> couldn't find a solution 17:15 < Rayden1> after a while mind you, it will reauth, and everything will be ok for a while, loop(); 17:19 < reiffert> isp firewall inbetween? 17:19 < Rayden1> no 17:19 < reiffert> same for tcp? 17:19 -!- tk8 [n=Bryan_Ru@c-68-83-22-225.hsd1.nj.comcast.net] has quit ["Leaving."] 17:19 < Rayden1> server on dmz, client public ip 17:19 < Rayden1> mind you, this used to work for months without a prob 17:19 < Rayden1> nothing changed on configs 17:19 < reiffert> kernel upgrade on the machines? 17:20 < Rayden1> no nothing 17:20 < Rayden1> :/ 17:20 < reiffert> libc? 17:20 < Rayden1> no upgrades whatsoever 17:20 < Rayden1> (on purpose) 17:20 < reiffert> it works, no reboot and then the funny work/dont/work/loop() appears? 17:21 < Rayden1> there was a reboot, about 2 months ago, but it has been working fine since 17:21 < reiffert> try a reboot then. 17:21 < Rayden1> only openvpn was restarted, no changes to it at all 17:21 < Rayden1> so this shouldn't matter, in theory 17:22 < Rayden1> that's what I'm trying to avoid :/ 17:22 < Rayden1> thing is 17:22 < Rayden1> I was wondering what those error messages mean 17:22 < reiffert> TLS State Error: No TLS state for client 17:22 < reiffert> UDPv4 write returned 125 17:22 < Rayden1> aye 17:22 < reiffert> lets check source. 17:23 < Rayden1> I had a go, checked error.c 17:23 < reiffert> what openvpn version are you running? 17:23 < Rayden1> 2 17:23 < reiffert> ... 17:23 < Rayden1> 2.0 17:23 < reiffert> ...
17:24 < Rayden1> OpenVPN 2.0 i386-pc-linux [SSL] [LZO] [EPOLL] built on Apr 6 2006 17:24 < reiffert> that's *old* 17:24 < Rayden1> "if it works, don't fix it" policy 17:24 < Rayden1> hence the no upgrades 17:25 < Rayden1> the box is bastioned, and only thing on it is ovpn 17:25 < reiffert> if it works stay with all the security flaws? 17:25 < reiffert> it's not about the box but your network behind it. 17:25 < Rayden1> well, that hasn't changed either :) 17:25 < reiffert> isp firewall inbetween. 17:26 < reiffert> sorry but I dont have 2.0 source code. 17:26 < reiffert> and I'm not going to look into it. 17:26 < Rayden1> nope, no firewalling, private network, no ISP malarkey in between 17:26 < Rayden1> yes, fair enough 17:26 < Rayden1> thank you for your time 17:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 17:28 < Rayden1> reiffert: have there been any config file changes in later versions? (so I can look into upgrading the dinosaur) 17:28 < reiffert> raise debug level, use logfile. 17:28 < Rayden1> downtime is rather important 17:28 < Rayden1> reiffert: I have, where do you think I got the above-mentioned errors? :D 17:28 < reiffert> Dont think you will have to change a single line from your config when upgrading. 17:28 < Rayden1> reiffert: that's good 17:28 < reiffert> Rayden1: those are messages, verbose message. and not errors. 17:29 < reiffert> UDPv4 write returned 125 17:29 < Rayden1> reiffert: logging is at level 11 17:29 < reiffert> means: successfully written 125 bytes. 17:29 < Rayden1> hmm, that's not very successful then, when this happens, the connection hangs, and the server spits the TLS state errors 17:31 < reiffert> some mtu breaking stuff involved like ADSL PPPOE or WLAN?
17:31 < Rayden1> I've tested that, played with mtus, and mssfix 17:31 < Rayden1> unfortunatly not :( 17:31 < Rayden1> unfortunately* 17:31 < Rayden1> just rebooted 17:31 < Rayden1> still does it :/ 17:32 < reiffert> there have been many improvements regarding mtu fixation, I'd upgrade to a recent version. Personally I'm running the beta versions since the latest stable is from sept. 2007 17:33 < Rayden1> yeah, and in debian-land they will include it, in 2011 :P 17:33 < Rayden1> I'll upgrade now 17:33 < reiffert> :) 17:33 < Rayden1> hope I don't get any probs, or it's my head :D 17:34 < krzie> you dont have test boxes for that? 17:34 < krzie> you should never upgrade a production box before your test servers 17:34 < krzie> and thats not an openvpn thing, thats in general 17:34 < reiffert> real admins do. :) 17:35 < Rayden1> unfortunately, a replacement for the "test" box that crashed and died violently is due tomorrow, and the other boxes run openswan and ipsec 17:35 < krzie> real admins do use test servers when they have important production environments you're saying, right? 17:35 < Rayden1> heh 17:35 < reiffert> krzie: yeah, of course. 17:35 < krzie> oh ok 17:36 < krzie> wasnt sure which way you were going on that 17:36 < krzie> heheh 17:36 < reiffert> The fast way. 17:36 < krzie> and openvpn is one of those rare projects where using the dev branch is usually not a bad idea 17:37 < krzie> but keeping with stable in production environments (unless you know why you need dev branch) is a good rule of thumb in general 17:37 < krzie> ovpn and freeswitch are the only 2 projects i can think of that are exceptions 17:37 < reiffert> openldap, squid, 17:38 < reiffert> openwrt 17:38 < reiffert> macports 17:38 < krzie> ahh 17:38 < krzie> i dont use any of those (except macports) 17:38 < krzie> but my macports are likely way outdated as of now 17:38 < krzie> haha 17:40 < reiffert> oh right, and debian.
17:44 < krzie> hey Rayden1
17:44 < krzie> !configs
17:44 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
17:45 < krzie> lets see if we see anything that could help ya
17:45 < reiffert> probably waiting for the remote site fsck, already searching his car keys.
17:50 < Rayden1> ... nasty :P
17:52 < reiffert> first-hand :)
17:59 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
18:11 < jeev> my friend is amazed
18:11 < jeev> using openvpn from africa
18:11 < jeev> he's like w0w
18:25 < krzie> tell him i said boodiday a bumbawhey
18:25 < krzie> *shrug* even if it doesnt mean anything it sounds like african to me
18:26 < jeev> lol
18:26 < jeev> he's hilarious
18:26 < jeev> i was on the phone for 68 min
18:26 < jeev> on his cell
18:26 < jeev> it's ilarious
18:26 < jeev> hilarios
18:26 < jeev> hilarious
18:28 < Rayden1> r, thanks for your time reiffert
18:28 < Rayden1> I'll wait for the new box tomorrow, then test this one properly
18:28 < Rayden1> thanks for your help
18:29 < Rayden1> take care :)
18:29 < krzie> if you post your configs we can see if theres anything obvious to fix
18:29 < Rayden1> krzee: it's not a config issue, configs do seem fine, and they were working for 3 years now, unchanged
18:29 < Rayden1> :/
18:30 < Rayden1> thank you too krzee :)
18:30 < krzie> well SOMETHING did change, and it's possible something changing in the config could help it
18:30 < krzie> but np
18:30 < Rayden1> no worries, once i sort it, I'll pop back to let you know ;)
18:30 < krzie> sounds good
18:30 < Rayden1> thanks again for your time
18:30 < krzie> best of luck to ya
18:30 < Rayden1> thank you :)
18:30 < krzie> np
18:30 < Rayden1> take care mate
18:31 -!- Rayden1 [n=ewsforos@87-194-179-156.bethere.co.uk] has quit ["Leaving"]
19:48 < krzie> !route
19:48 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
19:49 < jeev> i wish there was a script
19:50 < jeev> upon connect
19:50 < jeev> openvpn automatically does iroute with the source address
19:50 < jeev> so i dont have to deal with ccd's and what the hell my network will be
19:50 < jeev> MULTI: bad source address from client [10.222.x.x], packet dropped
19:50 < jeev> you know
20:10 < oc80z> oh hey wudup
20:28 < krzie> heh
20:29 < krzie> wass[i oc80z
20:29 < krzie> err, wassup
20:30 < jeev> krzee
20:30 < jeev> did you see what i asked
20:30 < jeev> krzie
20:30 < krzie> i didnt think it was a question
20:31 < jeev> bah
20:32 < krzie> i guess if the client's lan ip is in the env passed to up scripts, you could place an if to check for a ccd entry, if it doesnt exist make one and kill the connection
20:32 < krzie> but really, im not sure how good of a solution that is
20:32 < krzie> how many lans are you making?
20:32 < krzie> prolly easier to script the adding of the ccd entries
20:34 < krzie> so it just either reads from an input file, or prompts you for each
20:37 < jeev> dunno
20:37 < jeev> i'm too lazy
20:37 < jeev> forget it
20:39 < krzie> plus the method for automating (if it even worked) would need error checking for if that lan already has an iroute
20:39 < krzie> cause maybe 2 lans use something common like 192.168.0.x
20:40 < krzie> and that wont go over well with iroute
20:41 < jeev> what are you saying
20:41 < jeev> if i use a common name like
20:41 < jeev> booger
20:41 < jeev> booger doesn't care if stanley has same iroute, does it ?
20:41 < krzie> of course it does
20:41 < krzie> !iroute
20:41 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
20:41 < jeev> oh
20:42 < jeev> fuck it
20:42 < jeev> i'm the only one connecting to it anyway
20:42 < krzie> the kernel points to openvpn for the iroute'd network
20:42 < krzie> err, for the routed network
20:43 < krzie> then iroute tells openvpn what to do with it
20:43 < krzie> if it has 2 identical iroutes, where should it send the packet?
20:43 < jeev> chop ch9op
20:43 < krzie> it would either choose first entry, or last (not sure if second fails or overwrites)
20:43 < krzie> but it couldnt possibly know which
20:48 < krzie> haha
20:48 < krzie> oops wrong win
20:55 < ecrist> hola, bitches
20:56 * krzie notes the lack of response
20:58 * ecrist notes that krzie responds.
21:21 < PeterFA> Well, my openvpn config creates an unusable connection. I can ping opposite computers, but the routing is non-functional. It sets the netmask to /32 (not /30) and the default gateway is always wrong!
21:21 < PeterFA> I'm using 2.0 on the server and 2.1 on the client... that's why.
21:21 < PeterFA> nm.
21:23 < ecrist> I use a 2.1 client with a 2.0 server every day...
21:27 < jeev> ecrist
21:27 < jeev> are you good at research / bored?
21:40 < PeterFA> ecrist, well, what happens is the routing tables are all bungled.
21:41 < krzee> bungled!
21:41 < PeterFA> How do I make a 2.1 client play nicely with a 2.0 server?
21:41 < krzee> PeterFA, just make both 2.1 and post your configs
21:41 < krzee> !configs
21:41 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
21:41 < PeterFA> krzee, can't I just tell the 2.1 client to act like 2.0?
21:42 < krzee> is there a reason you cant upgrade?
21:42 < PeterFA> krzee, it's a production server and I don't want to.
21:42 < PeterFA> krzee, is it better to go 2.1 all around?
21:45 < krzee> in my opinion, yes
21:45 < krzee> but with 2.0 as server and 2.1 as client, i dont think thats you problem
21:46 < krzee> *your problem
21:46 < krzee> cause the server tells the client what to do, and the 2.1 client will understand what the 2.0 server is telling it to do
21:46 < krzee> you still havnt pastebin'ed your configs without the comments
21:47 < krzee> which is your next step towards getting useful help
21:49 < PeterFA> Ok, I'll do it.
21:54 < PeterFA> Server: http://rafb.net/p/LGiQNL78.html
21:54 < vpnHelper> Title: Nopaste - Server (at rafb.net)
21:56 < PeterFA> client: http://rafb.net/p/gx1GHe84.html
21:56 < vpnHelper> Title: Nopaste - No description (at rafb.net)
21:58 < krzee> ok, and how bout this:
21:58 < krzee> !logs
21:58 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
21:58 < krzee> note the last part of that
21:58 < krzee> verb 6
21:58 < krzee> for debugging a setup, verb3 is too low
21:59 < PeterFA> Ok.
21:59 < PeterFA> One minute.
22:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
22:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:07 < PeterFA> What's the directive to set an explicit log file that's not syslog?
22:08 < PeterFA> http://rafb.net/p/Vg4z7M76.html <-- 50 lines of server log
22:08 < vpnHelper> Title: Nopaste - Server (at rafb.net)
22:08 < krzee> !man
22:08 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
22:09 < PeterFA> http://rafb.net/p/2SWL8G88.html <-- client.
22:09 < vpnHelper> Title: Nopaste - Client (at rafb.net)
22:09 < PeterFA> Gimme another minute and I'll have the complete logs.
22:10 < krzee> --log file
22:10 < krzee> Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be truncated. This option takes effect immediately when it is parsed in the command line and will supercede syslog output if --daemon or --inetd is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
22:10 < krzee> Note that on Windows, when OpenVPN is started as a service, logging occurs by default without the need to specify this option.
22:10 < krzee> --log-append file
22:10 < krzee> Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like --log except that it appends to rather than truncating the log file.
22:10 < krzee> note, theres also:
22:10 < krzee> !betaman
22:10 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html
22:10 < krzee> for 2.1
22:10 < krzee> if you really want to use both (baffles me why you would) then you want to keep both handy
22:21 < PeterFA> Complete client: http://rafb.net/p/s8jFmP77.html
22:21 < vpnHelper> Title: Nopaste - No description (at rafb.net)
22:21 < PeterFA> Server: http://rafb.net/p/04ZyUI64.html
22:21 < vpnHelper> Title: Nopaste - No description (at rafb.net)
22:22 < PeterFA> I guess all config directives are the same as the commandline options but without the -- predicate.
22:23 < krzee> yup
22:27 < PeterFA> So, what do you think of my logs?
22:28 < krzee> gimme a min
22:28 < krzee> had to light the blunt before starting ;]
22:30 < krzee> could you try matching versions for the hell of it?
22:31 < krzee> if you cant change server, change client =]
22:33 < krzee> also where do you see it got 255.255.255.0?
22:33 < krzee> looks like ipp.txt gave it .6 like it should have
22:34 < krzee> indicating you are using a full /30
22:34 < krzee> client being .6 but sending data to an internal but otherwise non-existent .5
22:34 < krzee> to reach the server, .1
22:35 < krzee> err, that you got 255.255.255.255 i mean
22:36 < krzee> "I can ping opposite computers, but the routing is non-functional."
22:36 < krzee> is your problem about routing LANs through the vpn?
22:40 < PeterFA> I want to downgrade the local version.
22:40 < krzee> ok, you may not need to tho
22:40 < krzee> connect it
22:40 < krzee> can the client ping 10.0.1.1 ?
22:41 < krzee> and can the server pin 10.0.1.6?
22:41 < krzee> ping
22:42 < krzee> if that works dont downgrade the client
22:43 < krzee> because it will be ready for 2.1 directives when you upgrade the server
22:43 < krzee> you mentioned production, for scalability you will want to change to topology subnet when you start connecting more clients
22:44 < krzee> and thats a 2.1 directive
22:44 < krzee> !topology
22:44 < vpnHelper> krzee: Error: "topology" is not a valid command.
22:44 < krzee> !/30
22:44 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
22:45 < krzee> !learn topology as it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
22:45 < vpnHelper> krzee: The operation succeeded.
22:46 < krzee> !forget /30 2
22:46 < vpnHelper> krzee: The operation succeeded.
22:47 < krzee> !learn /30 as you can avoid this behavior with by reading !topology
22:47 < vpnHelper> krzee: The operation succeeded.
22:51 < PeterFA> krzee, I'm working on it right now... trying to pin the version down.
22:51 < krzee> leave the version for a sec
22:51 < krzee> try the ping
23:28 < PeterFA> krzee, kind of stuck now that I've uninstalled it and I don't know how to hold a package in apt.
23:28 < PeterFA> Trying to figure it out.
23:29 < krzee> k you can just reinstall it and do the ping
23:29 < krzee> or whatev, my terminal window is semi-transparent and im working on something
23:29 < PeterFA> When I figure it out now... got set back :P
23:29 < krzee> so i can still see here anyways
23:52 < PeterFA> krzee, so, what is actually wrong conceptual-wise?
23:52 < krzee> thats what i want to figure out, i think nothing honestly
23:52 < krzee> your logs and configs show they're doing what they are supposed to
23:52 < PeterFA> Ok.
23:53 < krzee> [23:40] can the client ping 10.0.1.1 ?
23:53 < krzee> [23:41] and can the server pin 10.0.1.6?
23:53 < krzee> [23:41] ping
23:53 < krzee> [23:42] if that works dont downgrade the client
23:53 < krzee> heh
23:55 < PeterFA> krzee, maybe I just need to add more stuff to the config so it sets the netmasks and crap correctly.
23:55 < krzee> dude
23:55 < krzee> your netmask is right
23:55 < krzee> i dont know what you're expecting
23:55 < krzee> did you try the ping?
23:55 < PeterFA> Yes, both work.
23:56 < krzee> then why do you think your vpn is not working?
23:56 < PeterFA> I want to get the computers on the server's subnet visible and pingable.
23:56 < krzee> there we go
23:56 < krzee> !route
23:56 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
23:56 < krzee> i made a writeup for doing that, and for connecting the LAN the client is on as well
23:57 < krzee> if you read the whole thing you will understand how to do your setup
23:57 < PeterFA> krzee, thanks.
23:57 < krzee> yw
23:57 < PeterFA> I'll read that later, I'm totally exhausted now :)
23:57 < krzee> sorry we went down the wrong road for so long
23:57 < PeterFA> krzee, it's ok.
23:57 < paruchuri> ok
23:57 < krzee> i thought your vpn wasnt working
23:57 < PeterFA> This is learning.
23:57 < PeterFA> I'm sorry!
23:57 < krzee> hehe np
23:57 < krzee> wassup paruchuri
23:58 < paruchuri> you have to tell krzee
23:58 < krzee> its really easy tho
23:58 < krzee> and you're basically done
23:58 < paruchuri> yes
23:58 < paruchuri> can you tell me how can i add my network in openvpn
23:58 < krzee> !route
23:59 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
23:59 < krzee> lol
23:59 < paruchuri> every thing is fine server and client side
23:59 < paruchuri> ok
23:59 < krzee> before we start
23:59 < krzee> did you read that whole page?
23:59 < paruchuri> i am doing
23:59 < krzee> cool
--- Day changed Mon Oct 27 2008
00:01 < paruchuri> i am getting 2222 port error from my client side
00:01 < paruchuri> what i have to do for that
00:01 < krzee> huh?
00:02 < paruchuri> just a moment i will give you the error!
00:03 < paruchuri> sorry i error is in another system
00:03 < paruchuri> sorry the error is in another system
00:52 < krzee> !ssl-admin
00:52 < vpnHelper> krzee: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
00:52 < jeev> i've gotta try that.
00:52 < jeev> does it work with existing certs?
01:03 < krzee> havnt used it yet
01:03 < krzee> havnt needed to make certs since learning bout it
01:06 < jeev> hrmf
01:07 < jeev> krzee
01:07 < jeev> pump up
01:07 < jeev> jam
01:07 < jeev> i hate linux.
01:07 < jeev> it took me 32 tries to guess my root password on one of my servers.
01:09 < krzee> umm
01:09 < krzee> whats that have to do with linux?
01:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:10 < jeev> dunno
02:19 -!- k-tr [n=klaus@br-194.cortalconsors.de] has joined ##openvpn
03:39 -!- tengulre [n=tengulre@125.71.208.16] has joined ##openvpn
03:44 -!- Huza [n=Cristian@78.96.46.99] has joined ##openvpn
04:43 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn
05:00 -!- tengulre [n=tengulre@125.71.208.16] has quit []
05:07 -!- Huza [n=Cristian@78.96.46.99] has quit [Read error: 60 (Operation timed out)]
05:10 -!- gamla_kossan [i=wille@ling16.ling.su.se] has left ##openvpn []
05:49 -!- imperfect- [i=b99b8423@bgp4.us] has joined ##openvpn
05:49 < imperfect-> Anyone about?
05:50 -!- ikevin [n=kevin@ANancy-256-1-147-219.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
06:03 -!- gfather [n=gg@79.173.195.173] has joined ##openvpn
06:03 < gfather> hello guys
06:04 < gfather> can i connect to a client other than openvpn
06:05 < gfather> like some routers support vpn like trendnet
06:05 < gfather> can i make them connect to openvpn server?
06:07 < gfather> the only thing i know that only openvpn client can connect to openvpn server , but is there any routers that support openvpn ?
06:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:20 < gfather> like if the router can connect to ssl vpn , it should connect to openvpn , right
06:26 -!- esine [i=dbguy@tohveli.net] has joined ##openvpn
06:27 < k-tr> gfather: depends on your router - a cisco or juniper can't but if its a linux based box you might find a package
06:28 < gfather> like i found some ssl vpn routers
06:28 < esine> Hey everyone. I'd need some help setting up an openvpn server and client. The server has only one NIC and I'm running it on bridged mode. I can start client/connect to server just fine but the communication does not seem to be working.
06:28 < gfather> should work right
06:29 < k-tr> gfather: well, ssl vpn is a marketing buzzword and covers a lot of different vpn products which do not interop well
06:30 < esine> or, just nevermind for now.
06:30 < esine> I'll try something first before consulting you..
06:30 < k-tr> gfather: so openvpn only works with other openvpn instances and *not* with cisco, f5, juniper, alteon ....
06:31 < imperfect-> Anyone know if it's possible to generate client certs on the fly?
06:31 < imperfect-> I'm trying to figure out how I could use openvpn to secure my wireless networks with minimal impact on my users
06:31 < imperfect-> And having them gen/install certs is simply not going to happen
06:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:31 < imperfect-> It's got to be something I can integrate into an image that can be cloned
06:32 < gfather> im still lost a bit
06:32 < k-tr> gfather: why?
06:32 < gfather> how can i know if this router gonna work with an openvpn server ?
06:33 < gfather> what technology should i be looking for to know its gonna work
06:34 < k-tr> gfather: why don't you ask the maintainer of that router?
06:34 < gfather> well im in a place where no one would help me :)
06:34 < gfather> other than the net :)
06:35 < gfather> http://trendnet.com/langen/products/products.asp?cat=41
06:35 < vpnHelper> Title: TRENDnet | Products | Routers (at trendnet.com)
06:35 < gfather> check these vpn routers
06:37 < gfather> any one of them can connect to openvpn ?
06:38 < k-tr> i don't see anything about SSL VPN there ...
06:38 < gfather> yes
06:39 < gfather> the only ssl vpn i found is linksys
06:39 < gfather> http://www.buy.com/retail/product.asp?sku=202859058&SearchEngine=CJchannelintelligence&SearchTerm=202859058&Type=CJ
06:39 < vpnHelper> Title: Linksys 4-Port SSL/IPSec VPN Router - 4 x 10/100Base-TX LAN, 1 x 10/100Base-TX WAN - RVL200 - Buy.com (at www.buy.com)
06:40 < gfather> brb in 20 minutes
06:41 < gfather> if u have any info that can help me , it would be great
06:42 -!- esine [i=dbguy@tohveli.net] has quit ["leaving"]
07:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:25 < k-tr> gfather: no, afaik Linksys doesn't support OpenVPN but there are some Linksys devices which are supported by OpenWRT (or other *WRT distros). on OpenWRT you can use OpenVPN
07:43 * ecrist yawns
07:47 < gfather> im back
07:50 < gfather> what exactly im looking for is a router that supports openvpn
07:54 < gfather> u mean i can use openwrt on a router to support openbravo ?
07:55 < k-tr> gfather: i don't know anything about openbravo ;-)
07:58 < k-tr> gfather: what should be the linkage between openvpn and openbravo? openvpn is a tool for a secure network access - openbravo just seems to be an application running over *some* kind of network (independent of the technology used for the network itself)
08:00 < gfather> sorry that was a mistake
08:00 < gfather> i meant openvpn :P
08:00 < k-tr> ah ... OK
08:00 < gfather> because im working as localizer for openbravo, i get lost sometimes
08:01 < gfather> so , what u suggested is
08:01 < k-tr> then back to your question - you can replace the builtin firmware and put OpenWRT instead of it
08:01 < gfather> that i find an openwrt for a router i can get that will give me openvpn support
08:02 < gfather> yes :) , man u just gave me the best solution ever
08:02 < gfather> ur the best man :)
08:02 < k-tr> well, openwrt does not run on any router - just on the devices listed on the openwrt pages
08:02 < k-tr> so 1st look there for an appropriate router ;-)
08:02 < gfather> yes :)
08:03 < gfather> man u dont know how happy i am now :D
08:03 < gfather> thank u , i bledge for u
08:03 < k-tr> or build your own one with an ALIX or Soekris board
08:04 < k-tr> put a *BSD or Debian/Linux on it and get happy, too!
08:04 < gfather> well ill see if a cheap model is available where i live
08:04 < gfather> and put on it wrt , right :)
08:05 < k-tr> gfather: oh, thats too much praise for me
08:05 < k-tr> yes, you can do it this way
08:07 < gfather> no man not , u wouldnt know how much u helped
08:07 < gfather> iv been searching for days for a router that supports openvpn or its protocol
08:11 < ecrist> gfather: iirc, both myself and krzee pointed you there
08:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
08:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:20 < gfather> i didnt understand?
08:24 < gfather> where did u point me
08:24 < gfather> ?
08:24 < reiffert> or have an asus wl-500gp and install kamikaze (openwrt)
08:24 < reiffert> comes with openvpn.
08:24 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:25 < gfather> i dont think there is asus routers here in the market
08:25 < gfather> most found here are , trendnet , dlink , and linksys of course
08:26 < reiffert> "here"?
08:27 < gfather> its jordan :)
08:27 < gfather> i live in jordan
08:27 < gfather> but in the openwrt page , most of the routers are wireless ,
08:28 < reiffert> right. disable it.
08:28 < k-tr> gfather: well, OpenWRT is born by the idea of running a free firmware on a Linksys WRT54
08:29 < k-tr> gfather: which is a WiFi router
08:29 < paruchuri> how to add the route back to the vpn to the gateway for the openvpn client's lan in linux?
08:29 < gfather> yes , i read that dd wrt
08:30 < k-tr> but typically you can disable the WiFi and use the WAN (-> PPPoE) and LAN port
08:31 < reiffert> paruchuri: read up the manpage under --redirect-gateway
08:31 < reiffert> Add the def1 flag to override the default gateway by using
08:31 < reiffert> 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the
08:31 < reiffert> benefit of overriding but not wiping out the original default
08:31 < reiffert> gateway.
08:31 < gfather> yes , well i prefer to find a wired router
08:31 < gfather> but thats another option i can do :)
08:32 < reiffert> paruchuri: ah well, sorry, I misunderstood your question.
08:32 < paruchuri> ok
08:32 < reiffert> paruchuri: forget about my hint. can you please give me more details...
08:33 < reiffert> there is vpn server, vpn client, both are machines.
08:33 < reiffert> there are server-lan and client-lan
08:33 < paruchuri> for example i am having 192.168.1.0-1.255 as a local network
08:33 < reiffert> from where do you want to get to where?
08:34 < k-tr> gfather: you might check http://www.pcengines.ch/alix.htm
08:34 < vpnHelper> Title: PC Engines ALIX system boards (at www.pcengines.ch)
08:35 < paruchuri> now my server is running on 1.33 and when i am connecting this local network from outside presently i can access only 1.33 and not rest ips
08:35 < k-tr> gfather: works well - and you can order them without WiFi if you don't need it
08:35 < paruchuri> so i want access some ip's from outside network using openvpn
08:35 < paruchuri> outside means other than this network
08:36 < paruchuri> i think you understood my question?
08:36 < reiffert> paruchuri: no, as you keep using words like "this" and "outside".
08:36 < paruchuri> ok
08:36 < reiffert> and "some ips"
08:37 < paruchuri> assume these ip's in office and i want to access from my home
08:38 < gfather> its gonna give troubles
08:38 < gfather> as first it is very hard for me to order from the net and stuff ,
08:38 < paruchuri> now you got my point or not?
08:38 < gfather> cc used here not supported @ net and other problems , long story
08:38 < gfather> :)
08:39 < reiffert> paruchuri: are you using bridged setup?
08:39 < paruchuri> no
08:39 < reiffert> paruchuri: is 1.33 the default gateway for your home lan?
08:39 < paruchuri> no ....assume 1.1 is the gateway
08:40 < paruchuri> server is having public ip and local ip
08:40 < reiffert> paruchuri: then you need to use masquerading on 1.33
08:40 < k-tr> gfather: perhaps you might ask the manufacturer about option for delivery to Jordan?
08:40 < reiffert> so that e.g. 1.34 sends the packages back to 1.33, which translates them to 10.0.8.5 and sends them over the vpn.
08:41 < k-tr> gfather: of course, you can take the device compatibility list from OpenWRT and search your local store for an appropriate device
08:41 < paruchuri> can you explain briefly about what you are saying
08:41 < paruchuri> i am not sure what exactly you are saying
08:42 < reiffert> on 1.33: use masquerading for the tun0 device.
08:42 < paruchuri> is there any change i have to make in server.conf
08:43 < reiffert> echo 1 > /proc/sys/net/ipv4/ip_forward
08:43 < k-tr> gfather: the benefit of the ALIX board is the amount of RAM, the much larger disk (CF card) and option to enhance it with a WiFi if you need.
08:43 < reiffert> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
08:43 < reiffert> ppp0 = device of your local lan
08:43 < paruchuri> MASQUERADE means NAT?
08:44 < reiffert> paruchuri: server.conf: push "route 192.168.1.0 255.255.255.0"
08:44 < reiffert> paruchuri: yes.
08:44 < gfather> yes i see that ,
08:44 < paruchuri> ok
08:44 < gfather> well its good if i was doing a wifi network
08:45 < paruchuri> after doing this i can access all ip's in lan over vpn right?
08:45 < reiffert> paruchuri: yes.
08:46 < paruchuri> no i dont want to access all ip's over vpn.only 10 ip's i want access over vpn
08:46 < paruchuri> have you got my point
08:47 < paruchuri> because if i do nat i will get the internet traffic problem in lan side
08:48 < paruchuri> so thats why i want to give access for certain ip's which required from my home
08:48 < paruchuri> have you got my point
08:49 < paruchuri> sorry if i asked wrong question?
08:50 < reiffert> 14:46 < paruchuri> no i dont want to access all ip's over vpn.only 10 ip's i want access over vpn
08:50 < reiffert> why is that?
08:51 < paruchuri> from home i want to access only 10 ip's of office lan.not all ip's
08:52 < reiffert> apply firewall rules.
08:52 < paruchuri> where
08:52 < reiffert> alright, look:
08:52 < paruchuri> ok
08:52 < reiffert> in office you have 10.8.0.6?
08:53 < paruchuri> no my office lan is 192.168.1.0-255 and for openvpn i am using 10.8.0.0
08:53 < paruchuri> for tunneling
08:53 < reiffert> and your home lan is?
08:54 < paruchuri> it will be like 222.220.87.0
08:54 < reiffert> 14:39 < reiffert> paruchuri: is 1.33 the default gateway for your home lan?
08:54 < reiffert> 14:39 < paruchuri> no ....assume 1.1 is the gateway
08:54 < paruchuri> yes
08:54 < reiffert> 14:33 < paruchuri> for example i am having 192.168.1.0-1.255 as a local network
08:54 < reiffert> local = lan
08:55 < paruchuri> yes
08:55 < paruchuri> home = single
08:55 < paruchuri> ip
08:55 < reiffert> sorry mate, but you are confusing me with every single line you type.
08:56 < paruchuri> ask me what exactly you want to ask
08:56 < imperfect-> Anyone used openvpn to do wireless based vpn passthrough?
08:57 < reiffert> paruchuri: what is it you are trying to accomplish?
08:58 < gfather> man u still there
08:58 < gfather> ?
08:58 < paruchuri> sorry if i said any thing wrong
08:58 < k-tr> yup
08:59 < gfather> ill search for the models available in the market
08:59 < paruchuri> but i am facing this problem what i have
08:59 < gfather> and tell u what ill find , to see which fits better
08:59 < reiffert> paruchuri: and I dont get it.
08:59 < paruchuri> but somewhere i am doing wrong in the explanation
08:59 < reiffert> paruchuri: please describe it so that I can understand it.
08:59 < k-tr> gfather: OK
08:59 < gfather> cools
09:00 < paruchuri> ok...
09:00 < reiffert> paruchuri: dont use terms like here, there, this, that, ip, want to access, but use instead the real IP Addresses.
09:01 < paruchuri> ok
09:03 < paruchuri> let us assume i took internet connection from vendor with 1mbps and using the bandwidth i created a 192.168.1.0-192.168.1.255 as a lan in my office
09:04 < reiffert> alright. 192.168.1.1 is the default gw for your office lan
09:04 < paruchuri> yes
09:04 < reiffert> and 192.168.1.33 is the openvpn server in your office lan
09:04 < paruchuri> yes
09:04 < reiffert> go on.
09:04 < paruchuri> this is the local lan structure
09:04 < paruchuri> ok
09:04 < paruchuri> ?
09:04 < reiffert> let's call it officelan
09:04 < paruchuri> ok
09:05 < paruchuri> and also we have public ip's pool for office
09:06 < paruchuri> the office lan structure defined in router
09:07 < reiffert> public ip's?
09:09 < paruchuri> that means if i have a website so you want to access that website from your place so how can you access?
09:10 < paruchuri> which ip i have to give to the server, private ip (office lan ip) or public ip?
09:11 < paruchuri> google.com having this ip 72.14.207.99.what you call this?
09:11 < reiffert> yeah, but what is a public ip pool for office lan?
09:11 < paruchuri> you can ping 72.14.207.99 but you can not ping 192.168.1.1 right?
09:12 < paruchuri> yes we have public ip pool
09:12 < reiffert> alright, a public subnet?
09:12 < paruchuri> yes
09:12 < reiffert> e.g. 74.74.74.74/29?
09:12 < paruchuri> yes
09:12 < reiffert> and they all end up on your officelan gateway?
09:13 < paruchuri> yes
09:13 < paruchuri> so these networks defined in router
09:14 < paruchuri> for my openvpn router i am having 74.74.74.76 and 192.168.1.33
09:14 < reiffert> on two network cards?
09:14 < paruchuri> thats why i can connect to my openvpn server
09:14 < paruchuri> yes
09:15 < reiffert> ok, so no portforwarding, but direct access.
09:15 < paruchuri> we blocked all ports and opened only 1194 for openvpn
09:15 < paruchuri> in the router
09:16 < paruchuri> any confusion?
09:16 < reiffert> not yet, trying to do some ascii arts to prove
09:17 < gfather> u here ?
09:17 < paruchuri> ok
09:18 < reiffert> http://pastebin.com/m18e01d25
09:18 < paruchuri> this is the structure of my office.
09:18 < paruchuri> ok
09:18 < reiffert> looks ok?
09:19 < paruchuri> i think you got my point
09:19 < reiffert> alright, go on then.
09:20 < paruchuri> for public the openvpn server is 74.74.74.76 but in the office lan 192.168.1.33
09:21 < k-tr> gfather: yep
09:21 < paruchuri> right?
09:21 < paruchuri> if you tell yes only i can continue further
09:22 < reiffert> or is it more like this: http://pastebin.com/m329c3f9f
09:23 < paruchuri> in your picture 74.74.74.74 is default gateway right
09:23 < gfather> man i found ( netgear wgr 614 ) and (linksys wrt 54g)
09:24 < reiffert> paruchuri: so your openvpn server really got 2 network cards? one for external and one for internal net?
09:24 < paruchuri> yes exactly
09:24 < reiffert> alright, then go on.
09:26 < paruchuri> now from my home side i have a net connection and that ip is 222.220.80.70.
09:26 < gfather> which one is preferred more ?
09:26 < reiffert> paruchuri: alright.
09:27 < reiffert> http://pastebin.com/m1d5637e3
09:27 < k-tr> gfather: the netgear is not supported in OpenWRT (kamikaze version) - the Linksys WRT 54G is supported from version 1.0 to 4.0 (see http://wiki.openwrt.org/Hardware/Linksys )
09:27 < vpnHelper> Title: Hardware/Linksys - OpenWrt (at wiki.openwrt.org)
09:28 < paruchuri> yes exactly...i want to connect from 222.220.80.70 to my openvpn server to access my officelan
09:28 < reiffert> paruchuri: and you want 222.220.80.70 to access e.g. 192.168.1.123
09:28 < gfather> so i should use the kamikaze version ?
09:28 < paruchuri> yes
09:28 < paruchuri> like that
09:28 < reiffert> paruchuri: several options:
09:28 < paruchuri> tell me
09:28 < reiffert> paruchuri: first let's see how a packet flows.
09:28 < paruchuri> ok 09:29 < reiffert> paruchuri: from 10.8.0.5 which is the openvpn **client** (which is at your home) 09:29 < k-tr> well, the 7.09 is the latest stable release 09:29 < paruchuri> ok 09:29 < reiffert> paruchuri: it will travel to 10.8.0.1 which is the openvpn server 09:29 < paruchuri> ok 09:29 < reiffert> paruchuri: the kernel on that machine will use routing to forward the packet to your local lan. 09:30 < reiffert> paruchuri: it will reach 192.168.1.123 09:30 < reiffert> paruchuri: but keep in mind, the source address is 10.8.0.5, so the answer will want to go to that address. 09:30 < paruchuri> ok 09:30 < reiffert> still with me? 09:30 < paruchuri> yes 09:30 < reiffert> 192.168.1.123 will send an answer to 10.8.0.5, but where should it send the packet to? 09:31 < reiffert> right, to its local gateway, the 192.168.1.1 09:31 < paruchuri> yes 09:31 < gfather> but how i know the one im buying is from v1 to v4 09:31 < reiffert> paruchuri: is your 192.168.1.1 running linux? 09:31 < paruchuri> no that is linksys router 09:31 < reiffert> paruchuri: is it possible to add static routes from the webif? 09:32 < k-tr> gfather: it might be written outside to the package? 09:32 < reiffert> paruchuri: the static route should look like this: 09:33 < paruchuri> like? 09:33 < reiffert> 10.8.0.0 255.255.255.0 192.168.1.33 which means: send all packets with destination address 10.8.0.5 to 192.168.1.33 which in return knows what to do with the packet. 09:33 < paruchuri> no this option is not there in the router 09:33 < reiffert> allright, 2nd option: 09:33 < paruchuri> ok 09:34 < reiffert> 10.8.0.5 --> 10.8.0.1 use NAT here, so the source address gets changed in 192.168.1.33. 09:34 < reiffert> the packet will travel to 192.168.1.123 but the source address is 192.168.1.33 09:34 < gfather> and what about dd-wrt ? 
, im asking a lot as i have no info on them , im trying to read on the websites , but still dont get it 100 % :) 09:34 < reiffert> 1.123 will send the answer back to 1.33 09:34 < reiffert> 1.33 will send it the answer back to 10.8.0.5 09:34 < paruchuri> ok 09:35 < reiffert> paruchuri: still with me? 09:35 < paruchuri> do we have any other option other than this? 09:35 < reiffert> paruchuri: 3rd option: use bridging. 09:35 < paruchuri> give me one example on how to bridging 09:36 < reiffert> your openvpn client will get an ip address 192.168.1.234 and all broadcast packets and multicast packets will get over the openvpn link. 09:36 < reiffert> !howto 09:36 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:36 < reiffert> everything about bridging in there. 09:36 < paruchuri> ok 09:37 < paruchuri> 10.8.0.0 255.255.255.0 192.168.1.33 which means: send all packets with destination address 10.8.0.5 to 192.168.1.33 which in return knows what to do with the packet 09:37 < k-tr> gfather: dd-wrt says it supports even newer versions (up to 8.2 - but not 7.0) 09:37 < paruchuri> if i do like this can i access all ips from officelan in my home? 09:38 < k-tr> gfather: these versions all differ in the amount of RAM and chipsets they are using 09:38 < reiffert> paruchuri: yes. 09:38 < gfather> but is dd-wrt a lot different than open-wrt 09:38 < reiffert> paruchuri: it will be like if you plugged your home computer into your office *lan* network connector. 09:38 < gfather> im not sure about the difference , but what i understand , kamikaze supports openvpn , right 09:39 < gfather> does dd-wrt do too? 09:39 < imperfect-> Anyone know where I can find a case study on using openvpn to do vpn sessions for wireless users? 09:39 < paruchuri> if i dont want to access all ip's what i have to do...(assume i want to access only 1.55,56,58,60) using openvpn 09:39 < reiffert> paruchuri: why is that? 
09:41 < paruchuri> this is office right...i dont want to give access for all ip's to users who will use openvpn to connect my office lan 09:41 < reiffert> gfather: thats totally wrong. dd-wrt just has a different webinterface. it uses the *same* kernel as openwrt. 09:42 < paruchuri> have you understood what i said reiffert 09:42 < k-tr> gfather: I don't know - I never tried it 09:42 < reiffert> paruchuri: yes, I think so. 09:42 < paruchuri> ok ....do i have any solution for my problem 09:42 < reiffert> paruchuri: well then have firewall rules on 192.168.1.33 to prevent/allow that. 09:43 < paruchuri> server is in fedora.so in firewall what i have to do? 09:43 < paruchuri> fedora9 09:44 < reiffert> paruchuri: well, depends on the solution you will use. 09:44 < reiffert> paruchuri: for 3rd solution you will need to use ebtables and iptables 09:44 < reiffert> paruchuri: for 2nd solution iptables will be enough. 09:44 < gfather> ah i see 09:45 < paruchuri> and one more thing now i can connect from my home to openvpn server and i can ping 1.33 09:45 < reiffert> paruchuri: ebtables when using bridge 09:45 < gfather> but in your experience , what would u prefer more ? 09:45 < reiffert> gfather: debian. 09:45 < gfather> i ment between openwrt and dd-wrt 09:46 < reiffert> gfather: openwrt 09:46 < gfather> ah i see , 09:46 < gfather> but does dd-wrt support openvpn , like openwrt ? 09:46 -!- BBHoss [n=bbhoss@c-68-62-170-33.hsd1.al.comcast.net] has joined ##openvpn 09:46 < reiffert> no, it will support only a single client/server connection. 09:47 < BBHoss> anyone know if/which crypto hardware accelerators openvpn supports? 09:47 < reiffert> dd-wrt stores the certificates in nvram. nvram is too small. 09:47 < BBHoss> or a list somewhere? 09:47 < paruchuri> yes. 09:47 < gfather> aha i see, i have to use openwrt to connect to an openvpn server 09:48 < paruchuri> so you are telling that i have to select in three options right? 
09:48 < gfather> well at least now i know i should use openwrt and get a linksys v4 or less to install it 09:48 < reiffert> paruchuri: iptables: filter table, FORWARD chain, allowing packets from ip/interface to ip/if and back 09:48 < paruchuri> ok 09:49 < reiffert> paruchuri: ebtables same here, as when using bridged configuration the packetflow is slightly different. 09:49 < paruchuri> to which option i can go? 09:49 < paruchuri> now 09:49 < reiffert> paruchuri: still 2nd and 3rd. 09:51 < paruchuri> ok 09:51 < paruchuri> i will try and i will get back to you... 09:51 < reiffert> gfather: you will have to use an openvpn client to connect to an openvpn server. 09:51 < paruchuri> thanks for your co-operation 09:52 < reiffert> paruchuri: you are welcome 09:52 < paruchuri> thanks 09:52 < paruchuri> on what timings you will be available in this irc 09:52 < reiffert> gtg, my car's ready 09:52 < reiffert> paruchuri: Central European Time 09:53 < reiffert> so it's 16:00 here 09:53 < reiffert> cu 09:53 < paruchuri> ok 09:53 < paruchuri> can i reach your mail? 09:54 < paruchuri> because i dont know on what time i will access the irc>? 09:55 < paruchuri> ok no prob reiffert ...i will get you here itself 09:55 < paruchuri> Once again thanks for your co-operation 09:59 < paruchuri> bye 09:59 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn 10:09 < ecrist> foobeans 10:09 < ecrist> vip2, eh? 10:09 < ecrist> you're important, but not *quite* that important. 
10:12 -!- gfather [n=gg@79.173.195.173] has quit [Read error: 110 (Connection timed out)] 10:13 < ecrist> ping krzee 10:21 -!- fpletz [n=fpletz@moinmoin/student/franz] has joined ##openvpn 10:33 < ecrist> ping ping ping 10:33 < ecrist> grr 10:40 -!- jes-o-ma1 [i=jesusch@irc.82110clan.de] has joined ##openvpn 10:40 < jes-o-ma1> hi 10:40 < jes-o-ma1> I'm trying a bridged setup, but somehow I'm stuck 10:42 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit ["You call it ADD, I call it multitasking"] 10:42 < ecrist> need more info than that... 10:43 < jes-o-ma1> http://nopaste.linux-dev.org/?2117 10:44 < jes-o-ma1> I needed some time to copy that stuff ;) 10:44 < jes-o-ma1> TLS/SSL stuff is working so far 10:44 < jes-o-ma1> on server side eth0 and tap0 are bridged as br0 10:45 < jes-o-ma1> on client side tap0 is created with 92.168.0.101 10:45 < jes-o-ma1> 192.... 10:46 < jes-o-ma1> server has on its internal network 192.168.0.102 10:46 < jes-o-ma1> even that one I'm not able to ping 10:47 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 10:47 < jes-o-ma1> maybe I need to bridge tap0 on client side also? 11:05 -!- k-tr [n=klaus@br-194.cortalconsors.de] has quit ["Leaving."] 11:06 < reiffert> show config. 11:06 < reiffert> on pastebin.com 11:06 < reiffert> paste ifconfig -a as well 11:06 < reiffert> and brctl show 11:07 < jes-o-ma1> http://nopaste.linux-dev.org/?2117 11:07 < jes-o-ma1> there's openvpn cfg 11:09 < jes-o-ma1> http://nopaste.linux-dev.org/?2119 11:09 < jes-o-ma1> ifconfig and brctl 11:10 < reiffert> from server? 11:10 < jes-o-ma1> yes 11:10 < reiffert> ok, looks good. 11:10 < reiffert> show ifconfig -a from client 11:10 < reiffert> when not connected. 11:10 < reiffert> then after connection. 
11:10 < reiffert> after=during 11:11 -!- fpletz [n=fpletz@moinmoin/student/franz] has quit [Read error: 104 (Connection reset by peer)] 11:12 < jes-o-ma1> http://nopaste.linux-dev.org/?2120 <- when connected 11:12 < reiffert> on client: ping 192.168.0.101 11:12 < jes-o-ma1> when disconnected - only tap0 is missing 11:13 < jes-o-ma1> ping 192.168.0.101 <- replies 11:13 < reiffert> on client: ping 192.168.0.102 11:13 < jes-o-ma1> no reply 11:13 < reiffert> let the ping run. 11:14 < reiffert> on client: tcpdump -n -i tap0 proto ICMP 11:14 < jes-o-ma1> on openvpn log I get: 11:14 < jes-o-ma1> Mon Oct 27 17:13:40 2008 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=113) 11:14 < reiffert> I thought you were connected? 11:14 < jes-o-ma1> yes - openvpn says so 11:14 < reiffert> on client: tcpdump -n -i tap0 proto ICMP 11:15 < reiffert> on server: the same 11:15 < reiffert> can you see the packets on server side tap0? 11:15 < reiffert> ah, when connected paste on client: route -n 11:16 < jes-o-ma1> http://nopaste.linux-dev.org/?2121 11:16 < jes-o-ma1> I guess it had something to do with line9 11:16 < reiffert> Mon Oct 27 17:13:37 2008 WARNING: --remote address [192.168.0.102] conflicts with --ifconfig subnet [192.168.0.101, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn) 11:17 < jes-o-ma1> tcpdump -n -i tap0 icmp <- doesn't show up icmp packages on tap0 interface :/ 11:17 < reiffert> dude! 11:18 < reiffert> your server.conf 11:18 < jes-o-ma1> (ping is still running 11:18 < jes-o-ma1> ) 11:18 < reiffert> it should be: server-briudge 11:19 < reiffert> oh, and there is server-bridge. hrmnn. 
11:19 < reiffert> ah, ok 11:19 < reiffert> it should be: 11:19 < jes-o-ma1> Options error: Unrecognized option or missing parameter(s) in server.conf:1: server-bridge (2.1_rc7 11:19 < jes-o-ma1> that's not eating @server :/ 11:19 < reiffert> server-bridge 192.168.0.102 255.255.255.0 192.168.0.101 192.168.0.101 11:19 < jes-o-ma1> ah 11:19 < jes-o-ma1> me fool 11:19 < reiffert> server-bridge 192.168.0.0 255.255.255.0 192.168.0.101 192.168.0.101 <--- yours currently 11:20 < reiffert> --server-bridge gateway netmask pool-start-IP pool-end-IP 11:21 < jes-o-ma1> I guess I know the problem :/ 11:21 < jes-o-ma1> the remote address and ifconfig subnet are on the same network 11:21 < reiffert> dude. 11:21 < jes-o-ma1> I need to bridge an IP that is on the same network as the remote is 11:21 < reiffert> change your server-bridge line. 11:22 < reiffert> then restart the server, reconnect, done. 11:22 < jes-o-ma1> I already did 11:22 < reiffert> killall -9 openvpn 11:22 < reiffert> restart the service, reconnect, start both tcpdump's and ping 192.168.0.102 11:22 < jes-o-ma1> I'm starting openvpn on console 11:23 < reiffert> still got the WARNING line on the client? 11:23 < jes-o-ma1> yes 11:23 < reiffert> interesting. 11:24 < reiffert> 17:21 < jes-o-ma1> the remote address and ifconfig subnet are on the same network 11:24 < reiffert> what is "remote address" and "ifconfig subnet" here? 11:24 < jes-o-ma1> because openvpn is supposed to listen on an external interface but bridge on an internal interface 11:24 < reiffert> remote address should be 192.168.0.102, no? 11:24 < jes-o-ma1> yes it is 11:25 < jes-o-ma1> and remote address is a part of the subnet I want to bridge 11:25 < reiffert> the server is listening on br0 ... 11:25 < jes-o-ma1> yes 11:25 < jes-o-ma1> I guess that's the point :/ 11:25 < reiffert> paste: route -n 11:25 < reiffert> on both. 
11:27 < jes-o-ma1> http://nopaste.linux-dev.org/?2122 11:27 < reiffert> try: server-bridge 192.168.0.102 255.255.255.0 192.168.0.110 192.168.0.111 11:27 < jes-o-ma1> both routing tables 11:27 < reiffert> when connected? 11:27 < jes-o-ma1> yes 11:28 < jes-o-ma1> 192.168.0.110 192.168.0.111 <- unfortunately 101 is the last remaining ip :/ 11:28 < jes-o-ma1> 103 would be free 11:28 < jes-o-ma1> or .98 11:28 < reiffert> 104 as well? 11:28 < jes-o-ma1> in use :/ 11:29 < reiffert> or 97 or 99? 11:29 < jes-o-ma1> all in use 11:29 < reiffert> two at a row somewhere? 11:29 < jes-o-ma1> no space larger than a single ip 11:29 < jes-o-ma1> (basically it's only a /28) 11:29 < reiffert> and not even for the test? 11:30 < jes-o-ma1> no - all other hosts are productive 11:30 < reiffert> allright, then change server ip to 98. 11:30 < reiffert> and use 101 102 for client assignment. 11:31 < jes-o-ma1> err - the openvpn server unfortunately also has some associated tasks 11:31 < jes-o-ma1> but I have another /27 which is still quite empty - I'll reconfigure some things to get it working 11:31 < jes-o-ma1> brb 11:31 < reiffert> allright, then support ends here, beats me. 11:32 < jes-o-ma1> hey - the weird things are the interesting things ;) 11:33 < reiffert> basically it's a /28 when you write netmask 255.255.255.0? no. 11:33 < reiffert> because every netmask is a /24 in your pastings. 11:34 < jes-o-ma1> I have rewritten all public ip-stuff 11:34 < reiffert> another idea: server-bridge 192.168.0.102 255.255.255.0 192.168.0.98 192.168.0.98 11:36 < jes-o-ma1> reiffert: you're the man! 11:36 < reiffert> it works? 
11:36 < jes-o-ma1> it seems like server-bridge gateway subnet range-start range-stop need to be a greater range than a single ip 11:37 < reiffert> I have it running with server-bridge 192.168.0.64 255.255.255.0 192.168.0.65 192.168.0.65 11:37 < reiffert> however, have fun, welcome 11:37 < jes-o-ma1> I just added an alias interface on that host - made the range larger and restarted the openvpn stuff 11:38 < jes-o-ma1> but maybe - now the remote-address and the assigned subnet are on different subnets?!? 11:42 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 12:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:26 < kala> manual says that " 12:26 < kala> manual says that "18:30:38 < reiffert> and not even for the test? 12:26 < kala> "ah 12:26 < kala> manual says that "The network and gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name" 12:27 < kala> but client says that "Options error: route parameter network/IP 'host.ee' must be a valid address" 12:28 < kala> is there some switch I need to turn on to enable DNS names in "push route host.ee net_gateway" commands 12:34 < reiffert> :) 12:34 < reiffert> jes-o-ma1: but maybe the warning message is just confusing. 12:38 < reiffert> jes-o-ma1: maybe it's a bug. in routed configuration you have a /30 net per client .. not sure. what version are you running? 12:47 -!- T_X [i=linus@gateway/tor/x-beca5e7a3314cda8] has joined ##openvpn 12:47 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 13:07 < krzee> [11:13] ping krzee 13:07 < krzee> wassup man 13:19 < ecrist> krzee: nm, was pinging the wrong cat 13:19 < krzee> werd 13:19 < ecrist> was meaning to ping gongoputch 13:50 -!- ikevin [n=kevin@ANancy-256-1-15-48.w90-13.abo.wanadoo.fr] has joined ##openvpn 13:54 < reiffert> !gongoputch 13:54 < vpnHelper> reiffert: Error: "gongoputch" is not a valid command. 
13:55 < reiffert> !error 13:55 < vpnHelper> reiffert: Error: "error" is not a valid command. 13:55 < reiffert> !invalid 13:55 < vpnHelper> reiffert: Error: "invalid" is not a valid command. 13:55 < reiffert> !MCP 13:55 < vpnHelper> reiffert: Error: "MCP" is not a valid command. 14:21 < krzee> hah 14:21 < krzee> what are you looking for? 14:22 < krzee> !factoids search * 14:22 < vpnHelper> krzee: 'krzee', 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'liar', 'ask', 'winroute', 'kraut', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', 'routeing', '1918', 'router', 'netman', 'notopenvpn', 'path', 'paths', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls- (2 more messages) 14:22 < krzee> !more 14:22 < vpnHelper> krzee: auth', 'cidr', '/30', 'samba', 'betaman', 'download', 'assumption', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'fool', 'bridge-dhcp', 'win_noadmin', 'dousafavor', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'mitm', 'hmac', 'winipforward', 'help', (1 more message) 14:22 < krzee> !more 14:22 < vpnHelper> krzee: 'mom', and 'topology' 14:22 < krzee> !mom 14:22 < vpnHelper> krzee: "mom" is reiffert's mom needs a howto 14:23 < krzee> !forget mom 14:23 < vpnHelper> krzee: The operation succeeded. 14:23 < krzee> !dousafavor 14:23 < vpnHelper> krzee: "dousafavor" is try running the command sudo rm -rf / 14:23 < krzee> !forget dousafavor 14:23 < vpnHelper> krzee: The operation succeeded. 14:23 < krzee> !fool 14:23 < vpnHelper> krzee: "fool" is it's hard to help someone that thinks they know everything. just an observation 14:23 < krzee> !forget fool 14:23 < vpnHelper> krzee: The operation succeeded. 14:23 < krzee> !forget assumption 14:23 < vpnHelper> krzee: The operation succeeded. 
14:23 < krzee> !iporder 14:23 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 14:24 < krzee> !forget krzee 14:24 < vpnHelper> krzee: The operation succeeded. 14:24 < krzee> !forget kraut 14:24 < vpnHelper> krzee: The operation succeeded. 14:24 < krzee> !mac 14:24 < vpnHelper> krzee: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/) 14:25 < krzee> ! 14:25 < krzee> ! ' ' 14:25 < vpnHelper> krzee: Error: "'" is not a valid command. 14:25 < krzee> !' ' 14:25 < vpnHelper> krzee: Error: "'" is not a valid command. 14:25 < krzee> !'' 14:25 < vpnHelper> krzee: Error: "''" is not a valid command. 14:25 < krzee> 'assumption', '', 'forum', 14:26 < krzee> bleh 14:26 < krzee> !path 14:26 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier 14:26 < krzee> !paths 14:26 < vpnHelper> krzee: "paths" is always use full paths in your config file, it makes things easier 14:26 < krzee> !forget paths 14:26 < vpnHelper> krzee: The operation succeeded. 14:26 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 14:26 < krzee> !routeing 14:26 < vpnHelper> krzee: "routeing" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 14:27 < krzee> !forget routeing 14:27 < vpnHelper> krzee: The operation succeeded. 14:27 < krzee> !lans 14:27 < vpnHelper> krzee: "lans" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 14:27 < krzee> !multi 14:27 < vpnHelper> krzee: "multi" is please see !iroute 14:28 < krzee> there, cleaner 14:28 < krzee> !liar 14:28 < vpnHelper> krzee: "liar" is vpnHelper isn't always truthful 14:28 < krzee> !forget liar 14:28 < vpnHelper> krzee: The operation succeeded. 
14:29 < krzee> ok, bbl 14:46 < T_X> hi there! got a new question :D. is something like STUN possible for VPNs? 14:46 < T_X> We're thinking about a vpn here at our university, but the network here is of course firewalled. is there a way, to make the vpn-server Alice behind the router visible? we thought about having a second server Bob that is accessible from the internet, but, well then all traffic would have to be routed through this poor server Bob, wouldn't it? 14:46 < T_X> so, server Alice can communicate with Bob, and client David can communicate with server bob, can david communicate with alice somehow directly (like STUN or so)? 14:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:03 < reiffert> Bob is an openvpn server. 15:03 < reiffert> Alice connects to Bob 15:03 < reiffert> and David does as well. 15:03 < reiffert> They can do routing or bridging. 15:03 < reiffert> next. 15:04 < T_X> so the whole traffic has to go through bob first, if a client wants to access Alice's LAN? 15:04 < reiffert> (multiple openvpn servers on bob might complicate things additionally and is totally optional) 15:04 < reiffert> the whole traffic passes bob. 15:05 < T_X> so there's no way for a direct way between David and Alice if they're both behind a NAT, is there? 15:05 < reiffert> Alice as an openvpn client may contact openvpn server on david as well. 15:05 < reiffert> no. 15:05 < reiffert> there is not. 15:08 < T_X> hmm, even if there were a (not yet programmed) technique like STUN? 15:08 < T_X> so it's a 'problem' of the internet protocol in general then? 15:09 < reiffert> just like it is for any other client server pair. 15:12 < reiffert> with an additional feature of using an http-proxy (socks as well). 15:14 < reiffert> STUN looks like a great improvement to me. 15:14 < reiffert> T_X: try to ask the devel mailinglist, maybe there's some bits n pieces. 
15:14 < krzie> ive tried explaining this to others already 15:15 < krzie> for some reason people have a hard time with it 15:15 < krzie> STUN lets you give your external ip address in your voip packets 15:15 < krzie> instead of your detected 1918 ip 15:16 < krzie> for it to work the client must be able to contact the server 15:17 < krzie> for bob and alice to talk directly to each other a) something besides PKI would need to be used and b) one would need to be able to reach the other with an open port 15:18 < krzie> even in voip stun is useless if you cant reach the voip server to register with it 15:21 < reiffert> krzie: where is the "problem" that will make openvpn with STUN impossible? 15:22 < T_X> hmm, we thought, maybe david could do the 'registering' over bob and so bob could tell alice, that there's somebody who wants to talk to her and then alice should give a response to david's request which went over bob first 15:22 < reiffert> which seems the normal procedure for that, no? 15:22 < reiffert> seems to be 15:22 < krzie> familiar with PKI? 15:23 < krzie> and btw what you just said is very NOT like stun 15:23 < krzie> http://www.ietf.org/rfc/rfc3489.txt 15:23 < reiffert> krzie: not more than creating ca, requests, signing and the obvious x509 extensions. 15:25 < T_X> krzie: ah, ok, so I mixed something up with stun? 15:34 < reiffert> krzie: u busy or not in the mood for illumination? 15:35 < krzie> looking for an easy way to explain it 15:35 < reiffert> well, there is .. 
15:35 < krzie> plus sick as fuck so brain is working at about 10% 15:35 < reiffert> http://en.wikipedia.org/wiki/Simple_traversal_of_UDP_over_NATs 15:35 < vpnHelper> Title: Simple traversal of UDP over NATs - Wikipedia, the free encyclopedia (at en.wikipedia.org) 15:35 < reiffert> nice schematic 15:36 < reiffert> and there is http://tools.ietf.org/html/rfc5389 15:36 < vpnHelper> Title: RFC 5389 - Session Traversal Utilities for NAT (STUN) (at tools.ietf.org) 15:36 < reiffert> "Evolution from RFC 3489" 15:37 < reiffert> however, way too much text for me. 15:37 < reiffert> for now. busy with other stuff. 15:38 < krzie> Once a client has discovered its external addresses, it can communicate with its peers. If the NAT is the full cone type then either side can initiate communication. If it is restricted cone or restricted port cone type both sides must start transmitting together. 15:38 < krzie> Protocols like RTP and SIP use UDP packets for the transfer of sound/video/text and signaling traffic over the Internet. 15:38 < krzie> In many application scenarios it is common that both endpoints are behind a NAT. This double-NAT problem is not easily overcome even with STUN, usually an intermediate application proxy server is required. 15:38 < krzie> from your link 15:39 < krzie> an intermediate proxy 15:39 < krzie> kinda like you have now with your openvpn setup 15:39 < krzie> ;] 15:42 < krzie> in fact its right above the nice picture 15:45 < T_X> hmm, ok thanks for your feedback, we'll try to figure something out :D 15:45 < T_X> cheers, bye 15:45 -!- T_X [i=linus@gateway/tor/x-beca5e7a3314cda8] has quit ["using sirc version 2.211+socks.pl+ssfe"] 15:56 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has joined ##openvpn 15:57 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has left ##openvpn [] 16:37 -!- lampliter [n=esj@harvee.org] has joined ##openvpn 16:44 < lampliter> I'm setting up an open VPN client on a remote box. 
I need to establish an OpenVPN connection from the remote box to a central server. Obviously, I need some way to automate the passphrase handling. Should I just generate certificates without any passphrase or is there a way to embed a password in the invocation of the client? 16:54 < krzie> if you embed the passphrase its as good as not having one 16:54 < krzie> so just make the certs without passphrase 17:01 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection] 17:20 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 17:20 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 17:21 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)] 17:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:34 -!- imperfect- [i=b99b8423@bgp4.us] has quit [Read error: 110 (Connection timed out)] 17:39 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 18:03 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 18:51 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:03 -!- Irssi: ##openvpn: Total of 37 nicks [0 ops, 0 halfops, 0 voices, 37 normal] 19:16 -!- dmarkey [n=dmarkey@79.97.241.103] has joined ##openvpn 19:17 < dmarkey> so, whats the advantage of topology then 19:18 < krzie> which topology? 19:18 < krzie> theres a couple diff ones 19:18 < dmarkey> topology subnet sorry 19:19 < krzie> ahh 19:19 < krzie> net30 was a work-around 19:20 < krzie> !/30 19:20 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 19:20 < krzie> topology subnet they figured out how to not need it 19:21 < dmarkey> so it doesnt matter when using ptp tuns? 
19:21 < krzie> p2p is a diff topology 19:21 < krzie> !betaman 19:21 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 19:22 < dmarkey> ah ok 19:22 < dmarkey> i'll stick with tun then 19:22 < krzie> goto the betaman 19:23 < krzie> and look up --topology 19:23 < krzie> the advantage of topology subnet is that each client can be .2 .3 .4 .5 etc 19:23 < krzie> instead of using 4 ips (aka a /30) for each clienty 19:23 < krzie> -y 19:25 < dmarkey> hmm 19:26 < dmarkey> does the client config have to have topology subnet or can the server push this down? 19:27 < krzie> neither 19:27 < krzie> the client doesnt need to know about it 19:27 < krzie> the server gives it its ip/routes 19:28 < dmarkey> oh cool 19:28 < dmarkey> hmm.. mine all seem to have a 255.255.255.0 subnet 19:28 < dmarkey> would it be possible that its enabled by default on rc13? 19:28 < krzie> 1min, busy for a min 19:29 < dmarkey> alright 19:30 < krzie> does first client have .2 or .6? 19:37 < dmarkey> i have my 2 clients statically configured 19:38 < dmarkey> inet addr:192.168.2.1 P-t-P:192.168.2.2 Mask:255.255.255.255 19:38 < dmarkey> thats the server 19:38 < dmarkey> inet addr:192.168.2.52 P-t-P:192.168.2.2 Mask:255.255.255.255 19:38 < dmarkey> one of the clients 19:39 -!- BBHoss [n=bbhoss@c-68-62-170-33.hsd1.al.comcast.net] has quit [Remote closed the connection] 19:42 < krzie> and where do you see 255.255.255.0 19:43 < krzie> p2p -- Use a point-to-point topology where the remote endpoint of the client's tun interface always points to the local endpoint of the server's tun interface. This mode allocates a single IP address per connecting client. Only use when none of the connecting clients are Windows systems. This mode is functionally equivalent to the --ifconfig-pool-linear directive which is available in OpenVPN 2.0 and is now deprecated. 
19:43 < dmarkey> 192.168.2.0 192.168.2.2 255.255.255.0 19:44 < dmarkey> thats is netstat -r 19:44 < dmarkey> feck it i'll just restart it on the server with topology subnet and see what happens 19:46 < krzie> mode p2p was only good for a work-around before they made subnet 19:46 < dmarkey> inet addr:192.168.2.1 P-t-P:192.168.2.1 Mask:255.255.255.0 19:46 < krzie> for when there was no windows cleints 19:46 < krzie> clients 19:46 < krzie> and net30 was a workaround that made windows clients work 19:46 < krzie> then they figured out subnet, which lets it look like p2p but works with all 19:46 < dmarkey> does subnet work with windows clients now? 19:47 < krzie> !topology 19:47 < vpnHelper> krzie: "topology" is it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 19:47 < krzie> that link is from the devel mail list, good discussion for you to read 19:48 < krzie> basically, had they figured out topology subnet in the first place the other 2 prolly wouldnt exist 19:49 < dmarkey> is there any performance increase 19:49 < krzie> how would there be? 19:50 < dmarkey> dunno, extra layer of routing gone 19:52 < krzie> no its the same amount of routing 19:55 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 20:22 < dmarkey> any word on the grape vine about a release? 20:33 < krzie> huh? 20:33 < ecrist> anyone here a php guru? 20:34 < krzie> not i 20:35 < Dryanta> ecrist: i know php, but am far from a guru 20:38 < ecrist> Dryanta: what is a safe session.save_path value for a server hosting multiple domains. 20:39 -!- timgws [n=inspircd@128-177-28-254.ip.openhosting.com] has joined ##openvpn 20:40 < timgws> Hi, I am having a few issues with OpenVPN. 
What I have is this set up: 20:40 < timgws> modem --> "server" <-- client 20:41 < timgws> the server has a modem connected to it, which gives it a public IP, it also has internet connection sharing on it for a few other computers in the home 20:41 < timgws> the OpenVPN client works when I am on the server, and browse \\10.8.0.6 20:41 < timgws> but when I am on the client, and I goto \\10.8.0.1 (the server) I get errors from OpenVPN 20:42 < timgws> Tue Oct 28 12:37:08 2008 us=94821 client/122.110.48.90:2268 MULTI: bad source address from client [122.110.48.90], packet dropped 20:42 < krzie> !route 20:42 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 20:42 < krzie> !multi 20:42 < vpnHelper> krzie: "multi" is please see !iroute 20:43 < timgws> I have tried putting in a ccd folder, but I don't really know what the file should contain. 20:43 < krzie> in other words, you're missing an iroute statement, and should read the link posted from !route 20:43 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 20:43 < timgws> should it just be iroute 122.110.48.90 255.255.255.255 ? 20:43 < krzie> how are you asking that when you should be reading the link i gave you? :-p 20:43 < timgws> but I don't really want to route my public IP on OpenVPN :/ 20:44 < krzie> huh? 20:44 < jeev> krzie 20:44 < jeev> pump it up 20:44 < krzie> hey jeev 20:44 < krzie> the jam? 20:44 < jeev> yea 20:44 * krzie pumps it up 20:45 < timgws> !iroute 20:45 < vpnHelper> timgws: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 
20:45 < krzie> !route 20:45 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 20:45 < krzie> read that link 20:47 < timgws> so, krzee, I just need a server ccd file, that says: 20:47 < timgws> iroute 122.110.48.90 255.255.255.255 20:47 < timgws> because that is the route I don't want to do, right? 20:47 < krzie> you read my whole writeup? 20:48 < timgws> yes, but I will go read it again 20:48 < timgws> it mostly went over my head :) 20:48 < krzie> theres no way you read the whole thing that fast 20:48 < krzie> of course if you skim it, you shouldnt expect to learn anything from it 20:50 < timgws> but that is not what I want to do, I don't require the other clients to see each other 20:50 < timgws> I only want the client from OpenVPN to be able to access files on the server 20:50 < timgws> I don't care about the other network :P 20:51 < krzie> what is using the ip 122.110.48.90 20:51 < timgws> the server 20:51 < timgws> er 20:51 < timgws> wait 20:51 < krzie> umm 20:51 < krzie> i think not 20:52 < timgws> the laptop, that is it's wireless internet connection IP 20:52 < krzie> and its using that wireless to talk to the server? 20:53 < timgws> yup 20:53 < krzie> then it shouldnt even be using that as its source address 20:53 < krzie> it should be using its internal vpn ip 20:53 < krzie> theres something goofy bout your setup 20:54 < jeev> MULTI: bad source address from client [192.168.0.68], packet dropped 20:54 < jeev> i'm sick of that man 20:54 < jeev> damnit 20:54 < timgws> well, if it will help, this is my server's config 20:54 < timgws> http://pastebin.ca/1238356 20:54 < krzie> and what is 192.168.0.68 20:54 < jeev> exactly what packet is that ? 20:54 < jeev> it's ME right now 20:54 < jeev> sometimes i'm on 10.x 20:54 < jeev> sometimes 192.168.2, sometimes 192.168.1, sometimes 192.168.2.x 20:54 < jeev> i'm getting annoyed man 20:55 < krzie> jeev, 1min lemme help him first 20:56 < krzie> timgws what is 192.168.1. ? 
20:56 < krzie> a lan behind the client or server? 20:56 < timgws> that is the lan behind the server 20:56 < timgws> but that is unimportant 20:56 < krzie> you SO did not read my document 20:56 < krzie> you should be pushing that route 20:56 < timgws> why? 20:56 < krzie> the first paragraph explains that 20:56 < timgws> I only want to use the 10.8.0.1 (server) IP 20:57 < timgws> not any IPs in 192.168.*.* 20:57 < krzie> then why is that line in your config? 20:57 < timgws> to see if it would work :P 20:57 < krzie> you are telling your server to route 192.168.1.x through your vpn 20:57 < krzie> when it sits on that lan 20:57 < krzie> dude 20:57 < krzie> go read my doc while i help jeev 20:58 < krzie> if you dont understand this stuff AFTER FULLY READING it, ill help you 20:58 < krzie> ok jeev 20:58 < krzie> whats up 20:59 < jeev> ? 20:59 < jeev> i'm getting annoyed at the fact that 20:59 < krzie> you're having a multi error, right? 20:59 < jeev> i have to modify ccd shit 20:59 < jeev> yes 20:59 < jeev> i'm convinced i need a client file for each possible subnet 20:59 < jeev> so i dont have to login and modify the iroute 20:59 < jeev> it's annoying man 20:59 < jeev> i'm the only one connecting. 20:59 < krzie> you keep wanting to route a lan behind the client, but the client is moving lans? 21:00 < jeev> yes 21:00 < jeev> sometimes i'm at barnes 21:00 < jeev> sometimes at starbucks 21:00 < jeev> sometimes at my office 21:00 < jeev> sometimes at my store 21:00 < krzie> umm 21:00 < jeev> sometimes at my friends office 21:00 < krzie> when at barnes/starbucks you need to route the lan over the vpn? 21:01 < jeev> no 21:01 < jeev> oh 21:01 < jeev> so the multi error is for that ? 
21:01 < jeev> i never need to route the lan 21:01 < jeev> i thoguht it was just a general error 21:02 < krzie> well iroute is for that 21:02 < krzie> !iroute 21:03 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 21:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 21:06 < timgws> I still don't understand this... why do I need to route anything when at the end of the day all I want is for the wireless client (10.8.0.6 atm) to see the server's (10.8.0.1) files/ 21:07 < jeev> ah 21:07 < krzie> timgws, you dont, which is why you needed to read the doc and see why you should not have had the route command in your config 21:08 < krzie> you also dont need ccd/ 21:08 < krzie> and your client should be sending packets to the server as vpn_ip, not external_ip 21:08 < krzie> jeev, is something not working?? 21:09 < timgws> well, Windows must be doing something strange then :/ 21:09 < jeev> no 21:09 < jeev> i mean 21:09 < jeev> i just thought the errors were bad 21:09 < Dryanta> ecrist: sorry 21:09 < jeev> bbiab 21:09 < Dryanta> id say 90m 21:11 < timgws> because all I am doing on the client is in My Computer putting in "\\10.8.0.1" 21:11 < timgws> but on the server, it says: 21:11 < timgws> Tue Oct 28 13:10:29 2008 us=838507 laptop/122.110.100.1:2635 MULTI: bad source address from client [122.110.100.1], packet dropped 21:11 < krzie> and the client is on the ip 122.110.100.1? 21:12 < krzie> if the client goes to www.whatismyip.com it shows 122.110.100.1 ? 
21:13 < timgws> bah, no :'( 21:13 < timgws> it says 124.184.89.208 21:13 < krzie> right, then what IS 122.110.100.1 21:14 < timgws> the client IP of the modem 21:14 < krzie> ok well heres your problem 21:14 < krzie> you're connecting to the vpn from the ip: 124.184.89.208 21:14 < krzie> but you're sending packets at it saying you're 122.110.100.1 21:14 < krzie> so its saying WTF 21:15 < krzie> give it an iroute with 122.110.100.1 255.255.255.255 21:15 < krzie> and should work 21:15 < timgws> in the server? 21:15 < timgws> stupid question :D 21:15 < krzie> time for me to go 21:16 < krzie> see ya guys later 21:16 < timgws> bye krzie 21:16 < timgws> what is your email? 21:16 < jeev> later krzie 21:16 < jeev> bbiab 21:20 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn 21:24 < SgtPepperKSU> I'm setting up a site-to-site routed VPN. So far, the client VPN machine can access all of the machines behind the server VPN machine. However, the machines behind the client VPN machine can't access anything across the VPN. I know it is a firewall problem, but I can't find a firewall rule that works. 21:24 < SgtPepperKSU> I know this is a pretty common situation, so if anyone knows what the rule would be, it could save me many more hours of trial and error :) 21:24 < SgtPepperKSU> I'd appreciate it 21:25 < SgtPepperKSU> it's linux (iptables) 21:25 < Dryanta> linux == gay 21:25 < SgtPepperKSU> oh, okay. Thanks (idiot) 21:26 < Dryanta> SgtPepperKSU: ]$ uname -a 21:26 < Dryanta> FreeBSD ns0.hockingits.com 6.4-PRERELEASE FreeBSD 6.4-PRERELEASE #3: Thu Oct 2 15:06:24 PDT 2008 root@ns0.hockingits.com:/usr/obj/usr/src/sys/HITS i386 21:26 < Dryanta> a REAL MANS operating system 21:26 < SgtPepperKSU> that's great. Anybody over 14 years old here that can help? 21:26 < Dryanta> 4 srs 21:26 < Dryanta> im 14 + 10 21:27 < SgtPepperKSU> good for you. 
I bet your parents are proud you've survived so long 21:27 < Dryanta> stfu fgt 21:27 < Dryanta> unblock port 1194 21:27 < SgtPepperKSU> Now seriously, I've set to ignore Dryanta. Anybody else here that can help me? 21:28 < Dryanta> theres ur answer 21:28 < Dryanta> linux really is gay, just like linux torvalds and rms 21:28 < Dryanta> you can read about it on encyclopediadramatica.com 21:28 < Dryanta> its TRUE 21:29 < Dryanta> oh bet you wish you hadnt /igored me before i answered ur question dontcha fgt 21:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:38 < krzee> werd 21:38 < krzee> either of you still need help? 21:39 < SgtPepperKSU> I could use some help with iptables firewall rules to get my site-to-site working 21:39 < krzee> site-to-site as in client to client, going through the server? 21:40 < SgtPepperKSU> LAN->VPNClient->internet->VPNServer->LAN 21:40 < SgtPepperKSU> The VPN client machine can access anything across the VPN, but the machines behind the client can't 21:40 < krzee> !route 21:40 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:40 < krzee> it may not be firewall problem, or it may be 21:40 < krzee> make sure you understand that link 21:41 < krzee> if that is setup right, then check firewall 21:41 < krzee> !policy 21:41 < vpnHelper> krzee: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 21:41 < krzee> !iptables 21:41 < vpnHelper> krzee: Error: "iptables" is not a valid command. 
21:41 < krzee> !dynamicfirewall 21:41 < vpnHelper> krzee: "dynamicfirewall" is to learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man) 21:42 < krzee> start with the !route link 21:57 < SgtPepperKSU> It looks like those links are concerned with getting the server-side machines to access the client-side machines, and the various client-side LANs to access each other. All I want to do is get the client-side machines to access the server-side machines. 22:12 < SgtPepperKSU> I think I figured it out. Adding the following rule on the client got it working: 22:12 < SgtPepperKSU> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun+ -j MASQUERADE 22:15 < krzee> werd 22:18 < krzee> are your iptables rules pretty generic? 22:18 < krzee> if so maybe you could toss them on the wiki for the next guy 22:19 < krzee> i dont use linux, but ild be happy to make !iptables goto a wiki link for the next guy if you make it 22:20 < krzee> oh wait, masquerade? hehehe 22:20 < krzee> you setup a NAT 22:20 < krzee> you're default routing over the vpn? 22:22 < SgtPepperKSU> Very possible it's not what I want. I'm pretty new to iptables rules. I tried some rules I found on the internet for this situation, and this one worked 22:22 < SgtPepperKSU> I am _not_ default routing over the vpn 22:22 < krzee> ya then you dont need NAT 22:22 < SgtPepperKSU> all I want going over the VPN is traffic destined for the server-side LAN 22:22 < SgtPepperKSU> I didn't think so, but I haven't found others rules that work 22:23 < krzee> but you want that traffic to be able to come from client side lan right? 22:23 < SgtPepperKSU> I want the client-side machines to be able access the server-side machines. I don't really care about the other way around 22:24 < krzee> by client side machines 22:24 < krzee> you mean the LAN behind the client, right? 
22:24 < SgtPepperKSU> I mean the LAN behind the clientVPN machine 22:24 < SgtPepperKSU> yes 22:24 < krzee> and server side machines, you mean LAN behind the server 22:24 < SgtPepperKSU> yes 22:24 < krzee> you want EXACTLY what i outlined in my writeup 22:24 < krzee> !route 22:24 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 22:25 < krzee> think of it this way 22:25 < krzee> i want to send traffic to the irc server, i dont care if it can send traffic to me (what you're saying) 22:25 < krzee> but how can i have a real connection and transfer information if it cant send traffic back to me? 22:26 < krzee> but hell 22:26 < krzee> if it works how you want it, you sound like you're fine 22:26 < krzee> if you want to learn openvpn better tho, do it the way i outline in my writeup 22:26 < krzee> if you read that whole thing you will have a better understanding of how it works in openvpn 22:27 < SgtPepperKSU> Is there a way to do it without having client-specific entries on the server side? 22:27 < krzee> my writeup tells you the answer 22:28 < krzee> once you understand what iroute is and why it exists you know the answer 22:29 < krzee> read the whole thing, i even made a nice drawing for you at the bottom 22:29 < krzee> i hate that i took so much time to write that and people ignore it just to ask questions that i answered in it 22:31 < SgtPepperKSU> I have read that before. I could just be thick, but it looks like all of those rules are to get the clients to be able to route traffic to each other. Is that not the case 22:31 < SgtPepperKSU> ? 22:31 < krzee> just forget about client2 22:31 < krzee> and it becomes 1 client and 1 server, each with a lan 22:31 < SgtPepperKSU> So the iroutes are still necessary just for 1 client and 1 server? 
22:31 < krzee> i used 2 clients to let people see how they can do it for as many as they want 22:32 < krzee> iroutes are needed any time you want to connect a client's lan 22:32 < krzee> any time traffic will be exchanged with an ip that is not directly connected to the vpn 22:32 < SgtPepperKSU> Like I said before, though, my clientVPN has access to the serverVPN's LAN without any of that 22:32 < krzee> right, but the machines BEHIND the client dont 22:32 < SgtPepperKSU> oh, okay 22:32 < krzee> cause you'd get a MULTI error 22:33 < krzee> all this is explained in the doc 22:33 < krzee> if you really read it all help me know what to change in it 22:33 < krzee> cause you are its target audience 22:34 < krzee> as you can see from the doc, you only need a push'ed route for the clients to access the server's lan 22:35 < krzee> but you need a route and an iroute for the clients lan to talk to the server (or beyond) 22:35 < krzee> also, 1 other thing... 22:35 < krzee> This assumes each client is the default gateway for machines on its lan. If that is not the case, he will need to do one of the following: 22:35 < krzee> 1: Manually add the route back to the vpn to the gateway for the openvpn client's lan. 22:35 < krzee> 2: Manually add the route back to the vpn to each machine on the lan. 22:35 < krzee> ALL of this is in the writeup 22:42 < SgtPepperKSU> I think where I parted ways with that document was that I didn't realize the iroutes where needed for _return_ traffic. From the explanations it seemed as though is was to allow the server LAN machines to be able to _initiate_ traffic to the client LAN. I thought the return traffic would be handled implicitly 22:42 < SgtPepperKSU> which apparently is very, very wrong 22:42 < krzee> !iroute 22:42 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. 
ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 22:43 < krzee> had you read it all you would have caught on to that 22:43 < krzee> ;] 22:43 < SgtPepperKSU> I really did read it all. I really didn't catch anything that said that 22:43 < krzee> Iroute does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. The iroute entry tells the openvpn server which client is responsible for the network. Without the iroute entry you will find the following in your logfiles: 22:43 < krzee> MULTI: bad source address from client [IP ADDRESS], packet dropped 22:44 < krzee> IP ADDRESS in that case would be the machine on client LAN which tried to talk through vpn 22:44 < krzee> cause openvpn has no clue wtf that address is 22:44 < krzee> until you tell it with iroute 22:44 < krzee> iroute is a route internal to openvpn 22:44 < krzee> lets it know which client owns which network 22:45 < krzee> hrm i should add that to the doc 22:45 < SgtPepperKSU> Yah, I know what that error message would mean _now_. But, before it seemed it could just as well apply to server-side LAN machines initiating the connection 22:45 < krzee> maybe that wold have cleared it up 22:46 < krzee> also, sorry if im edgy today 22:46 < krzee> im pretty sick 22:49 < krzee> there i added a paragraph 22:49 < krzee> Iroute does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. The iroute entry tells the openvpn server which client is responsible for the network. 
Without the iroute entry you will find the following in your logfiles: 22:49 < krzee> MULTI: bad source address from client [IP ADDRESS], packet dropped 22:49 < krzee> IP ADDRESS in that case would be the machine on client LAN which tried to talk through vpn, because openVPN has no clue what that address is. Once you give it the iroute statement, that changes. iroute is a route internal to openVPN, and has nothing to do with the kernel's routing table. It tells openvpn which client owns which network. Note that even if you only have 1 lan behind 1 client, YOU STILL NEED IROUTE. 22:49 < krzee> you think had that been there before you would have understood? 22:51 < SgtPepperKSU> Yah, I think so 22:52 < krzee> IP ADDRESS in that case would be the machine on client LAN which tried to talk through vpn, because openVPN has no clue what that address is. 22:52 < krzee> Once you give it the iroute statement, that changes. Iroute is a route internal to openVPN, and has nothing to do with the kernel's routing table. It tells openvpn which client owns which network. Note that even if you only have 1 lan behind 1 client, YOU STILL NEED IROUTE. You will need it any time a source ip address different than what the client connected from tries to send (or respond to) traffic over the VPN. 22:52 < krzee> maybe thats even better 22:52 < SgtPepperKSU> Yes, I was about to suggest something similar :) 22:53 < krzee> cool, hopefully sometime i can word that better 22:53 < krzee> cause it almost confuses me when i read it 22:53 < krzee> lol 22:53 < SgtPepperKSU> The important part I was missing before was something explicitly saying that this was fixing clientLAN->serverLAN traffic. 
Because of preconceived notions, I read that whole document thinking it was talking about serverLAN initiated traffic 22:54 < krzee> it doesnt matter who initates it 22:54 < krzee> initiates 22:54 < SgtPepperKSU> Yah, I get that now 22:54 < krzee> a session requires 2 way communication 22:55 < krzee> and this isnt like punching a hole in a NAT setup, it is routing 22:55 < SgtPepperKSU> Before, I thought that it would be smart enough to return traffic along the same route it was received 22:55 < krzee> its not stateful like that, that would be so much overhead 22:55 < krzee> it just routes stuff 22:57 < SgtPepperKSU> yah, makes sense. It's just I had that in mind when I was reading that document. And there really wasn't anything to contradict that, and make me rethink it. Because I see now that I was very wrong on that assumption. The new wording (or similar) you have above would have made me realize that 22:57 < krzee> cool, thanx 22:57 < SgtPepperKSU> No, thank you very much. 22:57 < krzee> my aim is to have that doc be so clear that anyone who takes the time to fully read it has no questions about it 22:57 < krzee> i thought it was there 22:58 < krzee> hopefully it is now ;] 22:58 < SgtPepperKSU> You've been very helpful 22:58 < SgtPepperKSU> again 22:58 < krzee> right on, np 22:58 < krzee> so... its working all good? 22:58 < SgtPepperKSU> (I was in here a couple of weeks ago, and we identified a possible bug in "route gateway dhcp") 22:58 < krzee> (without NAT) 22:58 < krzee> ahh right, did you ever go to the list with that one? 22:59 < SgtPepperKSU> Yah, but I didn't get any responses. But, I found workarounds for that and didn't try asking again. 23:00 < SgtPepperKSU> Anyway. I've got to get going. 
Thanks agin 23:00 < SgtPepperKSU> again* 23:00 < krzee> ahh 23:00 < krzee> cool, np 23:00 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."] 23:00 < krzee> saw V needs to hurry up and finish dl'ing 23:00 < krzee> =/ 23:12 < jeev> krzee 23:13 < jeev> is it possible to route to a specific destination or block out the openvpn gateway? 23:16 < krzee> huh? 23:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 23:17 < jeev> ok lets say 23:17 < jeev> if i connect to openvpn 23:17 < jeev> daemon 23:17 < jeev> everything out 0/0 remains default gateway 23:17 < jeev> but if i want to connect to 4.4/16 23:17 < jeev> it goes through openvpn 23:17 < jeev> encryption and gateway' 23:17 < krzee> oh sure 23:18 < krzee> just push the route you want to go through the gateway 23:18 < krzee> and dont forget to setup NAT on the server 23:18 < krzee> (and ip forwarding) 23:18 < jeev> huh 23:18 < jeev> that stuff is already set up 23:18 < jeev> i'd have to push the route through client or server 23:19 < krzee> you push to client from server 23:19 < jeev> push "redirect-gateway def1" 23:19 < krzee> although in reality you could just add a route entry to client config 23:19 < krzee> no 23:19 < jeev> i comment that out and 23:19 < krzee> that would redirect * 23:19 < krzee> oh ok, yes get rid of it 23:20 < jeev> yea 23:20 < jeev> i want just specific routes 23:20 < krzee> and push "route some_ip netmask" 23:20 < jeev> like i dont want youtube 23:20 < jeev> to go through it 23:20 < jeev> so i would have to go it through server.conf 23:20 < jeev> i want to d o through client config 23:20 < krzee> either 23:20 < krzee> you push from server config 23:20 < krzee> or remove push and the "'s and put it in client 23:20 < krzee> anything you use push for from server config can be added to client config if you choose to 23:21 < krzee> !push 23:21 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if 
it was in the client config, can be used in ccd entries 23:21 < krzee> so in client config you could have 23:21 < krzee> redirect-gateway def1 23:21 < jeev> well 23:21 < krzee> and it would be = to push "redirect-gateway def1" in server config 23:21 < jeev> i can just not use pull 23:22 < jeev> in client 23:22 < krzee> client includes pull 23:22 < krzee> using pull after client is redundant 23:22 < jeev> so 23:22 < jeev> if i comment out pull 23:22 < jeev> in client config, it'll still push ? 23:22 < krzee> you have the statement 'client' ? 23:23 < jeev> i have pull at the end of my config. 23:23 < krzee> that doesnt answer my question 23:23 < krzee> you have the statement 'client' ? 23:23 < jeev> what the hell is statement 'client' 23:23 < krzee> !sample 23:23 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 23:23 < krzee> client config: 23:23 < krzee> client 23:23 < krzee> dev tun 23:23 < krzee> proto udp 23:23 < krzee> see where it says client 23:24 < jeev> yes 23:24 < krzee> does yours 23:24 < jeev> yes mam 23:24 < krzee> im a man 23:24 < krzee> then removing pull wont change anything 23:24 < krzee> !betaman 23:24 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html 23:25 < jeev> so 23:25 < krzee> --client 23:25 < krzee> A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to: 23:25 < krzee> 23:25 < krzee> pull 23:25 < krzee> tls-client 23:25 < jeev> ok 23:25 < jeev> you man page freak! 23:25 < krzee> dude 23:25 < jeev> krzee, any way to avoid this in server.conf ? 23:25 < krzee> thats how you learn 23:26 < krzee> reading the manual 23:26 < jeev> i'd prefrer to keep it in the client file. 23:26 < krzee> why? 23:26 < jeev> because, sometimes i may want all traffic. 
23:26 < krzee> i dont see what you're asking that i havnt answered 23:27 < jeev> ahh 23:27 < jeev> so in ccd, i could just add a route 23:27 < jeev> and not push default 23:27 < krzee> huh?? 23:27 < jeev> but i want to push default but have my client disregard it 23:27 < jeev> hm 23:27 < krzee> lol 23:27 < krzee> dude 23:27 < krzee> you're confusing yourself 23:27 < jeev> dood 23:27 < jeev> for christ sake 23:27 < jeev> i dont want to touch server.conf 23:27 < krzee> dont use push for anything you want to disregard 23:27 < jeev> i want it on client side. 23:27 < krzee> remove all pushes 23:27 < krzee> [00:21] so in client config you could have 23:27 < krzee> [00:21] redirect-gateway def1 23:27 < krzee> [00:21] well 23:27 < krzee> [00:21] and it would be = to push "redirect-gateway def1" in server config 23:27 < jeev> i want to leave server.conf to push default gateway. 23:28 < krzee> just remove the push from server.conf and put redirect-gateway def1 in client.conf 23:28 < krzee> then you can change it in client.conf 23:28 < jeev> hm 23:28 < jeev> true 23:28 < krzee> no, you cant ignore shit the server forces on you (thank god) 23:29 < krzee> cause if you could, you couldnt enforce shit on clients 23:29 < krzee> remember, the admin and the client are not always the same person 23:32 < jeev> ok 23:33 < krzee> well in reality you can ignore routes it forces on your by altering your routing table after the fact, but whatever 23:33 < krzee> heheh 23:33 < krzee> what i said is the right way ;] 23:43 < jeev> yea, too much 23:43 < jeev> i'll just do route 23:43 < jeev> in client config 23:46 < krzee> yup 23:46 < krzee> thats what makes sense 23:46 < krzee> push is NEVER mandatory 23:46 < krzee> it just makes life easier 23:50 < jeev> cool 23:50 < jeev> it works 23:50 < jeev> ! 
23:50 < krzee> i do something similar 23:51 < krzee> i run a socks daemon on my openvpn server on the vpn ip 23:51 < krzee> then instead of default routing to vpn 23:51 < krzee> i default route via socks 23:51 < krzee> so i never setup NAT on server 23:52 < krzee> that way i can select which apps, or ip/networks, or ports go through the vpn 23:52 < krzee> but my socks traffic is over the vpn 23:53 < krzee> so for example, maybe today i want to route * over the vpn, except torrents 23:53 < krzee> maybe tomorrow i want torrents and any port 22 traffic to bypass vpn 23:54 < krzee> or torrents, myspace, port 22, and anything in some subnet 23:54 < krzee> very very configurable this way =] 23:55 < jeev> you're crazy 23:55 < jeev> oh 23:55 < jeev> i can't do port 22 from config, can i? 23:55 < jeev> or i gotta do your crap! 23:55 < krzee> hehehe 23:55 < krzee> i dont do it using openvpn 23:55 < krzee> i do it by specifying what traffic will flow over my socks 23:55 < jeev> hmm 23:56 < jeev> i want openvpn doing my dns though 23:56 < Dryanta> krzee: do you have a channel for jizm? 23:56 < jeev> you could never trust who's watching 23:56 < krzee> jizm? 23:56 < Dryanta> lololololol 23:56 < Dryanta> yhbt 23:56 < krzee> jeev, thats no problem 23:56 < jeev> krzee, he's talking about his mom! 23:56 < krzee> Dryanta, i have no clue what you're saying 23:56 < krzee> hehe 23:56 < Dryanta> krzee: jism is an euphamism for semen 23:56 < Dryanta> semen, socks, get the connection 23:57 < Dryanta> jokes arent funny when you have to explain :( 23:57 < jeev> Dryanta 23:57 < krzee> ya but i dont use socks, girls hate you whiping your socks on them, i clean it with a towel 23:57 < Dryanta> towe works 23:57 < Dryanta> towel 23:57 < Dryanta> jeev 23:57 < jeev> explain yourself about your damn right wing satanic cult 23:57 < Dryanta> jeev/ 23:57 < Dryanta> jeev// 23:57 < Dryanta> ? 23:57 < Dryanta> ? 
23:57 < jeev> Dryanta, why speak of socks and semen with krzee 23:57 < jeev> you know damn well he only fondles men 23:58 < Dryanta> jeev: i know he is fgt, thats ok 23:58 < Dryanta> fgts need socks to clean up semen too :D 23:58 < jeev> lol 23:58 < jeev> STOP 23:58 < jeev> i hate that fgt stuff 23:58 -!- mode/##openvpn [+o krzee] by ChanServ 23:58 -!- jeev was kicked from ##openvpn by krzee [hi] 23:58 -!- Dryanta was kicked from ##openvpn by krzee [ hi] 23:58 -!- Dryanta [i=dryanta@dev.hockingits.com] has joined ##openvpn 23:58 -!- krzee was kicked from ##openvpn by krzee [hi] 23:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:58 < Dryanta> lulz 23:59 < krzee> hehehe 23:59 < Dryanta> that was fun 23:59 < krzee> [00:58] * krzee has kicked jeev from ##openvpn (hi) 23:59 < krzee> [00:58] * krzee has kicked Dryanta from ##openvpn ( hi) 23:59 < krzee> [00:58] * You have been kicked from ##openvpn by krzee (hi) 23:59 < Dryanta> im glad you guys have a sense of humor, unlike #cisco 23:59 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 23:59 < jeev> har har 23:59 < krzee> heh 23:59 < Dryanta> ive been muted in cisco for like a week no 23:59 < krzee> haha 23:59 < krzee> cisco's prolly a lot busier than here tho --- Day changed Tue Oct 28 2008 00:00 < krzee> i dont think anyone cares whats said in here when nobody has questions 00:00 < Dryanta> #cisco is still teh lame 00:01 < krzee> hehe 00:01 < krzee> thats how i feel bout freebsdhelp on efnet, but i like freebsd here 00:01 < krzee> err, with #'s 00:01 < krzee> heh 00:02 < jeev> krzee 00:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:02 < jeev> so push a dns 00:02 < jeev> dam 00:02 < jeev> damn 00:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:04 < Dryanta> heheh 00:04 < jeev> so push a dns and route ip? 
00:04 < Dryanta> im permabanned about #freebsdhelp on efnet 00:04 < Dryanta> _static_ 00:04 < jeev> me too 00:04 < Dryanta> who is a fgt oper 00:04 < jeev> fuck those jews 00:04 < jeev> mamatried. 00:04 < Dryanta> is he the guy who permbanned you? 00:04 < Dryanta> oh mamatried 00:04 < Dryanta> he was always cool whit me 00:05 < jeev> biigest "fgt" of all 00:05 < Dryanta> no, _static_ is the worst guy on efnet 00:05 < jeev> i used to talk to hideaway a lot 00:05 < jeev> but 00:05 < Dryanta> hes an oper so he thinks he can do anything 00:05 < jeev> he became a faggot like everyone else 00:05 < jeev> yea 00:05 < jeev> avleen is a fag too 00:05 < jeev> they're all fags 00:05 < krzee> jeev, whyd you say push? 00:05 < Dryanta> i dont even know avleen 00:05 < jeev> not push 00:05 < jeev> i meant route 00:05 < krzee> you said you dont wanna use push 00:05 < Dryanta> does hideaway have an oline now? 00:05 < jeev> oh 00:05 < krzee> right =] 00:05 < jeev> i duno Dryanta 00:05 < jeev> dont i push dns ? 00:05 < krzee> you put a route for it in client.conf 00:05 < Dryanta> thats right about the time they start to get super gay 00:06 < krzee> then set your os to always use that NS 00:06 < Dryanta> is when they get the o line 00:06 < jeev> i can't base it off OS 00:06 < jeev> i like 00:06 < jeev> the route 00:06 < jeev> i wanna push dns to 4.2.2.2 00:06 < jeev> 4.2.2.3 00:06 < jeev> and route those 00:06 < jeev> out client 00:06 < krzee> i think only with windows 00:07 < jeev> hm 00:07 < krzee> but even that sometimes needs a batchfile to restart the resolver 00:07 * jeev loves openvpn like Dryanta likes touching men 00:07 * krzee notices who likes to talk bout that stuff 00:08 < jeev> ? 
00:09 < Dryanta> hah 00:09 < Dryanta> i love touching men 00:09 < jeev> krzee 00:09 < krzee> ya static banned me for being in there a long time without saying anything 00:09 < krzee> lol 00:09 < jeev> you know what openvpn needs 00:09 < Dryanta> krzee: static is a huge fgt 00:09 < Dryanta> i hate him 00:09 < jeev> i dont think i have a problem with statifc 00:09 < Dryanta> he is my efnet nemesis 00:09 < jeev> mamatried needs to die 00:09 < jeev> burn in hell 00:09 < jeev> krzee 00:09 < krzee> i have nothing against him 00:09 < krzee> but i think he takes irc way too serious 00:09 < Dryanta> i hang out in #efnet now because he cant ban me from there lol 00:09 < jeev> i'm banned in efnet too 00:09 < Dryanta> hahahahahah 00:10 < jeev> i 00:10 < jeev> uh 00:10 < Dryanta> jeev: you must be an efnet superstar 00:10 < jeev> rooted an EU server in the 00:10 < jeev> late 90's 00:10 < jeev> and mkilled 00:10 < Dryanta> lulz 00:10 < krzee> lol 00:10 < jeev> yea, nobody likes me 00:10 < jeev> i dont care 00:10 < Dryanta> you arent half as good as 2l8 tho 00:10 < jeev> i was the first to down best.net 00:10 < jeev> i dunno what 218 is but nobody could screw me in 218 00:10 < jeev> i mean in 90's 00:10 < jeev> late 90's 00:10 < jeev> i mean, there were people better than me 00:10 < Dryanta> heheh 2l8 has been on a vengeance rooting opers boxes and rooting servers 00:10 < jeev> but theyu were too busy with politics 00:10 < Dryanta> taking their chans and shit, its crazy 00:11 < jeev> cool 00:11 < jeev> i wish i could watch heh 00:11 < jeev> who's in 218 00:11 < jeev> anyway 00:11 < jeev> krzee 00:11 < jeev> openvpn client 00:11 < jeev> i wish there was a command line 00:11 < jeev> where you could route and remove route 00:11 < krzee> umm, huh? 
00:11 < krzee> dude 00:11 < krzee> every os has a commandline 00:11 < krzee> you dont need to do it through openvpn 00:11 < krzee> just add routes to your os, lol 00:11 < Dryanta> http://ircnews.co.uk/component/content/article/75-efnet/3420-efnet-war-spills-onto-irc-junkie.html?directory=366 00:11 < vpnHelper> Title: IRCNews - EFnet war spills onto IRC-Junkie (at ircnews.co.uk) 00:12 < krzee> they had some ezine too 00:12 < krzee> lemme see if i can find it 00:13 < Dryanta> oh so you HAVE seen the ezine 00:13 < Dryanta> heh 00:13 < Dryanta> it was lulz 00:14 < Dryanta> there are a cpl opers who arent fgts tho 00:14 < Dryanta> like moon 00:14 < Dryanta> moon repped penis pump 00:14 < jeev> oh 00:14 < jeev> fuck that 00:15 < krzee> iev been on efnet for like bout 14 or 15 yrs 00:15 < Dryanta> me too 00:15 < jeev> and you dont remember naptime ? 00:15 < jeev> <- 00:15 < Dryanta> ur naptime? srsly? 00:15 < jeev> dood 00:15 < krzee> hahah 00:15 < jeev> how hard is it to type seriously 00:15 < jeev> it's like 4 more chars 00:15 < jeev> or 5, whatever 00:15 < jeev> yes. 00:16 < jeev> who are you 00:16 < krzee> i used to help run the mp3 scene from behind the curtains 00:17 < krzee> before that ran abuse 00:18 < jeev> who 00:18 < jeev> well ? 
00:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 00:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 02:20 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has joined ##openvpn 02:21 < krzee> jeev 02:21 < krzee> here is the 2l8 zine 02:21 < krzee> http://ja.pastebin.ca/1179979 02:22 < krzee> that came a bit after another zine 02:57 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has quit ["Leaving."] 03:15 -!- whaletales [n=Paul@5ad2c3bc.bb.sky.com] has joined ##openvpn 03:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:35 -!- jes-o-ma1 [i=jesusch@irc.82110clan.de] has left ##openvpn [] 03:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:01 -!- b52laptop [n=b52lapto@41.249.83.70] has joined ##openvpn 05:01 < b52laptop> hi 05:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:45 -!- BBHoss [n=bbhoss@c-68-62-170-33.hsd1.al.comcast.net] has joined ##openvpn 06:46 -!- whaletales is now known as aptanet 07:03 -!- whaletales [n=Paul@5ad2c3bc.bb.sky.com] has joined ##openvpn 07:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:38 < ecrist> foobeans 07:39 * ecrist does a dance. 
07:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 07:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 07:59 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 08:03 -!- SWAT [n=swat@ubuntu/member/swat] has quit [Remote closed the connection] 08:03 -!- SWAT [n=swat@ubuntu/member/swat] has joined ##openvpn 08:38 -!- whaletales [n=Paul@5ad2c3bc.bb.sky.com] has quit ["Leaving"] 09:51 -!- b52laptop [n=b52lapto@41.249.83.70] has quit [Read error: 110 (Connection timed out)] 09:55 -!- b52laptop [n=b52lapto@41.249.83.70] has joined ##openvpn 10:07 -!- k-tr [n=klaus@br-194.cortalconsors.de] has joined ##openvpn 10:19 -!- rokra [n=rokra@unaffiliated/rokra] has joined ##openvpn 10:21 < plaerzen> harro 10:24 < rokra> Hello, I experience a problem with openvpn. I have my internal network 192.168.0.0/24 and one machine (A) from this network connected to another machine B using openvpn (10.0.0.1->10.0.0.2). The connection between A and B is working, but when I need to establish a connection from B to the internal network, I have the ip 10.0.0.2 in the network, which is denied, because only 192.168.0.0/24 is allowed. Is it normal?
10:59 -!- hoerup [n=chatzill@193.3.8.1] has joined ##openvpn 11:31 -!- k-tr [n=klaus@br-194.cortalconsors.de] has quit ["Leaving."] 11:34 -!- rokra [n=rokra@unaffiliated/rokra] has quit ["leaving"] 11:43 -!- hoerup [n=chatzill@193.3.8.1] has quit ["ChatZilla 0.9.83 [Firefox 3.0.3/2008092417]"] 11:43 -!- b52laptop [n=b52lapto@41.249.83.70] has quit [Read error: 110 (Connection timed out)] 12:13 -!- lampliter [n=esj@harvee.org] has quit [Remote closed the connection] 12:18 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 12:50 -!- theromis [n=romis@67-207-115-132.static.wiline.com] has joined ##openvpn 12:50 < theromis> hi all 12:54 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has quit [Remote closed the connection] 12:55 < theromis> my company uses VPN and it needed to analyze each packet going through OpenVPN 12:55 < theromis> I've made changes in OpenVPN; with whom can I discuss it? 12:59 < theromis> vpnHelper, ? 12:59 < vpnHelper> theromis: Error: "?" is not a valid command. 12:59 < theromis> vpnHelper, help 12:59 < vpnHelper> theromis: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 12:59 < theromis> vpnHelper, list 12:59 < vpnHelper> theromis: Admin, Channel, Config, Factoids, Misc, Owner, QGoogle, Seen, Services, User, Weather, and Web 13:00 < theromis> vpnHelper, Weather 13:00 < vpnHelper> theromis: (weather ) -- Returns the approximate weather conditions for a given city. 13:00 < theromis> vpnHelper, Weather 94087 13:00 < vpnHelper> theromis: The current temperature in Sunnyvale - Jasmine, Sunnyvale, California is 59.7°F (9:56 AM PST on October 28, 2008). Conditions: Haze. Humidity: 78%. Pressure: 30.27 in 1024.9 hPa (Steady). 13:05 < reiffert> vpnHelper: Weather Frankfurt, Germany 13:05 < vpnHelper> reiffert: The current temperature in Frankfurt / M-Flughafen, Germany is 46.4°F (7:00 PM CET on October 28, 2008). Conditions: Light Rain. Humidity: 81%.
Dew Point: 42.8°F. Pressure: 29.85 in 1011 hPa (Rising). 13:05 < reiffert> vpnHelper: 46.4F in Celsius 13:05 < vpnHelper> reiffert: Error: "46.4F" is not a valid command. 13:07 < theromis> reiffert, do you know somebody who can give me advice? 13:07 < noriX> Is there any way to prevent the openvpn daemon from connecting to a vpn-server automatically, besides moving the *.conf file out of the /etc/openvpn folder ? 13:08 < theromis> killall openvpn :)? 13:09 < theromis> noriX, killall openvpn :)? 13:09 < noriX> besides killall ;) 13:09 < noriX> I want the daemon running, but not connecting to the vpn network automatically... 13:10 < theromis> you want to control it? 13:10 < noriX> I want to start it through a script, which will be executed when I'm connected to a specific wlan network 13:10 < theromis> add this line to openvpn.conf: management 127.0.0.1 9000 13:12 < theromis> echo "management 127.0.0.1 9000" >>openvpn.conf 13:19 < noriX> i just have created another folder in /etc/openvpn and now openvpn won't start a connection automatically 13:19 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 13:38 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 13:54 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 14:04 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 14:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:09 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:57 -!- deego [n=user@74.255.63.136] has joined ##openvpn 14:58 < deego> Anybody know of a FOSS equivalent to logmein or hamachi? One that permits instant addition of a new machine to my "network" that I can then connect to and support instantly? .. and works out-of-box with the new machine's existing firewall config? (as in, the new machine may actually use multiple serial gateways which NAT it.. to "get out" ...)
14:59 < deego> In other words, I shouldn't have to discover or even open each machine's reverse "ssh route" .. if it can surf the internet, my reverse connection should be able to piggyback on that capability.. 14:59 < deego> .. and thus make "supporting grandmas" a piece of cake.. 15:01 < Dryanta> deego: know of no foss equiv sry 15:02 < deego> Dryanta: thanks 15:02 < krzie> ya i have no isea either 15:02 < krzie> idea 15:03 < kala> deego: I think VNC has some kind of "client initiated" connection mode 15:04 -!- daguz [n=leo@208-1-63-34.celito.net] has joined ##openvpn 15:04 < deego> I see 15:09 -!- SWAT [n=swat@ubuntu/member/swat] has quit [Remote closed the connection] 15:09 -!- SWAT [n=swat@ubuntu/member/swat] has joined ##openvpn 15:10 < deego> The interesting thing with logmein is that once we get the grandma to install the client, the supporter can initiate the connection any time, and just like the grandma, the supporter itself may be behind many firewalls, all he needs is a web browser... I'd think, in principle, this should be possible to do with openvpn? One necessarily needs an open "coordinating website" for this, though.. 15:11 < krzie> no 15:11 < deego> Heh, even my debian is "100% free, RMS would be proud", even "100% non-contrib, deego would be proud" but just for this, I might just to make an exception.. ^_^ 15:11 < deego> have* 15:25 -!- BBHoss [n=bbhoss@c-68-62-170-33.hsd1.al.comcast.net] has left ##openvpn ["Leaving..."] 15:54 < kala> deego: if you have a publicly accessible VPN server and you set up grandma to connect to that server and the supporter to connect to that server, then it's possible with OpenVPN as well 15:56 < deego> kala: I see 15:58 < krzie> kala, you can rollup an install package 15:58 < krzie> and have gramma install openvpn as a service 15:58 < krzie> can just leave it always trying to connect 15:58 < kala> also, somebody has discussed some kind of UDP traversal helper in this channel as well. For exactly the same purpose.
But I don't know if this was just an idea or some actual code as well 15:58 < krzie> if you really want 15:58 < krzie> kala, an idea that has popped up a few times 15:58 < krzie> i believe it wont happen 15:59 < krzie> which ive gone over the reasons why a few times 15:59 < krzie> sometime ill make a writeup for why it wouldnt work 15:59 < kala> you should :) 16:00 < krzie> yesterday when it came up i used someones link on STUN to give 1 reason why not 16:00 < jeev> i love this routing thingy 16:00 < jeev> krzie 16:00 < jeev> i need to learn STUN 16:00 < jeev> is it c00l beans ? 16:00 < krzie> you use voip dont you jeev? 16:01 < krzie> STUN is good for nat traversal for VOIP, cause you register with the server, but when it sends you a call it needs to send udp to you without you establishing the connection 16:01 < krzie> http://en.wikipedia.org/wiki/Simple_traversal_of_UDP_over_NATs 16:01 < vpnHelper> Title: Simple traversal of UDP over NATs - Wikipedia, the free encyclopedia (at en.wikipedia.org) 16:02 < krzie> but the thing is, the voip server isnt behind a closed NAT 16:02 < krzie> which is what people keep talking bout in here, 2 clients behind NATs 16:02 < krzie> from that link: 16:02 -!- GreenCult [n=greencul@200.48.85.21] has joined ##openvpn 16:02 < krzie> In many application scenarios it is common that both endpoints are behind a NAT. This double-NAT problem is not easily overcome even with STUN, usually an intermediate application proxy server is required. 16:02 < krzie> the intermediate application proxy server in this case is the openvpn server 16:03 < krzie> both clients behind NATs connect to the openvpn server, and can xfer info just fine 16:03 < kala> well, yes. 16:04 < jeev> yea i use voip 16:04 < krzie> jeev, ya iirc you're into asterisk 16:04 < kala> I had the impression that this imaginary "UDP traversal helper" is only required for the connection startup phase and after that the two clients will speak directly.
Perhaps I'm wrong 16:07 < jeev> asterisk rules all 16:09 -!- GreenCult [n=greencul@200.48.85.21] has quit [Remote closed the connection] 16:11 < reiffert> oh, back to STUN 16:11 < reiffert> krzie: is that the same guy from yesterday? 16:11 < krzie> reiffert i dunno but the subject gets old 16:11 < reiffert> :) 16:11 < krzie> especially when theres 2 reasons why it wouldnt work 16:11 < krzie> client to client direct goes against PKI 16:12 < reiffert> We didnt come to the PKI reason yet. 16:12 < krzie> hehe ya 16:12 < krzie> one of these days we'll get a writeup together 16:12 < krzie> so we can just !whynot 16:12 < krzie> hehe 16:12 < reiffert> :) 16:13 < theromis> does somebody know with whom I can speak about OpenVPN skeleton changes with RAW packet handling? 16:13 < theromis> just traffic handling 16:13 < krzie> huh? 16:16 < krzie> i do have an idea for a way around the PKI issues tho 16:16 < krzie> and the UDP traversal ones 16:17 < kala> krzie: what's the PKI reason? 16:17 * ecrist growls 16:17 < krzie> but i want to talk to the dev list about them, because i dont think its very hard to think of and i cant be the first to think it up 16:17 < krzie> so theres gotta be a reason why not 16:17 < krzie> kala, read up on how PKI works 16:17 < krzie> hey eric 16:17 < kala> PKI like Public Key Infrastructure? 16:18 < krzie> yes 16:18 < kala> PKI has something to do with firewall traversal? 16:18 < krzie> no, it has something to do with why clients cant bypass the server to talk directly 16:19 < kala> ok. this might be true 16:19 < krzie> anyways, lets consider the subject dead for now 16:19 < kala> :) 16:19 < krzie> cause that horse has gotten the shit beat out of it in this channel 16:20 < kala> I'll try to keep that in mind next time :) 16:30 < ecrist> which horse got beat?
16:32 < krzie> the 'lets add stun to openvpn and try to make client-to-client work like ipsec' horse 16:33 < ecrist> ah 16:33 < krzie> the horse hsa been dead for awhile but people decide to beat it daily 16:33 * jeev stabs ecrist and runs off into the distance while the moon glimmers 16:33 < ecrist> just like I get assulted with people's lack of ability to understand network routing. 16:34 * ecrist grabs the moon and bludgeons jeev with it. 16:34 < jeev> i already ran off 16:34 < jeev> you can't do shit 16:34 < jeev> teehee 16:34 * jeev skips off 16:35 < ecrist> ah, but the moon is big enough that you can't out run it. 16:35 < jeev> kik 16:35 < jeev> lol 16:35 < ecrist> and, since I'm superman, I can lift the moon, which is how I bludgeoned you with it 16:35 < ecrist> *and* I shoved a nuke up your bum, which will go off momentarily. 16:36 < ecrist> *boom* 16:37 * ecrist waves farewell to jeev 16:38 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: theromis, dmarkey, jfkw, paruchuri, SWAT, [intra]lanman 16:38 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: mcp, razor2000, jeev, PeterFA, smk, RexMundi, ikevin, daguz 16:39 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: disco-, pa, noriX, dogmeat, roentgen, ropetin, deego, AukeF 16:39 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: justdave, vpnHelper, reiffert 16:39 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: krzie, stony, tarbo, SilenceGold, Typone, exes, cyberjames, timgws, kala, Dryanta, (+3 more, use /NETSPLIT to show all of them) 16:41 -!- Netsplit over, joins: SWAT, daguz, deego, theromis, [intra]lanman 16:41 -!- mccainADULTRY [n=email@unaffiliated/jeev] has joined ##openvpn 16:41 -!- Netsplit over, joins: Dryanta, dmarkey, reiffert, vpnHelper, ikevin, plaerzen, AukeF, PeterFA, paruchuri, justdave (+13 more) 16:42 -!- mccainADULTRY is now known as palinTHEFUHRER 16:42 -!- palinTHEFUHRER is now known as jeev 16:42 -!- Netsplit over, joins: 
tarbo 16:42 -!- exes [i=robert@mercury.exes.org] has joined ##openvpn 16:43 -!- krzee [i=krzee@unaffiliated/krzee] has joined ##openvpn 16:45 -!- exes [i=robert@mercury.exes.org] has quit [Killed by reynolds.freenode.net (Nick collision)] 16:45 -!- timgws [n=inspircd@128-177-28-254.ip.openhosting.com] has joined ##openvpn 16:45 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn 16:45 -!- SilenceGold [n=chris@70.232.67.16] has joined ##openvpn 16:45 -!- exes [n=exes@mercury.exes.org] has joined ##openvpn 16:45 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 16:45 -!- Typone [n=nitsme@195.197.184.87] has joined ##openvpn 16:46 -!- exes [n=exes@mercury.exes.org] has quit [Read error: 104 (Connection reset by peer)] 16:46 < krzee> heh interesting 16:46 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 16:51 -!- timgws [n=inspircd@128-177-28-254.ip.openhosting.com] has left ##openvpn ["No matter how dark the night, somehow the Sun rises once again"] 16:54 -!- bsdbandit [n=bwell@wsip-70-169-130-78.hr.hr.cox.net] has joined ##openvpn 16:55 < bsdbandit> im having an issue with openvpn on openbsd pf, im unable to connect. what could i be doing wrong? here is a copy of my config on pastebin 16:55 < bsdbandit> http://pastebin.com/m20ddb6ba 16:56 -!- SilenceGold [n=chris@70.232.67.16] has quit [Connection timed out] 17:01 -!- bsdbandit [n=bwell@wsip-70-169-130-78.hr.hr.cox.net] has quit ["Lost terminal"] 17:17 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)] 17:20 < theromis> ecrist, :) 17:21 < ecrist> ? 17:21 < theromis> ah 17:21 < theromis> just read your conversation 17:21 < theromis> SUPERMAN :-D 17:21 < ecrist> ah 17:26 < jeev> ecrist aint superman 17:27 < ecrist> !learn ecrist as Superman, dammit! 17:27 < vpnHelper> ecrist: The operation succeeded.
17:27 < ecrist> !ecrist 17:27 < vpnHelper> ecrist: "ecrist" is Superman, dammit! 17:42 < ecrist> told ya 17:44 < krzee> !forget ecrist 17:44 < vpnHelper> krzee: The operation succeeded. 17:45 < jeev> !ecrist 17:45 < vpnHelper> jeev: Error: "ecrist" is not a valid command. 17:45 < jeev> hahaa 17:50 -!- deego [n=user@74.255.63.136] has quit [Remote closed the connection] 17:56 -!- SilenceGold [i=chris@216.93.247.130] has joined ##openvpn 18:07 < dmarkey> has anyone ported openvpn to aix 18:08 < krzee> not to my knowledge 18:08 < krzee> but if it fails you can prolly send logs to dev list 18:08 < krzee> they prolly just have aix handy 18:28 < theromis> !ecrist 18:28 < vpnHelper> theromis: Error: "ecrist" is not a valid command. 18:29 < theromis> !theromis 18:29 < vpnHelper> theromis: Error: "theromis" is not a valid command. 18:29 < theromis> jopa\ 18:29 < theromis> !ls 18:29 < vpnHelper> theromis: Error: "ls" is not a valid command. 18:29 < theromis> vpnHelper help 18:29 < vpnHelper> theromis: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 18:30 < theromis> !learn jopa as cool man!!!! 18:30 < vpnHelper> theromis: The operation succeeded. 18:30 < theromis> !jopa 18:30 < vpnHelper> theromis: "jopa" is cool man!!!! 18:30 < krzee> !forget jopa 18:30 < vpnHelper> krzee: The operation succeeded. 18:30 < krzee> do i need to lock the factoids? 
18:30 < theromis> no 18:31 < krzee> k 18:31 < theromis> I just thought that it's for fun 18:31 < krzee> it uglies up the menu 18:31 < krzee> !factoids search * 18:31 < vpnHelper> krzee: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', (1 more message) 18:31 < krzee> !more 18:31 < vpnHelper> krzee: 'download', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'mitm', 'hmac', 'winipforward', 'help', and 'topology' 18:31 < krzee> i even removed !krzee 18:31 < theromis> krzee, do you know a mechanism in OpenVPN for traffic handling? 18:32 < krzee> handling as in shaping? 18:32 < theromis> handling for analysis 18:32 < krzee> its not an openvpn thing 18:32 < krzee> its an OS thing 18:32 < krzee> treat it like you would any other link 18:32 < theromis> for example I need to check each packet 18:32 < theromis> we have a plugin 18:32 < theromis> for openvpn 18:33 < krzee> check each packet for what 18:33 < krzee> plugin for what 18:33 < theromis> and I need to attach these stats to the session 18:33 < theromis> I just added this functionality 18:33 < theromis> and I think it would be very helpful 18:33 < theromis> I need to analyse only VPN traffic with snort 18:34 < theromis> and I have 8 interfaces 18:34 < krzee> why would that be an openvpn thing? 18:34 < krzee> just run snort on the vpn interfaces! 18:34 < krzee> lol 18:34 < theromis> in this case I need to start 8!!!!
snort processes 18:34 < krzee> snort cant handle running on multiple IF's? 18:34 < theromis> and each would eat 30% of CPU 18:34 < theromis> no 18:35 < theromis> snort can listen without binding to an interface 18:35 < theromis> but you wouldn't see all packets in this case 18:35 < krzee> then do that? 18:35 < theromis> it's an OS feature 18:35 < krzee> why not? firewall could enforce that couldnt it? 18:35 < theromis> it's very hard 18:36 < krzee> well openvpn leaves all that to the OS 18:36 < theromis> it has very big additional operations 18:36 < krzee> its not openvpn's job 18:36 < krzee> and therefore.. 18:36 < krzee> !notopenvpn 18:36 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 18:36 < krzee> ;] 18:36 < krzee> in your case a snort help chan might be more useful 18:36 < krzee> cause the fact you're using openvpn shouldnt matter, its more about using 8 interfaces 18:37 < krzee> btw, why in the world do you have 8 interfaces for openvpn? 18:37 < theromis> in case of using openvpn + snort plugin 18:37 < theromis> snort takes only 4% of CPU 18:37 < theromis> it's awesome 18:37 < theromis> it's very speedy 18:37 < krzee> wait you're saying you do have a snort plugin that does that for you? what exactly IS your question?? 18:37 < theromis> 4% versus 30% 18:38 < theromis> for it I need to add one function to the OpenVPN plugin API 18:38 < theromis> a packet handler 18:38 < krzee> its not already coded for openvpn? 18:38 < theromis> not 18:38 < theromis> :( 18:39 < theromis> and this is my question 18:39 < krzee> if you have usage %'s then obviously you have it working... 18:39 < theromis> I've made this addition in OVPN 18:39 < krzee> 4% versus 30% 18:39 < theromis> yes 18:39 < krzee> how can you give stats of comparisons if you dont have a working plugin?
18:39 < theromis> it's working great 18:39 < theromis> yes 18:39 < theromis> 30% 18:40 < theromis> SNORT copies from kernel space to user space 18:40 < krzee> if its working great what do you need? 18:40 < theromis> and back 18:40 < theromis> adding a queue in iptables 18:40 < theromis> I want to add this ability in the main branch of openvpn 18:40 < krzee> oh 18:41 < krzee> talk to the dev list 18:41 < krzee> !mail 18:41 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978 18:41 < theromis> yeap 18:41 < krzee> ild think theyd just leave it as a plugin tho 18:41 < theromis> I already made an application to be added to the mailing list 18:41 < theromis> no no 18:42 < theromis> I'm talking only about adding 5 lines in OVPN 18:42 < theromis> for RAW packet handling 18:42 < theromis> and I want to discuss it with OVPN gurus 18:42 < krzee> gotchya 18:42 < krzee> ya you're beyond me on that 18:42 < krzee> heheh 18:42 < ecrist> I gotchyou babe... 18:42 * ecrist sings. 18:43 < krzee> ecrist you just call theromis babe? 18:43 < theromis> and in this case in the next steps I can add this plugin as an opensource plugin in SNOR 18:43 < theromis> *SNORT 18:43 < theromis> it would be vpnsnort 18:43 < ecrist> krzee: I'm 1/4 of the way into my first beer. Prolly not. :\ 18:44 < theromis> very very fast snort in userspace :) 18:44 < krzee> well if you wanna make a writeup on it for the wiki im sure someone would find it helpful 18:44 < SilenceGold> theromis congrats..I'm on the mailing list and waiting for your email 18:44 < krzee> if you have the time that is 18:44 * ecrist wishes laptop batteries lasted longer 18:44 < krzee> !wiki 18:44 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 18:44 * SilenceGold 's batteries last 14 hours 18:44 < krzee> ya i second SilenceGold's comment 18:44 < ecrist> krzee: know any good graphics folks that would whore themselves to me?
18:44 < theromis> SilenceGold, thanks :) 18:45 < krzee> my macbookpro battery lasts 2.5 hours without using power saving 18:45 < theromis> I hope I would receive confirmation email 18:45 < krzee> ecrist i know some locally that would do stuff cheap 18:45 < krzee> but none otherwise anymore 18:46 < jeev> SilenceGold, you there? 18:46 < SilenceGold> yea? 18:46 < ecrist> krzee: so does mine, with heavy wifi usage. 18:46 < SilenceGold> my lappie have no moving parts 18:46 < ecrist> I want ~8 hours at non-power saving modes 18:46 < SilenceGold> just SSD disk and no dvd drive 18:47 < SilenceGold> it don't even have a fan tho 18:47 < jeev> SilenceGold, check this out. http://x.jeev.net/diag.jpg 18:47 < SilenceGold> lol 18:47 < SilenceGold> nice 18:47 < SilenceGold> only missing things are the ip addresses lol 18:47 < jeev> yea, i should add those when i'm not lazy 18:47 < jeev> gliffy is awesome 18:48 < krzee> you shoulda seen his old diagramn 18:48 < SilenceGold> heh 18:48 < SilenceGold> I use Dia 18:48 < krzee> it made me wanna punch babies 18:48 < SilenceGold> krzee i saw it before you did 18:48 < jeev> i'm on windows mainly 18:48 < SilenceGold> I use vista 18:48 < SilenceGold> and Dia on it too 18:48 < krzee> i showed him gliffy 18:48 < SilenceGold> cool 18:48 < jeev> no 18:48 < jeev> shut up 18:48 < jeev> i showed you gliffy 18:48 < jeev> use gliffy 18:49 < jeev> you are awesome 18:49 < jeev> i know 18:49 < jeev> i salute you 18:50 * ecrist uses OmniGraffle Pro 18:51 * jeev doesn't believe anybody asked 18:51 * ecrist thinks jeev can fuck off. 18:52 * jeev can't wait till red alert 3. 18:52 * krzee seconds that after reading falsafied loggage 18:53 * jeev has major gas 18:53 < ecrist> I was gonna say, jeev, I don't see that in my logs, which are fairly complete back to July 1. 18:53 < jeev> it was in messages. 
18:54 < ecrist> lol 18:56 < ecrist> musta been, you first showed up in ##openvpn on Aug 26 at 22:08 CDT 18:57 < krzee> and he first left: 18:57 < krzee> Tue Oct 28 16:57:13 PDT 2008 18:57 -!- mode/##openvpn [+o krzee] by ChanServ 18:57 < ecrist> lol 18:57 -!- jeev was kicked from ##OpenVPN by krzee [LOL] 18:57 * ecrist waves 18:58 -!- krzee was kicked from ##OpenVPN by krzee [LULZ] 18:58 -!- krzee [i=krzee@unaffiliated/krzee] has joined ##openvpn 18:58 < ecrist> I think you made him mad. 18:58 < krzee> hey whered he go! 18:58 -!- mode/##openvpn [+o krzee] by ChanServ 18:58 -!- mode/##openvpn [-o krzee] by krzee 18:58 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 18:58 < jeev> HAR HAR HAR 18:58 < ecrist> * joins #pouty_face 18:58 < krzee> hehehe 18:58 < jeev> kick your ass seabass 18:59 < jeev> http://w3.datavo.com/dvoffice.html 18:59 < vpnHelper> Title: WELCOME TO DATAVO - BUSINESS PRODUCTS (at w3.datavo.com) 18:59 < jeev> how do they do that ? 18:59 < jeev> they resell someone's DSL ? 19:01 < krzee> they prolly lease permission to use the existing cables from the company that owns them 19:01 < krzee> it doesnt need to be someone else's dsl 19:01 < ecrist> welcome to de-regulatio. 19:01 < ecrist> de-regulation* 19:01 < krzee> yup 19:01 < krzee> ever since 96 19:02 < ecrist> brought about an overall price decrease 19:02 < ecrist> woohoo, the gmt *can* do something right. 19:02 < krzee> and it let me run a business that ass-raped the telco;s that ass-raped us for so long 19:02 < krzee> which is a good feeling as im sure you can imagine 19:04 < jeev> hmm 19:05 * ecrist is open to accepting donations from some of the money begotten from said ass-raping... 19:05 < jeev> you've been ass raped? 19:05 < krzee> hah im sure 19:06 < krzee> ecrist im also accepting donations from your businesses 19:06 < ecrist> I only have one, profitable, business. 
19:06 < krzee> jeev, im still curious if one day your setup will make sense to me or not 19:06 < ecrist> fesecurity.com 19:06 < krzee> im leaning twords no tho 19:08 < krzee> fefe security? 19:08 < krzee> ive never seen someone wanna take someone else's fefe 19:08 < krzee> lol 19:09 < krzee> (a fefe is a homemade pussy, only existing in prisons) 19:11 * ecrist wonders how krzee knows that. 19:11 < krzee> ive done time 19:13 < ecrist> secure-computing.net needs a face-lift. 19:13 < jeev> how does my set up not make sense 19:13 < jeev> ecrist 19:13 < jeev> does this make sense/ 19:13 < jeev> http://x.jeev.net/diag.jpg 19:13 < krzee> sure it makes sense 19:14 < krzee> until i picture myself ever wanting to do it 19:14 < krzee> or anyone ever wanting to do it 19:14 < krzee> then it just makes me lul 19:14 < jeev> that's the sickest set up man 19:14 < krzee> hah 19:16 < ecrist> I like how you indicate Level3 and Sprint have a connection. durr 19:16 < krzee> haha ya isnt that just part of the cloud 19:17 < ecrist> wouldn't *all* of that be part of the cloud? 19:17 < krzee> yes 19:17 < krzee> yes it would 19:17 < jeev> lol 19:17 < krzee> hehe 19:17 < jeev> ecrist 19:17 < jeev> it's two different locations 19:17 < jeev> f00 19:17 < jeev> kick your ass 19:17 < jeev> fat bass 19:17 < krzee> hes talking bout the bold between L3 and slink 19:17 < krzee> bolt 19:17 < krzee> and everything between 19:18 < ecrist> jeev: it looks like three. jupiter, monsoon, and alpha router 19:18 < jeev> yea 19:18 < jeev> so 19:18 < jeev> you want to freaking redo it? 
19:18 < jeev> DO IT 19:18 < krzee> lol 19:18 < krzee> hey ecrist, you should see his .sh script 19:18 < ecrist> jeev: I dont' know the inner workings of asterisk 19:18 < jeev> ecrist 19:18 < ecrist> we outsource our asterisk stuff 19:18 < krzee> it won the ugliest dog contest 19:18 < jeev> my shell script owns your life 19:19 < jeev> http://www.jeev.net/asterisk/failover 19:19 < ecrist> jeev: puullleeeez 19:19 < krzee> ya thats it 19:19 < krzee> look at that ecrist 19:19 < krzee> its real lulz 19:19 < jeev> stop hating 19:19 < krzee> i even pasted you the easy and clean way 19:19 < ecrist> I'm not hating. 19:19 < jeev> stop hating. 19:19 < jeev> krzee is hater. 19:19 < ecrist> just keeping it real 19:19 < krzee> im lol'er 19:20 < jeev> stop keeping it real 19:20 < ecrist> wtf are you doing declaring a path in your shell script? much less a standard path on freebsd. 19:20 < jeev> it wouldn't work 19:20 < jeev> (in cron) 19:21 < jeev> WHY DOES IT MATTER 19:21 < jeev> dood, i'm not a professional 19:21 < jeev> shit 19:21 < jeev> do i ask you why you shower like the way you shower ? 19:21 < SilenceGold> lol 19:21 < krzee> you even defined the games path 19:21 < ecrist> ah, see, that path should be set in the crontab, not the individual shell script. 19:21 < SilenceGold> I use direct paths to the binaries in my script tho 19:21 < jeev> lol 19:21 < krzee> your script gunna play some games? 19:21 < jeev> i echo $PATH 19:21 < jeev> and did it 19:21 -!- mode/##openvpn [+o jeev] by ChanServ 19:21 * jeev threatens 19:21 <@jeev> keep your eyes open 19:21 -!- mode/##openvpn [-o jeev] by jeev 19:21 * SilenceGold watches ecrist take the op away from jeev 19:21 * ecrist shits his underoos 19:21 < krzee> haha you're +o here? 
19:21 < jeev> lol 19:22 < jeev> underoos 19:22 < jeev> aha 19:22 < krzee> i didnt have to op you the other day when messing with ecrist 19:22 < krzee> lol 19:22 < krzee> that or ecrist is oping you messing with me now 19:22 < krzee> lol 19:22 < jeev> /kick ecrist DIE 19:22 < jeev> /kick krzee DIE 19:22 < jeev> /op mccain 19:22 < jeev> ! 19:22 < SilenceGold> AL GORE for the president! 19:22 < jeev> lol 19:23 < jeev> you guys listen to tom leykus ? 19:23 < SilenceGold> he invented the internet 19:23 < SilenceGold> no I'm deaf 19:23 < krzee> *sniff* ronpaul *sniff* 19:23 < jeev> oh 19:23 < jeev> sorry SilenceGold 19:23 < SilenceGold> don't be sorry 19:23 < SilenceGold> I sleep as a baby better than a lot of people do 19:23 < jeev> yea 19:23 < jeev> better than me 19:23 < jeev> that's for sure 19:23 < krzee> and you can get a cheap house by an airport and not mind the noise 19:24 < SilenceGold> but shadows will bother me 19:24 < SilenceGold> I'm more alert with my eyes than a lot of people 19:24 < jeev> yea, you have to be 19:24 < SilenceGold> I can walk in a office room and tell you that you need to replace those fluroscent light blubs 19:24 < SilenceGold> and you would go "huh?" 19:24 < SilenceGold> then 2 weeks later, it's dead :) 19:24 < krzee> haha a deaf kid used to call up the hacked teleconferences with his TTY operator 19:24 < jeev> yea, i notice dim lights too 19:25 < krzee> that was fun 19:25 < SilenceGold> relay services? 
19:25 < krzee> ya
19:25 < SilenceGold> yea TTY is so outdated
19:25 < SilenceGold> we use VP now
19:25 < SilenceGold> videophone
19:25 < krzee> back when we were young enough to think it was funny that he'd make her cuss and whatnot
19:25 < SilenceGold> yea
19:25 < krzee> ahh that makes sense
19:26 < SilenceGold> I got disconnected once when I tried to have a female operator doing what sounded like a cybersex over the phone to a guy
19:26 < krzee> bahahah
19:26 < SilenceGold> anyways
19:26 < SilenceGold> vp is much better tho
19:26 < ecrist> jeev: overall, the script looks alright. nice idea, and I like how you approached it. could use some work on overall scripting, though.
19:27 < SilenceGold> they can call me back if connection drops
19:27 < jeev> yea ecrist, i'm impatient, whatever works works.
19:28 < SilenceGold> hrm that's a plain solution
19:28 < SilenceGold> just switch the gateway
19:28 < jeev> i have no other choice
19:28 < SilenceGold> just like what I told you the other day
19:28 < jeev> i dont want to load balance
19:29 < SilenceGold> no
19:29 < SilenceGold> just failover
19:29 < SilenceGold> that's what I advised you
19:29 < SilenceGold> but nice script tho
19:30 < SilenceGold> just too many being commented out that I'm not sure if they should be uncommented out
19:30 < krzee> i couldnt get to the content
19:30 < krzee> cause just looking at it hurts my eyes
19:31 < jeev> yea i'll remove comments
19:31 < dmarkey> ye doesnt compile on aix
19:33 * ecrist goes away now.
19:33 < jeev> thank god
19:33 < jeev> maybe that'll clear the smell
19:34 < krzee> dmarkey should say so on the openvpn mail list and offer your help if you are able
19:54 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 113 (No route to host)]
20:17 < ecrist> people still care about aix?
20:20 < krzee> believe it or not aix is commonly used still
20:28 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
20:29 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn
20:32 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Client Quit]
20:37 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
20:50 -!- dmarkey [n=dmarkey@79.97.241.103] has quit [Remote closed the connection]
21:00 < krzee> wassup [intra]lanman
21:01 < [intra]lanman> hey krzee
21:01 -!- mode/##openvpn [+o krzee] by ChanServ
21:01 -!- mode/##openvpn [+v [intra]lanman] by krzee
21:01 -!- mode/##openvpn [-o krzee] by krzee
21:01 < krzee> hah!
21:01 < krzee> take THAT
21:01 <+[intra]lanman> wth
21:01 <+[intra]lanman> lol
21:02 < krzee> hah thats my first attempt at humor all day
21:02 < krzee> im sick so ive mostly just been a dick today
21:05 <+[intra]lanman> tellin my wife about lemon party.... think i'm gonna have her visit it... how's that for comedy? lol
21:06 < krzee> bahahahh
21:06 < krzee> a girl was at my house and kept making me look at pics of fat chicks
21:06 < krzee> so finally i got fed up with it
21:06 < krzee> showed her goatse.cx
21:06 < krzee> or whatever that was
21:06 < krzee> ended that game pretty fast
21:07 < krzee> same night she was on her laptop talking to her friend on MSN, and she decided to make a game out of telling me i couldnt see what she was typing to her friend
21:08 <+[intra]lanman> pcap'd it?
21:08 < krzee> so she got to see arp poisoning, as i read her conversation to her
21:08 <+[intra]lanman> lol
21:08 <+[intra]lanman> oh, haha
21:08 <+[intra]lanman> yeah, i was thinking mitm and just ngrep it on the router
21:08 <+[intra]lanman> either/or
21:09 < krzee> its just a lil dslmodem/router
21:09 < krzee> so mitm won from the choices
21:09 <+[intra]lanman> ahh
21:10 < krzee> plus with that i was able to toss in a bonus, i started sniffing images over the wire
21:10 < krzee> haha
21:11 < krzee> like look here girl, this is MY network
21:11 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Remote closed the connection]
21:11 < krzee> haha
21:11 <+[intra]lanman> haha
21:11 <+[intra]lanman> that's funny
21:11 * krzee pees on his network
21:11 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn
21:11 <+[intra]lanman> hmmm, i gotta split.... wife wants to watch a movie.... catch y'all l8r
21:11 < krzee> right on, later
21:14 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
21:16 < jeev> wow
21:16 < jeev> !
21:16 * jeev invites someone from asterisk and +v's
21:16 < krzee> i didnt know you were able to +v
21:17 < jeev> sure i am
21:18 < krzee> ok, +v me
21:18 < jeev> never
21:18 < krzee> oh you ARE
21:19 < krzee> heh i forgot that
21:21 < jeev> i'm drooling for red alert 3
21:22 < jeev> krzee
21:23 < jeev> earlier when you were farting about dsl
21:23 < jeev> company
21:23 < jeev> i want to do that shit that company does
21:23 < jeev> hmm
21:23 < krzee> if you dont even know how that works you have a lonnnnnnng way to go
21:23 < jeev> well
21:24 < jeev> i know i can resell for dslextreme
21:24 < jeev> but i want my own routes
21:24 < jeev> own name.
21:24 < krzee> they dont re-sell most likely
21:24 < krzee> they most likely lease the lines
21:24 < krzee> and are their own CLEC
21:24 < krzee> (guessing, but not 100% sure)
21:24 < jeev> i dont think that
21:24 < jeev> datavo.com is their own CLC
21:24 < jeev> CLEC
21:24 < krzee> *shrug*
21:43 < ecrist> you could do your own routes with GRE through your upstream
21:44 < jeev> lol
21:45 < jeev> i really want to do it though
21:45 < jeev> ecrist
21:45 < jeev> what are you up to
21:45 < ecrist> I have some of my own routes, and I'm a loser
21:46 < jeev> why are you not having intercourse
21:47 < ecrist> wife is at work for another 10 mins or so, then 20 min drive home
21:47 < jeev> ahh
21:47 < jeev> so you're gonna hit it tonight
21:47 < jeev> ;/
21:47 < jeev> i have to wait so many more years
21:48 < jeev> before i could sex up my girlfriend
21:48 < jeev> she's a virrrrrrrrrrgin
21:48 < jeev> heh
21:48 < ecrist> how old are you?
21:48 < ecrist> erm, how old is your gf?
21:49 < jeev> 24
21:49 < jeev> she's 21
21:49 < jeev> cutest thing on earth
21:49 < ecrist> you should post me some naked pics of her
21:49 < jeev> i dont even have them!
21:49 < jeev> but she's seriously the best
21:49 < ecrist> lame
21:50 < ecrist> I have creampie photos of my wife from last weekend.
21:50 < jeev> eww
21:50 < jeev> how do you jizz on your wife's face
21:50 < jeev> that's nasty
21:50 * ecrist sets mode -stud on jeev
21:50 < ecrist> that's not creampie, dumbass
21:50 < jeev> oh
21:50 < jeev> lol
21:50 < ecrist> that's bukakke (sp?)
21:50 < jeev> wtf is creampie
21:51 < ecrist> cum in her, take pics of it leaking out.
21:51 < ecrist> :)
21:51 < jeev> ewww
21:51 < jeev> i dont even like looking at my own jizz
21:51 < jeev> nasty foo
21:51 < jeev> someone should beat you
21:52 < ecrist> not only that, but we post our pics on the net, not telling where. muahahaha!
21:52 < ecrist> oh, and my wife shares
21:52 < ecrist> :P
21:52 < jeev> ewwwwwwwwwwwwwwwwwwwww
21:53 < ecrist> I want http://www.engadget.com/2008/10/28/mitsubishis-6-999-65-inch-laservue-hdtv-now-hitting-retailers/
21:53 < vpnHelper> Title: Mitsubishi's $6,999 65-inch LaserVue HDTV now hitting retailers - Engadget (at www.engadget.com)
21:53 < jeev> i want this boredom to go away
21:53 < jeev> and someone to release red alert 3 already
21:54 * ecrist <3 Tivo
21:54 < jeev> tivo be wack
21:54 < jeev> tv is wack
21:57 < ecrist> well, since your lady is a virgin, you'd be whack(ing)
21:57 < jeev> tired of whacking
21:57 < jeev> dood
21:57 < jeev> har har with the ()
21:57 < jeev> i'm tired of rihanna
21:58 < ecrist> I want the new MacbookPro
21:59 < jeev> i got a mac laptop here
21:59 < jeev> powerbook i think g4
21:59 < jeev> 1.67 high res
21:59 < jeev> it doesn't work ;(
21:59 < jeev> it doesn't charge!
21:59 < jeev> friend had dropped it
21:59 < jeev> i've had it here in parts for a while now
21:59 < ecrist> I'm still in love with my Powerbook G4 12", but that's the wife's now. I have a 15" Macbook Pro, about 3 years old.
21:59 < jeev> i like it
21:59 < jeev> but i wanna make it work
22:18 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:52 < jeev> great
22:52 * jeev leaves
22:52 -!- jeev [n=email@unaffiliated/jeev] has left ##openvpn []
22:52 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
22:52 < jeev> hahah
23:15 < Dryanta> lulz
23:29 < jeev> death to efnet
23:29 < krzie> ?
23:30 < jeev> ?
23:32 < krzie> not really the place for that
23:58 < jeev> sup krzie
23:58 < jeev> "wut r u up 2"
23:58 < jeev> like my "fgt" talk
--- Day changed Wed Oct 29 2008
00:26 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
00:27 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has joined ##openvpn
00:40 -!- boyoo [n=user@41.219.204.7] has joined ##openvpn
02:19 -!- SWAT [n=swat@ubuntu/member/swat] has quit [Connection timed out]
03:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:52 -!- k-tr [n=klaus@br-194.cortalconsors.de] has joined ##openvpn
03:54 -!- DanRo [i=db@86.55.8.2] has joined ##openvpn
04:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
04:14 -!- DanRo is now known as DanRo-
04:15 -!- DanRo- is now known as DanRo
04:39 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn
04:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:36 -!- DanRo [i=db@unaffiliated/danro] has quit ["leaving"]
06:38 -!- k-tr [n=klaus@br-194.cortalconsors.de] has quit ["Leaving."]
07:29 -!- k-tr [n=klaus@br-194.cortalconsors.de] has joined ##openvpn
08:03 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:51 -!- kala [i=kala@uba.linux.ee] has quit ["leaving"]
08:55 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
09:13 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
09:23 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
09:33 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection]
09:38 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
09:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
09:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:32 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)]
10:33 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
10:36 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)]
10:36 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
10:45 -!- k-tr [n=klaus@br-194.cortalconsors.de] has left ##openvpn []
10:52 -!- boyoo [n=user@41.219.204.7] has quit ["(wiRC v9.0) download it @ www.warIRC.com"]
11:01 < ecrist> so much joining and quitting and parting
11:01 < jeev> :>
11:02 * ecrist is working on a samba+ldap howto.
11:38 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: mcp, theromis, razor2000, jeev, pa, paruchuri, jfkw, smk, _Steve_, [intra]lanman, (+8 more, use /NETSPLIT to show all of them)
11:39 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: justdave, disco-, stony, tarbo, vpnHelper, noriX, dogmeat, cpm, grndslm, bronson, (+3 more, use /NETSPLIT to show all of them)
11:42 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
11:42 -!- Netsplit over, joins: pa, kala, [intra]lanman, cpm, grndslm, bronson
11:42 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
11:42 -!- Netsplit over, joins: tarbo, krzee, daguz, theromis
11:42 -!- Dryanta [i=dryanta@dev.hockingits.com] has joined ##openvpn
11:42 -!- Netsplit over, joins: reiffert, vpnHelper, ikevin, plaerzen, AukeF, paruchuri, justdave, jfkw, RexMundi, noriX
11:42 -!- razor2000 [n=razor@70.91.69.194] has joined ##openvpn
11:42 -!- Netsplit over, joins: smk, mcp
11:42 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
11:42 -!- Netsplit over, joins: ropetin, disco-, stony, troy-
11:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:08 < reiffert> ecrist: http://134.93.168.49/~reiffert/smbk5pwd.html
12:08 < vpnHelper> Title: Thomas Reifferscheid (at 134.93.168.49)
12:17 < ecrist> reiffert: thanks. I'll read that. check out http://www.secure-computing.net/wiki/index.php/OpenLDAP
12:17 < vpnHelper> Title: OpenLDAP - Secure Computing Wiki (at www.secure-computing.net)
13:06 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:08 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
13:10 -!- matteo [n=matteo@openwrt/developer/matteo] has joined ##openvpn
13:10 < matteo> hi all
13:10 < aia> hi
13:10 < aia> Matt
13:10 < matteo> give me some good reasons to use tun instead of tap
13:11 < matteo> pls
13:11 < aia> hmm
13:11 < aia> I've always used tun
13:11 < aia> lol
13:11 < matteo> hehe
13:11 < matteo> i know that 99% of people use tun
13:11 < matteo> that's a valid reason
13:12 < matteo> then
13:12 < matteo> tun is an IP tunnel
13:12 < matteo> while tap is an ethernet tunnel
13:13 < matteo> eg. it sends ethernet frames through internet=
13:13 < matteo> ?
13:13 < aia> I don't know since I've never tried using tap
13:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
13:22 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)]
13:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:31 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has quit [Read error: 104 (Connection reset by peer)]
13:34 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
13:34 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn
13:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:55 -!- ZionHaze [n=ZionHaze@85-171-168-184.rev.numericable.fr] has joined ##openvpn
13:55 < ZionHaze> hello everyone
13:55 < ZionHaze> just have a small question
13:56 < ZionHaze> i'm running an openvpn server on a 667mhz PIII machine
13:56 < ZionHaze> as of now LZO compression is activated
13:56 < ZionHaze> would you recommend to turn it off on such a machine ?
13:57 < ZionHaze> i mean is LZO compression costly
13:57 < ZionHaze> in terms of CPU
14:00 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)]
14:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
14:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:13 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has joined ##openvpn
14:30 < PeterFA> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing <-- Thanks krzee.
14:30 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
14:36 < PeterFA> Anyways, what determines a client name?
14:38 < k-tr> PeterFA: the CN in the certificate ....?
14:39 < PeterFA> k-tr, thanks.
14:46 < PeterFA> Ugh, what exactly is the CN in the cert?
14:46 < PeterFA> I have certs installed and I'm using them, but I don't know exactly what the name is.
14:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 < PeterFA> Meh, I guess I have to redo all the keys.
14:52 * PeterFA wishes he understood this sort of thing better.
14:52 < k-tr> PeterFA: just think of them as a necessary variable in order to distinguish clients
14:53 < PeterFA> k-tr, ok.
14:55 < PeterFA> The problem is I don't know a whole lot, I don't know what the various files like {ca,server,client[...]}.{crt,csr,key} and *.pem files are for.
14:57 < ZionHaze> no one ?
14:58 < ZionHaze> for my lzo question
14:58 < k-tr> ZionHaze: what has been your question?
14:58 < ZionHaze> 20:13 < ZionHaze> i'm running an openvpn server on a 667mhz PIII machine
14:58 < ZionHaze> 20:13 < ZionHaze> as of now LZO compression is activated
14:58 < ZionHaze> 20:13 < ZionHaze> would you recommend to turn it off on such a machine ?
14:58 < ZionHaze> 20:14 < ZionHaze> i mean is LZO compression costly
14:58 < ZionHaze> 20:14 < ZionHaze> in terms of CPU
14:58 < PeterFA> Yeah, and ta.key
14:59 < ZionHaze> i'm trying to determine the bottleneck in my enterprise vpn
14:59 < ZionHaze> i'm using a crypto card btw
15:00 < ZionHaze> i have like 10 clients on the VPN
15:00 < k-tr> PeterFA: do some research for "Certificate Authority" and "TLS/SSL" on the net. might be a good starting point
15:00 < ZionHaze> thing is, the CPU is not even close to being used by openvpn, the card does all the work
15:01 < ZionHaze> but maybe LZO slows it a little anyway
15:01 < k-tr> ZionHaze: whats the bandwidth you have? and what does the bottleneck look like? Usually, a PIII is fast enough to handle several mbps
15:01 < ZionHaze> 100M
15:02 < ZionHaze> but
15:02 < ZionHaze> the clients have slow connections
15:02 < ZionHaze> but the line openvpn runs on
15:02 < ZionHaze> is 100Mb symmetric
15:02 < ZionHaze> well, as for the bottleneck
15:02 < ZionHaze> it's hard to describe
15:03 < ZionHaze> things are generally slow :D
15:03 < ZionHaze> for exampl
15:03 < ZionHaze> for example
15:04 < ZionHaze> right here at home
15:04 < ZionHaze> i'm connected to the VPN
15:04 < ZionHaze> my line here is 20Mb
15:04 < ZionHaze> i'm now fetching a file on the VPN
15:04 < ZionHaze> through ssh
15:04 < ZionHaze> and it's going at 220ko/s
15:04 < ZionHaze> which is far, really far from the maximum bandwdith
15:05 < ZionHaze> bandwith
15:05 < ZionHaze> bandwdith
15:05 < ZionHaze> well you see what i mean :)
15:05 < ZionHaze> i just removed lzo
15:05 < k-tr> yes
15:05 < ZionHaze> it's the same
15:05 < ZionHaze> i can show you the server configuration
15:05 < ZionHaze> it's pretty simple
15:06 < ZionHaze> i use
15:06 < ZionHaze> cipher DES-CBC
15:06 < ZionHaze> and
15:06 < ZionHaze> mssfix
15:06 < ZionHaze> that's all for the "specifics"
15:06 < ZionHaze> the rest is standard
15:06 < k-tr> udp or tcp for transport
15:06 < ZionHaze> i use tcp
15:07 < k-tr> possible to use udp instead?
15:07 < krzee> ssh over tcp tunnel
15:07 < krzee> ...
15:07 < krzee> !tcp
15:07 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:07 < ZionHaze> looking at your link
15:08 < ZionHaze> so UDP transport is superior to TCP in openvpn ?
15:08 < krzee> very much so
15:08 < ZionHaze> i can test it right now
15:08 < ZionHaze> however
15:08 < ZionHaze> look at that
15:08 < ZionHaze> 18957 root 2 0 1072K 2892K poll 0:29 11.13% 11.13% openvpn
15:08 * k-tr just gets a coffee
15:08 < ZionHaze> 11% cpu for openvpn
15:09 < ZionHaze> have a nice coffee :)
15:10 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
15:10 < krzee> ZionHaze whats the specs on the box?
15:10 < krzee> yanno its doing encryption on every packet...
15:10 * jeev loves openvpn
15:11 < ZionHaze> ok
15:11 < ZionHaze> 250ko/s
15:11 < ZionHaze> :)
15:11 < krzee> and possibly compression too
15:11 < ZionHaze> i removed compression
15:11 < krzee> werd
15:11 < ZionHaze> ~29336 root 2 0 1024K 2812K poll 0:04 9.76% 9.62% openvpn
15:11 < ZionHaze> so it went down to 9.62% with udp
15:12 < ZionHaze> yes but i'm using a crypto card
15:12 < krzee> speed stayed the same?
15:12 < ZionHaze> i had 220ko/s with tcp
15:12 < ZionHaze> i have now 260ko/s steady
15:12 < krzee> whats ko?
15:12 < ZionHaze> kilo-octets ?
15:12 < ZionHaze> we use ko as a general term here in france
15:12 < ZionHaze> ah sorry
15:12 < ZionHaze> kb
15:12 < ZionHaze> 260kb/s :)
15:13 < krzee> im thinking you mean kB/s
15:13 < ZionHaze> kilobytes
15:13 < krzee> kilo-bytes
15:13 < krzee> ya
15:13 < ZionHaze> ok so
15:13 < krzee> kb is kilobit
15:13 < ZionHaze> i gained 40 kB
15:13 < ZionHaze> with udp
15:13 < krzee> but it dont matter, just wanted to understand
15:13 < ZionHaze> but i don't see where the bottleneck is now
15:13 < krzee> ya you arent the first to see that
15:13 < ZionHaze> should i just live with it ?
15:14 < krzee> the mailing list archives have had it a few times
15:14 < krzee> ive yet to see where the problem is
15:14 < ZionHaze> i'm using the latest version
15:14 < ZionHaze> oh really
15:14 < ZionHaze> and what were the answers to the problem ?
15:15 < ZionHaze> i don't feel like there are mtu problems or something like that
15:15 < ZionHaze> there's nothing in the logs
15:15 < ZionHaze> everything seems to work fine
15:15 < ZionHaze> but my cap is pretty low considering the line characteristics
15:15 < krzee> no answers that ive seen
15:16 < ZionHaze> :(
15:16 < krzee> what speed do you get using sftp without ovpn?
15:16 < ZionHaze> trying that
15:17 < ZionHaze> 400 going up
15:17 < ZionHaze> 400 kB
15:17 < ZionHaze> 400 steady
15:17 < krzee> well thats not so fast either
15:17 < krzee> for 20mbit lines
15:17 < ZionHaze> the server has 100mbit
15:17 < ZionHaze> here i have 20mbit maybe tonight it's slower
15:18 < jeev> have you tested sftp without openvpn ?
15:18 < ZionHaze> but you got a point
15:18 < ZionHaze> i just did ?
15:18 < jeev> so you get 140kb/s less
15:18 < jeev> with encryption
15:18 < ZionHaze> you asked me to try sftp without openvpn
15:18 < ZionHaze> i get 220kB with tcp
15:18 < ZionHaze> i get 260kB with udp
15:19 < ZionHaze> i get around 400kB without openvpn
15:19 < ZionHaze> the performance loss is not that big you're right
15:19 < jeev> that's what i get if i TLS into ftp
15:19 < jeev> without openvpn
15:19 < jeev> it's what's lost..
15:19 < krzee> so you get 140kb/s less
15:19 < krzee> with encryption
15:19 < jeev> i dunno what to, probably processing power lags it
15:19 < krzee> sftp uses encryption jeev
15:19 < jeev> yea
15:19 < ZionHaze> so those numbers
15:20 < jeev> i meant ftp
15:20 < ZionHaze> they make sense ?
15:20 < jeev> i've never uploaded/downloaded at same speed
15:20 < jeev> non-encryption
15:20 < ZionHaze> i mean the loss is standard ?
15:20 < jeev> and encryption
15:22 < ZionHaze> ok well
15:22 < ZionHaze> i made good progress with udp mode
15:22 < ZionHaze> i feel the connection responds better
15:22 < krzee> you using routed or bridged?
15:23 < krzee> it makes sense the connection wont be =... you are tunneling ip over ip, extra layers
15:23 < ZionHaze> yeah
15:23 < ZionHaze> routed
15:23 < krzee> if using bridged you're tunneling 2 layers and should expect slightly less performance
15:28 < k-tr> ZionHaze: I am just getting 330-340 KB/s by scp through a 3 mbps pipe using a tcp based openvpn tunnel
15:28 < k-tr> top says:
15:28 < k-tr> 10334 nobody 15 0 7088 4916 1568 S 7.9 0.6 5:35.27 openvpn
15:29 < k-tr> openvpn runs on a PIII 800
15:29 < ZionHaze> ok
15:30 < PeterFA> From 10.0.1.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.1.2) <-- I get this when I ping a computer on the server's subnet when I ping from a client over the VPN.
15:30 < PeterFA> What does that mean?
15:30 < ZionHaze> k-tr: well you have better performance ;)
15:33 < ZionHaze> k-tr: what cipher do you use ?
15:34 < k-tr> ZionHaze: default
15:35 < k-tr> ZionHaze: BF-CBC and SHA1
15:35 < ZionHaze> k-tr: what cipher would you recommend
15:35 < ZionHaze> for the machine i have
15:35 < k-tr> the same
15:35 < ZionHaze> my crypto card is
15:35 < ZionHaze> Broadcom BCM5820
15:35 < k-tr> well, I never tried with such cards
15:37 < k-tr> the CBC doesn't take so much CPU during normal operation - compared to the initial handshake and the rekeying (default after 1h)
15:41 < ZionHaze> k-tr: thank you for your help
15:42 < k-tr> ZionHaze: no matter
15:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:48 < ZionHaze> k-tr: now that i use udp, do i have to use mssfix or fragment
15:48 < ZionHaze> i'm worried about the mtu
15:52 < k-tr> you are right - mtu is always an issue.
15:53 < k-tr> you can use both of them in order to get better performance via udp
15:55 < krzee> ohhhh right
15:56 < krzee> you can test that
15:56 < krzee> !mtu
15:56 < vpnHelper> krzee: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml
16:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:50 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has left ##openvpn []
16:51 < krzee> PeterFA still need help?
16:52 < krzee> i just saw your question
16:52 < PeterFA> krzee, the server had a bogus entry in its routing table.
16:52 < PeterFA> krzee, I nuked it...
16:52 < krzee> oh ok
16:56 < theromis> hi guys
16:57 < theromis> how long do I need to wait for some feedback from the openvpn-maillist master?
16:57 < ZionHaze> krzee: ok my MTU seems to be 1470
16:57 < ZionHaze> what parameters should i add to the server
16:57 < ZionHaze> ?
16:58 < theromis> link-mtu 1470?
16:58 < ZionHaze> that's all ?
16:59 < theromis> what do you need to do?
16:59 < ZionHaze> i get this
16:59 < ZionHaze> FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
16:59 < ZionHaze> theromis: yes ? just link-mtu, no fragment or mssfix ?
17:00 < theromis> hold on
17:00 < ZionHaze> sorry to disturb you
17:00 < ZionHaze> removed fragment 1300 and mssfix and it works
17:00 < theromis> if you set link-mtu you wouldn't need to do defragmentation
17:02 < theromis> so if it's ok why are you asking somebody :)?
17:03 < ZionHaze> it's ok without the fragment option
17:03 < ZionHaze> i'll be silent from now on :p
17:04 < theromis> http://openvpn.net/archive/openvpn-users/2005-01/msg00411.html
17:04 < vpnHelper> Title: Re: [Openvpn-users] FRAG_IN error ... FRAG_TEST not implemented (at openvpn.net)
17:06 < ZionHaze> ah i understand the fragment option better
17:11 < ZionHaze> shoot, i have "Replay-window backtrack occured" messages on the client
17:11 < ZionHaze> never saw that
17:12 < ZionHaze> i'm getting replays :(
17:18 < krzee> you on wireless?
17:18 < krzee> nice link theromis
17:19 < krzee> !learn fragment http://openvpn.net/archive/openvpn-users/2005-01/msg00411.html if getting FRAG_IN error
17:19 < vpnHelper> krzee: Invalid arguments for learn.
17:19 < krzee> !learn fragment as http://openvpn.net/archive/openvpn-users/2005-01/msg00411.html if getting FRAG_IN error
17:19 < vpnHelper> krzee: The operation succeeded.
17:19 < krzee> ZionHaze, you on wireless?
17:21 < krzee> ZionHaze look for --replay-window n [t] in the manual
17:21 < krzee> !betaman
17:21 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html
17:26 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
18:19 < ZionHaze> krzee: no
18:19 < ZionHaze> yeah i looked for it
18:19 < ZionHaze> i'm surprised to get replays on such a link
18:20 < ZionHaze> i got these messages while downloading a file through the vpn at full speed
18:22 < ZionHaze> humm on another subject
18:22 < ZionHaze> maybe i could spread the network load on multiple servers
18:26 < ZionHaze> is there a way to direct a client to a specific server based on its certificate ?
18:39 < ecrist> where da' hoes at?
18:43 < krzee> ZionHaze, no but you can give each client multiple servers to connect to, and even randomize it
18:49 < ZionHaze> yes but
18:49 < ZionHaze> each client has a fixed ip address
18:50 < ZionHaze> can i share the same network on 2 servers ?
18:50 < ZionHaze> i mean for example
18:50 < ZionHaze> my VPN network is 10.152.0.0/16
18:50 < ZionHaze> could one client with ip 10.152.0.16 connect transparently on VPN1 or VPN2 ?
18:51 < ZionHaze> (VPN1 and VPN2 would be instances of openvpn running on the same server with different ports)
18:51 < krzee> i dont get the question
18:51 < krzee> ohh wait yes i do
18:51 < ZionHaze> :D
18:51 < krzee> the best way to do that would be to split the network
18:52 < ZionHaze> yes
18:52 < ZionHaze> so VPN1 would handle 10.152.1.0/24
18:52 < ZionHaze> and VPN2 for example 10.152.1.0/24
18:52 < krzee> you can do it, but wanna make sure you dont hand out the same ip 2x
18:52 < ZionHaze> and VPN2 for example 10.152.2.0/24
18:52 < krzee> which could be done by using static ips
18:52 < krzee> !static
18:52 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
18:52 < ZionHaze> yeah
18:52 < ZionHaze> turns out it could be a mess
18:52 < krzee> its commonly used as a setup to have a tcp and udp vpn open
18:52 < ZionHaze> will think about it
18:52 * ecrist hates it when he says something cool/witty and everyone ignores him.
18:53 < ecrist> jeev is a bitch.
18:53 < krzee> so that nazi firewalls can be bypassed
18:53 < ZionHaze> ecrist: that was cool ?
18:53 < ZionHaze> :)
18:53 < krzee> ya im scrolling up looking for the witty comment
18:53 < krzee> havnt found it yet =/
18:53 < ZionHaze> the hoes comment ?
18:54 < ZionHaze> krzee: thx
18:54 -!- mode/##openvpn [+o ecrist] by ChanServ
18:54 <@ecrist> yes, it was
18:54 <@ecrist> :\
18:54 -!- mode/##openvpn [+m] by ecrist
18:54 -!- dmarkey [n=dmarkey@79.97.241.103] has joined ##openvpn
18:54 -!- mode/##openvpn [-m] by ecrist
18:54 -!- mode/##openvpn [-o ecrist] by ecrist
18:55 < ZionHaze> humm
18:55 < dmarkey> hmm.. i dont think AIX has tun/tap devices
18:55 < ZionHaze> did you mute me just before ?
18:55 < ecrist> I was the last one to say anything
18:56 < krzee> ecrist, was there a point to that?
18:56 < ecrist> no
18:56 * ecrist started drinking
18:56 < krzee> oh i see
18:56 < ecrist> but just
18:56 * krzee takes away eric's bottle and passes a joint
18:56 * ecrist takes joint, steals bottle back.
18:56 < ZionHaze> yes i'm rolling up one as of now
18:57 < ZionHaze> you shouldn't mix the joint and the bottle !
18:57 < ecrist> krzee: should I akick myself?
18:57 < krzee> nah just use the joint
18:57 < krzee> it'll fix everything =]
18:58 * ecrist mode/##openvpn +mellow by ecrist
18:58 * ZionHaze lights up some skunk special
18:58 < ecrist> anyone have a good website template I can use for my business?
19:00 < dmarkey> no
19:00 < dmarkey> but gimme a job
19:00 < ecrist> um, you prolly don't have the necessary experience or license.
19:01 < dmarkey> to be a what
19:01 < ecrist> low voltage electrician
19:01 < ZionHaze> ^^
19:02 < dmarkey> so <12v then
19:02 < ecrist> I install CCTV, access control, security systems, data networking, telephone/voice, etc.
19:02 < ecrist> no
19:02 < ecrist> low voltage is <600v
19:02 < dmarkey> :)
19:02 < ZionHaze> dmarkey is the man it seems :)
19:02 < ecrist> according to the NEC
19:03 -!- Luria [n=Metatron@pool-70-23-222-5.ny325.east.verizon.net] has joined ##openvpn
19:03 < dmarkey> does the CCTV software run on AIX?
19:03 < Luria> can openvpn multiplex two vpns on one port?
19:03 < ZionHaze> Luria: i don't think so
19:03 < ZionHaze> each port deserves a network
19:04 < ecrist> Luria: yes and no
19:04 < Luria> ecrist, can you elucidate or send me a link?
19:04 < ecrist> can you elaborate?
19:05 < ecrist> on what you want to do?
19:05 < Luria> ok
19:05 * ecrist wonders why ##openvpn has become his new irc hang-out
19:06 < Luria> i have a home network, my wrt54 is running a public key openvpn daemon on 1194. the server pushes routing to clients to allow the use of the normal ips on my lan's /24
19:06 < ecrist> ok, that seems pretty straight-forward
19:06 < Luria> right
19:07 < Luria> so,
19:07 < Luria> ah, i just answered my own question
19:07 < ecrist> lol
19:08 < ecrist> glad I could help
19:08 < Luria> im sick of going over to my parents' house to fix machines - so i installed openwrt on their router, and now i want it to attempt to connect to my router... but only when i want it on, which means its own port
19:09 < Luria> i just need to figure out the topology i want to use
19:09 < ecrist> um
19:10 < Luria> i dont trust the machines on their network
19:10 < ecrist> why not run an OpenVPN instance on *their* router, so you can have a VPN there, as a client?
19:10 < ecrist> that's what I'd do, anyways.
19:10 < ecrist> that way, you can be on the road, out of town, etc, and still fix their shit
19:10 < Luria> yes, i just realized there was something backwards about that
19:10 < Luria> well
19:11 < Luria> to vpn to them, id rather vpn home and enable the bridge
19:11 < ecrist> Captain Morgan 100proof = ass-kickin'
19:12 < ecrist> that sounds, um, retarded.
19:12 < Luria> it does, except there's a third house i want to add to the vpn
19:13 < Luria> and id rather it all centralized from here
19:13 < ecrist> unless I'm missing something you're not telling us, you want cake and want to be able to eat it too
19:13 < Luria> what else do you do with cake?
19:13 < Luria> whats the point of cake, if eating is not involved?
19:13 < krzee> once you eat the cake you dont have it
19:14 < krzee> you have a choice, have it or eat it ;]
19:14 < ecrist> you can't have both.
19:14 < ZionHaze> brilliant
19:14 < krzee> i dunno the problem and dont wanna scroll for understanding tho
19:14 < krzee> too much scrolling for me =[
19:14 < ecrist> you can't have safe sex, and enjoy it too.
19:14 < ecrist> one or the other.
19:14 < Luria> never mind, i need to think this over 19:14 < krzee> but if you gimme clifnotes version, ill help 19:14 < Luria> but as for multiplexing, what is offered? 19:14 < ecrist> krzee: Luria doesn't know what he wants. 19:15 < Luria> in a sense, that's true 19:21 < Luria> actually, what i want is to setup a vpn. three fixed locations. one central, the other two connect to it. each has its own /24. 19:21 < ecrist> easy 19:21 < ecrist> having them connect, only when you want to, is not so easy. 19:22 < Luria> wandering machines connect to the central vpn machine only 19:22 < Luria> right. thats the part i need to figure out. clients cant push routes to servers, can they? 19:24 < ecrist> sure they can 19:24 < ecrist> you have to tell the server what route they're pushing, though. 19:24 < Luria> ok, then thats what i'll do 19:24 < ecrist> !route 19:24 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:25 < ecrist> see that link 19:26 < Luria> ok, perfect - that's almost exactly my situation 19:27 < Luria> 1sec, brb 19:29 * ecrist <3 his monitor setup on his mac 19:31 * ecrist <3 his mac 19:32 < ecrist> http://skitch.com/ecrist/2ptm/my-new-monitors 19:32 < vpnHelper> Title: Skitch.com > ecrist > My new monitors. (at skitch.com) 19:35 -!- Luria [n=Metatron@pool-70-23-222-5.ny325.east.verizon.net] has quit [Read error: 60 (Operation timed out)] 19:47 -!- Luria [n=Metatron@pool-151-202-77-13.ny325.east.verizon.net] has joined ##openvpn 19:48 < ecrist> wb 19:49 < Luria> gah. 
changed my lan ip via x-wrt 19:49 < Luria> dhcp default gateway did not change 19:50 < Luria> everything else went fine, so i didnt notice for a few 19:54 -!- Luria [n=Metatron@pool-151-202-77-13.ny325.east.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 20:11 * krzee loves seeing someone else use !route 20:11 < krzee> thats like my most typed thing in this channel 20:38 < jeev> cable modem at my store 20:38 < jeev> finally got legit cable modem 20:38 < jeev> still packet loss. 20:38 < jeev> i knew that shit was bull 20:41 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 20:44 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Client Quit] 21:07 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has joined ##openvpn 21:33 * ecrist growls 21:37 * krzee throws eric a piece of raw meat 21:38 * ecrist tears it up like he tore krzee's mom up last night. 21:38 < ecrist> now, when i look at her vag, I think of a pound of ground beef. 21:38 * krzee thinks you passed on the joint and hit the bottle some more 21:41 -!- Zigara [n=LSD@d38-47-123.commercial1.cgocable.net] has joined ##openvpn 21:41 < Zigara> hello, anyone around? 21:44 < ecrist> yes 21:44 * ecrist thinks you're right. 21:47 < krzee> Zigara, hey 21:48 < Zigara> openvpn hurts my mind T__T 21:48 < krzee> haha 21:48 < Zigara> i think i made it work though 21:48 < ecrist> it hurts a lot of folks' minds, at first. 
21:49 < krzee> ya it took me a lil bit too 21:49 < krzee> but it gets much easier once you read a bit if you already have general networking knowledge 21:50 < Zigara> I was using tls-server, but for some reason I could only have one client connected at a time, even when I set a ifconfig-pool 21:51 < krzee> you shouldnt need to set ifconfig-pool 21:51 < krzee> !sample 21:51 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 21:51 < krzee> heres a very basic sample config 21:51 < Zigara> ok 21:52 < krzee> feel free to ask questions, but also make sure to read the howto and man-pages, they are a huge wealth of knowledge 21:53 < Zigara> hokay :] 21:53 < Zigara> thanks 21:53 < krzee> thats where we got most our understanding of openvpn 21:53 < krzee> np 21:53 < krzee> !howto 21:53 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 21:53 < krzee> !betaman 21:53 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html 21:53 < krzee> np =] 21:54 < Zigara> ifconfig 10.8.0.6 10.8.0.5 <- any idea why it starts off at those ips? 21:54 < krzee> !/30 21:54 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 21:55 < Zigara> !topology 21:55 < vpnHelper> Zigara: "topology" is it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
21:55 < Zigara> thanks 21:55 < krzee> np 21:55 * krzee loves the bot 21:56 * jeev is installing Red Alert 3 21:57 * krzee is wondering if anyone cares 21:58 * jeev wonders if anyone would like to see krzee beat up while trying to compile openvpn 21:58 < krzee> hahaha 21:58 < krzee> dude, im a good fighter 21:58 < jeev> ahr 22:00 < krzee> it used to be my hobby 22:00 < krzee> til i found out that if i smoked weed i could be a nice guy 22:00 < krzee> lol 22:01 < Zigara> hmm, is there a way so I could run openvpn on a box on my LAN (dlink router) and beable to talk to the clients on the vpn from my desktop? 22:01 < krzee> !route 22:01 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 22:01 < Zigara> ;] 22:01 < Zigara> thanks 22:01 < krzee> np 22:02 < krzee> ild love to get feedback from you on that doc 22:02 < krzee> after you read it completely 22:02 < Zigara> ok 22:02 < krzee> it should be understandable, but since its your first time using openvpn i look forward to feedback 22:03 < Zigara> :] 22:03 < krzee> note the picture at the bottom 22:17 < Zigara> krzee, does each client need its own ccd folder? 22:27 -!- Luria [n=Metatron@pool-151-202-77-13.ny325.east.verizon.net] has joined ##openvpn 22:27 < Luria> so, i just wasted 2 hours of my life 22:28 < Luria> after redoing my ip blocks and resetting my openwrt, i wanted to double check that my vpn works... so i get... an external ip which takes a bit of time 22:29 < Luria> and then lo and behold the vpn wont connect 22:29 < Luria> same config i've used for a year, and nada 22:29 * Luria shoots himself as he realizes much later that the router has no hardware clock 22:43 < krzee> krzee, does each client need its own ccd folder? 
22:43 < krzee> only 1 folder 22:43 < Zigara> i just killed my lan 22:43 < Zigara> lol 22:43 < krzee> each client which gets its own ccd entries will get its own ccd file 22:44 < krzee> in that folder 22:44 < krzee> !ccd 22:44 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 22:44 < Zigara> i need to restart my router 22:44 < Zigara> brb 22:46 -!- Zigara [n=LSD@d38-47-123.commercial1.cgocable.net] has quit [Nick collision from services.] 22:46 -!- Zigara [n=LSD@d38-47-123.commercial1.cgocable.net] has joined ##openvpn 23:38 < Zigara> hey, does the client and server both need to use the same dev type? 23:59 < Zigara> !freebsd 23:59 < vpnHelper> Zigara: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server --- Day changed Thu Oct 30 2008 00:13 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: ElCheapo 00:14 -!- Netsplit over, joins: ElCheapo 00:16 -!- ZionHaze [n=ZionHaze@85-171-168-184.rev.numericable.fr] has quit ["Lost terminal"] 00:40 < jeev> shit man 00:40 < jeev> got packet loss at the store 00:41 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: ElCheapo 00:42 -!- Netsplit over, joins: ElCheapo 00:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 00:48 < Zigara> anyone around? 00:48 < Zigara> krzee maybe? ;] 00:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: ElCheapo 00:49 -!- Netsplit over, joins: ElCheapo 01:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:36 < reiffert> Zigara: yes, they do. 
01:48 < krzie> hey 01:50 < reiffert> moin :) 01:55 < krzie> hehe 01:55 < krzie> moin 04:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:04 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn 05:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:08 -!- slestak [n=slestakW@174-152-165-79.area4.spcsdns.net] has joined ##openvpn 06:12 -!- slestak [n=slestakW@174-152-165-79.area4.spcsdns.net] has quit [] 06:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:14 -!- slestak [n=slestakW@174-152-165-79.area4.spcsdns.net] has joined ##openvpn 06:16 < slestak> question, we want to turn down a win2k vpn server on our lan. i am investigating replacing it w openvpn on rhel 5.2 06:17 < Zigara> im new to openvpn myself, but i might beable to help 06:17 < slestak> the server im being asked to use is not in the dmz, can i run openvpn chroot or gain insulation some other way? 06:18 < Zigara> yep, you can chroot it or even run it in a vserver 06:19 < slestak> i have vbox installed, but wasnt sure if virtual nics would be robust enough 06:19 < Zigara> should work fine 06:19 < slestak> chroot jail would be smaller footprint 06:19 < Zigara> vserver is a tiny footprint too 06:19 < Zigara> http://linux-vserver.org/Welcome_to_Linux-VServer.org 06:19 < vpnHelper> Title: Welcome to Linux-VServer.org - Linux-VServer (at linux-vserver.org) 06:19 < Zigara> more of a container then a vm 06:20 < slestak> ok, i thought u were saying i could use any general v 06:20 < slestak> vm 06:20 < Zigara> well, probably yes 06:20 < Zigara> im just suggesting vserver becauce i like it :P 06:20 < Zigara> and its simple 06:20 < Zigara> chroot is fine though 06:20 < slestak> i will look at it. 
tyvm 06:20 < Zigara> np 06:21 < slestak> im weighing between sth big like untangle vs small like m0n0wall to just port frwarding to my rhel app server 06:22 < Zigara> m0n0wall seems cool, i havent tried it 06:22 < Zigara> but it seems nice 06:22 < slestak> i have nil exp w bsd, but its reputation is awesome 06:23 < Zigara> once you learn it, you will love it ;] 06:23 < slestak> would you feel creepy running vserver on a machine not in the dmz? 06:23 < Zigara> no :p 06:24 < Zigara> openvpn only needs one port open 06:24 < slestak> my rhel box already has AD auth, so that leans toward vserver or chroot 06:24 < slestak> im needing sth for 100-150 user potentially 06:25 < Zigara> it should work fine 06:25 < slestak> thks for info 06:25 < Zigara> np 06:26 < slestak> think untangle is worth anything? 06:26 < Zigara> iv heard about it, dont know much about it 06:26 < slestak> understand its pretty needy of processor and ram 06:27 < Zigara> get m0n0wall :P 06:27 < slestak> linux is just geting a foothold. i better not take us into sth i cannot support. 06:28 < Zigara> m0n0wall has a pretty interface 06:28 < slestak> in my office. want to guarantee success, 06:28 < slestak> yup, i just know nth abt it ;) 06:28 < Zigara> its pretty much like linux 06:28 < Zigara> few differences 06:29 < slestak> maybe ill get it for home first 06:29 < Zigara> yeah 06:29 < Zigara> test it at home first 06:29 < slestak> usese ports right, like gentoo 06:29 < Zigara> yeah ports is kinda like gentoo's system 06:30 < Zigara> source based 06:30 < slestak> well, emerge is based on ports to give credit wwhere due :) 06:30 < slestak> got to go. thx 06:30 < Zigara> ok ttyl 06:31 -!- slestak [n=slestakW@174-152-165-79.area4.spcsdns.net] has quit [] 06:56 -!- slestak [n=sromanow@63.91.142.226] has joined ##openvpn 06:57 < slestak> Zigara: looking at linux-vserver.org, dont see a branch for 2.6.18, goes from 16 to 19. 
rhel will stay on 18 until rhel 6 06:58 < slestak> i'll head over to #vserver 07:00 -!- matteo [n=matteo@openwrt/developer/matteo] has left ##openvpn ["No matter how dark the night, somehow the Sun rises once again"] 07:23 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 07:29 -!- slestak [n=sromanow@63.91.142.226] has left ##openvpn [] 07:54 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 08:00 -!- gnosy [n=IceChat7@222.160.132.8] has joined ##openvpn 08:06 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 08:19 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit ["You call it ADD, I call it multitasking"] 08:27 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 08:35 -!- Luria [n=Metatron@pool-151-202-77-13.ny325.east.verizon.net] has quit [Read error: 110 (Connection timed out)] 08:44 < ecrist> morning, kids 09:17 < daguz> Anyone thinking of porting openvpn to the google phone/android system 09:17 < daguz> I guess I should have searched first... but still, anyone? 09:31 -!- kpettit [n=keith@99-172-37-26.lightspeed.tblltx.sbcglobal.net] has joined ##openvpn 09:35 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 09:42 < kpettit> I'm a n00b with OpenVPN, but I got it installed and configured bridge to bridge. I have a Windows machine that I used as a test and it connects and works great. 09:43 < kpettit> The way the Windows machine is configured there is a directory that has the key's it uses to get to the OpenVPN server, can that folder be copied and used on a different folder? 
09:44 < kpettit> The WindowsXP machine with the keys just says "Connect" with the OpenVPN client, so I'm wondering if somebody else can copy that information and just "Connect", or if there is a way I can require some sort of password 09:57 < reiffert> es and yes. 09:58 < kpettit> what's the easiest way to do that? 09:58 < reiffert> See the openvpn howto under ... 09:58 < reiffert> "password-protect" 09:59 < kpettit> If I can make one zip file that has the keys and config's all my users need that's great, then if there is a user/pass type authentication when they connect and I can manage that, It's perfect 09:59 < kpettit> reiffert: ok, thanks for direction. 10:01 < reiffert> both is possible. 10:02 * ecrist newfs a 5TB file system. 10:05 < reiffert> ETA? 10:10 < ecrist> ? 10:11 < ecrist> 4.4T usable space after formatting. 10:11 * ecrist grins 10:12 < reiffert> Established Time? 10:12 < reiffert> what filesystem? 10:12 < ecrist> ufs2 10:12 < ecrist> on FreeBSD 10:12 < ecrist> took about 3 mins 10:13 < reiffert> nice. 10:22 < kpettit> reiffert: the "build-key-pass" script. That adds password protection for a particual key right? It's not like a second level of authentication. 10:23 < kpettit> Ideall what I was hoping to do is have those keys I can distrubute to my users, then authenticate to a ldap/mysql/whatever type system to let them in 10:28 < kpettit> Looks like this might do the trick for me: http://code.google.com/p/openvpn-auth-ldap/ 10:28 < vpnHelper> Title: openvpn-auth-ldap - Google Code (at code.google.com) 10:41 < reiffert> It adds passwort protection for a particular key, right. I have no idea about your hopes. 10:43 -!- babyhuey [n=huey@cpe-76-190-247-141.neo.res.rr.com] has joined ##openvpn 10:43 < babyhuey> anyone know why when i start openvpn i lose connectivity? 10:43 < reiffert> the logfile might be an appropriate start. 
10:44 < babyhuey> nothing informational in there 10:44 < babyhuey> just says everything started correctly 10:44 * cpm flings poo at kpettit 10:44 < reiffert> kpettit: indeed, openvpn auth ldap looks *nice* 10:45 < reiffert> babyhuey: increase verbosity then, you should see something about loosing your contact. 10:45 < babyhuey> SCHEDULE: schedule_find_least NULL 10:45 < babyhuey> mean anything? 10:45 < babyhuey> its at 9 10:46 < ecrist> sounds like vpn server is push redirect-gateway but doesn't have NAT setup 10:48 < reiffert> oh, landon fuller was building the openvln ldap auth. 10:48 < reiffert> so apple is using it. 10:53 < kpettit> oh that's cool 10:53 < babyhuey> will doing it not as a push work? 10:54 < kpettit> I'm trying to do the central authentication thing. I was able to replace Active Directory and use Samba / LDAP for primary domain controller. Trying to get everything else including OpenVPN to use that setup as well 10:56 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has joined ##openvpn 10:57 < reiffert> kpettit: you might store the keys in ldap. 10:57 < kpettit> that'd be nice, didn't know you could do that 11:01 < reiffert> I think I was reading it on the mailinglist. 11:01 < kpettit> I found a "openvpn-auth-pam" plugin as well. That might be more flexible 11:02 < kpettit> Then I can auth to shadow, mysql, as well as ldap 11:02 < reiffert> yep. 11:02 * kpettit loves his pam 11:02 * cpm fears pam 11:02 < kpettit> cpm: had problems with it? 11:03 < cpm> No, I just don't understand it very well. I fear what I don't understand, 11:03 < cpm> :) 11:03 < kpettit> Guess that's why my wife scares me 11:04 < cpm> heh 11:04 < reiffert> :) 11:09 < ecrist> this ethernet driver is kicking my ass 11:09 * ecrist curses broadcom 11:12 < ecrist> I'm considering putting -STABLE on this production box. 11:12 < ecrist> I wish this server had a ROMB card, rather than a separate RAID card. 
11:12 < ecrist> grr 11:14 < ecrist> let's see if mii borks again 11:14 < ecrist> sorry, wrong chan. 11:16 < reiffert> Risk and Opportunity Management Board? 11:16 < reiffert> ;) 11:19 < ecrist> lol 11:23 < jeev> jesus, how much packet loss could one's cable have 11:29 < cpm> a lot. 11:29 < jeev> 2276 packets transmitted, 1928 packets received, 15.3% packet loss 11:29 < jeev> round-trip min/avg/max/stddev = 22.387/29.085/303.871/9.709 ms 11:30 -!- gnosy [n=IceChat7@222.160.132.8] has quit [Read error: 104 (Connection reset by peer)] 11:43 < ecrist> jeev: ick 12:06 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn 12:06 < Cisien> Im on a network with two layers of NAT, and a very restrictive firewall between me and the outside, is this something that openvpn can get around? 12:07 < Cisien> I have a linux system out on the internet which i can install the openvpn server on. 12:07 < Cisien> also, how well does the tun/tap driver work with vista x64? 12:10 < theromis> I think OpenVPN would help you with your's problems :) 12:11 < ecrist> Cisien: openvpn *should* be able to get you through there. 12:11 < ecrist> stay away from tcp if you can, go udp 12:11 < ecrist> theromis: sorta flaky 12:11 < Cisien> I think one of the only ways i'll be able to get throguh is TCP 12:12 < Cisien> I have the server and client setup, I just wanted to get an idea of if this is possible before i lose my hair (even more) 12:13 < Cisien> vista complains about a compatibility issue with the tap/win32 driver. Has this been resolved with 2.1? 12:13 < theromis> try this hotspotshield.com 12:14 < ecrist> !tcp 12:14 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 12:14 < theromis> you even wouldn't need any external linux hosts 12:14 < theromis> Cisien, better use TCP over UDP 12:14 < ecrist> Cisien: I would recommend running 2.1 on Vista 12:15 < Cisien> ecrist, I currently am 12:15 -!- Gnoxter [n=gnoxter@163-206-dsl.kielnet.net] has joined ##openvpn 12:16 < theromis> how long i need to wait feedback from vpn mail list registration? 12:17 < Cisien> ecrist, when i use UDP (server listening on port 53), it appears to not function, the TLS key negotiation times out 12:19 < Cisien> TCP doesn't do much better, it pauses for a moment, then soft-resets 12:20 < Cisien> but tls negotiation works 12:20 < theromis> Cisien, 53 port is DNS port 12:20 < Cisien> I know 12:20 < Cisien> i'm not runing DNS on the vpn server 12:21 < theromis> ah 12:21 < theromis> can you try different port? 12:21 < theromis> can you try hotspotshield.com? 12:22 < Cisien> is hotspotshield the service provider, or do i need to run a 'server' on an outside system? 12:23 < theromis> no 12:23 < theromis> you just installing HSS client(OpenVPN) on your host 12:23 < theromis> and VOULJA 12:23 < theromis> you going through VPN 12:25 < Cisien> what port does it run on? My experimenting with a socks proxy let me see that port 53 had the best performance (QoS policies) 12:31 < Gnoxter> Hello, have some trouble with my VPN. If I will start a session to my Openvpn Server I became this error message http://pastebin.com/m3bcc8a52 12:32 < Cisien> ssh over a high latency satellite connection seriously blows 12:32 < Cisien> especially when it has lower priority due to the poor QoS implementation on this network 12:33 < Cisien> Gnoxter, your on windows? Read the comment at the top of the config file 12:34 < Cisien> "C:\\Documents and Settings\\gnoxter\\Desktop\\NoVo.p12" may work better 12:34 < Gnoxter> no now I' m on Linux 12:34 < Cisien> ok 12:35 < krzie> [13:25] what port does it run on? 
My experimenting with a socks proxy let me see that port 53 had the best performance (QoS policies) 12:35 < krzie> socks proxy runs on tcp 12:35 < Gnoxter> Cisien: I would stress that its work but not on my Debian PC 12:36 < krzie> Cisien, iptables running on debian? 12:37 < Cisien> krzie, no iptables on my debian server 12:39 < Cisien> Hotspotshield doesn't include the proper tun-win32 driver 12:44 < Cisien> ok, 53 and 80 both don't respond to udp...what are some other... required, more or less, UDP ports 12:45 < krzie> Gnoxter, 12:45 < krzie> Error opening file /home/gnoxter/Desktop/NoVo.p12 (OpenSSL) 12:45 < krzie> thats the problem 12:45 < krzie> either wrong filename or bad permissions 12:45 < Gnoxter> Yes 12:45 < krzie> remember linux is case sensitive 12:45 < Gnoxter> Is this moment i find the mistake 12:45 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection] 12:45 < krzie> Cisien, what makes you think 80 udp is ever used commonly? 12:45 < krzie> 80 is web port, web traffic is tcp 12:46 -!- t0mb0y [n=abc@75.149.144.45] has joined ##openvpn 12:46 < Cisien> I know, it was just a guess 12:47 < krzie> umm 12:47 < krzie> you know but guessed*confused* 12:47 < t0mb0y> any idea what would cause this. I installed openvpn on server 2003, i can connect to the vpn, but i cannot ping the servers vpn ip or any of my push route ips. 12:47 < Gnoxter> I had wrote the false Directory in the config. 
12:47 < Gnoxter> Sorry and good evening ;) 12:47 < krzie> np Gnoxter, sometimes an extra pair of eyes helps ;] 12:48 < krzie> t0mb0y, 12:48 < krzie> !logs 12:48 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 12:48 < Gnoxter> exactly :D bye 12:48 -!- Gnoxter [n=gnoxter@163-206-dsl.kielnet.net] has left ##openvpn [] 12:48 < t0mb0y> ok ill try verb 6 and see what info i see 12:48 < krzie> my guess is the routes arent being added 12:49 < krzie> and when i see the error i have a couple things that could help it 12:49 < krzie> depending which error 12:49 < krzie> Cisien, are you sure the port has been forwarded and is open? 12:49 < t0mb0y> krzie: oh the routes are being added, it shows they are and says 2/2 are successful. 12:49 < krzie> t0mb0y, ok well show logs anyways 12:50 < krzie> is 2003 the client or server? 12:51 < t0mb0y> server. 12:51 < kpettit> I'm using the OpenVPN windows client. I'm trying to figure out how to get it to prompt for user/pass 12:51 < krzie> kpettit, right click on it in taskbar and set a password 12:52 < kpettit> krzie: ok, but how do you set the username? 12:53 < kpettit> Right now the server tells me the following when I connect from Windows OpenVPN GUI: TLS Error: Auth Username/Password was not provided by peer 12:54 < krzie> !man 12:54 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 12:54 < Cisien> krzee, the server is wide open to the internet, the client is behind two layers of NAT and a restrictive firewall 12:54 < krzie> Cisien, does the client use a proxy to reach the inet? 12:55 < kpettit> I think the "password" your talking about where you "right-click" in the taskbar is for the certificate password. 
I can't see any method to set user/pass from the client 12:55 < krzie> kpettit, 1sec 12:55 < krzie> i didnt know you meant for that 12:55 < krzie> just thought you wanted your win user to auth before joining 12:55 < krzie> heh 12:55 < krzie> --username-as-common-name 12:55 < krzie> For --auth-user-pass-verify authentication, use the authenticated username as the common name, rather than the common name from the client cert. 12:55 < krzie> oh wait, thats backwards 12:56 * Cisien wonders why he even tries to use SSH durring the peak hours 12:56 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has left ##openvpn [] 12:57 < kpettit> so in my "foo.ovpn" file I should put "cert username" instead of "cert file.crt" 12:57 < krzie> nah that wont work 12:58 < krzie> --auth-user-pass [up] 12:58 < krzie> Authenticate with server using username/password. up is a file containing username/password on 2 lines (Note: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h). 12:58 < krzie> If up is omitted, username/password will be prompted from the console. 12:58 < krzie> The server configuration must specify an --auth-user-pass-verify script to verify the username/password provided by the client. 13:01 < krzie> i suggest getting them from console 13:02 < krzie> cause if you get them from a file, there is no added protection over having certs' 13:02 < kpettit> yeah 13:02 < krzie> anyone who gets to the certs has gotten to the pw file 13:02 < kpettit> Bugger, I was hopping there was someway to do a popup user/pass dialog box for my Windows users. 13:02 < Cisien> not currently 13:02 < kpettit> It's going to confuse them to no end' 13:03 < krzie> could just use certs and a CRL 13:03 < t0mb0y> krzie: http://pastebin.com/d64850c25 sorry it took a while. 
13:03 < krzie> if a cert is compromised add it to the CRL 13:04 < kpettit> krzie: where is it you found those docus for the user/pass stuff? 13:04 < krzie> the man page 13:04 < krzie> you using 2.1 or 2.0? 13:05 < kpettit> Server is 2.0. I've been using 2.0 and 2.1 of the OpenVPN GUI client to experiment 13:05 < krzie> !man 13:05 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 13:05 < krzie> !betaman 13:05 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 13:05 < krzie> 2.0 and 2.1 manuals 13:05 < t0mb0y> krzie: the only thing that seems odd in the log is the flushipnettable failed on interface, invalid index. 13:06 < krzie> thats not all 13:06 < krzie> Thu Oct 30 12:50:25 2008 us=538804 IFCONFIG POOL: base=10.10.10.4 size=62 13:06 < krzie> Thu Oct 30 12:50:25 2008 us=538831 IFCONFIG POOL LIST 13:06 < krzie> Thu Oct 30 12:50:25 2008 us=538840 client1,10.10.10.4 13:06 < krzie> Thu Oct 30 12:50:25 2008 us=538847 client3,10.10.10.8 13:06 < krzie> Thu Oct 30 12:50:25 2008 us=538855 client2,10.10.10.12 13:06 < krzie> let me see your server config 13:06 < krzie> with no comments 13:06 -!- Cisien [n=Chris@210.5.236.28] has quit [Read error: 104 (Connection reset by peer)] 13:07 < krzie> oh ok, i see it is handing out .6 to first client 13:07 < krzie> thats good 13:07 < krzie> i thought it was trying to hand out .4, lol 13:07 < t0mb0y> krzie: http://pastebin.com/m788cbd9f 13:08 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has joined ##openvpn 13:08 < krzie> you cant dev tun on windows 13:08 < krzie> even for routed you use tap 13:08 < krzie> its a weird windows thing 13:09 < t0mb0y> is that just for openvpn servers? i know ive always used dev tun on windows clients. 13:09 < krzie> umm, really? 
13:10 < k-tr> krzie: well - its name is TAP32 - but it works like a tun or tap - just depends on you config 13:10 < krzie> right, you can use routed 13:10 < krzie> but over the tap interface 13:11 < krzie> i dont really use windows 13:11 < krzie> so maybe im wrong 13:11 < krzie> everytime i setup a openvpn install on windows it was dev tap regardless of routed or bridged 13:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:12 < t0mb0y> odd, if i switch client and server to dev tap, then it all works, but my client is assigned 10.10.10.4 ip 13:12 < krzie> right, cause of ipp.txt 13:12 < krzie> only routed uses /30 13:13 < t0mb0y> ahh ok ;x 13:13 < krzie> Now, on Windows, there is no /dev/tun or /dev/tun0/ or /dev/tap, etc. There is only ever a TAP-style device. The device can be set to emulate a tun device however, and the software (openvpn.exe) figures out if it needs to do so. This is the same behaviour on desktop and PPC, btw. 13:13 < krzie> ohhh ok 13:13 < krzie> so dev tun does work now 13:13 < krzie> it just decides if it needs to emulate tun 13:15 < krzie> !factoids search win 13:15 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', and 'winipforward' 13:16 < ecrist> my new raid is still initializing. 13:23 < krzie> t0mb0y, does route print show the routes as added? 13:31 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn 13:31 < Cisien> love this internet! 13:34 < Cisien> 53 TCP seems to be one of the few ports open 13:34 < Cisien> seems like all UDP ports are closed 13:37 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 13:38 < ecrist> Cisien: try UDP 53 13:38 < ecrist> well, I'm out for a bit. 
gotta clean up my mess here, pull one of the servers out of the rack, and head home 13:39 < Cisien> UDP 53 seems to time out 13:39 < Cisien> i get this when i try tcp 13:39 < Cisien> Thu Oct 30 21:38:31 2008 us=658000 TCPv4_CLIENT READ [0] from 67.223.235.8:3724: DATA UNDEF len=0 13:40 < Cisien> i'm going to check it out with the increased logging 13:42 < Cisien> UDP 53 i get: 13:43 < Cisien> Thu Oct 30 21:42:26 2008 us=63000 UDPv4 WRITE [42] to 67.223.235.8:53: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #17 ] [ ] pid=0 DATA len=0 13:45 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has quit ["Leaving."] 13:49 < Cisien> at least with tcp it appears it's talking both ways 13:50 < krzie> you know how much easier it is to check udp 53 13:50 < krzie> host ircpimps.org ns1.doeshosting.com 13:50 < krzie> if you can query my NS directly, its open 13:50 < krzie> if not, its closed 13:50 < krzie> heh 13:51 < Cisien> yeah, looks like it worked 13:55 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 13:56 < Cisien> at least with tcp it appears it's talking both ways 13:59 < Cisien> bah, confused this window with ssh again :P 14:00 < Cisien> ok, port 53, udp... let's troubleshoot that 14:07 < Cisien> anyone else know why i'm geting this error in the client when trying to connect? 14:07 < Cisien> Thu Oct 30 22:06:53 2008 us=487000 UDPv4 WRITE [42] to 67.223.235.8:53: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #25 ] [ ] pid=0 DATA len=0 14:15 -!- t0mb0y [n=abc@75.149.144.45] has quit ["Leaving"] 14:18 -!- bronson [n=bronson@adsl-76-233-217-130.dsl.pltn13.sbcglobal.net] has quit ["Leaving"] 14:27 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 14:31 < Cisien> traffic from port 53 isnt reaching my server... 
14:32 < Cisien> it could very well be likely that this firewall is redirecting UDP port 53 through it's own name servers 14:34 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:22 < PeterFA> What's the most common reason for a config option that causes a slow routing table under Linux? 15:22 < PeterFA> Like after I start/connect I get a routing table that takes time to print. 15:23 < PeterFA> What's the most likely and common reason for this? 15:25 < disco-> Probably DNS taking a long time resolving 15:25 < disco-> Try route -n 15:25 < PeterFA> disco-, thanks. 15:26 < PeterFA> I find that a bad mask can slow down a table print. I only wonder why. 15:26 < PeterFA> I fix masks and things are snappy. 15:35 < ecrist> Cisien: try TCP 443 16:12 < jeev> wow 16:12 < jeev> ecrist 16:12 < jeev> i was looking at my asterisk console, saw the peer enable and disable.. 16:12 < jeev> my failover script worked ;) 16:16 -!- hyegeek [n=hakimian@rw.aha.com] has joined ##openvpn 16:19 < ecrist> jeev: nice deal 16:20 < jeev> who is this armenian 16:20 < jeev> heh 16:20 < jeev> wow 16:20 < jeev> hyegeek, are you armenian? 16:20 < jeev> heh 17:17 -!- Cisien [n=Chris@210.5.236.28] has quit [Read error: 104 (Connection reset by peer)] 17:22 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)] 17:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:25 -!- Cheef-Daniel [n=chatzill@kons-5d846ca4.pool.einsundeins.de] has joined ##openvpn 18:26 < Cheef-Daniel> hi 18:27 < Cheef-Daniel> I have a little trouble setting up my server with openvpn 18:27 < Cheef-Daniel> I installed it to my server, and connected a client to it. 18:27 -!- kpettit [n=keith@99-172-37-26.lightspeed.tblltx.sbcglobal.net] has quit [Remote closed the connection] 18:28 < Cheef-Daniel> The Server has the IP 10.8.0.1, the client 10.8.0.6. 
But I can't access the server 18:29 < Cheef-Daniel> ping to 10.8.0.1 from client fails with timeout 18:29 < Cheef-Daniel> what am I doing wrong? 18:30 < Cheef-Daniel> I only want to access some network shares on my server through openvpn from the client 18:51 < reiffert> client: ping 10.8.0.6 18:51 < reiffert> server and client: firewall? 19:04 < Cheef-Daniel> no no firewall 19:04 < Cheef-Daniel> ping from client to another client through openvpn works, but from the clients to the openvpn server not 19:13 < SilenceGold> how are you trying to access your shared folder on the other server? 19:24 < Cheef-Daniel> \\10.8.0.1 and ping 10.8.0.1 19:24 < Cheef-Daniel> both dont work 19:31 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 19:34 -!- Cheef-Daniel [n=chatzill@kons-5d846ca4.pool.einsundeins.de] has quit ["ChatZilla 0.9.83 [Firefox 3.0.3/2008092417]"] 20:19 < theromis> where can I put my patch for publishing? 20:20 < theromis> http://www.binpaste.com/v.php?id=r7qs7 20:21 < theromis> I need to show it on the openvpn mail list 20:32 -!- hyegeek [n=hakimian@rw.aha.com] has quit ["Leaving."] 21:07 -!- ikevin [n=kevin@ANancy-256-1-15-48.w90-13.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)] 21:08 -!- ikevin [n=kevin@ANancy-256-1-88-243.w90-26.abo.wanadoo.fr] has joined ##openvpn 21:41 < ecrist> I don't understand your question, theromis 23:09 < theromis> ecrist, I've made changes in OpenVPN for traffic handling 23:10 < theromis> and I think it is very useful for developers 23:11 < theromis> I want to send this patch to the mail list but I still haven't received the confirmation letter that I've been added to the mail list 23:19 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] --- Day changed Fri Oct 31 2008 00:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:30 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:01 -!- roentgen 
[n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:11 < krzie> !ssl-admin 02:11 < vpnHelper> krzie: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 02:14 < jeev> !gotosleep 02:14 < vpnHelper> jeev: Error: "gotosleep" is not a valid command. 02:58 < krzie> jeev 02:58 < krzie> bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients). 02:58 < krzie> i didnt see that before, lol 02:58 < krzie> musta been looking at 2.0's manual when we were talking 03:21 -!- Zigara [n=LSD@d38-47-123.commercial1.cgocable.net] has quit ["This is D-Block"] 04:03 < krzie> !learn 2.1-winpass-script as http://article.gmane.org/gmane.network.openvpn.user/24575 04:03 < vpnHelper> krzie: The operation succeeded. 05:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 08:18 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 09:02 < ecrist> morning, folks. 09:20 < ecrist> anyone know where I can get some exploits for IPB? 
09:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:21 -!- AukeF [n=auke@x154.flex.surfnet.nl] has left ##openvpn ["Leaving"] 11:50 < krzie> neg 11:50 < krzie> !static 11:50 < vpnHelper> krzie: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 12:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:54 < theromis> I've made changes in OpenVPN for traffic handling 12:54 < theromis> and I think it is very useful for developers 12:54 < theromis> I want to send this patch to the mail list but I still haven't received the confirmation letter that I've been added to the mail list 12:55 < theromis> does somebody know the time period in which I can expect feedback? 13:02 < ecrist> no idea, theromis 13:02 < ecrist> is it possible your mail server blocked it? 13:03 < theromis> doesn't metter :( 13:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer] 13:39 < reiffert> theromis: minutes 13:44 < ecrist> theromis: what do you mean, 'doesn't metter'? 13:52 < theromis> I just want to check my actions in the mail list activation 13:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 14:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:17 < krzie> theromis, did you post it to the mail list? 
14:17 < krzie> oh nm 14:17 < krzie> lol 14:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:11 < jeev> cable company came 15:11 < jeev> there was rusty shit 15:11 < jeev> they cut it off and put new shit 15:11 < jeev> and now it's like 0% packet loss 15:11 < jeev> i had an instance where there was 0.3% 15:11 < jeev> for 500 packets i think 15:11 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 15:52 -!- IntJake [n=Jake@64-18-159-117.ip.justedge.net] has joined ##openvpn 15:54 < IntJake> my servers have 2 dedicated nics, one I am planning to use as public network and the other one as private. On the private connection, I would like users to access it via a VPN if the main public network is down...now please note I might have 100's of servers so I need a multi user solution... any ideas? 15:54 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 15:54 < Dougy> IntJake: !! 15:54 < IntJake> I have a dedicated switch for public and private IPs 15:54 < IntJake> YO! 15:54 < IntJake> doug 15:54 < IntJake> no one here? 15:54 < Dougy> They hide.. haha 15:55 * Dougy pokes ecrist 15:55 < IntJake> LOL 15:55 * Dougy pokes krzee 15:55 < Dougy> Someone will surface eventually 15:55 < IntJake> lol ok 15:55 < IntJake> does my request make sense? 15:55 < Dougy> I didnt see it 15:55 < Dougy> I just got here 15:55 < Dougy> I have a dedicated switch for public and private IPs 15:55 < Dougy> that's all I saw 15:56 < IntJake> my servers have 2 dedicated nics, one I am planning to use as public network and the other one as private. On the private connection, I would like users to access it via a VPN if the main public network is down...now please note I might have 100's of servers so I need a multi user solution... any ideas? 15:56 < Dougy> Ah, yeah that makes sense 15:56 < IntJake> cool 15:56 < ecrist> sup Dougy 15:56 < Dougy> nm 15:57 < Dougy> ecrist, how 'bout yourself? 
15:57 < ecrist> getting ready to get my party on tonight 15:57 < ecrist> Halloween = Sexy Bitches 15:57 < Dougy> Lmao 15:57 < Dougy> ecrist, can you help IntJake ? 15:57 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:57 < Dougy> :p 15:58 < ecrist> IntJake: what OS on the server? 15:58 < ecrist> have you read the howto? 15:58 < IntJake> centos/redhat 15:58 < ecrist> ah, linux, there's your problem. 15:58 < ecrist> !howto 15:58 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:58 < IntJake> not yet, but i wanted to know if this was even possible, I dont want a solution where I have to install software on the user's server.... 15:59 < ecrist> um... 15:59 < ecrist> what do you mean on the user's server? 15:59 < ecrist> with *any* vpn, there are two components, a server and a client 15:59 < ecrist> sometimes, both ends are clients, but you get the idea. 15:59 < ecrist> the user is going to need to run OpenVPN... 16:00 < IntJake> hmm yea, well, I was thinking of dedicating a server just for openVPN, route it via my switch which is connected to 40 other servers 16:05 < jeev> poop 16:06 < Dougy> jeev! 16:06 * Dougy dropkicks 16:07 * jeev has anti drop kick shield on 16:07 < Dougy> lmfao 16:07 < Dougy> i have something you can't shield from 16:07 * Dougy farts 16:07 < jeev> i've brushed my teeth 5 times since yesterday 16:07 < jeev> it still smells like onions 16:07 < jeev> i had so much onions yesterday 16:07 < IntJake> because its not the teeth 16:07 < jeev> i know 16:07 < jeev> wtf do i do 16:07 < Dougy> lmfao 16:07 < jeev> i brush my tongue too 16:07 < IntJake> scrape your tongue, not brush 16:08 < Dougy> jeev: it's not onions, its those damn ass buffets you keep eating at 16:08 < jeev> gar gar 16:08 < jeev> har har 16:08 < Dougy> ;) 16:08 < Dougy> the funny.. it's in blood 16:08 < Dougy> i can't help it 16:09 < jeev> har har 16:10 < Dougy> hey jake 16:10 < Dougy> there? 
16:10 < IntJake> yes 16:10 < Dougy> the guy couldnt find the 3.0s haha so hes sending me 3.2's instead 16:10 < Dougy> "btw, i couldn't find the 3.0Ghz ones.. so i'm giving u the more expansive one, the one with 3.2ghz cpus" 16:10 < IntJake> still trying to figure out 16:10 < jeev> int 16:10 < jeev> intserver? 16:10 < Dougy> jeev, yes 16:10 < jeev> interserver 16:10 < jeev> oh 16:10 < jeev> dood 16:10 < jeev> i got in a big thing with them 16:10 < Dougy> jake is my boy 16:11 < jeev> they wouldn't give my 16:11 < Dougy> lol 16:11 < jeev> referral fee 16:11 < jeev> when i brought a 2k/month customer 16:11 < jeev> and a 1k/month customer 16:11 < Dougy> ROFL 16:11 < jeev> then i threatened 16:11 < Dougy> nice 16:11 < jeev> and they gave it 16:11 < jeev> threatened with wht or something 16:11 < Dougy> pmsl 16:11 < jeev> this was like a year ++ agao 16:11 < jeev> ago 16:11 < IntJake> what client are you? 16:11 < IntJake> i mean 16:11 < jeev> i'm not a lcient 16:11 < IntJake> ohhh... 16:11 < IntJake> hehe 16:11 < Dougy> good answer jeev 16:11 < Dougy> he was gonna go spit on your servers 16:11 < jeev> heh 16:11 < IntJake> hehe 16:11 < jeev> what is the oversell ratio, seriously 16:11 < jeev> i wont tell 16:11 < jeev> and i dont care 16:12 < IntJake> well it depends, I dont know much about those mike knows 16:12 < jeev> yes, it was him 16:12 < jeev> lol 16:12 < IntJake> but I do know for resellers with $8k/mo revenue will get 30% off 16:13 < IntJake> thats the MAX 16:13 < jeev> yea 16:13 < IntJake> so I am assuming a 30% oversell perhaps? 16:13 < IntJake> may be 40% 16:13 < IntJake> not sure 16:13 < IntJake> lol 16:13 < jeev> ;) 16:13 < IntJake> brb 16:13 < jeev> i mean ratio 16:13 < jeev> like 16:13 < jeev> on a 100mbit line 16:13 < jeev> i'm sure they put 8 customers on it 16:13 < jeev> and say each one has unlimited 16:14 < IntJake> oh....well I think its played by the ear. 
16:14 < IntJake> there is no specific number as to how many per 100mbit line 16:14 < jeev> yea 16:14 < IntJake> btw I think they have gige per switch, not 100meg 16:14 < jeev> ah 16:14 < jeev> depends 16:14 < jeev> some people get 100mbit 16:14 < IntJake> yea 16:14 < jeev> but backplane is a lot more 16:14 < IntJake> yea true 16:14 < Dougy> hahahahah 16:14 < Dougy> IntJake 16:14 < Dougy> WASHINGTON, Oct. 30 /PRNewswire-FirstCall/ -- On October 30 at 4:30 pm 16:15 < Dougy> Sprint-Nextel severed its Internet connection to Cogent thereby partitioning 16:15 < Dougy> the Internet. It is no longer possible for many Sprint customers and Cogent 16:15 < Dougy> customers to directly communicate across the Internet. 16:15 < IntJake> I know cisco backplane is aroung 36gbps for those 3750 series switches 16:15 < jeev> yeaa 16:15 < IntJake> which is A LOOOOOT 16:15 < IntJake> lol 16:15 < IntJake> brb 16:16 < Dougy> jeev, im tired 16:16 < Dougy> you still in london? 16:17 < jeev> fuck no 16:17 < jeev> london is wack 16:17 < jeev> too expensive 16:17 < jeev> too lame 16:17 < jeev> brb 16:17 < IntJake> I wish there was a machine to automatically crimp cables to the size you need 16:17 < IntJake> like auto stapler in xerox copiers 16:18 < Dougy> lol 16:18 < IntJake> brb gotta crimp butt load of cables 16:18 < IntJake> I'm still not sure if I'm gonna run the APC reboots over public or private network 16:19 < IntJake> if its private I can ask users to login via VPN to access the reboot switch via SSH and reboot 16:20 < jeev> i need a cheap 16:20 < jeev> KVM over IP 16:20 < jeev> for 2 systems 16:20 < IntJake> lantronix? 16:20 < jeev> CHEAP 16:20 < jeev> not 400 bux for a little hit 16:20 < jeev> shit 16:20 < IntJake> startech? 16:20 < IntJake> they are pretty cheap 16:20 < jeev> link 16:20 -!- dmarkey [n=dmarkey@79.97.241.103] has quit [Read error: 110 (Connection timed out)] 16:21 < Dougy> jeev, did you say you have equipment in nyc? 
16:21 < jeev> yea 16:21 < jeev> i think it's being moved to NJ (i think) 16:21 < Dougy> where abouts 16:21 < jeev> was at the abovenet building 16:21 < Dougy> and jeev, i just spent 3 franklins on a server 16:21 < jeev> but they're kicking him out 16:21 < jeev> some digital shit 16:21 < Dougy> i handed IntJake the money before 16:21 < Dougy> haha 16:21 < jeev> heh 16:21 < Dougy> wait wait 16:21 < Dougy> it wouldn't happen to be digitalflare would it 16:21 < jeev> no 16:21 < jeev> some company 16:21 < Dougy> oh 16:21 < jeev> bought that building o something 16:21 < jeev> or something 16:21 < Dougy> ah 16:21 < jeev> the one with abovenet 16:21 < IntJake> Digital Realty Trust? 16:22 < jeev> think 16:22 < jeev> i think 16:22 < Dougy> those bastards 16:22 < jeev> so he is moving to another dc 16:22 < Dougy> i hate them 16:22 < jeev> his whole cage 16:22 < IntJake> yea they are kicking LOTS of people out of Weehawken, NJ 16:22 < jeev> but seriously 16:22 < jeev> datacenter is the best investment you could make 16:22 < IntJake> a client of our moved from there to our datacenter 16:22 < jeev> pricnig will never go down for space 16:22 < jeev> a nicely built datacenter.. 16:22 < Dougy> IntJake, if I tell Gregg to get a futon for here 16:22 < Dougy> you think he would? 16:22 < Dougy> lol 16:22 < IntJake> because they Abovenet gave them a 2 day notice to move 8 of his racks 16:22 < jeev> lol 16:23 < IntJake> I think he would slap you around first and then if you still need it he might consider 16:23 < IntJake> HAHAHAHAHA 16:23 < Dougy> lmfao 16:23 < Dougy> IntJake, im going to take his credit card soon 16:23 < Dougy> and buy a fridge 16:23 < Dougy> he promised a fridge last weekend 16:23 < Dougy> jeev, i just bought a dell poweredge 16:23 < Dougy> $335 16:24 < IntJake> WITH MY MONEY!!!!! 16:24 < IntJake> LOL 16:24 < IntJake> J/K 16:24 < Dougy> IntJake, yeah, mr. 
i've never held this much cash before ($335) 16:24 < IntJake> hehe 16:24 < Dougy> its a nice feeling to look down and see a wad of cash 16:24 < Dougy> it makes me happy inside 16:25 < IntJake> me neither. I've spent big money before but it was either via check or credit card. Anything about $50 in my pocket scares me 16:25 < IntJake> even $10 cause I've seen ppl getting killed for that 16:25 < Dougy> me too 16:25 * Dougy has brass knuckles and a knife 16:25 < IntJake> so if someone jacks me, I'll be more than happy to give my CC and everything since I can call my bank and cancel my cards and replace everything else that is in there 16:26 < Dougy> IntJake, you forget 16:26 < Dougy> if they take your stuff, they're still going to screw you up 16:26 < Dougy> even if you just hand it over 16:27 < IntJake> yea? 16:27 < IntJake> DUDE, DOUG 16:27 < IntJake> I cant f'kin close my wallet 16:27 < Dougy> sup 16:27 < Dougy> HAHAHAHA 16:27 < IntJake> LOL 16:27 < Dougy> I told you! 16:28 < IntJake> I thought u were exaggerating but shit man 16:28 < Dougy> oh no, i wasn't messing 16:28 < Dougy> and i still have 4 20s and a few 1's in my pocket 16:28 < Dougy> so imagine another like 7 bills added to that 16:28 < IntJake> HAHA 16:28 < IntJake> k dude, brb gotta crimp 16:28 < Dougy> have fun 16:28 < Dougy> dont crimp your finger 16:29 < IntJake> lol 16:29 < IntJake> k 16:30 < Dougy> IntJake, i was just looking at photos of my gf and me right 16:30 < Dougy> i literally almost disappear 16:30 < Dougy> lol 16:32 < jeev> why aren't you guys giving me free dedicated servers 16:33 < Dougy> umm 16:33 < Dougy> i dont even get discounted stuff for myself.. 16:34 < jeev> so 16:34 < jeev> !?! 16:34 < vpnHelper> jeev: Error: "?!" is not a valid command. 
16:34 < Dougy> lol 16:34 < jeev> eh 16:35 < Dougy> so 16:35 < Dougy> i spent $335 on a server mang 16:35 < Dougy> haha 16:35 < Dougy> dual xeon 3.2, 2gb ram, 160 gb hdd 16:35 < Dougy> dell poweredge 1425sc 16:50 < ecrist> IntJake: I don't think you understand how networking and VPNs work. (I haven't read the last 45 mins of messages) 16:53 < ecrist> Dougy: I just installed a Dell R300 + Dell MD1000 at our datacenter 16:53 < ecrist> formatted, 4.4TB of space. 16:53 < ecrist> :P 16:53 < jeev> ecrist, where is my root 16:53 < ecrist> 12x500GB RAID 50 16:53 < ecrist> if only I could use that for porn 16:53 < ecrist> 300Mbit connection to the net, too. 16:57 < Dougy> ecrist: i wish 16:57 < Dougy> Im getting 40/mo colo here for that server 16:57 < Dougy> but im gonna get some more memory so its real nice 16:57 < jeev> dougy 16:57 < jeev> where is my root 16:58 < Dougy> jeev, no 16:58 < Dougy> lol 16:58 < Dougy> im getting like 100G bw quota 16:58 < Dougy> so 16:58 < Dougy> no 16:58 < ecrist> our db server is a Dell 2950 with 32GB RAM, 4x 143GB SAS in RAID 10. 2xQuad_Core Xeon 3.2GHz 16:58 < ecrist> :P 16:58 < jeev> ecrist 16:58 < jeev> what do you use it for 16:59 < jeev> shemale stuff? 16:59 < ecrist> no, I work for a medical claim clearing house. 16:59 < ecrist> probably 75% of all medical claims in my region pass through my servers. 17:00 < ecrist> Including from such places as the famous Mayo Clinic 17:00 * jeev wonders what ecrist does with the data 17:00 * Dougy bets ecrist cant say 17:02 < ecrist> that other server I mentioned, I forgot to mention that the disk is geli encrypted 17:02 < ecrist> that's where all the data goes. 
17:03 < ecrist> our current system is only 2.6TB 17:04 * ecrist goes to get the kid 17:04 < ecrist> going trick-or-treating 17:04 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has joined ##openvpn 17:04 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 17:05 < jeev> get me candy 17:08 < Dougy> hey krzie 17:08 < Dougy> jeev: jeeeeeeeeeeeeeeeeeeeeeeeeev 17:10 < jeev> ? 17:10 < jeev> you play red alert 3 ? 17:11 < Dougy> nope 17:11 < Dougy> whatsthat 17:11 < jeev> command and conquer 17:11 < jeev> NEVERMID! 17:11 < jeev> mind 17:17 * Dougy slaps jeev 17:19 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [No route to host] 17:21 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)] 17:23 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:25 < SilenceGold> ecrist your link was just on the openvpn's mailing list :) 17:26 < Dougy> grr 17:26 < Dougy> im going to kill Nik 17:26 < Dougy> :( 17:26 < Dougy> more like kill FedEx 17:33 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 19:29 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 113 (No route to host)] 20:48 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 21:18 < ecrist> SilenceGold: really? 21:18 * ecrist looks 21:22 < ecrist> SilenceGold: openvpn-users list? 
21:23 < ecrist> w00t 21:26 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 21:42 -!- IntJake [n=Jake@64-18-159-117.ip.justedge.net] has left ##openvpn [] 21:44 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Connection timed out] 22:21 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 22:25 < krzee> lol 22:25 < krzee> that was prolly me 23:12 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Success] 23:17 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has quit ["Leaving"] 23:57 -!- nadio [n=nobody@about/philosophy/nadio] has joined ##openvpn --- Day changed Sat Nov 01 2008 00:12 -!- Dougy [n=doug@64.18.159.247] has quit [] 01:02 < ecrist> aw, and I thought someone important was recommending my shit 01:06 < ecrist> hrm, newsyslog killed my openvpn 01:19 < ecrist> krzee: I think that message was from you 01:29 < jeev> GOOD 01:32 < ecrist> what? 01:33 < jeev> i'm tired 01:33 < jeev> dood 01:33 < jeev> you dont play pc games? 01:33 < jeev> red alert 3? 01:33 < jeev> brb 01:35 < ecrist> no, don't play that. I play get drunk at a party and have sloppy sex with the wife, though. 01:35 < ecrist> I won. 01:43 < jeev> oh 01:43 < jeev> lol 01:43 < jeev> wack 01:43 < jeev> sloppy sex is nasty 01:43 < jeev> anyway 01:43 < jeev> i've gotta sleep 01:43 < jeev> night 01:50 < ecrist> fucker 02:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:02 -!- SJrX [i=SJrX@S01060008029e1eb2.vc.shawcable.net] has joined ##openvpn 04:02 < SJrX> This is a stupid question, but how do I actually run openvpn 04:02 < SJrX> I tried openvpn --config ./path/to/config 04:02 < SJrX> but it doesn't seem to try to connect 04:02 < SJrX> http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html 04:02 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 04:04 < reiffert> SJrX: your way of starting openvpn is correct. Check your syslog to see what's wrong. 
04:04 < SJrX> nevermind it's stupid dns issue 04:04 < reiffert> :) 04:05 < SJrX> hmmmm now it seems like my server isn't responding 04:06 < SJrX> What adapter does openvpn bind to 04:07 < reiffert> --local host 04:07 < reiffert> Local host name or IP address. If specified, OpenVPN will bind 04:07 < reiffert> to this address only. If unspecified, OpenVPN will bind to all 04:07 < reiffert> interfaces. 04:07 < reiffert> all. 04:08 < reiffert> please show us your configs, paste them to pastebin.com or similar service. 04:08 < SJrX> Okay 04:11 < SJrX> http://www.pastebin.ca/1242231 04:11 < SJrX> Hmmmm I do see the traffic coming in, but nothing replying 04:14 < SJrX> Someone had said that I should use my router as the endpoint, and the remote server as the client. the router has less ram than the server, is that true? 04:14 < reiffert> Try to search for line 31. 04:15 < reiffert> Cannot set tx queue length 04:15 < reiffert> and fix that. 04:17 < SJrX> hmmmm 04:18 < SJrX> Why would that be a problem if the remote server isn't replying 04:19 -!- plaerzen [n=cam@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:26 < SJrX> I reversed the configuration and now I get: Sat Nov 1 01:25:10 2008 WARNING: 'ifconfig' is used inconsistently, local='ifco nfig 10.8.0.2 10.8.0.1', remote='ifconfig 10.8.0.1 208.75.86.170' 04:26 < SJrX> Sat Nov 1 01:25:11 2008 Initialization Sequence Completed 04:28 < reiffert> Did I say anything about reversing the config? 04:28 < reiffert> I said: fix the error on line 31. 
04:34 < SJrX> The only thing relevant online seems to be not to use a persistent tun device 04:35 < SJrX> but from what I can tell, I'm not 04:49 < reiffert> hm, I think it has nothing to do with persistence or not 04:49 < reiffert> And the cause why you can see packets in one direction and not in the other o 04:49 < reiffert> is: the client tries to connect but your server does not answer 04:50 < reiffert> increase verbosity on the server side 05:01 < SJrX> Hmmmm 05:01 < SJrX> Well that's why I swapped them around 05:01 < SJrX> now they connect but I still get no traffic 05:03 < SJrX> From my new server: Sat Nov 1 06:03:27 2008 Peer Connection Initiated with 70.79.143.141:1194 05:03 < SJrX> Sat Nov 1 06:03:27 2008 Initialization Sequence Completed 05:03 < SJrX> Sat Nov 1 06:03:29 2008 WARNING: 'ifconfig' is used inconsistently, local='ifconfig 208.75.86.170 10.8.0.1', remote='ifconfig 10.8.0.1 10.8.0.2' 05:03 < SJrX> I see that on both sides after a connection is made 05:04 < reiffert> sorry, got to go 05:05 < SJrX> k 05:06 < SJrX> ah got it 05:48 < nadio> Why does the tun module not work, when it's embedded in the kernel ? 05:55 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has joined ##openvpn 06:08 < SJrX> hmmmm this is some weird openvz thing, it's working now 06:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:52 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 07:10 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:07 < nadio> SJrX: If it's working, dont touch it :) 08:08 < nadio> Anyone had problems with clients grabbing an ip ? 08:36 -!- onur [n=onur@0nur.net] has joined ##openvpn 08:37 < onur> Hi. I have a question. Does openvpn 2.0.9 support Windows Vista or should i use 2.1_rc13? 
08:45 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 08:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:24 < SilenceGold> onur you're correct so far 09:24 < SilenceGold> use the 2.1 11:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 11:38 < onur> ok thanks SilenceGold 12:03 -!- Doug52392 [n=Doug5239@pool-71-184-189-26.bstnma.east.verizon.net] has joined ##openvpn 12:03 -!- Doug52392 [n=Doug5239@pool-71-184-189-26.bstnma.east.verizon.net] has left ##openvpn [] 13:17 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 13:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:33 -!- nextgens [n=nextgens@freenet/developer/nextgens] has joined ##openvpn 13:34 < nextgens> hi 13:34 < nextgens> I'm looking for a "clean" solution to override my dns settings when my tunnel is up (that is on debian linux) 13:39 < nextgens> so far I'm using an up/down script 13:40 < nextgens> is there any cleaner way of doing the same thing? 13:54 < nextgens> the doc says I can use push "dhcp-option DNS 10.8.0.1" 13:54 < nextgens> but it doesn't specify the scripting involved to make that parse on non-windows clients 13:54 < jeev> !push 13:54 < vpnHelper> jeev: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 13:54 < jeev> hmm 13:55 < nextgens> well okay, but will my debian understand the "dhcp-option DNS" ? 13:55 < jeev> try it ;) 13:55 < jeev> i dont see it replacing /etc/resolv.conf though 13:55 < nextgens> fair enough 13:55 < jeev> i'd script it in 13:57 < nextgens> no it doesn't work 13:57 < nextgens> jeev> sure but where? 13:57 < jeev> in your up / down script 13:57 < nextgens> the scripts are run as non-root, aren't they? 13:57 < jeev> post it on pastebin.com 13:58 < jeev> hmm 13:58 < jeev> no idea, i dont use linux personally, i use them as my servers! 
13:58 < nextgens> http://pastebin.archlinux.fr/248204 13:58 < nextgens> that's what I'm using 13:59 < nextgens> but it breaks on a regular basis because resolvconf refreshes the symlink each time a non-related interface changes its state 14:00 < jeev> so just make it copy 14:00 < jeev> instead of link 14:00 < nextgens> will get overwritten anyway afaic 14:00 < jeev> so 14:00 < jeev> make a resolv.conf.orig and resolv.conf.vpn 14:00 < jeev> cp them to /etc/resolv.conf ;) 14:00 < nextgens> and no, disabling ifupdown/resolvconf isn't an option 14:01 < Dougy> jeeeeeeeeeeeeeeeeeeev 14:01 < nextgens> I'm 100% sure there is a cleaner way to do it 14:01 < jeev> huh 14:01 < jeev> sup dougy 14:01 < jeev> i dunno nextgens 14:01 < Dougy> nm 14:01 < Dougy> about to go over to the interserver office 14:01 < Dougy> and harass their tech 14:01 < jeev> why 14:02 < Dougy> i'm bored 14:02 < jeev> go sex up your woman 14:02 < Dougy> i cant 14:02 < Dougy> she's about 50 miles away 14:02 < jeev> ah\ 14:02 < Dougy> i was supposed to be with her today, but her parents are assholes 14:02 < Dougy> and my dad is sick 14:03 < jeev> oh 14:03 < Dougy> 46.4 mi 14:03 < Dougy> from my desk here to her house 14:03 < jeev> ahh 14:03 < Dougy> faggot train doesnt run on weekends #1 14:03 < Dougy> and #2 its 3 hours -.- 14:04 < nextgens> okay, well will find out something 14:04 -!- nextgens [n=nextgens@freenet/developer/nextgens] has left ##openvpn [] 14:04 < Dougy> eww cashews are nasty 14:05 < jeev> kik wgi 14:05 < jeev> who are you talkin to 14:05 < jeev> brb 14:06 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:12 -!- jeev [n=email@unaffiliated/jeev] has quit ["gotta clean this shit up"] 14:38 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 14:54 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has joined ##openvpn 16:27 -!- SJrX [i=SJrX@S01060008029e1eb2.vc.shawcable.net] has quit [Connection timed out] 17:01 -!- ILyuha [n=kewl@86.110.176.37] has joined 
##openvpn 17:01 < ILyuha> hello 17:08 < ILyuha> is it possible to assign static IP's to clients? 17:09 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has quit [Read error: 110 (Connection timed out)] 17:09 < ILyuha> i.e., i want to be sure, that client, which connects with 'client1.crt' certificate, will always get IP=10.8.0.4, and client, which connects with 'client2.crt' certificate, will always get IP='10.8.0.25' 17:09 < ILyuha> etc 17:38 -!- ILyuha [n=kewl@86.110.176.37] has quit ["Покидаю"] 17:47 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 18:15 -!- TTT_Travis [n=Travis@67.209.93.66] has joined ##openvpn 18:15 < TTT_Travis> I setup a VPN between my Windows server and Windows client, everything is connecting and working great, can ping and connect, dns works....but the user still can't logon to the Active Directory Domain over the VPN 18:16 < TTT_Travis> even though the server logon shows the client as connected on the Logon screen 18:25 -!- TTT_Travis [n=Travis@67.209.93.66] has quit ["This computer has gone to sleep"] 19:25 < Dougy> wooooooooooo 19:25 < Dougy> im hot 21:59 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 22:30 < ecrist> http://www.chilloutzone.de/files/08102703.html 22:30 < vpnHelper> Title: The best Air Race Pilot ever? | chilloutzone.de - free games and free fun (at www.chilloutzone.de) 22:46 < jeev> doesn't help when a HUGE sponsorship ad covers the video 22:47 < jeev> http://www.youtube.com/watch?v=XRCbkBfdBrQ 22:47 < vpnHelper> Title: YouTube - THE BEST AIR RACE PILOT EVER!!! (at www.youtube.com) 23:52 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 23:53 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has left ##openvpn [] --- Day changed Sun Nov 02 2008 00:39 -!- zib [i=zibbe@smisk.keff.org] has joined ##openvpn 00:39 < zib> Hi. 
Does anyone know if link-states is supported in some way? That the interfaces get a down state if the tunnel isn't up 00:45 < ropetin> zib: you mean the physical interfaces? 00:45 < zib> no. I want the tap/tun-interfaces to get a down-state 00:45 < ropetin> AHhh, ok, I was going to say, it doesn't make sense :D 00:46 < zib> like if i would do , ip link set tap0 down 00:46 < zib> heh well 00:46 < zib> I'm using openvpn-tunnels between some hosts and then dynamic routing on top of that (bgp). 00:47 < zib> And if the interface is still up it would still be listed as connected. And therefore still be advertised 00:47 < ropetin> way over my head then, I had enough trouble setting up a tunnel between my laptop and house 00:47 < zib> hehe 00:47 < ropetin> Is krzie here? He/she is a genius at this stuff 00:48 < ropetin> I'll take that as a no :( 00:48 < zib> :) 00:48 < zib> I could just script something that pings the endpoints and downs em but that would be fugly :) 00:49 < ropetin> Yup, I'm sure there is a better way to do it 00:53 < krzie> wassup? 00:53 < zib> He's alive 00:53 < ropetin> Your genius is needed by zib krzie ;) 00:53 < krzie> im no genius but im down to help 00:53 < krzie> lemme scroll up 00:53 < zib> And he's in #openvpn, #freebsd and #gentoo . 00:53 < zib> Could almost be me 00:54 < ropetin> Uh oh, dont check the rooms Im in then :P 00:54 < zib> hehe 00:55 < krzie> what do you want to accomplish with knowing state? 00:55 < zib> I wrote that too 00:55 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 00:56 < zib> Getting the bgpd to drop the announcing of the interface as "connected" 00:56 < zib> http://stats.keff.org/ , my little network :P Mainly built with tunnels heh 00:57 < ropetin> Crazy! 00:58 < ropetin> What's generating those stats? 
00:58 < zib> mrtg+weathermap 00:58 < ropetin> k, I´ll check that out 00:59 < zib> http://stats.keff.org/mrtg.html , the src-files 00:59 < vpnHelper> Title: MRTG Index Page (at stats.keff.org) 00:59 < zib> which weathermap parses 01:01 < ropetin> Ooo, daylight savings time just kicked off. Why can my crappy personal cell automatically cope, but my work BlackBerry has no clue? 01:02 < zib> My iphone got the clue 01:02 < zib> :) 01:02 < ecrist> hola, bitches 01:02 < ropetin> Indeed 01:02 < ropetin> zib: Your FreeBSD cred is immediately washed away by the iPhone lameness ;) 01:03 < zib> Well I'm not an apple-dude :) 01:03 < zib> But the iPhone is really the best available here 01:03 < zib> The iphone 3g that is 01:03 < zib> And i have free data-traffic on it 01:03 < ropetin> Yeah yeah, they all start with the iPhone, then it´s an iPod touch, then a Macbook Air, then Steve Jobs´ babies 01:03 < zib> ~5Mbit/s downstream...anywhere :) 01:03 < ecrist> who has freebsd cred? 01:04 < ropetin> zib does 01:04 < ropetin> Snack time, BRB! 01:06 < ecrist> zib: tun/tap interfaces on freebsd are part of base, not OpenVPN 01:07 < ecrist> and, when they go down, they are removed from the interface list/unloaded by the kernel 01:08 < zib> huh. Well yeah I know they are. I just wanted OpenVPN to control the link-state internally. 01:08 < ecrist> zib, how would it do that. 01:08 < zib> But are they really removed. Tiem for a test. 01:08 < ecrist> when they go down, they're removed. 01:09 < krzie> zib, oh i see 01:09 < krzie> you want a down script 01:09 < ecrist> now, I think, you may sort of be able to work around that. 01:10 < krzie> !betaman 01:10 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 01:10 < krzie> lemme look 01:10 < ecrist> nm. 01:10 * ecrist bows to krzie 01:10 < zib> Well no. 
I dont think so :) 01:10 < zib> Hold on 01:11 < krzie> hey eric 01:11 < zib> Let's hope this doesnt crap out my routing :) 01:11 < krzie> zib, when you use --down 01:11 < krzie> you will want to let the app die 01:11 < krzie> gotta tell it to give up reconnecting after a couple tries 01:12 < zib> ecrist: http://pastebin.com/m362c470f , you see. The interface doesn't dissapear 01:12 < zib> The tun-interface that is. But that's what I'm using 01:13 < zib> oh it missed a command. I did ifconfig tun0 up also :) 01:13 < ecrist> zib: look at your output. the 'UP' state disappeared... 01:14 < zib> ecrist: well yes? That's what I want? 01:14 < ecrist> your question is answered. 01:14 * ecrist grumbles 01:14 < zib> With dissapeared i thought you ment that the tun0-interface dissapears 01:14 < ecrist> I did, but with your example, you've managed to answer your own question 01:15 < zib> heh. Well last time I used a down-script it didnt work with the scenario I wanted 01:15 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 01:15 < zib> I'm going to check again why. 01:15 < ecrist> no need for a down script 01:15 < ecrist> the interface goes down 01:16 < zib> I need something to take the interface down? 01:16 < zib> It's not like I'm gonna do it manually 01:16 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:17 < ecrist> zib, who said you need to do anything manually? 01:18 < zib> How else am I suppose to do it? I can't use an external script which pings and then up/down's the interface 01:19 < krzie> how did the down script not work? 01:19 < krzie> it runs a program when the program dies 01:19 < ecrist> zib, I think you are confused now. 
01:19 < krzie> tell the program to die when the tunnel goes down 01:19 < zib> No you are :) 01:19 < zib> Listen now what you're saying 01:19 < krzie> and your program changes your routing 01:19 -!- mode/##openvpn [+o ecrist] by ChanServ 01:19 < zib> krzie: You're saying "when the program dies" 01:20 < zib> It should be when the tunnel goes down. 01:20 < zib> Not when openvpn dies 01:20 < krzie> well 01:20 < krzie> thats not how it works 01:20 < krzie> it could serve a lot of clients 01:20 < krzie> it doesnt need to run down on each client, it needs to when the IF is going down 01:21 < krzie> the IF goes down when the app stops running 01:21 < krzie> tell it to stop running when it cant connect 01:21 < krzie> then it will run your script 01:21 < zib> Yes but doesnt the up-scripts get run immedietly when openvpn starts? Before it's connected? 01:21 -!- mode/##openvpn [-o ecrist] by ChanServ 01:22 < zib> A.k.a i would have it flapping between up/down if it cant connect 01:22 < krzie> no 01:22 -!- mode/##openvpn [+o ecrist] by ChanServ 01:22 < krzie> --up wont be running 01:22 < krzie> instead of assuming, try it 01:23 < zib> That's what I did a while back. But I'll try again then. 01:23 < krzie> if it was how you thought it was for --up, it would be for --down 01:24 < krzie> but you gotta see that openvpn has the interface the whole time its running, not just while connected 01:24 < zib> Yes that's what I ment in the beginning. That openvpn should set the link-state on the tunnel-interface depending on if it's connected or not. 01:24 < zib> But i'll try again 01:25 <@ecrist> zib, I think it does. 01:25 < zib> ecrist: Without any options? 01:25 < krzie> ecrist, pretty sure it doesnt 01:25 < zib> *special options 01:26 <@ecrist> zib, I don't know what you did for your example, but the example you gave shows the behavior you're requesting 01:26 < zib> So i dont mess this up. What options should i use? 01:27 < zib> Wouldn't just ping-restart do? 
01:29 < krzie> --ping-exit n 01:29 < krzie> Causes OpenVPN to exit after n seconds pass without reception of a ping or other packet from remote. This option can be combined with --inactive, --ping, and --ping-exit to create a two-tiered inactivity disconnect. 01:29 < krzie> For example, 01:29 < krzie> openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60 01:29 < krzie> when used on both peers will cause OpenVPN to exit within 60 seconds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged. 01:30 < zib> uhm so then I should put it in a while-loop? If it's an exit 01:30 < krzie> you're prolly more just looking for ping 10 01:30 < krzie> ping-exit 60 01:31 < krzie> a while loop? 01:31 < zib> Well ping-exit means that openvpn really dies? Not just restarts? 01:31 < krzie> if the program exits you know the tun is down 01:31 < krzie> correct 01:31 < zib> Yes but then I need something to bring it up again 01:31 < zib> When the endpoint is reachable 01:31 <@ecrist> zib - of course. 01:31 -!- mode/##openvpn [-o ecrist] by ChanServ 01:32 < zib> Well if openvpn exits that would have to be some external script doing that check? 01:33 < krzie> it will only exit if it cant ping in the time you say 01:33 < krzie> which happens when endpoint IS down 01:33 < ecrist> zib, a wrapper, sure. 01:33 < krzie> you can raise the thresh-hold as you desire 01:33 < zib> So basicly you didn't get my initial question at all :) 01:33 < krzie> dude 01:33 < zib> Ofc I can set up a wrapper or something similar to do exactly what I want 01:33 < krzie> it goes down so your down script works 01:34 < ecrist> zib, I understood your question just fine. 01:34 < zib> What I wondered if there was some way openvpn could control a link-state on the tunnel-interface 100% on its own. 
Without the use of external scripts 01:34 < zib> And I guess we can conclude by all this talk now that there isn't 01:34 < krzie> i dont believe there is 01:34 < zib> Would have been great if you said that in the beginning :P 01:35 < krzie> which is why i took it further and asked what you were looking to do 01:35 < zib> But thx anyway :) 01:35 < krzie> but basically 01:35 < krzie> link state is as follows: 01:35 < krzie> you run openvpn, it is up 01:35 < krzie> it stops, it is down 01:35 < zib> Yes. And what i wanted is : 01:35 < zib> i run openvpn 24/7 01:35 < zib> tunnel is up = tun-interface is up 01:35 < zib> tunnel is down = tun-interface is down 01:35 < ecrist> tun/tap on FreeBSD is in the kernel, not OpenVPN. 01:35 < zib> and openvpn never exits 01:36 < zib> ecrist: That doesn't mean openvpn can't control it! 01:36 < zib> damn. 01:36 < krzie> well 01:36 < ecrist> zib, as I said before, your example appeared to show it working. 01:36 < krzie> that means you want a --client-connect and --client-disconnect scripts 01:36 < krzie> cause being connected is just a specific CLIENT being connected 01:36 < ecrist> but, it's still at the kernel level. 01:36 < krzie> out of what could be tons of clients 01:36 < ecrist> if a tun interface is configure, but the tun isn't up, it's down. 01:37 < zib> ecrist: manually yes. The problem is as soon as the interface is down I have no way to verify when the tunnel comes up. I can ping the outside endpoint sure but that doesn't mean the tunnel is actually up 01:37 < ecrist> that's not an openvpn thing, it's a kernel thing 01:37 < krzie> zib, try what i just said 01:37 < zib> krzie: i will 01:38 < krzie> i think thats really what you're looking for 01:38 < krzie> without openvpn going down 01:38 < zib> ecrist: So? It's not like it's impossible for openvpn to set tun0 down when it can't contact the other end. Even if its a kernel-thing. 
It created the device afterall 01:38 -!- ikevin [n=kevin@ANancy-256-1-88-243.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 01:38 < zib> krzie: Does that work even if its just a p2p-tunnel. Not based on the server/client-basis? 01:38 < krzie> no clue, i dont use that 01:38 -!- ikevin [n=kevin@ANancy-256-1-51-109.w90-26.abo.wanadoo.fr] has joined ##openvpn 01:38 < zib> ok i'll try it. 01:38 < krzie> i like having client server certs signed by secret CA 01:39 < krzie> client checks server is signed as server 01:39 < krzie> tls shared key for hmac 01:39 < krzie> server with fatty dh key 01:39 < zib> But that thing about it being a kernel thing is just bollocks. It might aswell be able to do it. If it's not a uid/permission-thing 01:39 < krzie> etc 01:39 < zib> But now it's time for me to go home and sleep. I'll try client-connect/disconnect tomorrow 01:39 < ecrist> good night zib 01:39 < krzie> nite 01:41 < ropetin> Back, what´d I miss? 01:41 < ropetin> :D 01:44 < ecrist> nm to miss, IMHO 01:52 < ropetin> Excellent 01:53 < ropetin> I guess I´ll have to go to work instead then 01:57 < krzie> heh 01:01 < jeev> what's dh do 01:04 -!- Irssi: ##openvpn: Total of 37 nicks [0 ops, 0 halfops, 0 voices, 37 normal] 01:07 < krzie> gives it a huge random number seed 01:07 < krzie> for exchanging keys 01:08 < krzie> http://en.wikipedia.org/wiki/Diffie-Hellman 01:08 < vpnHelper> Title: Diffie-Hellman key exchange - Wikipedia, the free encyclopedia (at en.wikipedia.org) 01:10 < krzie> http://en.wikipedia.org/wiki/Discrete_logarithm_problem 01:44 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn 01:45 < Cisien> is openvpn picky about high latency links (800+ms)? also, is the port specified the only port that openvpn uses? 01:47 < Cisien> I don't understand why i can't connect to my vpn server - I'm using TCP, so NAT shouldn't be a problem, I have one layer of NAT including a firewall which i cannot access. 
I know it allows bi-directional communication on TCP port 7000, i connect to an irc server on that port. however, it appears that openvpn will just stop trying to connect. I have changed the log verbosity to 9, however, it doesn't give me any further insight on the problem 01:48 < Cisien> my logs: http://pastebin.com/d71a584f0 and my configs: http://pastebin.com/d7f0a5701 01:48 < Cisien> any help would be appreciated 01:50 < Cisien> I have also tried several other known open TCP ports, including 53, which gave me the best performance when i used a socks proxy server i had setup on that port before seting up openvpn 02:04 < Cisien> and before anyone suggests it - all UDP traffic is either filtered (directed to this ISP's own servers) or blocked from coming back in - it sucks 02:47 < krzie> [03:45] is openvpn picky about high latency links (800+ms)? also, is the port specified the only port that openvpn uses? 02:50 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 03:22 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 03:24 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 04:20 -!- Han [n=han@unaffiliated/han] has joined ##openvpn 04:22 < Han> I got a working openvpn tunnel here. I just can't get all traffic routed through the tunnel. I used --redirect-gateway def1 04:22 < Han> What else should I do? 
04:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:27 < ropetin> !nat 04:27 < vpnHelper> ropetin: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 04:27 < ropetin> Han: check that out 04:31 < Han> ah right 04:31 < Cisien> ropetin, do you have any idea what could be causing my issue (read back in the log a little bit) 04:34 < ropetin> Gimmie a sec... 04:35 < Han> ropetin, cheers. Works now! :-D 04:39 < ropetin> NP Han! I had the same issue myself last week :D 04:42 < ropetin> Cisien: You said you've tried both udp and tcp? What about the default port? 04:42 < Cisien> blocked 04:45 < ropetin> How about using tap instead of tun? 04:45 < ropetin> tap0 04:46 < Han> ropetin, it's rather tricky since there are so many options refering to the routing. 04:46 < ropetin> Han: heck yeah! 04:49 < Cisien> ropetin, i can try it, but i'm not sure if that applies to the issue i'm having 04:49 < ropetin> k 05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 05:19 < Cisien> ropetin, i think it's working with tap 05:20 < Cisien> Initialization sequence completed 05:20 < ropetin> ;) 05:20 < Cisien> but whats keeping it from completing with tun? 05:21 < ropetin> I've been up for about 29 hours right now, so my brain can't think that deeply. I'll mull it over after a nap! 05:21 < Cisien> lol, alright 05:22 < ropetin> Is it definitely working though, can you get a connection across the tunnel? 05:22 < Cisien> not sure how to test tap tunnels 05:23 < ropetin> Well presumably you are doing this to connect a computer remotely, or to connect two subnets together. Can you access one from the other? 05:23 < ropetin> Ping, http, something? 
05:23 < Cisien> doing this to get from behind a restrictive firewall, out :) 05:23 < ropetin> Ahh..... 05:24 < Cisien> i don't know if i'm setup properly or not though 05:24 < Cisien> only thing i changed was the device 05:24 < ropetin> You want to route all your traffic across the vpn? 05:24 < Cisien> no, i'll probably use ip route or iptables to do that 05:24 < Cisien> certan port ranges should be routed over the vpn 05:24 < ropetin> I guess can you ping the local IP of the remote server? 05:25 < Cisien> no 05:25 < ropetin> Probably not working then 05:25 < Cisien> but i've not setup any routing 05:25 < ropetin> If you ifconfig, what IP does tap0 have? 05:25 < Cisien> on the client, the device is down 05:25 < ropetin> Not connected then :D 05:26 < Cisien> now tls wont finish negotiating 05:26 < ropetin> What error? 05:26 < Cisien> handshake failed 05:26 < Cisien> the 60 second timeout 05:26 < ropetin> Can you pastebin the last few lines? 05:27 < Cisien> http://pastebin.com/d4604d78f 05:28 < Cisien> don't i need to bridge the tap device with something else? 05:28 < ropetin> Looks like it's probably the same problem as before, just manifesting in a different way 05:28 < ropetin> I have to say, if you're behind a very restrictive firewall, it's a possibility the network admins have configured it such that if they detect unapproved vpn traffic they drop the packets 05:29 < ropetin> So whatever you do, it won't work 05:29 < Cisien> its possible 05:29 < Cisien> can openvpn be used over a socks proxy? 05:29 < Cisien> i've gotten that to work for tcp data 05:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:55 < Cisien> ropetin, is there a way to change the TLS negotiation timeout? 05:55 < Cisien> i'm on a slow link, maybe thats the problem? 
05:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:56 < Cisien> i wonder what verb 6 would show 06:20 < ropetin> Less than 9 probably 06:20 < ropetin> Sorry, had to drive home 06:22 < Cisien> yeah, nothing more (useful) than 3, either 06:36 < Cisien> ads 06:40 < Cisien> ropetin, do you know if the tls negotiation timeout can be ajusted? 06:49 < Cisien> when i get the connection, all i see on the client is : Sun Nov 2 12:47:40 2008 us=416105 TCPv4_CLIENT READ [53] from 67.223.235.8:53: P_DATA_V1 kid=0 DATA len=52 07:04 < Cisien> I get a similar message on the server: Sun Nov 2 05:03:45 2008 us=169120 user3.client.vps.exoronet.net/210.5.236.28:41031 TCPv4_SERVER WRITE [53] to 210.5.236.28:41031: P_DATA_V1 kid=0 DATA len=52 07:10 < Cisien> i'm pretty sure now i'm geting the negotiation error because of the high latency on the link, it's not enough time to complete the negotiation 07:14 < Cisien> but when it does connect, it's not working. the server is sending several WRITE messages, which the client receives 07:27 -!- Dougy [n=doug@64.18.159.247] has quit [Nick collision from services.] 07:27 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 07:27 < Dougy> hey kids 07:28 < ropetin> Cisien: If it doesn't negotiate in 60 seconds, it's not gonna 07:32 < Dougy> so the new version of ubuntu is really nice 07:34 < ropetin> Dougy: in what way specifically? 07:34 < Dougy> pidgin and xchat is much nicer 07:34 < Dougy> aesthetically 07:34 < Dougy> it has a lot of new little tools 07:35 < Dougy> very large improvement 07:35 < ropetin> Glad to hear it Dougy :) 07:35 < Dougy> Yeah 07:35 < Dougy> My laptop doesn't like other distros lol 07:36 < Dougy> Ubuntu is what I'm stuck with 07:36 < Han> be careful with addictions. :-) 07:37 < ropetin> Hey, I'm a big Ubuntu fan, but I'm sticking with Hardy for now 07:38 < Dougy> ropetin: why's that? 
07:38 < Dougy> all of the bugs i had in hardy are gone now in intrepid 07:41 < ropetin> The reverse is true for me :) 07:42 < ropetin> There has been no reason for me to upgrade, so I'm not 07:42 < ropetin> If something comes along that I need, then I'll go for it 07:43 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Ex-Chat"] 08:04 < Cisien> ropetin, with verb at 6, it will be talking back and forth with the server up until the timeout hits 08:06 < Cisien> I think it's just timing out, something as simple as logging into ssh takes 1-2 minutes 08:13 < Han> if ssh-server can't resolve the connecting host it takes two minutes to connect 08:22 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Dryanta, zib, troy-, reiffert 08:23 -!- Netsplit over, joins: zib, Dryanta, reiffert, troy- 08:38 < Cisien> the variable is hand-window 120 for 2 minutes :) 08:39 < Cisien> i was seeing the keepalive messages before, the server was the only one sending them 08:39 < Cisien> now the server and client are 08:39 < Cisien> dev tun, btw 08:40 < Cisien> the tun device isnt up thoguh 08:43 < Cisien> this is a high latency satellite link, i'm guessing 2048 kbit, with well over 100 users on it. During peak hours, this thing slows to a crawl. 
To top it off, I beleive the administrator implements QoS, classifying everything HTTP (port 80, on the other side of his proxy) as high priority, everything else is a lower priority, so during peak times, anything not a web page is even slower 08:43 < Cisien> with hand-window 120, i was able to get connected more easily 08:43 < Cisien> but it still timed out once 08:44 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 08:45 < Cisien> but, i'm in iraq, so there isn't a lot a can do about it :p 08:45 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Client Quit] 08:48 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 09:04 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has joined ##openvpn 09:26 < Han> ok, so I want to avoid the --remote on the server so according to the faq I should use --proto. So I did. 09:27 < Han> Now if I run the server and netcat to the ip/port with tcp I get a connection: WARNING: Bad encapsulated packet length from peer (28270) 09:27 < Han> But if I run the client it keeps saying `failed to connect' 09:28 < Han> What's happening? 09:29 -!- drzed [n=drzed@synflood.homelinux.org] has joined ##openvpn 09:34 < Han> And how do I disable the IANA port number warning? :-) 09:40 -!- Dougy|Work [n=doug@64.18.159.247] has joined ##openvpn 09:40 < Dougy|Work> jeev 09:40 < Dougy|Work> jeev 10:00 < drzed> hi there! 10:00 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has left ##openvpn [] 10:00 < drzed> i guess i've got some routing problems 10:00 < drzed> i set up a site-to-site vpn ; the connection is up 10:01 < drzed> the server on site B can connect to hosts on site a 10:01 < drzed> but the hosts behind server B can not 10:01 < drzed> any ideas what the problem could be? 10:04 < Dougy|Work> where's jeev admn it 10:04 < Dougy|Work> damn 10:09 < jeev> ? 
10:10 < Dougy|Work> jeev 10:10 < Dougy|Work> guess where i am 10:10 < jeev> datacenter 10:10 < Dougy|Work> sitting in mike's chair 10:11 < Dougy|Work> lol 10:11 < Dougy|Work> interserver mike 10:11 < jeev> ahh 10:11 < jeev> if you check his email 10:11 < Dougy|Work> haha 10:11 < Dougy|Work> no, im not on his pc 10:11 < jeev> i yell at him in it 10:11 < Dougy|Work> hes got the biggest fking monitor 10:12 < Dougy|Work> jeev: 10:12 < Dougy|Work> http://www.upload3r.com/serve/021108/1225642360.jpg 10:13 < jeev> 30"? 10:14 < Dougy|Work> yeah 10:14 < Dougy|Work> at least 10:14 -!- ctooley [n=ctooley@doc-24-32-196-69.concordia.ks.cebridge.net] has joined ##openvpn 10:14 < ctooley> hello 10:15 < ctooley> I'm trying to find the instructions for changing my secret key's passphrase 10:15 < drzed> y'd better ask in #openssl i guess 10:15 < Dougy|Work> !notopenvpn 10:15 < vpnHelper> Dougy|Work: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 10:15 < Dougy|Work> ctooley, ^ 10:16 < ctooley> Ah, ok, thank you 10:22 -!- Cisien [n=Chris@210.5.236.28] has quit [Read error: 110 (Connection timed out)] 10:25 < reiffert> ctooley: http://www.google.de/search?num=20&hl=de&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=OIL&q=openssl+change+private+key+password&btnG=Suche&meta= 10:25 < vpnHelper> Title: openssl change private key password - Google-Suche (at www.google.de) 10:26 < ctooley> reiffert, thank you, found it. 10:29 < drzed> guys any idea about the routing problem? 10:30 < drzed> or is it a route problem at all, does openvpn block requests to this net if it is not mentioned in the cfg file 10:30 < reiffert> drzed: need more infos. draw it by ascii art, have multiple NIC's per machine when there are multiple interfaces, place labels with IP addresses. 10:31 < reiffert> drzed: site-to-site vpn: bridged? 
10:31 < reiffert> drzed: same network? 10:31 < reiffert> drzed: gateway of computers behind B == openvpn machine in subnet B? 10:38 < drzed> reiffert: http://phpfi.com/372908 <-- like this 10:38 < vpnHelper> Title: nopaste: pastebin with syntax highlighting (at phpfi.com) 10:40 < drzed> additionall they have a tun0 192.168.5.0/29 10:40 < drzed> as mention B kann ping e.g a1, but b1 can not 10:42 < reiffert> start tcpdump on host B, tcpdump -n -i tun0 proto ICMP 10:42 < reiffert> then start the ping on b1, ping a1 10:42 < reiffert> can you see the icmp packets pass the tun0 device on host B? 10:48 < drzed> hm well i do seen them on B 10:49 < reiffert> Now run tcpdump on A .. do you still see them? 10:49 < reiffert> tcpdump -n -i tun0 proto ICMP 10:49 < reiffert> after that do: 10:49 < reiffert> tcpdump -n -i eth0 proto ICMP 10:49 < drzed> well A is little bit diffrent (enbedded pfsense) 10:50 < reiffert> then run tcpdump on a1 ... 10:54 < drzed> hm a1 does not get any packet 10:54 < reiffert> allright, start tcpdump on A, which is a bit different :) 11:03 < drzed> there really is tcpdump on this box 11:03 < drzed> ok the pkg do reach tun0 on A 11:04 < reiffert> do they reach dev eth0 on A? 11:04 < reiffert> (or whatever the internal lan interface is called) 11:05 < drzed> no :( 11:07 < reiffert> disable all fancy firewalling on that box. 11:08 < reiffert> just for curiosity .. start tcpdump on the wan interface on A 11:08 < reiffert> can you see the packet on that interface? 11:09 < drzed> yes 11:09 < drzed> seem like a routing/firewall probl on [A] 11:09 < reiffert> well .. it's the wrong interface. 11:21 < Han> Does anyone know how do to disable the IANA port number warning? 11:23 < Han> Hmmm ok, I gotta read the code. And hack it. 
:P 11:24 < reiffert> #if 1 /* JYFIXME -- port warning */ 11:24 < reiffert> if (!o->port_option_used && (o->local_port == OPENVPN_PORT && o->remote_port == OPENVPN_PORT)) 11:24 < reiffert> msg (M_WARN, "IMPORTANT: OpenVPN's default port number is now %d, based on an official port number assignment by IANA. OpenVPN 2.0-b 11:24 < reiffert> eta16 and earlier used 5000 as the default port.", 11:24 < reiffert> OPENVPN_PORT); 11:24 < reiffert> #endif 11:26 < Han> yeah I got it already. 11:27 < Han> http://www.xs4all.nl/~hanb/software/openvpn_iana_warning.diff 11:28 < Han> Of course I should make it an option, but I'm lazy today. ;-) 11:28 < Han> oops, it's a reverse patch. :-o 11:29 < Han> There, fixed. 11:33 < Dougy|Work> grr 11:33 < Dougy|Work> that code confuses me 11:34 < reiffert> ? 11:35 < Dougy|Work> C/C++ whatever 11:35 < Dougy|Work> makes my head spin 11:35 < Han> really? 11:36 < Han> Oh! So nice and quiet. 11:37 < Dougy|Work> Han, yes 11:37 < Han> Well you don't have to look at it. ;-) 11:48 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn 11:48 < Cisien> what would keep my tun0 interface from geting an ip and being brought 'up'? 11:51 < reiffert> the key exchange/authenticate part 11:51 < reiffert> or windows 11:51 < reiffert> or something broken 11:51 < reiffert> increase verbosity to 10 11:53 < Dougy|Work> lol 11:53 < Dougy|Work> or windows 11:54 < Cisien> lol 11:54 < Cisien> the server log shows: Sun Nov 2 09:47:20 2008 user3.client.vps.exoronet.net/210.5.236.28:35600 MULTI: primary virtual IP for user3.client.vps.exoronet.net/210.5.236.28:35600: 10.0.10.6 11:55 < reiffert> ah well .. the client log. 11:55 < reiffert> or are we talking about the server? 
11:56 < Cisien> all i see is a more verbose keepalive :P 11:57 < Cisien> i'm talkin about the client 11:58 < Dougy|Work> i feel like garbagef 11:58 < Cisien> it's cause your at work :P 11:59 < Cisien> reiffert, the client is linux, 2.6 12:00 < Dougy|Work> Cisien, i love my job 12:00 < Dougy|Work> i want to work 24/7 12:00 < Dougy|Work> 81030 12:00 < Dougy|Work> thats how much i would make if i worked 24/7/365 12:00 < Cisien> lol 12:01 < Cisien> i'm floating somewhere aoround 30k, if i was to work 24/7 12:01 < Cisien> ...then again, if i was just to show up, and go home, i'd get the same 12:01 < Cisien> but eh 12:02 < Dougy|Work> i could work from home and get that 12:02 < Dougy|Work> im a DC tech hah 12:02 < Cisien> :) 12:03 < Dougy|Work> a 9.25/hour one 12:03 < Dougy|Work> as of yesterday 12:03 < Cisien> i think minimum wage in my home state is like 7.10 now 12:03 < Dougy|Work> what state 12:03 < Cisien> Washington 12:03 < Dougy|Work> fail 12:04 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 12:04 < Cisien> starting wage on any decent job is about 8 to 8.50 12:04 < Dougy|Work> i started at 7.15 12:04 < Dougy|Work> for a month 12:04 < Dougy|Work> trial period 12:04 < Dougy|Work> then 8.15, now 9.25 12:04 < Cisien> :) 12:05 < Cisien> I'm thinking i'll look into geting a job with General Dynamics when i get out 12:05 < Cisien> volunteer to come back over here, make about 180,000 minimum 12:06 < Dougy|Work> :O 12:06 < Dougy|Work> i hate you 12:06 < Dougy|Work> just for the record 12:06 < Dougy|Work> mtr is a great tool 12:06 < Cisien> play army for 6 years, you get to know a few people :) 12:08 < Cisien> what protocol does mtr use? icmp? 12:08 < Dougy|Work> it combines tracert + ping 12:08 < Dougy|Work> traceroute whatever 12:09 < Cisien> it doesn't do well on high latency links 12:09 < Cisien> it's telling me i have a 93% loss 12:09 < Dougy|Work> ouch 12:09 < reiffert> Cisien: is there anything in the client log, which says something like ... 
running ifconfig on tun0? 12:09 < Dougy|Work> whats your ip ill mtr it 12:10 < Cisien> reiffert, no 12:10 < reiffert> Cisien: raise verbosity level 12:10 < Cisien> Dougy|Work, uhh, 210.5.236.25 12:10 < Cisien> reiffert, it's at 10? 12:10 < reiffert> paste the log. 12:10 < Dougy|Work> !paste 12:10 < vpnHelper> Dougy|Work: Error: "paste" is not a valid command. 12:11 < Dougy|Work> oh 12:11 < reiffert> Cisien: the highest possible value is 11 btw. 12:11 < Cisien> ok 12:11 < Han> Just like my amplifier. 12:11 < Cisien> honestly, i havn't seen anything more useful past 6 :p 12:12 < Dougy|Work> Cisien: http://rafb.net/p/PNm4MV79.html 12:12 < vpnHelper> Title: Nopaste - No description (at rafb.net) 12:13 < Han> reiffert, BTW do you have an idea about my skipping the --remote option problem on my server? Asked 3 hours ago. 12:14 < Cisien> Dougy|Work, yeah, figured it wasn't so high :P 12:14 < reiffert> Han: "avoid --remote on the server"? 12:14 < Cisien> reiffert: http://pastebin.com/d138bd1e5 12:16 < Han> If one uses --remote on the server one is forced to connect from a specific IP. 12:17 < reiffert> Cisien: paste server and client config files please 12:19 < reiffert> Han: cant find that in the manpage. 12:19 < Cisien> Han, remote is used in point to point mode 12:19 < Cisien> reiffert: http://pastebin.com/d2ab1ddfd 12:20 < Han> indeed, if I don't use --remote I can't connect. 12:20 < reiffert> Cisien: # 12:20 < reiffert> push "route 10.0..10.0 255.255.255.0" 12:20 < reiffert> Cisien: .. 12:20 < Cisien> horay for latency! 12:22 < reiffert> what has latency got to with it? 12:24 < Cisien> typing over ssh on a high latency link sucks 12:24 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:24 < Cisien> anyway, that didn't change anything 12:24 < reiffert> Cisien: restart the server. 
paste log when using verb 3 12:25 < reiffert> proto tcp-server on the server.conf 12:26 < Cisien> if i bring the interface up manually, it works 12:26 < reiffert> good, so all the auth stuff works. 12:27 < Cisien> the pains of using tcp are there thoguh, 10,000ms pings :P 12:27 < Cisien> 34,000ms! 12:27 < reiffert> 70 times around the world link? 12:28 < Cisien> 135 packets transmitted, 101 packets received, 25% packet loss 12:28 < Cisien> round-trip min/avg/max = 849.233/17439.814/45217.846 ms 12:28 < Cisien> :p 12:28 < Cisien> i really need to find an open UDP port 12:29 < reiffert> 53 12:29 < Cisien> redirected to their dns server 12:29 < reiffert> 123 12:29 < Cisien> thats, ntp? 12:29 < reiffert> right. 12:29 < Cisien> ntp works for me... hrm.. 12:30 < Cisien> thats udp though? 12:30 < reiffert> yep 12:30 < Dougy|Work> jeev 12:31 < reiffert> Cisien: oh and remove that push route 10.0.10.0 line! 12:31 < reiffert> # 12:31 < reiffert> server 10.0.10.0 255.255.255.0 12:32 < reiffert> is sufficient 12:32 < Cisien> the server line handles it, i take it? 12:32 < reiffert> yep 12:32 < reiffert> have a look into the manpage under 12:32 < reiffert> --server 12:32 < Cisien> ok 12:33 < Cisien> k 12:34 < reiffert> Cisien: as root do: 12:34 < reiffert> nc -l -u 12345 12:34 < reiffert> on your server 12:34 < reiffert> I will connect and send you something. 12:35 < Cisien> sec 12:35 < Cisien> 123 worked 12:35 < reiffert> great. 
12:35 < reiffert> paste server and client config files again please
12:35 < reiffert> the current ones
12:36 < Cisien> pings are 700-800, mostly :)
12:37 < Cisien> my netcat doesn't have the -u option
12:37 < reiffert> we skip that as it is already working with 123
12:37 < Cisien> ok
12:38 < reiffert> paste server and client config files again please
12:38 < Cisien> workin on it
12:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:38 < Cisien> cat took 30 seconds to type :P
12:41 < Cisien> http://pastebin.com/dbdc9599
12:44 < reiffert> looks okay to me.
12:45 < krzie> !mtu
12:45 < vpnHelper> krzie: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml
12:46 < krzie> 700-800, satellite connection?
12:46 < krzie> my power died last night when i was going to start helping you
12:46 < krzie> =/
12:46 < Cisien> krzee, no problem
12:46 < Cisien> yeah, satellite
12:46 < krzie> ya you prolly need to tune your MTU
12:47 < Cisien> krzee, my problem (at that time) was it was taking longer than 60 seconds to do the tls negotiation
12:47 < krzie> and did i see something bout tcp?
12:47 < krzie> you do NOT want tcp on that kind of link
12:47 < krzie> !tcp
12:47 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:47 < Cisien> i had to increase it to 120 seconds
12:48 < Cisien> krzee, yeah, i know, i got it working on TCP earlier, had pings as high as 45 seconds
12:48 < Cisien> reiffert suggested port 123, which worked :)
12:48 < krzie> ahh nice
12:48 * krzie packs that into the back of his head as a backup port
12:48 < Cisien> now i just have the issue where openvpn (client) is not bringing up tun0
12:48 < krzie> OS?
12:49 < Cisien> linux 2.6 (openwrt)
12:49 < Cisien> i can bring the interface up manually, and it works
12:49 < krzie> tried --mktun?
12:49 < reiffert> still waiting for Cisien to paste the client logfile.
12:49 < krzie> ya client logfile sounds like exactly what needs to be seen
12:49 < reiffert> krzie: no mktun, no connection.
12:49 < Cisien> krzee, openvpn makes the tunnel when it starts, it just doesnt assign the ip and bring it up
12:49 * krzie thinks reiffert had this handled before i came back
12:50 < krzie> heheh
12:50 < reiffert> :)
12:50 < Cisien> at verb 3?
12:50 < krzie> 6
12:50 < Cisien> or 6
12:53 < reiffert> or 6.
12:54 < Cisien> Sun Nov 2 15:53:31 2008 us=814576 TUN/TAP device tun0 opened
12:54 < Cisien> Sun Nov 2 15:53:31 2008 us=815134 TUN/TAP TX queue length set to 100
12:54 < krzie> pastebin the whole thing
12:55 < Cisien> it's acting like the port is closed for some reason
12:55 < reiffert> server still running?
12:57 < krzie> i wonder if it being a VPS causes any issues
12:57 < Cisien> network may just be too congested to do much of anything right now
12:57 < reiffert> VPS?
12:58 < krzie> right
12:58 < reiffert> !vps
12:58 < vpnHelper> reiffert: Error: "vps" is not a valid command.
12:58 -!- Cisien [n=Chris@210.5.236.28] has quit [Read error: 104 (Connection reset by peer)]
12:58 < krzie> !factoids search *
12:58 < vpnHelper> krzie: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', (1 more message)
12:58 < krzie> !more
12:58 < vpnHelper> krzie: 'download', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'mitm', 'hmac', 'winipforward', 'help', 'topology', 'fragment', and '2.1-winpass-script'
13:00 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn
13:00 < Cisien> wow
13:00 < Cisien> that sucked
13:02 < krzie> !betaman
13:02 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html
13:02 < krzie> (thats for me on maillist)
13:03 < Cisien> where did i leave off?
13:03 < Cisien> http://pastebin.com/d14b2f85e
13:03 < Cisien> client log
13:04 < krzie> wow the manual never even mentions --script-security
13:05 < reiffert> remove the mute 20 please.
13:05 < krzie> Sun Nov 2 16:02:05 2008 us=604896 event_wait : Interrupted system call (code=4)
13:05 < krzie> Sun Nov 2 16:02:05 2008 us=609146 TCP/UDP: Closing socket
13:05 < krzie> thats when you control C'ed it
13:05 < krzie> right
13:05 < krzie> ?
13:07 < Cisien> wow, tls negotiation failed, even after 2 minutes
13:08 < Cisien> gotta love the peak hours
13:10 < Cisien> yea
13:11 < Cisien> reiffert, i've compared without the mute, it doesn't hide anything different than what it shows before the mute
13:12 < krzie> you need to tune MTU i believe
13:12 < reiffert> sounds like a plan.
13:12 < krzie> as i mentioned immediately upon seeing 800ms link (and knew it was a sat link)
13:12 < krzie> !mtu
13:12 < vpnHelper> krzie: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml
13:13 < Dougy|Work> krzie !!!!!!
13:13 < jeev> damn
13:13 < jeev> i got a crazy air compressor
13:13 < jeev> it's SO loud
13:13 < krzie> sup doug
13:13 < Dougy|Work> jeev
13:13 < Dougy|Work> http://www.upload3r.com/serve/021108/1225650875.jpg
13:13 < Dougy|Work> err
13:13 < Dougy|Work> wrong link
13:13 < Dougy|Work> o.O
13:13 < Dougy|Work> crap
13:13 < Cisien> 1470 + 28 = 1500
13:13 < Cisien> 1472
13:14 < reiffert> .
13:14 < Cisien> :P
13:14 < krzie> nice and neat cabling tho dougy, good job
13:14 < Dougy|Work> krzie, you should have seen it before
13:14 < reiffert> try mtu 1300
13:14 < Dougy|Work> you would need a GPS system to find the servers
13:14 < jeev> heh
13:14 < jeev> i dont know shit about MTU
13:14 < Dougy|Work> jeev, there are rows and rows and rows of empty racks
13:14 < jeev> i should read
13:14 < Dougy|Work> belonging to interserver
13:14 < Dougy|Work> haha
13:14 < krzie> reiffert, he doesnt need to guess if he uses the technique in that link
13:14 < jeev> Dougy|Work, tell them to give them to me
13:14 < jeev> $1/month per rack
13:14 < krzie> Dougy|Work, lemme sneak one in
13:14 < Dougy|Work> lmao
13:14 < jeev> free bandwidth, free power
13:15 < Cisien> i just set that in the client config?
13:15 < Cisien> mtu 1300?
13:15 < reiffert> krzie: I know, minus 8, minus n*dontremember
13:15 < jeev> what should i do with this compressor
13:15 < jeev> shit
13:15 < krzie> --mtu-test
13:15 < krzie> To empirically measure MTU on connection startup, add the --mtu-test option to your configuration. OpenVPN will send ping packets of various sizes to the remote peer and measure the largest packets which were successfully received. The --mtu-test process normally takes about 3 minutes to complete.
13:16 < krzie> !learn mtu as you can just use --mtu-test as well
13:16 < vpnHelper> krzie: The operation succeeded.
13:16 < Cisien> tun-mtu :P
13:17 < krzie> MTU problems often manifest themselves as connections which hang during periods of active usage.
13:17 < krzie> It's best to use the --fragment and/or --mssfix options to deal with MTU sizing issues.
13:17 < krzie> ohh im looking at wrong manual, you arent using 2.1
13:17 < krzie> !man
13:17 < vpnHelper> krzie: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
13:18 < krzie> looks like mtu stuff remains tho
13:20 < krzie> reiffert, actually the link says to just trial and error with ping set to not fragment and changing the size of ping
13:20 < krzie> but i hadnt seen --mtu-test
13:20 < krzie> which looks like the better solution
13:21 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has joined ##openvpn
13:22 < Cisien> 1341
13:25 < Cisien> according to ping, my max without fragmenting is 1472, well see what openvpn says once i do this mtu-test correctly :P
13:27 < Cisien> yep, 1541
13:28 < reiffert> 1341, 1472 and "yep 1541"?
13:28 < Dougy|Work> krzie, whatcha doin
13:28 < krzie> ya that confused me too
13:28 < Cisien> it defaults to 1542
13:28 < krzie> Dougy|Work, waiting for the address to ship a server to for you to sneak into a customers cage
13:28 < Dougy|Work> haha
13:28 < krzie> *grin*
13:29 < Cisien> lol
13:29 < Dougy|Work> i just ordered a server the other day
13:29 < Dougy|Work> its coming tomorrow
13:29 < Dougy|Work> krzie: http://www.ovpnforum.com/showthread.php?p=31#post31
13:29 < Cisien> 1472 is from ping, 1341 is when i did the test with tun-mtu set to 1300, and 1542 is when i didnt set tun-mtu
13:36 < reiffert> Cisien: does it work now, that you were choosing 1472?
13:36 < Cisien> I set it to 1500
13:37 < Dougy|Work> krzie, 28 members =D
13:40 < jeev> why is youtube so slow for me today
13:40 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
13:44 < jeev> http://www.sportinglife.com/boxing/news/story_get.cgi?STORY_NAME=boxing/08/10/30/manual_103133.html
13:44 < vpnHelper> Title: KING ARTHUR IS FIGHTING FIT | Sporting Life - Boxing News | Joe Calzaghe, Roy Jones, Ricky Hatton, Manny Pacquiao, Oscar De La Hoya, Amir Khan (at www.sportinglife.com)
13:44 < jeev> can't wait for arthur's fight
13:47 < Cisien> I set tun-mtu to 1472 on both sides, no change
13:48 < reiffert> try 1300
13:52 < reiffert> try this (according to the manpage)
13:53 < reiffert> --tun-mtu 1500 --fragment 1300 --mssfix
13:55 < Cisien> still no tunnel
13:55 < reiffert> tun-mtu 1500
13:55 < reiffert> fragment 1300
13:55 < reiffert> mssfix
13:55 < reiffert> ?
13:55 < Cisien> yeah
13:57 < Cisien> it seems like a script is not being run, or something isn't triggering the script to run
13:57 < Dougy|Work> jeeeeeeeeeeeeeev
13:59 < Dougy|Work> krzie
13:59 < jeev> ?
13:59 < jeev> i'm pissed at this compressor
13:59 < jeev> air compressor
13:59 < jeev> no need, too loud
13:59 < jeev> doesn't even dust as well as the little cans of air
13:59 < jeev> this thing was big and expensive
13:59 < jeev> gay
14:00 < jeev> bbiab
14:00 < Dougy|Work> yo
14:00 < Dougy|Work> jeev
14:00 < Dougy|Work> http://www.upload3r.com/serve/021108/1225655944.jpg
14:00 < jeev> ?
14:00 < jeev> heh
14:00 < Dougy|Work> rows of empty rax
14:00 < jeev> are they going out of business or what
14:00 < Dougy|Work> nope
14:00 < Dougy|Work> im literally sitting in one of those racks rightn ow
14:00 < Dougy|Work> right now
14:00 < Dougy|Work> hah
14:00 < jeev> heh
14:00 < Dougy|Work> <3 njiix
14:00 < Dougy|Work> i got mah wifi and all
14:00 < jeev> bbiab
14:00 < Dougy|Work> k
14:07 < Cisien> the windows client almost works
14:07 < Cisien> i just need to setup a client config for it so it knows how to get back
14:08 < Cisien> but apparently the win32 driver only deals with 252's
14:13 < Cisien> do i need to have any client config sections to tell the client of it's ip?
14:37 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
14:40 < Dougy|Work> krzie: ping
14:40 < Dougy|Work> http://rafb.net/p/jThFa144.html
14:40 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:43 < Dougy|Work> whyfor is it doing that
14:44 < reiffert> Cisien: !works?
15:08 -!- dverzolla [n=dverzoll@proxynet.fcl.com.br] has joined ##openvpn
15:09 < dverzolla> I have a problem with OpenVPN running in FreeBSD.
15:09 < dverzolla> OpenVPN is started before the NICs.
15:13 -!- dverzolla [n=dverzoll@proxynet.fcl.com.br] has quit [Client Quit]
15:51 < Dougy|Work> I guess he fixed it
15:52 < jeev> wack
15:53 < Dougy|Work> jeeeeeeeeeeeeeeeeeeeeeeev
15:53 < Dougy|Work> im getting sick
15:53 < Dougy|Work> :(
15:54 < Dougy|Work> and
15:54 < Dougy|Work> mike yelled at me
15:58 < jeev> why
16:01 < Dougy|Work> for sitting at his desk
16:01 < Dougy|Work> "dont ever sit here again, k?"
16:04 < jeev> get his paypal account
16:04 < jeev> lets buy stuff
16:05 < Dougy|Work> lol
16:07 < Dougy|Work> estoy enfermo :(
16:07 < jeev> what
16:07 < jeev> the hell is that
16:07 < Dougy|Work> what
16:07 < jeev> what you just said
16:08 < Dougy|Work> its spanish
16:08 < jeev> hyeh
16:08 < Dougy|Work> translates to "I'm sick"
16:09 < jeev> cool
16:09 -!- reiffert is now known as evil_core
16:09 < Dougy|Work> not cool
16:09 < Dougy|Work> my gf is having a pissy fit at me cuz of it
16:10 -!- evil_core is now known as reiffert
16:10 < Dougy|Work> :(
16:11 < jeev> a tizzy fit
16:14 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
16:18 -!- ctooley [n=ctooley@doc-24-32-196-69.concordia.ks.cebridge.net] has quit [Read error: 110 (Connection timed out)]
16:22 -!- k-tr [n=klaus@DSL01.83.171.190.150.ip-pool.NEFkom.net] has quit [Read error: 110 (Connection timed out)]
16:43 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
16:50 < Dougy|Work> going home, back tomorrow afternoon
16:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:04 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn
17:05 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
17:18 -!- cj [n=cjac@pdpc/supporter/monthlybronze/cj] has joined ##openvpn
17:18 < cj> hey all
17:18 < cj> I've brought down my openvpn on OS X, but the tap0 device is still alive... how do I delete it?
17:19 * jeev eyes cj
17:19 * cj runs from jeev
17:19 < jeev> eh
17:19 < jeev> why does everyone use osx!
17:19 < jeev> wackz0r
17:20 < cj> jeev: it's my wife's computer. she's a designer.
17:20 < jeev> ahh
17:20 < jeev> is she good ?
17:20 < cj> I'm trying to test my openvpn server, so I'm using it.
17:20 < jeev> good / free.. then msg me
17:20 < cj> jeev: I think so. http://www.cadmiumyellow.com/
17:20 < vpnHelper> Title: Cadmium Yellow Portfolio (at www.cadmiumyellow.com)
17:20 < cj> she also did a bunch of the home.microsoft.com stuff back in the mid - late '90s
17:21 < cj> and windowsmedia.com from '02 - '04 or so
17:21 < jeev> nice
17:21 < cj> she recently worked on the surface device; she won't take blame for the way it turned out, though :)
17:22 < cj> http://www.makaturamurals.com/ is something that I like, but she doesn't. She was taking artistic direction from the mural artist rather than making her own decisions about how everything should look.
17:22 < vpnHelper> Title: Makatura Murals, Seattle, WA. (at www.makaturamurals.com)
17:22 < cj> but she's not free, so nm :)
17:23 < cj> anyway, do you know how to delete this annoying tap0 device? :)
17:23 < cj> prolly same as freebsd in case you know that syntax
17:23 < jeev> destroy?
17:23 < jeev> try destroy after the int
17:23 < jeev> so she makes more than you
17:23 < cj> beefy:~ cjac$ sudo ifconfig tap0 destroy
17:23 < cj> ifconfig: SIOCIFDESTROY: Invalid argument
17:24 < jeev> just restart if you have to
17:24 < cj> jeev: she has in the past
17:24 < jeev> i dunno what the command would be
17:24 < cj> jeev: yeah, I love rebooting my wife's computer :)
17:24 < jeev> lol
17:33 < oc80z> sup
17:34 < oc80z> has there been ipv6 learning issues causing disconnected?
17:35 -!- SilenceGold [i=chris@216.93.247.130] has quit [Read error: 110 (Connection timed out)]
17:40 < jeev> no idea
18:54 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
19:15 -!- onur [n=onur@0nur.net] has quit [Read error: 110 (Connection timed out)]
19:36 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
19:47 -!- Cisien [n=Chris@210.5.236.28] has quit [Read error: 104 (Connection reset by peer)]
20:35 -!- ctooley [n=ctooley@doc-24-32-196-69.concordia.ks.cebridge.net] has joined ##openvpn
21:27 < jeev> !tld ad
21:27 < vpnHelper> jeev: Error: "tld" is not a valid command.
22:15 < krzie> if it DID have that, it would be !country
22:15 < krzie> but it doesnt
22:15 < krzie> hehe
22:19 < krzie> [19:19] why does everyone use osx!
22:19 < krzie> I use it because it is the best desktop OS i have tried
22:20 < krzie> of course that is opinion and not fact, but it is an educated opinion
22:21 < jeev> krzie
22:21 < jeev> dont make me kick your a$$
22:21 < jeev> and your osx
22:21 < krzie> heh
22:21 < krzie> w/e
22:21 < jeev> what's that
22:21 < jeev> type it out
22:21 < jeev> like a man
22:22 < krzie> whatever
22:23 * ecrist uses OS X
22:25 < jeev> pfft
22:25 * jeev disregards the socialists!
22:26 < krzie> wouldnt that be linux?
22:26 < ecrist> so, what would RMS be?
22:26 < ecrist> Hitler?
22:26 < krzie> haha
22:27 < jeev> i'm kidding
22:48 < ecrist> night all
22:48 < jeev> ta ta
22:48 < jeev> no cream pie /
22:48 < jeev> in your wife? :D
22:50 < krzie> nite eric
22:54 < krzie> ok im gunna go debug stuff
22:54 < krzie> if anyone needs me just say my name 3 times in front of a mirror
22:55 < krzie> or once in the IRC window
22:55 < jeev> ok
22:55 < jeev> yag
22:55 < jeev> brb
--- Day changed Mon Nov 03 2008
00:44 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection]
01:11 < reiffert> Moin
01:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
02:01 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:19 -!- Rabenklaue [n=Rabenkla@g226195052.adsl.alicedsl.de] has joined ##openvpn
02:20 < Rabenklaue> I've got openvpn set up correctly on my server and here on my client. But after the successful connection, I cannot ping the server with its VPN-IP.
02:21 < Rabenklaue> ifconfig tap0 shows me: RX packets:1 errors:0 dropped:0 overruns:0 frame:0 TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
02:21 < Rabenklaue> So you can see, my client tries to send something while pinging, but doesn't receive anything.
02:22 < Rabenklaue> And on my server you can see the exact opposite. It receives something via the tap0 interface, but doesn't send something
02:24 < Rabenklaue> the client config
02:24 < Rabenklaue> http://rafb.net/p/gG2SdQ33.html
02:24 < vpnHelper> Title: Nopaste - No description (at rafb.net)
02:25 < Rabenklaue> ups, its the server's...
02:27 < Rabenklaue> and now the client's config
02:27 < Rabenklaue> http://rafb.net/p/XEmzni32.html
02:27 < vpnHelper> Title: Nopaste - No description (at rafb.net)
02:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:58 -!- badserii [n=badserii@host-static-89-41-127-129.moldtelecom.md] has joined ##openvpn
03:00 < krzie> why not just use server statement?
03:00 < badserii> Hi. I have, maybe a dumb question. I follow the tutorials on the official openvpn site, but when it comes to bridging, the server apparently loses the connection to internet. The problem is that interface tap0 doesn't use the nameserver that is specified in /etc/resolv.conf. How can I define somewhere to use a nameserver?
03:00 < krzie> Rabenklaue, and what are you trying to ping?
03:02 < krzie> badserii, you mean the client loses connection?
03:02 < badserii> No. I mean that I can't ping www.google.com
03:02 < badserii> but I can ping the ip of google.com
03:03 < krzie> but from the server?
03:03 < badserii> yes, from the server
03:03 < badserii> from the client everything is ok!
03:03 < krzie> the server is not using tap to reach the inet
03:03 < krzie> so it has nothing to do with tap not using resolv.conf
03:03 < krzie> check your resolv.conf was not over-written
03:04 < badserii> krzie: it wasn't overwritten
03:04 < krzie> cat it
03:04 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
03:04 < badserii> nameserver 192.168.1.1
03:05 < krzie> ok, now
03:05 < krzie> host ircpimps.org 192.168.1.1
03:05 < badserii> to insert this in resolv.conf?
03:05 < krzie> no
03:05 < krzie> commandline
03:06 < badserii> I started now the bridge
03:07 < badserii> ;; connection timed out; no servers could be reached
03:07 < krzie> show me your routing table
03:07 < krzie> netstat -rn
03:07 < krzie> is your server and client on the same LAN by chance?
03:08 -!- Rabenklaue [n=Rabenkla@g226195052.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
03:08 < krzie> you just showed that it IS using resolv.conf
03:08 < krzie> but the nameserver isnt giving answers
03:08 < badserii> I didn't configure the client yet
03:09 < krzie> there is no client connected?
03:09 < badserii> the problem is that when I start the bridge interface /etc/init.d/bridge-start , then the server can't resolve hosts
03:10 < krzie> the problem is it cant reach the nameserver
03:10 < krzie> you aint bridging it right i guess
03:10 < badserii> yes
03:10 < krzie> which linux you use?
03:10 < badserii> it's exactly what you said
03:10 -!- Rabenklaue [n=Rabenkla@g226195052.adsl.alicedsl.de] has joined ##openvpn
03:10 < krzie> well lemme back up
03:10 < krzie> why do you want a bridge?
03:10 < badserii> I experienced this on Ubuntu, now on Debian lenny
03:11 < Rabenklaue> krzie: I tried to ping my VPN Server via VPN
03:11 < krzie> Rabenklaue, what IP?
03:11 < Rabenklaue> 192.168.20.1
03:11 < Rabenklaue> 192.168.20.0 is the VPN net
03:11 < krzie> from client?
03:11 < Rabenklaue> yes
03:11 < krzie> check firewalls
03:11 < Rabenklaue> 192.168.20.1
03:11 < Rabenklaue> yes, the firewall seems to be the problem
03:12 < Rabenklaue> I just stopped firehol and cleaned all iptables rules and now ... it seems to work
03:12 < krzie> badserii, why do you want a bridge?
03:12 < Rabenklaue> Thanks anyway
03:12 < badserii> krzie: here is the netstat -f output:
03:12 < badserii> http://paste.ubuntu.com/66664/
03:12 < krzie> Rabenklaue, you're welcome
03:12 < krzie> why are you using a bridge
03:12 < badserii> I want that people from outside, to be able to reach my local network
03:12 < krzie> they can do that with routed
03:13 -!- Rabenklaue [n=Rabenkla@g226195052.adsl.alicedsl.de] has quit [Client Quit]
03:13 < badserii> not just one computer.
03:13 < krzie> same with routed setup
03:13 < krzie> !route
03:13 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:13 < krzie> theres my writeup on how to do it using a 3-lan example
03:13 < badserii> will they be able to see the whole network?
03:13 < krzie> if you say so, yes
03:13 < krzie> you can selectively allow to with firewall rules if desired
03:14 < krzie> !bridge
03:14 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
03:14 < krzie> see #3
03:14 < badserii> thank you krzie!
03:14 < krzie> bridging adds an extra layer to encapsulate
03:14 < krzie> no problem
03:14 < badserii> I'll try them now
03:14 < krzie> !sample
03:14 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
03:14 < krzie> theres a basic routed config
03:15 < krzie> the !route link above should help with getting lans connected, see at the bottom theres a drawing for the example
03:15 < badserii> Thanks! I thought bridging is something more advanced
03:15 < krzie> bridging is for when you need certain LAN functions that only ethernet frames provide
03:16 < krzie> like windows filesharing by NETBIOS name without WINS server
03:16 < krzie> !more
03:16 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses.
03:16 < badserii> Now I think I understand something.
03:17 < krzie> routed sends IP over IP, bridge sends ethernet over IP
03:17 < krzie> the ethernet frame had an IP frame inside it
03:17 < krzie> more overhead
03:18 < krzie> and as far as im concerned, more effort
03:18 < krzie> plus you open yourself to local attacks
03:18 < krzie> like arp poisoning
03:18 < badserii> Then I think routed will be my solution
03:19 < badserii> I succeeded to connect clients through routing
03:19 < badserii> the problem was that they were seeing just my computer
03:19 < krzie> !route
03:19 < badserii> in the network
03:19 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:19 < krzie> note that if they are not the main gateway for their LAN you must add a route on it as well
03:21 < krzie> because the machine on LAN gets a packet from vpn_ip from local_vpn_endpoint, then checks its routing table how to reach the vpn_endpoint, has no entry so it replies to its default_gateway
03:21 < badserii> it gets much simpler!
03:21 < krzie> and if its 2 lans, each must know about the route to the other through the local_vpn_endpoint
03:22 < badserii> there's only one LAN
03:22 < badserii> now I'll try your suggestions!
03:22 < krzie> basically follow the path of the packets, remember that the source stays the same unless you NAT
03:22 < krzie> oh cool
03:22 < krzie> thats easy
03:24 < badserii> krzie: I'd put you a bear ;)
03:25 < krzie> huh?
03:25 < badserii> I mean, you helped me so much that I'd bought you a bear
03:25 < krzie> ohhh
03:25 < krzie> a beer =]
03:25 < krzie> thanx
03:26 < badserii> thank you too!
03:26 < krzie> a bear is the huge animal http://images.google.com/images?hl=en&q=bear&um=1&ie=UTF-8&sa=N&tab=wi
03:26 < vpnHelper> Title: bear - Google Image Search (at images.google.com)
03:27 < badserii> ah
03:28 < badserii> :)
03:28 < badserii> I was speaking of beer
03:28 < krzie> yup gotchya
03:28 < badserii> btw, are you the author of the image there? http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:28 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
03:29 < krzie> i am
03:29 < badserii> great work!
03:29 < krzie> assuming you mean the network diagram and not the lock up top
03:30 < krzie> thanx, i made it at gliffy.com
03:30 < krzie> it was easier than downloading an application to make a quick diagram
03:30 < krzie> and it did everything i wanted =]
03:31 < krzie> it was requested by a user who read the page
03:31 < badserii> the article is also written by you?
03:32 < krzie> yes
03:32 < krzie> its probably the most common issue for new users
03:33 < krzie> and you can imagine explaining that a few dozen times in here can get to be a large effort
03:33 < krzie> so i made a document to point at
03:33 < krzie> hehe
03:34 < badserii> here is efficiency
03:35 < krzie> yup
03:35 < krzie> so is it working now?
03:36 < badserii> I reconfigure it now
03:40 < badserii> in server.conf is written: Remember that these private subnets will also need to know to route the OpenVPN client address pool (10.8.0.0/255.255.255.0)
03:41 < badserii> does it mean that I have to configure somewhere something else?
03:42 < krzie> [05:19] note that if they are not the main gateway for their LAN you must add a route on it as well
03:42 < krzie> [05:21] because the machine on LAN gets a packet from vpn_ip from local_vpn_endpoint, then checks its routing table how to reach the vpn_endpoint, has no entry so it replies to its default_gateway
03:42 < krzie> its talking about that
03:42 < badserii> aha!
03:43 < krzie> the LAN being connected must have an entry for 10.8.0.0 in its routing table
03:43 < krzie> it must know which IP on the lan to route that network to
03:43 < krzie> on the router for the LAN
03:43 < badserii> Ok, now I understood. Thanks!
03:44 < krzie> np
03:50 < badserii> krzie: Now it works!
03:50 < badserii> Thank you!
03:50 < krzie> you're welcome
03:50 < krzie> =]
05:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:09 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
07:34 -!- ctooley [n=ctooley@doc-24-32-196-69.concordia.ks.cebridge.net] has left ##openvpn ["Leaving"]
07:37 -!- thechef [n=testi@147.86.175.21] has joined ##openvpn
07:41 < thechef> is it possible to create a p2p virtual network so that torrent inside a virtual network makes sense? (whereas the usual vpn-server would only work as a broker, fallback, broadcast and stun-server for each vpn-client and vpn-clients would connect directly to other peers after looking up their IP or MAC via vpn-server)?
07:52 < ecrist> not sure I understand.
07:55 < cpm> doesn't sound like a great idea to me.
08:03 -!- esaym [n=user@cpe-70-120-89-6.satx.res.rr.com] has joined ##openvpn
08:04 < esaym> howdy
08:04 < esaym> I am behind a network that only allows connections to destination ports 80 and 443. I can free up the port 443 on a remote server of mine. The question is, can openvpn be configured to only work with this one port?
08:09 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:15 < esaym> got to go, bbl
08:16 -!- esaym [n=user@cpe-70-120-89-6.satx.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
08:28 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
08:29 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has left ##openvpn []
08:30 -!- reiffert [n=thomas@mail.webersheim.de] has quit ["leaving"]
08:40 -!- ikevin_ [n=kevin@ANancy-256-1-97-121.w90-26.abo.wanadoo.fr] has joined ##openvpn
08:44 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
08:51 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn
08:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:52 -!- ikevin [n=kevin@ANancy-256-1-51-109.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
08:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:55 < Cisien> lol, push
08:55 < Cisien> such a simple word
08:56 < Cisien> caused hours of troubleshooting
08:56 < Cisien> rather, pull :P
08:57 < ecrist> what problems were you having?
08:58 < Cisien> the tun interfaces weren't pulling an ip
08:58 < ecrist> hrm, they should automagically, without a 'pull' statement
09:03 -!- stony [n=stony@serverbu.de] has quit [Read error: 110 (Connection timed out)]
09:05 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:10 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Dryanta, zib, troy-, roentgen, badserii
09:11 -!- Netsplit over, joins: roentgen, badserii, zib, Dryanta, troy-
09:15 -!- reiffert [n=thomas@88.198.59.20] has joined ##openvpn
09:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:30 -!- thechef [n=testi@147.86.175.21] has quit [Connection timed out]
09:31 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
09:34 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Dryanta, zib, troy-, reiffert, badserii
09:35 -!- Netsplit over, joins: reiffert, badserii, zib, Dryanta, troy-
09:39 < Cisien> ecrist, i thought so too, but the moment i added it, stuff started working
09:44 < Cisien> reiffert, works now, was pissing 'pull' in the client's configs
09:44 < Cisien> now, to setup a NAT firewall that only bothers one of my server's interfaces
09:46 < reiffert> Cisien: you have had a pull in the client config?
09:46 < reiffert> hmm, I didnt see that.
09:46 < Cisien> no, didn't have it
09:47 < reiffert> Ah well, I never used pull in client config. pissing = missing?
09:47 < Cisien> it was only after i sat and read the description of all the options in depth, did i find it :)
09:47 < Cisien> reiffert, lol, yeah, thats what i meant
09:47 < reiffert> So you were adding a pull and then it worked?
09:47 < Cisien> the p is so very close to the m, ya know :P
09:47 < Cisien> yeah
09:48 < Cisien> i can ping the server, and another host
09:48 < reiffert> mp are close together on a french keyboard, but not on US .. however, I
09:48 < reiffert> I never never never had to specify the pull option in the client config.
09:49 < Cisien> weird
09:49 < reiffert> yeah
09:49 < reiffert> maybe thats openwrt related.
09:49 < Cisien> not sure
09:49 < Cisien> i had to do it in win32 also (it was that, or set the ifconfig value)
09:50 < reiffert> Really strange then, maybe the server isnt sending it then.
09:50 < reiffert> which is really strange.
09:50 < reiffert> maybe god krzee knows something
09:50 < reiffert> !krzee
09:50 < vpnHelper> reiffert: Error: "krzee" is not a valid command.
09:50 < reiffert> !learn krzee as is away
09:50 < vpnHelper> reiffert: The operation succeeded.
09:50 < reiffert> !krzee
09:50 < vpnHelper> reiffert: "krzee" is is away
09:50 < reiffert> !learn krzee as away
09:50 < vpnHelper> reiffert: The operation succeeded.
09:51 < reiffert> !krzee
09:51 < vpnHelper> reiffert: "krzee" is (#1) is away, or (#2) away
09:51 < reiffert> hehe
09:52 < Cisien> lol
09:52 < Cisien> anyway, now to figure out this firewall script, so i don't lock myself out of my server :)
09:53 < Cisien> good thing i have 3 ip's/interface aliases for it ;)
09:53 < reiffert> echo "reboot" | at 17:00
09:53 < Cisien> i just hope iptables can work off of interface aliases
09:53 < reiffert> atq
09:53 < reiffert> atrm 1
09:54 * Cisien blinks
10:01 < Cisien> figured it out
10:01 < Cisien> client implies pull
10:01 < Cisien> i'm using tls-client
10:02 < Cisien> it also implies tls-client
10:02 < Cisien> lol
10:03 < Cisien> engine may be interesting - if openvpn supports the broadcom crypto engine
10:14 < cj> morning folks
10:15 * Cisien waves
10:15 < Cisien> "morning" is 7:15pm, got it!
10:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:35 -!- badserii [n=badserii@host-static-89-41-127-129.moldtelecom.md] has quit [Remote closed the connection]
10:40 < Cisien> anyone know if this would work for a quick 'n dirty NAT firewall that still lets me access the server from the internet?
10:40 < Cisien> http://pastebin.com/d14196a19
10:41 < Cisien> other than the botched default policies :P
10:43 < Cisien> the non-messed up version: http://pastebin.com/d1f7c22e3
10:44 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
10:51 < ecrist> ick, iptables
10:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:54 < Cisien> ecrist, heh
10:55 < jeev> ICK
10:56 < Cisien> eh?
11:10 -!- Cisien [n=Chris@210.5.236.28] has quit [Read error: 104 (Connection reset by peer)]
11:13 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn
11:13 < Cisien> well, the script didn't lock me out
11:14 < Cisien> but i have a new problem, with redirect-gateway, the wrong routes are pushed to the client (windows at least) and nothing works
11:47 < Cisien> any idea what the fix for this is?
12:10 < jeev> this is the second time
12:10 < jeev> my WR's just FLOOD the screen
12:10 < jeev> and everything dies
12:15 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn
12:17 < ecrist> Cisien: push the correct routes.
12:26 -!- krzie [n=k@unaffiliated/krzee] has joined ##openvpn
12:26 -!- krzie [n=k@unaffiliated/krzee] has quit [Remote closed the connection]
12:33 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has joined ##openvpn
12:37 < Cisien> ecrist, i can ping the vpn server again over the tunnel (route-gw, or something like that)
12:37 < Cisien> my problem now is my firewall, packets are leaving, but not coming back
12:37 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:37 < Cisien> i think i missed something
12:45 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
12:47 -!- zeloran [n=zeloran@i577B21A0.versanet.de] has joined ##openvpn
12:47 < zeloran> good evening
12:48 < zeloran> i have a newbie question: is openvpn able to connect to a cisco router?
12:48 < Cisien> not cisco's vpn
12:48 < reiffert> openvpn is able to connect to openvpn.
12:49 < zeloran> okay thanks
12:49 < Cisien> anyone have an example iptables setup that works with openvpn?
12:49 < reiffert> Cisien: routed?
12:49 < Cisien> indeed, NAT at the distant end
12:49 < Cisien> server side
12:49 < reiffert> routed or nat?
12:50 < Cisien> nat
12:50 < reiffert> -I FORWARD -i tun0 -o eth0 -j ACCEPT
12:50 < zeloran> are there any alternatives to vpnc that are able to connect to a cisco network?
12:50 < reiffert> -I FORWARD -i eth0 -o tun0 -j ACCEPT
12:50 < Cisien> sec, i'll pastebin what i have
12:50 < reiffert> -t nat -I POSTROUTING -o eth0 -j MASQUERADE
12:50 < reiffert> done.
12:51 < reiffert> zeloran: this channel is about openvpn, we have no ideas about cisco vpn clients.
12:52 -!- zeloran [n=zeloran@i577B21A0.versanet.de] has left ##openvpn []
12:52 < reiffert> -I INPUT -i tun0 -j ACCEPT
12:52 < Cisien> http://pastebin.com/d52573be7
12:52 < reiffert> for the beginning
12:54 < Cisien> eh?
12:55 < Cisien> hrm, i forgot to flush the nat table...but that doesn't look like it's affecting anything
12:56 < reiffert> 4 rules, enter them, play.
12:59 < Cisien> all those rules are in my current setup
13:05 < Cisien> hrm, except the first one you put up
13:11 < Cisien> hmm, nothing is being forwarded between the eth0 and tun0 interfaces
13:12 < Cisien> but traffic is going from tun0 to eth0
13:36 < Cisien> works now
13:38 < ecrist> Cisien: sounds like you're missing NAT
13:52 < Cisien> it was there
13:52 < Cisien> but i had some weird stuff in my routing table, rebooted the server and it worked
13:53 < Cisien> i never thought that running openvpn and tunneling all my traffic through it would actually IMPROVE my network performance!
13:54 < Cisien> here it is, peak hours, and i have a low-1000's ping in wow, downloads come in at up to 200k/s, web pages load with decent speed, etc
13:54 < Cisien> time to set this up on my router and redirect most my traffic through it full time
14:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
14:08 < reiffert> think about bridging.
14:17 < Cisien> whats different about bridging?
14:20 -!- Cisien [n=Chris@210.5.236.28] has quit []
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn
14:47 < Cisien> join #openwrt
14:48 < Cisien> yeah, this is much more responsive
15:04 < reiffert> Cisien: it makes your client computer behave just like it's plugged physically at the remote network.
15:04 < reiffert> it will get all ethernet broadcasts and multicast packages.
15:04 < reiffert> it will get assigned an ip from your remote network.
15:05 < Cisien> no other advantage though?
15:05 < Cisien> lower overhead or anything?
15:06 < Cisien> I don't need the features of bridged, half a dozen clients or so, none of them really need to talk to each other
15:07 < Cisien> only disadvantage i've seen so far, is that my host's proxy isn't available with this method, so common web pages load slower
15:08 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: paruchuri, theromis
15:08 -!- reiffert [n=thomas@88.198.59.20] has quit ["Reconnecting"]
15:08 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
15:32 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Read error: 104 (Connection reset by peer)]
15:35 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
15:57 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Success]
16:04 -!- theromis [n=romis@67-207-115-132.static.wiline.com] has joined ##openvpn
16:05 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
16:06 -!- pascalp_wind [n=pascal@rps987.ovh.net] has joined ##openvpn
16:07 < pascalp_wind> Hi
16:07 -!- Dougy|Work [n=doug@64.18.159.247] has quit [Read error: 110 (Connection timed out)]
16:08 < pascalp_wind> I have a problem, I can't find how to solve it:
16:08 < pascalp_wind> Mon Nov 3 22:32:25 2008 us=750008 pascal/130.209.74.218:2747 MULTI: bad source address from client [192.168.1.100], packet dropped
16:08 < reiffert> using double nat?
16:09 < reiffert> draw your network with ascii art and paste it to pastebin.com, put the server and client conf along, together with the complete logfile.
16:09 < reiffert> (client log)
16:09 < reiffert> and server log for your case
16:09 < pascalp_wind> reiffert, unfortunately yes
16:10 < reiffert> well, skip to my answer then: I have no idea.
16:11 < pascalp_wind> that was quick :)
16:11 < reiffert> play with the local option
16:11 < pascalp_wind> the client is behind a double nat not the server
16:11 < pascalp_wind> local option ?
16:12 < reiffert> forget about the local option, it's server only
16:13 < reiffert> well it looks like your double nat isn't replacing the source address according to like it should. can you verify that?
16:14 < pascalp_wind> I don't know how, what I do know is I have no problem with a friend vpn
16:15 < reiffert> using same client?
16:15 < reiffert> well and you already checked server and client config files ...
16:16 < pascalp_wind> yes, they are similar to my friends ones :( I must have missed something
16:16 < reiffert> I'd say wait some more time in this channel and reask from time to time, or advance to the mailinglist .. be sure to add all logs, confs and your network in ascii art.
16:16 < reiffert> network layout
16:17 < pascalp_wind> ok, thanks anyway
16:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 104 (Connection reset by peer)]
17:11 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn
17:11 < kim0> Hi, I want to use openvpn server on our Linux gateway to auth against our Win2003 domain controller. Is that possible .. any link to a guide or configuration keyword ?
17:19 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn
17:26 -!- nadio [n=nobody@about/philosophy/nadio] has left ##openvpn []
17:27 < theromis> http://en.wikipedia.org/wiki/Santa_Cruz_Wharf
17:27 < vpnHelper> Title: Santa Cruz Wharf - Wikipedia, the free encyclopedia (at en.wikipedia.org)
17:31 < jeev> water sucks
17:31 < theromis> jeev, why?
17:32 < kim0> To auth against AD... my best bet is the LDAP plugin ?
17:34 < jeev> dunno
18:13 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
18:19 -!- pascalp_wind [n=pascal@rps987.ovh.net] has quit ["Quitte"]
18:37 < krzee> my guess is your best bet being a script
18:37 < krzee> looks like i was wrong tho
18:38 < krzee> looks like yes ldap is the best way... err wait, i am right
18:38 < krzee> blehh
18:38 < krzee> a script is the way, not ldap
18:38 < krzee> http://amigo4life.googlepages.com/openvpn
18:38 < vpnHelper> Title: Amigo4Life - Active Directory Authentication for OpenVPN For Windows Implementations (at amigo4life.googlepages.com)
18:39 < krzee> !learn activedirectory as http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
18:39 < vpnHelper> krzee: The operation succeeded.
18:39 < jeev> sup krzee
18:39 < krzee> werd
18:40 < jeev> werd is wack f0
18:40 < jeev> f00|
18:40 < kim0> krzee: thanks
18:40 < krzee> np
18:41 < kim0> krzee: why would this be better than ldap ?
18:41 < kim0> ldap smells cleaner to me
18:47 < krzee> !ssl-admin
18:47 < vpnHelper> krzee: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
18:47 < krzee> kim0, you're welcome to do it any way you want
18:49 < krzee> !tcp
18:49 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
18:53 < krzee> !bridge
18:53 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
18:53 < krzee> !more
18:53 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
18:55 * jeev loves his tmobile and att hotspot account
19:05 * krzee loves dns tunneling so he doesnt need to pay for that stuffs
19:09 < krzee> oh but wait, you use windows
19:09 < krzee> sorry, you cant do that
19:09 < krzee> nobody likes windows enough to make it work there
19:09 < krzee> *grin*
19:19 < jeev> i dont pay either f00l
19:20 < krzee> cut out the "fool" shit
19:25 < krzee> kim0, seems the ldap auth would be run on unix, the page i linked you to would run on windows
19:26 < jeev> :)
19:27 < krzee> hrm, i think i have the answer for the guy who made that script
19:27 < krzee> The script works with OpenVPN 2.1_rc7, but it can't run with higher versions due to security restrictions when creating the process. If you know a way around it let me know.
19:27 < krzee> !factoids search *
19:27 < vpnHelper> krzee: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', (1 more message)
19:27 < krzee> !more
19:27 < vpnHelper> krzee: 'download', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'someclient2client', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'mitm', 'hmac', 'winipforward', 'help', 'topology', 'fragment', '2.1-winpass-script', 'krzee', and 'activedirectory'
19:27 < krzee> !forget krzee
19:27 < vpnHelper> krzee: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
19:27 < krzee> !forget krzee *
19:27 < vpnHelper> krzee: The operation succeeded.
19:27 < krzee> i will lock the bot if people keep playing with it
19:28 < krzee> !2.1-winpass-script
19:28 < vpnHelper> krzee: "2.1-winpass-script" is http://article.gmane.org/gmane.network.openvpn.user/24575
19:28 -!- kim0 [n=kimoz@unaffiliated/kim0] has quit [Read error: 110 (Connection timed out)]
19:29 < krzee> i think he needs the undocumented config option, script-security 3
19:31 < krzee> i guess maybe i'll contact that guy and let him know bout it
20:11 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: reiffert, troy-, zib, Dryanta
20:11 -!- Netsplit over, joins: reiffert, zib, Dryanta, troy-
20:12 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 104 (Connection reset by peer)]
20:13 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Excess Flood]
20:29 -!- zib [i=zibbe@smisk.keff.org] has quit [Read error: 110 (Connection timed out)]
20:40 -!- LumberCartel [n=local_42@24.86.160.252] has joined ##openvpn
20:42 < LumberCartel> Hello folks. I have OpenVPN deployed at a number of sites, and it works very well, except at one site I'm getting a strange phenomenon -- if a user on a laptop running Windows XP at a remote location stops then restarts the OpenVPN service they get different 10.8.0.??? addresses, and for all but one of these IPs the network traffic is not routed. Here's a copy of the server.conf file used: http://www.pastebin.ca/raw/1244536
20:43 < LumberCartel> Is this a known problem, or is there a work-around for this? I'm already on RC13 of the OpenVPN client. Thanks in advance.
20:48 < krzee> well
20:48 < krzee> you could use static ips if you like
20:49 < LumberCartel> I suppose I could, but I worry that there may be some other underlying problem because the IPs being assigned are valid 10.8.0.xxx IPs.
20:49 < LumberCartel> They should always work.
20:51 < krzee> well technically unless you define what ip it should get, it is acting correctly
20:51 < krzee> and ipp.txt is NOT mandatory to be used to get the ip (more like a suggestion)
20:51 < krzee> !static
20:51 < LumberCartel> Yes, I realize that. I don't have any complaint about the users getting a different (or same) IP every time they connect.
20:51 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
20:52 < krzee> oh i missed the fact that it cant route traffic when that happens
20:52 < krzee> i thought you just didnt want them changing ips
20:52 < LumberCartel> No, I don't mind that. DHCP is a helpful feature.
20:52 < krzee> DHCP??
20:52 < LumberCartel> I'd actually rather not go to the extent of coordinating the configuration of static IPs on all the laptops.
20:52 < krzee> oh the ovpn internal handing out of ips, gotchya
20:53 < LumberCartel> Yes.
20:53 < jeev> krzee, i'm looking to getting a fiber local loop. is that what they still call it? i remember with T1's, it's local loop..
20:53 < LumberCartel> On all my other sites it works really REALLY well.
20:53 < jeev> if i want to get fiber loop to the datacenter 11 miles away..
20:54 < krzee> LumberCartel, interesting... can we see logs from the client that has problems?
20:54 < krzee> LumberCartel, by chance is it being run not as admin?
20:54 < krzee> jeev, i wish fiber was an option for me out here =[
20:54 < LumberCartel> krzee: On the server-side it's fine. NetBSD is the OS (as is the case with many different sites -- each site I'm referring to in this particular context is an entirely unrelated company).
20:55 < LumberCartel> krzee: I'll get some client-side logs for you into pastebin.ca in a moment...
20:55 < jeev> i'm waiting on pricing from cogent :D
20:55 < jeev> i know, cogent.
20:55 < jeev> but i want to light a small building.
20:55 < krzee> cogent is good now
20:55 < krzee> hell, i prefer a lot of cogent BW over L3 bw now-a-days
20:55 < jeev> i asked them for a 100mbit commit with gigabit drop
20:55 < jeev> well
20:55 < jeev> i dunno if it's a drop if they bring it through the phone company
20:56 < jeev> but i hope it's something like 1000 + something TINy for loop
20:56 < krzee> LumberCartel ok lets ignore everything that works right and just talk bout the broken connection
20:56 < krzee> LumberCartel my guess is that its windows messin stuff up
20:56 < LumberCartel> krzee: I find that blaming Windows usually gets to the root of the problem in less time. =)
20:56 < krzee> LumberCartel also include version of the client os (vista, xp, etc)
20:57 < krzee> hahaha
20:57 < LumberCartel> Okay. I'm just collecting that now.
20:57 < krzee> too true ;]
20:57 < krzee> cool, ill be here
20:57 < LumberCartel> Heheh. As hilarious as that is, I'm serious. =)
20:57 < krzee> serious, and right
20:57 < krzee> too often a reboot fixed windows problems, which i find funny
20:58 * LumberCartel wonders what Dr. Gregory House would say about the Widows Vista complex...
20:58 < LumberCartel> krzee: And for those times when rebooting doesn't work, I find that 8 reboots seems to do the trick 99% of the time.
20:58 < krzee> hahah
20:58 < LumberCartel> I'm serious about that too. =(
20:58 < krzee> 'the webserver is down
20:58 < krzee> '
20:59 < LumberCartel> Time to upgrade to Unix/Linux.
21:00 < krzee> it should work on windows, we can try to get you going
21:00 < jeev> krzee
21:00 < jeev> if i do get it
21:00 < jeev> i want to be able to have a server as my router
21:00 < jeev> i dont want to buy hardware
21:01 < krzee> wouldnt you still need to terminate the fiber...?
21:01 < jeev> lol @ media converter
21:01 < krzee> you happen to have fiber cards laying around?
21:01 < jeev> ;D
21:01 < krzee> oh
21:01 < jeev> or i'd just get a fiber card
21:02 < jeev> that's not a prob
21:02 < jeev> i wouldn't now how
21:02 < jeev> i wouldn't know how much to charge
21:02 < jeev> the people in the building
21:02 < jeev> i'm thinking $30/month for first meg
21:02 < jeev> $20 each after
21:04 < jeev> if you get a 100mbit link
21:04 < jeev> you're getting symmetrical
21:04 < jeev> you could be doing 90mbit up and down
21:04 < jeev> and it's just 100mbit, right
21:04 < jeev> bbiab
21:05 < LumberCartel> krzee: Here are two log files from the client side: http://www.pastebin.ca/raw/1244547
21:06 < LumberCartel> The client is running Widows XP with SP2 (plus many other post-SP2 updates).
21:06 < LumberCartel> s/XP/XP Professional/
21:07 < krzee> thats the same client?
21:07 < LumberCartel> OpenVPN client version is 2.1 RC13.
21:07 < LumberCartel> Yes. Same client.
21:07 < krzee> i mean same machine
21:07 < LumberCartel> I just stopped, waited, then started the service.
21:07 < krzee> ahh ok
21:07 < krzee> and it worked the first time, not the second time
21:07 < krzee> right?
21:08 < LumberCartel> If I do that a few times, I keep getting different IPs, but after the 3rd or 4th bad one it's cycled back and works again when finally gets around to 10.8.0.14.
21:08 < LumberCartel> s/when finally/when it finally/
21:08 < krzee> tried topology subnet?
21:09 < krzee> you'll prolly like it for other reasons, and it may fix this problem too
21:09 < LumberCartel> I don't understand the question.
21:09 < krzee> !topology
21:09 < vpnHelper> krzee: "topology" is it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
21:09 * LumberCartel follows that link...
21:10 < LumberCartel> That's a great idea.
21:10 * LumberCartel continues reading...
21:12 * LumberCartel checks which version is running on the server side...
21:12 < LumberCartel> I've got openvpn-2.1rc7 on the server side.
21:12 < LumberCartel> That link indicates that 2.0.2 is the minimum requirement. This is good.
21:14 < krzee> 2.0.2 didnt have it
21:14 < krzee> but rc7 should
21:14 < LumberCartel> So you're thinking that this may resolve the problem I'm having? Is that because of all the route changes occurring in Widows XP each time I restart the OpenVPN service thanks to the /30 subnet deal?
21:14 < krzee> im thinking windows isnt fully dropping the route
21:14 < krzee> which wont matter when you use subnet
21:14 < LumberCartel> That makes sense (because Widows doesn't).
21:14 < LumberCartel> Yes, it will definitely solve the problem.
21:14 < LumberCartel> I'll try it now.
21:15 < krzee> nice side-effect, you dont need 4 ips / client
21:16 < krzee> i'd go on, but you understand after reading the link
21:16 < LumberCartel> Yeah, especially on larger sites this will be very useful.
21:16 < LumberCartel> It has been on my to-do list from when I first started learning OpenVPN to find out if there's a way to enlarge the subnet.
21:16 * LumberCartel chuckles as he thinks of a different name for the option: viagra subnet
21:17 < krzee> lol
21:17 < LumberCartel> Sigh, I'll probably have to reboot Widows again. =(
21:17 < krzee> thats how it was always supposed to be
21:17 < LumberCartel> Good thing that doesn't take forever.
21:17 < krzee> the /30 thing was only a work-around cause of windows
21:18 * LumberCartel recommends calling it "Widows" (without the "n") because Steve Ballmer is now a "corporate widow" since Bill Gates retired.
21:19 < LumberCartel> Well, the larger subnet is now working, but I'm rebooting the laptop to resolve this matter because I suspect you're bang on about Widows XP not dropping the old route.
21:20 * LumberCartel confirms that "topology subnet" is indeed supported in OpenVPN 2.1rc7.
21:20 < LumberCartel> My OpenVPN server is running on NetBSD 4.0.
21:21 < LumberCartel> 64-bit! Yay1
21:21 < LumberCartel> s/1/!/
21:22 < LumberCartel> That reboot didn't work. I cleared the routes manually this time, and now I'm rebooting for the second time.
21:23 < LumberCartel> Oddly, "route print" revealed that the gateway is 10.8.0.4 rather than 10.8.0.1.
21:24 < krzee> thats right
21:24 < krzee> !net30
21:24 < vpnHelper> krzee: Error: "net30" is not a valid command.
21:25 < krzee> !/30
21:25 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
21:25 < krzee> !learn net30 as [/30]
21:25 < vpnHelper> krzee: The operation succeeded.
21:32 < LumberCartel> krzee: Does this look correct to you? http://www.pastebin.ca/raw/1244571
21:33 < LumberCartel> I'm unable to ping 10.8.0.1 or 192.168.2.1 (the server's IP on its internal network) from the client.
21:38 * LumberCartel just tried the "route -f" command in Widows XP to flush the routing table. It worked, and now he's rebooting in the hopes of it resolving all the routing problems.
21:45 < krzee> ill be back in a bit
21:46 < LumberCartel> Thanks for your help so far.
21:50 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
21:50 < mRCUTEO> hi
21:50 < LumberCartel> Hello.
21:50 < mRCUTEO> anyone knows how to install TUN and functions of a TUN?
21:50 < mRCUTEO> Tue Nov 4 11:40:42 2008 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
21:51 < mRCUTEO> i got this error when trying to run the openvpn server
21:53 < jeev> heh
21:53 < jeev> what are you running?
21:54 < jeev> i think it depends on your OS and kernel.
21:55 < mRCUTEO> linux
21:55 < mRCUTEO> fedora core 4.0
21:55 < mRCUTEO> Tue Nov 4 11:47:29 2008 OpenVPN 2.0.9 i686-pc-linux [SSL] [EPOLL] built on Nov 4 2008
21:55 < mRCUTEO> Tue Nov 4 11:47:29 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
21:55 < mRCUTEO> Tue Nov 4 11:47:29 2008 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
21:55 < mRCUTEO> Tue Nov 4 11:47:29 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
21:56 < mRCUTEO> argh
22:01 < mRCUTEO> got it
22:01 < mRCUTEO> i use 'modprobe tun'
22:01 < mRCUTEO> so how am i going to start the server?
22:02 < mRCUTEO> what must i type in the command line?
22:02 < mRCUTEO> Tue Nov 4 11:55:19 2008 UDPv4 link local (bound): [undef]:1194
22:02 < mRCUTEO> Tue Nov 4 11:55:19 2008 UDPv4 link remote: [undef]
22:02 < mRCUTEO> argh
22:03 < LumberCartel> krzee: It seems that even on the server side I can't ping 10.8.0.1.
22:03 < LumberCartel> krzee: ...yet it shows up as a tun0 interface.
22:07 < mRCUTEO> LumberCartel
22:07 < mRCUTEO> do you know whats my problem ?
22:07 < mRCUTEO> Tue Nov 4 11:55:19 2008 UDPv4 link local (bound): [undef]:1194
22:07 < mRCUTEO> Tue Nov 4 11:55:19 2008 UDPv4 link remote: [undef]
22:09 < LumberCartel> mRCUTEO: No, but it looks like something's gone amiss with your devices.
22:10 < mRCUTEO> oh
22:10 < mRCUTEO> LumberCartel what command u use to start your openvpn?
22:10 < mRCUTEO> is this correct: ./openvpn --config sample-config-files --dev tunX
22:13 < LumberCartel> mRCUTEO: I'm using NetBSD, and installed OpenVPN via the packages system. My OpenVPN is started with "/etc/rc.d/openvpn start" and all the configuration is contained in a file called "server.conf."
22:13 < mRCUTEO> oh
22:13 < LumberCartel> You're on a different OS, one that I'm not at all familiar with.
22:16 < LumberCartel> Hmm. I seem to have a routing problem because hosts on the local LAN can ping 10.8.0.1, but the server can't ping itself there.
22:25 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit []
22:29 < LumberCartel> Okay, I think I've found one part of the problem I'm experiencing now -- attempts to traceroute (from the server) to 10.8.0.1 result in data getting routed to the ISP's gateway (which is the default gateway on the server).
22:29 < LumberCartel> The ISP is stupidly trying to route 10.8.0.1 out onto the internet instead of rejecting it.
22:30 < LumberCartel> 4 hops and then it falls off a virtual cliff.
22:30 -!- esaym [n=user@cpe-70-120-89-6.satx.res.rr.com] has joined ##openvpn
22:31 < esaym> can I have apache running on tcp port 443 and also have openvpn listening on udp port 443?
22:31 < LumberCartel> Yes.
22:31 < esaym> ah that is awesome
22:31 < LumberCartel> TCP and UDP are separate protocols.
22:32 < LumberCartel> Note...
22:32 < esaym> do I have to mess with apache any, or is it only tcp?
22:32 < LumberCartel> Many network administrators block all UDP traffic.
22:32 < LumberCartel> HTTP is strictly TCP.
22:32 < LumberCartel> They block all UDP traffic except for port 53.
22:32 < LumberCartel> Why?
22:32 < LumberCartel> Usually because they don't understand security.
22:33 < esaym> yea...hmm. I only know that outgoing destination ports 80 and 443 are allowed. I am hoping they are too dumb to know about udp
22:33 < LumberCartel> If you run into problems with that, then you'll probably wind up having to set up a TCP port for your VPN, but chances are you won't have this problem.
22:33 < LumberCartel> Also, it
22:33 < esaym> but I can move apache to port 444 or something
22:33 < esaym> But I am going to try udp first
22:33 < LumberCartel> should be quite easy to convince an administrator to allow both TCP and UDP through for port 443. Just baffle 'em with bullshit about how SSL sometimes needs it. Heheh.
22:33 < esaym> yea rofl
22:33 < LumberCartel> 444, on the other hand, will confuse them and you'll be denied.
22:34 < esaym> but all my emails so far to them are unanswered
22:34 < esaym> :-/
22:34 < LumberCartel> Don't use 444.
22:34 < esaym> so openvpn to the rescue
22:34 < esaym> for apache ssl?
22:34 < LumberCartel> Please take care to follow IANA's standards.
22:34 < LumberCartel> Well 443 is reserved for HTTPS.
22:34 < LumberCartel> (Yes, Apache with SSL.)
22:35 < esaym> well the only person that knows about the ssl part of my website is me
22:35 < LumberCartel> HTTP and HTTPS are only ever used with TCP, not UDP.
22:35 * LumberCartel smiles.
22:36 < esaym> well now you know... but it is passworded
22:36 < LumberCartel> If worse comes to worse, just set up a TCP port 80 proxy somewhere and find a way to tunnel your UDP traffic through there. You'll have to research proxy servers to determine your options.
22:36 < esaym> I would like to only involve my server
22:36 < LumberCartel> esaym: I don't care. I have no interest in trying to get into other people's systems, rather I want to keep others out of my systems.
22:37 < LumberCartel> esaym: You can. How many IPs do you have? If more than 1, then you have some additional options.
22:37 < esaym> I am the only one using all this stuff, I don't think putting apache on port 444 will hurt anything
22:37 < LumberCartel> esaym: Look into the TLS stuff for OpenVPN because, combined with UDP, it's more secure.
22:37 < LumberCartel> esaym: It won't, but it's not a good practice to just use port numbers for unintended purposes.
22:38 < esaym> well I am only doing this: http://wiki.debian.org/HowTo/openvpn?highlight=(openvpn)
22:38 < vpnHelper> Title: HowTo/openvpn - Debian Wiki (at wiki.debian.org)
22:39 < LumberCartel> esaym: Read this: http://www.iana.org/assignments/port-numbers
22:41 < LumberCartel> Port 444 is assigned to SNPP - the Simple Network Paging Protocol (whatever the heck that is).
22:42 < LumberCartel> esaym: It's up to you what you want to do with OpenVPN, but generating a key for TLS is trivial, and with the "ta" keyword you can enjoy better security and connectivity because of it.
22:49 < LumberCartel> esaym: Also, I'm using 2048 dh stuff because it's more paranoid than the default 1024 dh stuff, and doesn't require a lot of extra processing time to generate the needed keys. 4096 and 8192 bit keys, on the other hand, never seemed to finish for me (except once a 4096 bit key was done in 5 seconds, but I wondered if it was a stroke of luck with the random number generation or a bug in OpenSSL).
22:54 < esaym> hmm
22:54 < LumberCartel> Once you get OpenVPN working with the simple configuration, I highly recommend you look into making it even more secure.
22:54 < esaym> yea I will look into it, I just ran openvpn --genkey --secret static.key and copied the key to the server and client
22:55 < esaym> looks like it is 2024bit at least :-/
22:55 < LumberCartel> Be paranoid with those files -- don't ever transfer them over the internet in plain/text, and definitely not in any encryption that's lower than the key itself (e.g., a 256-bit ssh tunnel when your key is 2048 bit).
22:56 < LumberCartel> If anyone asks why you're being so paranoid, a really good response is: This is the internet! If you have to ask...
22:56 * LumberCartel chuckles.
22:57 < esaym> well I agree
22:57 < LumberCartel> Cool!
22:59 -!- dresdn [n=dresdn@ip72-223-108-98.ph.ph.cox.net] has joined ##openvpn
23:03 < dresdn> Evening. I'm seeing an odd problem with getting vpn clients to see beyond the vpn server and default gateway for the network.
23:03 -!- eX|Nazha [n=asd@60.54.112.126] has joined ##openvpn
23:03 < dresdn> Basically the scenario is this: Client (10.8.0.10) Server (tun: 10.8.0.2 / eth0: 192.168.1.3) using Tun interface. Client tries to ping 192.168.1.2. After doing some packet captures, weird things are going on ...
23:03 < eX|Nazha> Hi, Newbie here. need help with my VPS Debian server.
23:03 < dresdn> 192.168.1.2 sees the ICMP echo request, does an arp for 10.8.0.10, and then nothing. 192.168.1.3 *sees* the arp request, but doesn't see anything more than that.
23:04 < LumberCartel> dresdn: Is your VPN server configured to forward IP traffic?
23:04 < dresdn> yes, I do have ip_forward set to 1, and what's even weirder, this *was* working before the original ActionTec router blew out.
23:04 < eX|Nazha> this is my problem, after apt-get install openvpn.. the TUN/TAP does not appear
23:04 < dresdn> so to take the router out of the equation, I set the default route on 1.2 to 1.3 ... so I can sniff on both sides
23:04 < LumberCartel> dresdn: From the server, can you ping those same destinations successfully?
23:05 < dresdn> yes. from 1.3 I can ping the 10.8.0/24 just fine
23:05 < dresdn> and the vpn client can ping 192.168.1.3 without a problem
23:05 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 54 (Connection reset by peer)]
23:06 < dresdn> but here's what's even weirder ... when I have the default route set to 192.168.1.1 on the 1.2 server, I can ping the openvpn client. Once that happens, I can then ping the server from the client
23:06 < dresdn> so it gets set in a table somewhere ...
23:06 < eX|Nazha> Problem : VPS Debian, After apt-get install openvpn. the TUN/TAP device doesn't appear. ;(
23:06 < dresdn> but now that I've switched the gw to 192.168.1.3 (the openvpn server), I can't do squat ... then again, after thinking about it, I don't have iptables configured
23:07 < LumberCartel> dresdn: Well, I'm experiencing similar problems myself, so I wish you luck in figuring out what's going on. I think your problem has something to do with routing, but probably not exactly the same as mine as I'm getting different symptoms than you are.
23:07 < dresdn> yeah, it does seem like a routing issue, and I'm wondering if it's the stupid ActionTec
23:07 < dresdn> but it's hard to tell without attaching a hub to it and sniffing off of it =/
23:08 < LumberCartel> My guess is that your old router did a lot of magic for you that the new one isn't doing.
23:08 < dresdn> same brand and I setup the old and new one
23:08 < dresdn> routing table looks good on it ... sending 10.8.0.0/24 to the openvpn server
23:08 < LumberCartel> Different firmware perhaps?
23:09 < dresdn> perhaps ... I'll look at updating it (if Qwest allows it ;)
23:09 < LumberCartel> Possibly the older firmware in the older one may have done a better job -- that's sort of what I was thinking.
23:10 < dresdn> it's basic static routing - how could they screw that up? heh
23:11 < dresdn> okay, yeah, I didn't have the iptables setup right on my openvpn server to let it be a proper gateway ... here's what's weird, when I ping the server, here's the dump
23:11 < dresdn> 2008-11-03 22:10:52.164994 IP 10.8.0.10 > 192.168.1.2: ICMP echo request, id 58967, seq 0, length 64
23:11 < dresdn> 2008-11-03 22:10:52.165035 IP 192.168.1.2 > 10.8.0.10: ICMP echo reply, id 58967, seq 0, length 64
23:12 < dresdn> but no reply received
23:12 < dresdn> but this is the first time I've ever seen this in Linux ... when pinging the client, I see:
23:12 < dresdn> PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
23:12 < dresdn> 64 bytes from 10.8.0.10: icmp_seq=1 ttl=63 time=74.9 ms
23:12 < dresdn> From 192.168.1.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.3)
23:16 < dresdn> LumberCartel: What problem are you seeing?
23:17 < LumberCartel> dresdn: What does "route show | more" tell you?
23:17 < LumberCartel> dresdn: For my problem, other hosts on my local network can ping 10.8.0.1, but the server that hosts it can't.
23:18 < dresdn> that's not a proper command ...
23:18 < LumberCartel> The server is also the gateway for the internet.
23:18 < LumberCartel> dresdn: It is on NetBSD Unix.
23:19 < dresdn> yeah, running linux =) route -n shows 3 routes, 192.168.1.0/24, and APIPA and then the default
23:20 < dresdn> you using Tun or Tap?
23:21 < LumberCartel> I'm using tun.
23:21 < dresdn> that's really odd ... can you ping anything connected? or can nothing connect?
23:23 < LumberCartel> I can ping everything from other local hosts. I can ping everything except 10.8/24 from the server itself. I can ping nothing within the network from OpenVPN clients.
23:24 < dresdn> what does a dump show when you try and ping the server (10.8.0.1) from the server?
23:25 < LumberCartel> Well, I'm just trying to figure out how to use tcpdump (my background is in NetWare, which doesn't have tools like tcpdump).
23:25 < LumberCartel> The documentation is going to take weeks to read. =( Ugh.
23:25 < LumberCartel> There don't seem to be any examples of usage in there either.
23:25 < LumberCartel> I just want to dump everything that has to do with 10.8/24.
23:26 < LumberCartel> The other subnets are busy all the time.
23:27 < LumberCartel> ...or just monitor interface tun0.
23:27 < LumberCartel> Okay, I think "-i tun0" is what I need.
23:27 < dresdn> tcpdump -w icmp-dump -i tun0
23:27 < LumberCartel> Wow that's a lot of documentation.
23:27 < dresdn> will dump the interface
23:28 < dresdn> tcpdump -w icmp-dump.pcap net 10.8 will dump the /16
23:28 < dresdn> and yeah, you can import those pcap's into Wireshark for a nice gui of what's going on
23:28 < LumberCartel> Okay, thanks.
23:28 < LumberCartel> I'm not using GUIs.
23:28 < LumberCartel> I prefer text mode.
23:29 < dresdn> yeah, but Wireshark is genius ... allows you to see everything a little better than tcpdump
23:30 < LumberCartel> Packetyzer is good too. Of course the problem with GUI stuff is that I need a box that actually has a GUI. My NetBSD servers aren't configured with GUIs.
23:30 < LumberCartel> Some day I plan to get into that, but for now I just want productivity.
23:30 < dresdn> one of the things I like to do is tcpdump a whole interface, and then read it into Wireshark
23:30 < LumberCartel> Anyway, there is no output.
23:30 < dresdn> transfer the pcap to your desktop ;)
23:30 < dresdn> all my servers are headless
23:31 < dresdn> do this - tcpdump -w icmp.pcap ip proto 1
23:31 < dresdn> that'll capture all protocol 1 packets (icmp)
23:31 < dresdn> on any interface
23:32 < LumberCartel> It seems that tcpdump isn't picking up ICMP traffic.
23:32 < dresdn> this is bsd? you need to have privs on /dev/bpf*
23:32 < LumberCartel> I think I need to read the documentation in more detail.
23:33 < LumberCartel> Privs aren't the problem. Without any parameters, tcpdump fills up the screen.
23:33 < dresdn> heh, tcpdump is one of those "it just works" kinda apps - tcpdump -w file.pcap ... ctrl-c it after a second, and you *should* have packets
23:33 < LumberCartel> Oh, is -w for writing to files? No wonder.
23:34 < dresdn> then you should see tcpdump -ttttnnr file.pcap
23:34 < dresdn> ah yeah, sorry - I tend to name my pcaps after what I'm capturing heh
23:35 < LumberCartel> It's a good practice. I should have looked up -w first.
23:41 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)]
23:52 -!- dresdn [n=dresdn@ip72-223-108-98.ph.ph.cox.net] has quit [Remote closed the connection]
23:59 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
--- Day changed Tue Nov 04 2008
00:01 < LumberCartel> dresdn: Thanks for your help.
00:07 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
00:07 < mRCUTEO> hi i successfully build openvpn rpm.. what must i do next to start the vpn?
00:15 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit []
00:52 < Han> install it...
00:52 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:02 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has quit ["Leaving"]
01:22 -!- aliraja [n=aliraja@202.125.156.122] has joined ##openvpn
01:40 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:59 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
02:04 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
02:05 < mRCUTEO> hi
02:05 < mRCUTEO> im using FC4 and i failed to start OpenVPN
02:05 < mRCUTEO> anyone knows how to debug?
02:18 < reiffert> increase verbosity
02:19 < LumberCartel> Thanks for your help, everyone. It seems that there is a bug in NetBSD's routing that needs to be fixed.
02:19 < mRCUTEO> [root@localhost var]# service openvpn start
02:19 < mRCUTEO> Starting openvpn: [FAILED]
02:19 < mRCUTEO> :(
02:19 < mRCUTEO> anyone knows how to start openvpn in debug mode?
02:20 < mRCUTEO> (i build using the rpms)
02:20 < reiffert> you enter: man openvpn and search for "verbos". Searching in manpage can be done by hitting the / key
02:20 < mRCUTEO> okie
02:22 < krzie> LumberCartel, how did you come to that conclusion?
02:23 < krzie> mRCUTEO, look at your logfiles
02:23 * reiffert has also strong doubts.
02:23 < LumberCartel> I eliminated openvpn and pf, and found that I still couldn't ping a particular interface's IP.
02:23 < mRCUTEO> krzee which log files?
02:23 < mRCUTEO> cant see any openvpn.log..
02:23 < krzie> heh
02:23 < reiffert> mRCUTEO: your computer's system log.
02:24 < reiffert> mRCUTEO: "syslog"
02:24 < krzie> it'll log through syslog
02:24 < mRCUTEO> ok
02:24 < mRCUTEO> thanks
02:24 < LumberCartel> krzie: This explains the problem: http://www.pastebin.ca/raw/1244649
02:25 < krzie> LumberCartel, when we talked earlier i thought you were using routed
02:25 < krzie> why are you using bridges now?
02:25 < reiffert> LumberCartel: for linux, the way you build a bridge is similar to this, but you assign one ip address to bridge0.
02:26 < mRCUTEO> reiffert didnt see any syslog in my /var/log ..
02:26 < reiffert> LumberCartel: and you dont assign ip's to the nic's you are going to bridge, but put them in promisc mode, like e.g. ifconfig wm0 0.0.0.0 promisc up
02:26 < LumberCartel> reiffert: I'd prefer to have just one IP. It doesn't work in NetBSD for some reason though.
02:26 < LumberCartel> reiffert: I'll look into that, thanks.
02:26 < krzie> mRCUTEO, you might want to learn your OS before trying for vpn's
02:27 < reiffert> LumberCartel: what happens when you "up" wm0 and wm2 before calling brconfig?
02:27 < LumberCartel> reiffert: I can't experiment on this particular system because it's a production box. I'm going to try all of this again with NetBSD 4.0.1 next week though.
02:27 < krzie> !bridge
02:27 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
02:27 < krzie> !more
02:27 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses.
02:27 < reiffert> LumberCartel: ifconfig wm0 0.0.0.0 promisc up; ifconfig wm2 0.0.0.0 promisc up; brconfig bridge0 add wm2 add wm0; ifconfig bridge0 192.168.2.1 up
02:28 < reiffert> krzie: stop spamming.
02:28 < krzie> #3 and on
02:28 -!- esaym [n=user@cpe-70-120-89-6.satx.res.rr.com] has quit [Remote closed the connection]
02:28 < krzie> 90% of the time i see someone ask for help bridging they end up wanting routed when you ask their goals
02:28 < LumberCartel> krzie: Bridging is useful in a small number of scenarios, regardless of routing knowledge.
02:29 < krzie> ok i guess you know you want it then
02:29 < reiffert> krzie: routed and a broadcast relay, eh?
02:29 < LumberCartel> I agree that most of the time routing is the right solution.
02:30 < LumberCartel> Anyway, thanks again for your help everyone.
02:30 -!- LumberCartel [n=local_42@24.86.160.252] has quit ["http://www.lumbercartel.ca/"]
02:30 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit []
03:04 < eX|Nazha> !need help with my VPS OPENVPN
03:04 < vpnHelper> eX|Nazha: Error: "need" is not a valid command.
03:04 < eX|Nazha> need help with my VPS OPENVPN
03:04 < eX|Nazha> it's running on a Debian VPS ( Tun/TAP enabled )
03:05 < krzie> !ask
03:05 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/
03:05 < eX|Nazha> !ask
03:05 < vpnHelper> eX|Nazha: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/
03:05 < eX|Nazha> need help with my VPS OPENVPN, it's running on a Debian VPS ( Tun/TAP enabled )
03:06 < eX|Nazha> i got an error msg too, "TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
03:10 -!- eX|Nazha [n=asd@60.54.112.126] has quit []
03:11 -!- eX|Nazha [n=asd@60.54.112.126] has joined ##openvpn
03:12 < eX|Nazha> !menu
03:12 < vpnHelper> eX|Nazha: "menu" is please use !factoids search *
03:24 < krzie> !betaman
03:24 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html
03:26 < krzie> !hmac
03:26 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the (1 more message)
03:27 < krzie> !more
03:27 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
03:50 -!- aliraja [n=aliraja@202.125.156.122] has quit [Remote closed the connection]
03:55 < eX|Nazha> anyone there?
04:06 < reiffert> eX|Nazha: yeah, me.
04:07 < reiffert> eX|Nazha: I cant use the car, it is already in use. Openvpn is already running.
04:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:01 < eX|Nazha> need help here
05:12 -!- millun [n=r@88.103.127.204] has joined ##openvpn
05:12 < millun> hello
05:13 < millun> "Warning: route gateway is not reachable on any active network adapters" anybody can explain why i see this message?
05:15 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn
05:17 < millun> firewall probably?
05:21 < eX|Nazha> anyone can help ?
05:27 < eX|Nazha> anyone here?
06:17 -!- akriegisch [n=adi@stargate.vrvis.at] has joined ##openvpn
06:18 < akriegisch> got a problem with two windows clients behind a dumb hardware router:
06:19 < akriegisch> both windows clients use 1194 as source port as well...
06:19 < akriegisch> ...and the router does not do anything about it.
06:19 < akriegisch> any hint on how to make windows use random source ports?
06:28 < eX|Nazha> Need help for VPN in my Debian VPS.
06:40 < eX|Nazha> Need help for VPN in my Debian VPS.
06:43 < akriegisch> eX|Nazha: apt-get install openvpn?
07:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:41 < Han> eX|Nazha, you are on a help channel so don't ask for help, explain your problem.
07:57 -!- joh [i=johannj@caracal.stud.ntnu.no] has joined ##openvpn
08:02 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:13 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn
08:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:03 < eX|Nazha> anyone here ?
09:04 < eX|Nazha> i have installed openvpn in my VPs, and TUN/TAP device is enabled, said my provider.
09:06 < eX|Nazha> and i got some error msg. and i think my config/setting is not correct too. ( because this is my first time installing VPN and using Debian too)
09:08 < eX|Nazha> suk:~# modprobe tun
09:08 < eX|Nazha> FATAL: Could not load /lib/modules/2.6.18-fza-028stab053.5-686-bigmem/modules.dep: No such file or directory
09:08 < eX|Nazha> suk:~# /etc/init.d/openvpn start
09:08 < eX|Nazha> Starting virtual private network daemon: server(FAILED).
09:09 < eX|Nazha> suk:~# tail /var/log/syslog
09:09 < eX|Nazha> Nov 4 14:00:11 suk -- MARK --
09:09 < eX|Nazha> Nov 4 14:20:11 suk -- MARK --
09:09 < eX|Nazha> Nov 4 14:26:02 suk /USR/SBIN/CRON[26053]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
09:09 < eX|Nazha> Nov 4 14:40:11 suk -- MARK --
09:09 < eX|Nazha> Nov 4 15:00:11 suk -- MARK --
09:09 < eX|Nazha> Nov 4 15:08:40 suk ovpn-server[32251]: OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
09:09 < eX|Nazha> Nov 4 15:08:40 suk ovpn-server[32251]: Diffie-Hellman initialized with 1024 bit key
09:09 < eX|Nazha> Nov 4 15:08:40 suk ovpn-server[32251]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
09:09 < eX|Nazha> Nov 4 15:08:40 suk ovpn-server[32251]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
09:09 < eX|Nazha> Nov 4 15:08:40 suk ovpn-server[32251]: Exiting
09:09 < reiffert> ARGH!
09:10 < reiffert> eX|Nazha: killall -9 openvpn
09:10 < reiffert> eX|Nazha: netstat -anp | grep 1194
09:10 < eX|Nazha> k.
09:10 < reiffert> depmod -ae
09:10 < eX|Nazha> suk:~# killall -9 openvpn
09:10 < eX|Nazha> -bash: killall: command not found
09:10 < reiffert> ps auxw | grep openvpn
09:12 < eX|Nazha> i can't kill openvpn
09:12 < eX|Nazha> i have done. killall -9 openvpn only. shall i continue to "netstat -anp | grep 1194" ??
09:13 < eX|Nazha> ( I am newbie too, )
09:14 < reiffert> netstat -anp | grep 1194
09:14 < eX|Nazha> suk:~# netstats -anp | grep 1194
09:14 < eX|Nazha> -bash: netstats: command not found
09:14 < reiffert> netstat
09:14 < reiffert> and not netstats
09:14 < eX|Nazha> suk:~# netstat -anp | grep 1194
09:14 < eX|Nazha> udp 0 0 0.0.0.0:1194 0.0.0.0:* -
09:14 < eX|Nazha> suk:~#
09:14 < reiffert> ps auxw | grep openvpn
09:15 < eX|Nazha> suk:~# ps auxw | grep openvpn
09:15 < eX|Nazha> nobody 5291 0.0 0.1 3932 1052 ? Ss 17:00 0:00 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf
09:15 < eX|Nazha> root 8016 0.0 0.0 1648 512 pts/0 S+ 23:15 0:00 grep openvpn
09:15 < reiffert> eX|Nazha: alright, openvpn is already running, enter:
09:15 < reiffert> /etc/init.d/openvpn and press return. what comes out?
09:18 < eX|Nazha> what u mean "press return"
09:18 < eX|Nazha> suk:~# /etc/init.d/openvpn Usage: /etc/init.d/openvpn {start|stop|reload|restart|force-reload|cond-restart}
09:19 < reiffert> alright, so when 'start' does not work because openvpn is already running, what could you try next?
09:20 < eX|Nazha> what shall i do ?
09:20 < reiffert> alright, so when 'start' does not work because openvpn is already running, what could you try next?
09:20 < reiffert> {start|stop|reload|restart|force-reload|cond-restart} <- those are possible options for the init script.
09:21 < reiffert> start does not work. what else could you try?
09:21 < eX|Nazha> suk:~# /etc/init.d/openvpn restart
09:21 < eX|Nazha> Stopping virtual private network daemon: server.
09:21 < eX|Nazha> Starting virtual private network daemon: server(OK).
09:21 < reiffert> you are welcome.
09:21 < eX|Nazha> how to know it's working... can ping right ?
09:21 < reiffert> yep
09:22 < reiffert> got to go, shopping
09:26 < eX|Nazha> how to test it's 100% working ?
09:26 < eX|Nazha> what is the command :)
09:46 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
09:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:50 < eX|Nazha> Hi all, I got problem when trying to download the ta.key from my ftp.
09:51 < eX|Nazha> i have done. chmod 777 /etc/openvpn/examples/easy-rsa/keys/ta.key/ but i still got permission denied. ( Debians )
09:53 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Nick collision from services.]
09:54 -!- millun [n=r@88.103.127.204] has quit ["—I-n-v-i-s-i-o-n— 3.0 (March '08)"]
09:54 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
09:55 < Luria> damn. if anyone responded to me, plz repeat. got killed somehow.
09:56 < eX|Nazha> i have done. chmod 777 /etc/openvpn/examples/easy-rsa/keys/ta.key/ but i still got permission denied. ( Debians )
09:59 -!- akriegisch [n=adi@stargate.vrvis.at] has left ##openvpn ["Kopete 0.10.3 : http://kopete.kde.org"]
10:03 < eX|Nazha> i can't connect in client side, I copied the ta.key / ca.crt / client1.key / client1.crt and paste it into my Vista /program files/openvpn/config
10:11 < eX|Nazha> suk:/etc/openvpn# openvpn server.ovpn
10:11 < eX|Nazha> Wed Nov 5 00:09:08 2008 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
10:11 < eX|Nazha> Wed Nov 5 00:09:08 2008 Diffie-Hellman initialized with 1024 bit key
10:11 < eX|Nazha> Wed Nov 5 00:09:08 2008 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
10:11 < eX|Nazha> Wed Nov 5 00:09:08 2008 TUN/TAP device tun0 opened
10:11 < eX|Nazha> Wed Nov 5 00:09:08 2008 ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
10:11 < eX|Nazha> Wed Nov 5 00:09:08 2008 route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 GID set to nogroup
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 UID set to nobody
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 UDPv4 link local (bound): [undef]:1194
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 UDPv4 link remote: [undef]
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 MULTI: multi_init called, r=256 v=256
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 IFCONFIG POOL: base=10.8.0.4 size=62
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 IFCONFIG POOL LIST
10:12 < eX|Nazha> Wed Nov 5 00:09:08 2008 Initialization Sequence Completed
10:12 < eX|Nazha> ^Aclear
10:12 < eX|Nazha> Wed Nov 5 00:10:59 2008 event_wait : Interrupted system call (code=4)
10:12 < eX|Nazha> Wed Nov 5 00:10:59 2008 TCP/UDP: Closing socket
10:12 < eX|Nazha> Wed Nov 5 00:10:59 2008 route del -net 10.8.0.0 netmask 255.255.255.0
10:12 < eX|Nazha> SIOCDELRT: Operation not permitted
10:12 < eX|Nazha> Wed Nov 5 00:10:59 2008 ERROR: Linux route delete command failed: shell command exited with error status: 7
10:12 < eX|Nazha> Wed Nov 5 00:10:59 2008 Closing TUN/TAP interface
10:12 < eX|Nazha> Wed Nov 5 00:10:59 2008 SIGINT[hard,] received, process exiting
10:12 < eX|Nazha> it's hang in "Wed Nov 5 00:09:08 2008 Initialization Sequence Completed" and stop working
10:20 < eX|Nazha> anyone here?
10:26 < eX|Nazha> i can't connect in client side, I copied the ta.key / ca.crt / client1.key / client1.crt and paste it into my Vista /program files/openvpn/config
10:26 < eX|Nazha> doesn't i cant choose in OPENVPN GUI
10:27 -!- daguz [n=leo@208-1-63-34.celito.net] has quit [Client Quit]
10:28 < eX|Nazha> how to connect in client side ?
10:36 < eX|Nazha> i got an error in my client side..
10:36 < eX|Nazha> Wed Nov 05 00:35:28 2008 NOTE: --user option is not implemented on Windows
10:36 < eX|Nazha> Wed Nov 05 00:35:28 2008 NOTE: --group option is not implemented on Windows
10:36 < eX|Nazha> Wed Nov 05 00:35:28 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
10:36 < eX|Nazha> Wed Nov 05 00:35:28 2008 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
10:36 < eX|Nazha> Wed Nov 05 00:35:28 2008 Exiting
10:37 -!- esaym [n=user@cpe-70-120-89-6.satx.res.rr.com] has joined ##openvpn
10:38 < eX|Nazha> Wed Nov 05 00:35:28 2008 NOTE: --user option is not implemented on Windows
10:38 < eX|Nazha> Wed Nov 05 00:35:28 2008 NOTE: --group option is not implemented on Windows
10:38 < eX|Nazha> Wed Nov 05 00:35:28 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
10:38 < eX|Nazha> Wed Nov 05 00:35:28 2008 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
10:38 < eX|Nazha> Wed Nov 05 00:35:28 2008 Exiting
10:39 < eX|Nazha> Which file shall I copy from the server to my client for .OVPN ?
10:40 < Luria> wtf
10:40 < Luria> pastebin that shit and ask for help
10:41 < eX|Nazha> ?
10:42 < Luria> read the fucking topic. the channel may be quiet, but it does not mean you get to use it like your own personal text editor
10:42 < eX|Nazha> sorry.
10:43 < eX|Nazha> i'm new here. please forgive me.
10:43 < eX|Nazha> Luria, can u help me with that ?
10:43 < Luria> no problem
10:43 < Luria> google pastebin
10:43 < Luria> you can post logs / code /whatever
10:44 < Luria> ask a general question and offer a link to your pastebin page
10:45 < Luria> im doing such and such, it seems not to work because x keeps happening. i've pasted log here: http://example.com
10:45 < vpnHelper> Title: Example Web Page (at example.com)
10:46 < Luria> you can even repeat yourself at a reasonable rate, say 15-30 minutes.
10:46 < eX|Nazha> ok noted it.
10:47 < eX|Nazha> ok. i am trying to connect from client side right now.
10:48 < eX|Nazha> the OPENVPN gui is yellow now. :(
10:48 < eX|Nazha> http://pastebin.com/md4cbccc
10:49 < Luria> um, what are you trying to connect to?
10:50 < eX|Nazha> to my VPN
10:50 < eX|Nazha> i am doing some test to setup a VPN server.
10:50 < eX|Nazha> now i am trying to use my PC to connect to my VPS.
10:51 < Luria> cause whatever you put in for "remote my-server-1" isnt going to work if your dns server/host file doesnt have an ip for it
10:51 < Luria> does ping my-server-1 work?
10:51 < eX|Nazha> i think i need to change to my VPS IP address and it works now.
10:52 < eX|Nazha> How can i set in my browser now.
10:52 < eX|Nazha> i am using firefox. and my OPENVPN is connected.
10:53 < eX|Nazha> my Assigned IP is 10.8.0.6
10:53 < Luria> i dont know which vps you are using and i am not used to web interfaces for controlling them
10:54 < eX|Nazha> i am using Debian
10:54 < eX|Nazha> btw, it's connected and working now.
10:55 < Luria> i would tell you to not post complete ips, even internal ones, seeing as this and most freenode channels are logged to web searchable sites
10:55 < eX|Nazha> but, how can i change the setting in my web browser?
10:55 < Luria> change what setting?
10:55 < Luria> you want to route your traffic through your vpn?
10:55 < eX|Nazha> yes.
10:55 < Luria> two ways to do that
10:55 < eX|Nazha> i think it is not a full route.
10:56 < eX|Nazha> * I think it is not a full route VPN.
10:56 < Luria> 1)set up a proxy server on your vpn server
10:56 < Luria> 2)push a route with the openvpn server conf
10:59 < Luria> http://openvpn.net/howto.html#redirect
10:59 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
10:59 < Luria> that covers 2)
10:59 < eX|Nazha> ok
11:00 < Luria> that will route all your traffic out of the physical subnet
11:00 < Luria> if you just want your web traffic, set up a proxy on the openvpn server and use a proxy switching extension in firefox
11:02 < eX|Nazha> ok.
11:02 < eX|Nazha> how to do full route in OPEN VPN ?
11:05 < eX|Nazha> how to do full route in OPEN VPN ?
11:06 < Luria> you need to setup push "route x.x.x.0 255.255.255.0" (assuming a /24)
11:06 < Luria> then push "redirect-gateway"
11:06 < eX|Nazha> can u guide me 1 by 1... :)
11:06 < Luria> should be in your server's conf/ovpn file
11:06 < Luria> sorry, i have to run
11:06 < eX|Nazha> k
11:07 < Luria> read through http://openvpn.net/index.php/documentation/howto.html
11:07 < vpnHelper> Title: HOWTO (at openvpn.net)
11:07 < Luria> and then read the standard sample conf file
11:08 < Luria> mostly, you just need to uncomment some lines and change the IPs if you made your server conf file by modifying it
11:08 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn
11:08 < Luria> if you wrote your own, ask for help and pastebin your server conf file, but again, obfuscate your ips
11:08 < Luria> bbl
11:21 < eX|Nazha> anyone here ?
11:25 -!- joelsolanki [i=joelsola@124.125.149.10] has joined ##openvpn
11:25 < joelsolanki> Hi all
11:25 < eX|Nazha> anyone here?
11:25 < joelsolanki> i am working on configuring openvpn on windows xp as server and windows vista as client.
11:26 < joelsolanki> i have so far configured the openvpn server and windows vista client is able to connect to openvpn server without any problem
11:26 < eX|Nazha> joel no one is here.. i am looking for help too
11:26 < joelsolanki> oh
11:26 < eX|Nazha> btw, do u know how to use full route ?
11:26 < joelsolanki> naah. n
11:27 < joelsolanki> sorry
11:27 < eX|Nazha> i am connected to my VPN server.. but i want to surf via VPN. do u know how ?
11:28 < joelsolanki> well no. i have not used for that purpose yet. i was using pptp vpn for that stuff.
11:28 < joelsolanki> IPsec for just lan communication.
11:31 < joelsolanki> anybody here to help ?
11:31 < joelsolanki> my vpn is connecting but the vpn server itself doesnt get IP address
11:31 -!- macly [n=andy@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn
11:34 < macly> I'm having troubles yet again, this time with routing. I'm trying to route from my wireless device (an openwrt box) through to my parents house (at the other end of an openvpn tunnel)
11:38 -!- plaerzen [n=cam@vip2.tundraeng.com] has quit [Remote closed the connection]
11:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:47 < cj> macly: and?
11:47 < cj> did you add a route to their subnet through that interface?
11:48 < cj> sudo ip route add 192.168.0.1/24 dev tap0
11:48 < eX|Nazha> Cj, can u help me to do the full route ?
11:48 < cj> eX|Nazha: I don't know what the full route is, but maybe.
11:50 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Read error: 110 (Connection timed out)]
11:57 < macly> cj, sorry, the wrt54g is a bridged interface to the main router
11:57 < macly> so I figured that if the main router is the default gateway, and the main router has a route to the other network (which works from any of the other interfaces on the main router) that it would work
11:58 < cj> macly: are you running openvpn on the wrt?
11:58 < jeev> hmm
11:58 < macly> cj no
11:58 < jeev> should i pull one of my servers from a datacenter and send to another one ?
11:58 < jeev> or lease a new one
11:58 < cj> macly: okay. what's the wrt's routing table look like? http://rafb.net/paste
11:59 < cj> jeev: context?
11:59 < macly> http://rafb.net/p/oR0OO183.html
11:59 < vpnHelper> Title: Nopaste - No description (at rafb.net)
12:02 < macly> cj the wrt only has the default gateway and the .184.x network
12:02 < cj> and 184 is your parent's place?
12:02 < macly> the main router on the other hand, has a much larger routing table.
12:02 < macly> no
12:02 < macly> 184 is my wireless network
12:03 < cj> could you re-explain your request?
12:03 < macly> yes
12:03 < PeterFA> How do I make OpenVPN not take the first addy of the subnet it's configured to use and hand addys off of?
12:03 < macly> I have a main router that runs openvpn (between my house and my parent's house)
12:03 < macly> that main router has 3 networks
12:04 < cj> PeterFA: set the pool manually...
12:04 < macly> 1 for my stuff, 1 for everything else, and one that is attached to my wrt54g running openwrt
12:04 < macly> the 54g does no routing whatsoever (and sits on eth2 on the main router)
12:04 < macly> all the 54g does is bridge the wireless and switch traffic on the back of it to the main router's eth2 interface
12:05 < macly> I have a feeling it might be iptables rules that are the issue on my main router
12:05 < cj> what are you using to create the iptables rules? shorewall?
12:05 < macly> I have an input and forward rule for traffic on the tun+ interfaces
12:05 < macly> emacs
12:05 < cj> haha, okay
12:05 < macly> I write them by hand
12:06 < macly> :)
12:06 < cj> okay, now I've got an idea of your topology. I may ask for clarification if I'm confused, though. now tell me how you want packets routed...
12:07 < macly> any machine on any network (eth0=internet, eth1=mine, eth2=wrt54g(and wireless), eth3=other)
12:07 < cj> PeterFA: something like this, maybe: server-bridge 10.0.0.1 255.255.255.0 10.0.0.128 10.0.0.160
12:07 < macly> on eth1 or eth3 can ping machines at my parents house
12:08 < macly> machines on wireless however, cannot. I want machines on wireless to be able to ping machines on my parents network.
12:08 < eX|Nazha> how can i ping my VPN server from client side ?
12:09 < cj> eX|Nazha: what's your VPN server's link local address?
12:09 < PeterFA> cj, routing.
12:11 < cj> PeterFA: man openvpn, /--server network netmask
12:12 < macly> cj, so, this is my main router's routing table: http://rafb.net/p/65kFdj59.html as you can see, some of them are inserted by openvpn
12:12 < vpnHelper> Title: Nopaste - No description (at rafb.net)
12:12 < PeterFA> cj, yeah, probably should subnet further, thanks.
12:12 < macly> 173.x is my parents house, 183.x is my stuff, 184.x is wireless
12:13 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has quit ["NO CARRIER"]
12:13 < macly> .1.x is my dad's stuff
12:13 < ecrist> howdy, folks
12:14 < cj> macly: add a log info rule to your iptables filters
12:14 < macly> on the main router?
12:15 * ecrist begins the transfer of ~1.5TB of data to our new backup server.
12:15 < cj> macly: then ping from your wireless to your parents' place. start a tcpdump session beforehand on both interfaces (eth2, tun0)
12:16 < cj> (or whatever the route to your parents' place goes through)
12:16 < cj> macly: yes, on the main router
12:16 * jeev injects ViRiI in the data
12:16 < cj> if you can ping the router from the wireless segment, but not your parents' segment, your router is dropping packets
12:19 < cj> macly: if you use a reject rule instead of drop, you might get some debugging errors on the host issuing the ping
12:19 < macly> cj ok, I added LOG to the forward rule
12:20 < cj> those messages should show up in /var/log/syslog, I'd think
12:20 < macly> cj, http://rafb.net/p/Bo2Pme53.html
12:20 < vpnHelper> Title: Nopaste - No description (at rafb.net)
12:20 < macly> that's the relevant ones during a ping
12:20 < macly> from 192.168.184.2 (the wrt54g)
12:21 < cj> sure, no response from .173.3
12:21 < cj> so tcpdump tun1 to see if the packets hit the wire there
12:21 < cj> then tcpdump (or wireshark if it's windows) the iface on the other end of .173.3
12:22 < cj> you may not be pushing routes to that client...
12:23 < macly> oh crap
12:23 < macly> I bet that's right
12:23 < eX|Nazha> cj : my client side i got assigned to 10.8.0.6 from my OpenVPN and in my server.ovpn i set as 10.8.0.0
12:23 < cj> eX|Nazha: that's probably not a good idea
12:23 < cj> .0 is the network address in most cases. use a host address for your server
12:23 < eX|Nazha> i can't ping from my client side.
12:23 < cj> eX|Nazha: imagine that
12:24 < macly> cj, you win
12:24 < cj> yay :)
12:24 < eX|Nazha> cj, i try to ping "ping 10.8.0.0" but all timeout.
12:24 < macly> I forgot to put a reverse route, my packets from 184.x were getting replied to over the internet :P
12:24 < cj> eX|Nazha: yeah, weird eh?
12:24 < macly> over ppp0 instead of tun0
12:24 < macly> thanks
12:24 < macly> awesome
12:24 < cj> excellent.
12:24 < macly> alright, time to go vote (and if you're 18+ in the US, you should vote too!)
12:25 < macly> /politics
12:25 -!- macly [n=andy@ip70-174-136-104.dc.dc.cox.net] has quit ["Leaving"]
12:25 < eX|Nazha> cj, yes weird
12:25 < cj> eX|Nazha: no, it's not.
12:25 < cj> eX|Nazha: you can't ping a network address
12:25 < eX|Nazha> cj, i did something wrong.
12:25 < cj> eX|Nazha: yes, and I told you what it was :)
12:25 < eX|Nazha> what can i do now ?
12:26 < cj> set your server's address to 10.8.0.1 and you should be good
12:26 < eX|Nazha> ok
12:26 < eX|Nazha> i will do it now
12:26 < cj> heh :)
12:28 < eX|Nazha> how to restart VPN ?
12:28 < cj> distribution?
12:28 < eX|Nazha> Bedian
12:28 < eX|Nazha> Debian
12:28 < cj> sudo /etc/init.d/openvpn stop
12:28 < cj> sudo /etc/init.d/openvpn start
12:29 < ecrist> man, nothing but business in here today
12:29 < eX|Nazha> same.. can't ping
12:29 < cj> eX|Nazha: sudo apt-get install tcpdump
12:29 < eX|Nazha> k
12:30 < eX|Nazha> cj, done
12:30 < cj> eX|Nazha: paste the output of 'sudo ip addr show && sudo ip route show' to http://rafb.net/paste
12:31 < eX|Nazha> i'm stuck
12:31 < eX|Nazha> what command shall i type ?
12:31 < cj> sudo ip addr show && sudo ip route show
12:32 < cj> copy the output of those commands and paste it to the form at http://rafb.net/paste
12:32 < eX|Nazha> suk:~# sudo ip addr show && sudo ip route show
12:32 < eX|Nazha> -bash: sudo: command not found
12:32 < cj> apt-get install sudo
12:33 < eX|Nazha> suk:~# sudo ip addr show && sudo ip route show
12:33 < eX|Nazha> sudo: ip: command not found
12:33 < cj> http://cjcollier.livejournal.com/150455.html?nc=8
12:33 < vpnHelper> Title: cjcollier: Installing sudo (at cjcollier.livejournal.com)
12:33 < cj> sudo apt-get install iproute
12:35 < eX|Nazha> ok i got it
12:36 < eX|Nazha> http://rafb.net/p/4FGvOp76.html
12:36 < vpnHelper> Title: Nopaste - No description (at rafb.net)
12:36 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn
12:37 < cj> add your non-root user to the adm group
12:37 < eX|Nazha> how, i add a user called "nazha"
12:37 < eX|Nazha> *i got
12:38 < cj> make sure there is a line like the following in /etc/sudoers (edit it using visudo):
12:38 < cj> %adm ALL=(ALL) NOPASSWD:ALL
12:38 < cj> adduser nazha adm
12:38 < eX|Nazha> Adding user `nazha' to group `adm' ...
12:38 < eX|Nazha> Done.
12:38 < cj> log out of your root shell and log in as nazha
12:39 < eX|Nazha> what next ? ( sorry, i am a complete noob in linux )
12:39 < cj> did you make sure that the %adm line was at the bottom of your sudoers file?
12:39 < eX|Nazha> cj, i dont understand what u mean by that ?
12:39 < cj> # grep adm /etc/sudoers
12:39 < cj> output of that?
12:40 < eX|Nazha> no output
12:40 < cj> run visudo and paste this as the last line of that file:
12:40 < cj> %adm ALL=(ALL) NOPASSWD:ALL
12:40 < eX|Nazha> how to run visudo :)
12:40 < cj> # visudo
12:41 < cj> (don't include the #)
12:41 < eX|Nazha> nothing comes out
12:41 < eX|Nazha> k
12:41 < eX|Nazha> # User privilege specification
12:41 < eX|Nazha> root ALL=(ALL) ALL
12:41 < eX|Nazha> add another line below root ?
12:42 < eX|Nazha> add (add a line below root) or edit (from root )
12:43 < cj> yes, add one line below it:
12:43 < cj> %adm ALL=(ALL) NOPASSWD:ALL
12:44 < eX|Nazha> logout n login as nazha ?
12:44 < cj> si
12:45 < eX|Nazha> i think i need to add a new user
12:45 < eX|Nazha> how to add a new user?
12:45 < cj> adduser nazha
12:46 < eX|Nazha> thanks for extreme response :)
12:46 < cj> oooh, I'm extreme :)
12:47 < eX|Nazha> next "adduser nazha adm" ?
12:47 < cj> groups nazha
12:47 < eX|Nazha> type "group nazha"?
12:47 < cj> yes
12:47 < cj> output?
12:47 < eX|Nazha> btw, i changed it to vpn instead of nazha )
12:48 < cj> *shrug* that works
12:48 < cj> adduser vpn adm
12:48 < eX|Nazha> suk:~# group vpn
12:48 < eX|Nazha> -bash: group: command not found
12:48 < cj> did I say group? sorry, I meant groups
12:48 < eX|Nazha> suk:~# groups vpn
12:48 < eX|Nazha> vpn : vpn adm
12:49 < cj> okay, does vpn have a password?
12:49 < eX|Nazha> yes
12:49 < cj> okay, log in as that user
12:49 < cj> test sudo configuration by running 'sudo ls'
12:50 < eX|Nazha> no output / nothing
12:50 < eX|Nazha> after typing "sudo ls"
12:50 < cj> sudo ls /
12:50 < eX|Nazha> ok
12:50 < cj> okay, you should be good to close your root console now
12:50 < eX|Nazha> there is some bin / dev / home
12:51 < cj> sure, that means it's working
12:51 < eX|Nazha> finished ?
12:51 < eX|Nazha> i can ping from client now ?
12:51 < cj> run commands not requiring elevated privs without sudo
12:51 -!- BoomSie [n=gideon@82-168-207-134.ip.telfort.nl] has joined ##openvpn
12:51 < cj> ha, no.
12:51 < eX|Nazha> k
12:51 < eX|Nazha> what next ?
12:51 < cj> okay, do you have a shell on your client?
12:51 < eX|Nazha> my client is using Vista
12:51 < cj> okay, do you have an rdp on your client?
12:52 < eX|Nazha> no. i dont know what rdp is at all
12:52 < cj> remote desktop protocol
12:52 < cj> do you have access to your client in any way?
12:52 < eX|Nazha> the client pc = the one i am using right now :)
12:53 < eX|Nazha> VPN server - i use putty to access it :)
12:53 < cj> install wireshark on vista. is this 64 or 32-bit OS?
12:53 < eX|Nazha> 32 bits
12:53 < cj> *whew*
12:53 < cj> okay, let me know when wireshark is installed
12:53 < eX|Nazha> ok i will google it n install now
12:54 < eX|Nazha> downloading.. will be complete in 3 minutes time
12:55 < eX|Nazha> thanks in advance, u are extremely patient and helpful :) credit to u
12:59 < cj> go give me a recommendation: http://www.linkedin.com/profile?viewProfile=&key=15719 :)
12:59 < vpnHelper> Title: LinkedIn: View Profile Sign In (at www.linkedin.com)
13:01 < eX|Nazha> ok installing
13:01 < eX|Nazha> what next ?
13:03 < cj> open wireshark and start listening on the vpn interface
13:03 < cj> we should probably also look at your machine's routing table...
13:03 * cj forgets how to do that on windows... moment...
13:04 < eX|Nazha> lol
13:04 < cj> route print
13:05 < eX|Nazha> dont see any "route print"
13:05 < cj> windows-r
13:05 < cj> run it in a cmd shell, though
13:05 < eX|Nazha> ok done (it's "RUN")
13:05 < cj> windows-r run
13:05 < cj> er
13:05 < cj> windows-r cmd
13:05 < cj> take the output and paste it to rafb.net/paste
13:06 < cj> (click the top left of the cmd shell window, select 'edit', 'mark')
13:06 < cj> highlight the area containing the output
13:06 < cj> press enter
13:07 < eX|Nazha> http://rafb.net/p/uCEcpd60.html
13:07 < vpnHelper> Title: Nopaste - Wires (at rafb.net)
13:07 < eX|Nazha> http://rafb.net/p/uCEcpd60.html
13:07 < vpnHelper> Title: Nopaste - Wires (at rafb.net)
13:08 < cj> you don't have a route to 10.8.0.1 that I can tell
13:08 < ecrist> someone give me a recommendation on linkedin
13:09 < eX|Nazha> :'( so something is wrong in my server.ovpn ?
13:11 < eX|Nazha> what can i do next ?
13:11 < cj> eX|Nazha: yes, push a route to 10.8.0.1 to the client
13:12 < eX|Nazha> where shall i edit it... ( in server.ovpn) right ?
13:12 * ecrist wonders if he's invisible
13:15 -!- joelsolanki [i=joelsola@124.125.149.10] has quit []
13:15 < eX|Nazha> http://rafb.net/p/41QNq684.html
13:15 < vpnHelper> Title: Nopaste - IP (at rafb.net)
13:15 < eX|Nazha> am i right ?
13:18 < cj> sorry, I just got a high priority request from the boss, so I think that may be all for today
13:18 < eX|Nazha> may i know what the problem is.. so i can continue next time
13:19 < cj> you could create a route on the client using server.ovpn, but it might be better to push the route to every client from the server
13:19 < eX|Nazha> my current problem is : unable to connect to 10.8.0.1 ?
13:19 < eX|Nazha> k
13:19 < cj> your vista box has no route to 10.8.0.1, yes
13:19 < eX|Nazha> thanks
13:19 < cj> add a route through the tun device and you should be good
13:26 < eX|Nazha> how to add ?
13:28 < eX|Nazha> anyone here?
13:28 < eX|Nazha> anyone here can help ?
13:30 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has joined ##openvpn
13:31 < eX|Nazha> bandini can u help ?
13:32 < ecrist> eX|Nazha: what are you trying to do?
13:32 < ecrist> bah, nm..
13:32 * ecrist goes away.
13:33 < eX|Nazha> ?
13:33 < eX|Nazha> ecrist.
13:33 < eX|Nazha> i can't ping my VPN server from client
13:33 < eX|Nazha> and now, my OPENVPN.ovpn got an error.
13:34 < eX|Nazha> suk:/etc/openvpn# openvpn server.ovpn
13:34 < eX|Nazha> Options error: --server directive network/netmask combination is invalid
13:34 < eX|Nazha> Use --help for more information.
13:36 < bandini> well the error is pretty clear
13:36 < bandini> what's your net/mask combo?
13:39 < eX|Nazha> how can i test ?
13:45 -!- eX|Nazha [n=asd@60.54.112.126] has quit [Read error: 104 (Connection reset by peer)]
13:46 -!- eX|Nazha [n=asd@60.54.112.126] has joined ##openvpn
13:49 -!- eX|Nazha [n=asd@60.54.112.126] has quit [Read error: 104 (Connection reset by peer)]
13:49 -!- eX|Nazha [n=asd@60.54.112.126] has joined ##openvpn
13:50 < eX|Nazha> Anyone can help? bandini u there?
13:51 < eX|Nazha> Anyone can help? bandini u there?
13:52 < bandini> well how about you post our server line with net/mask
13:53 < bandini> s/our/your/
13:55 -!- eX|Nazha [n=asd@60.54.112.126] has quit [Read error: 54 (Connection reset by peer)]
13:56 -!- eX|Nazha [n=asd@60.54.112.126] has joined ##openvpn
13:56 < eX|Nazha> i got no problem with the net/mask anymore.
13:57 < eX|Nazha> just now cj told me, my client isn't able to connect to the VPN server at 10.8.0.1 / 10.8.0.0
13:57 < eX|Nazha> after i did the route print from client
13:58 < eX|Nazha> http://rafb.net/p/uCEcpd60.html
13:58 < vpnHelper> Title: Nopaste - Wires (at rafb.net)
14:22 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 60 (Operation timed out)]
14:25 < ecrist> eX|Nazha: have you read any of the docs?
14:28 -!- BoomSie [n=gideon@82-168-207-134.ip.telfort.nl] has quit [Read error: 104 (Connection reset by peer)]
14:39 < cj> nazha: re-start your client?
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:57 -!- millun [n=chatzill@kastan.nat.praha12.net] has joined ##openvpn
14:57 < millun> hi
14:57 < cj> hi
14:58 < millun> i get "All TAP-Win32 adapters on this system are currently in use." on windows :-(
14:58 < cj> millun: fancy
14:58 < millun> even though i ran it as administrator...
14:58 < cj> how many connections do you have open?
14:58 < cj> vista, right?
14:58 < millun> vista ;-(
14:58 < cj> when you say "ran it as administrator" what do you mean?
14:59 < millun> i can't reinstall as of now
14:59 < millun> it was executed with administrator rights
14:59 < cj> what did you do to execute it with administrator rights?
15:00 < millun> i right clicked, then clicked the "run as administrator" option
15:00 < cj> alrighty. anything interesting in the logs?
15:01 < millun> Tue Nov 04 15:01:41 2008 CreateFile failed on TAP device: \\.\Global\{6B824D61-66E2-48A2-A310-86583658E3F4}.tap
15:01 < cj> 32 or 64-bit?
15:01 * cj guesses
15:02 < millun> 64
15:02 < cj> we have a winner!
15:02 < cj> reboot. hit f8 after bios and before vista logo. select bottom option (disable driver signing policy)
15:03 < cj> the devs need to sign their driver. devs?
15:04 < millun> is that all?
15:04 < cj> you tell me :)
15:04 < cj> I'll wait while you try it
15:04 < millun> ok now... what does this sort of message mean? "route gateway not reachable on any network adapter : 10.20.0.1" ? is it something with my configuration or server configuration?
15:05 < cj> you don't have a route to that address in your routing table
15:05 < cj> route print
15:06 < millun> so it is my fault?
15:06 < millun> ok
15:06 < cj> your server didn't push you a route to them
15:06 < cj> route help
15:07 < cj> route add 10.20.0.1 255.255.255.0 if moo
15:07 < cj> where moo is the name of your interface that openvpn creates
15:07 < millun> ok
15:07 < cj> that probably isn't exactly right. play with it. read the docs that you get when you run 'route help'
15:08 < millun> ok
15:09 < millun> i better go try that fix
15:09 -!- millun [n=chatzill@kastan.nat.praha12.net] has quit ["ChatZilla 0.9.83 [Firefox 2.0.0.17/2008082909]"]
15:13 -!- millun [n=chatzill@kastan.nat.praha12.net] has joined ##openvpn
15:14 < millun> back
15:14 < millun> Tue Nov 04 15:22:00 2008 CreateFile failed on TAP device: \\.\Global\{6B824D61-66E2-48A2-A310-86583658E3F4}.tap
15:14 < millun> Tue Nov 04 15:22:00 2008 All TAP-Win32 adapters on this system are currently in use.
15:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
15:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:08 < ebil> cj, thanks again for your help earlier. it was a stupid mistake, but I'm glad I didn't have to rip everything out and start from scratch (this is macly)
16:12 -!- ixs [n=andreas@lacht.ueber.gattinnen-im-netz.de] has joined ##openvpn
16:12 < ixs> evening. two things about openvpn and the routing entry:
16:13 < ixs> using "redirect-gateway def1" the most specific /32 route to the tunnelbroker is added.
16:14 < ixs> but when the underlying link gets reset and is assigned a new ip address, this route is not regenerated.
16:14 < ixs> and the openvpn reconnect fails.
16:14 < ixs> I can work around this through ppp0 routing but is there a nicer way?
16:15 < ixs> second thing: I'd like to add routes to a specific routing table through "ip route add prefix via gw table foo". Is there a nicer way of doing that than calling external scripts?
16:15 < krzee> yes, gimme a sec
16:15 < ixs> thx.
16:15 < krzee> !betaman
16:15 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html
16:16 < krzee> ixs... is that syrrus from 0x41?
16:16 < ixs> krzee: pardon? who's syrrus and what is 0x41?
16:16 < krzee> oh ok
16:16 < krzee> someone else used to use your handle on occasion on a diff network
16:16 < krzee> 0x41 was a security group =]
16:17 < ixs> ohh really? dunno, I've been using that handle on irc, dal, ef, oftc, freenode and others since '96 or so...
16:17 < krzee> gotchya =]
16:17 < theromis> krzee, I need to add signal handling in my OpenVPN plugin
16:17 < ixs> the only ones who caused some nick collisions were someone from .pl and a guy from .fi on ef...
16:18 < theromis> krzee, do you know the best way to do it?
16:18 < ixs> krzee: however, that was maybe 2002 or so
16:18 < krzee> !man
16:18 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
16:18 < theromis> krzee, I can see that openvpn has an internal mechanism for signal handling
16:19 < krzee> theromis, i missed what you're looking to do, just resumed the screen on this client
16:19 < theromis> krzee, I need to add signal handling in my OpenVPN plugin
16:19 < theromis> krzee, do you know the best way to do it?
16:20 < krzee> what are you looking to achieve?
16:21 < krzee> ixs, try --float and adding bypass-dhcp to redirect gateway
16:21 < krzee> bypass-dhcp only exists in 2.1
16:21 < krzee> would that do what you're looking for you think ixs?
16:22 < krzee> bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
16:22 < ixs> krzee: ahh nope. I fear that might not work.
16:22 < ixs> krzee: in my case, I'm routing a whole /21 and the tunnelserver is in the middle of that.
16:23 < krzee> i think im mis-understanding you
16:23 < ixs> krzee: works out fine, most specific route to the /32 is added, and then the /21 over the tunnel. perfectly working.
16:23 < ixs> krzee: now, what happens is that the adsl link (pppoe) is disconnected by the provider and instantly reconnected, but gets a different ip assigned. as the interface went down, the route to the /32 is torn down but not reestablished.
16:24 < ixs> krzee: tunnelserver route is now looked up, the /21 is seen and routed through the still existing tun0 device.
16:24 < ixs> catch22
16:25 < ixs> workaround is to tell the system-network script to define the tunnelserver /32 route onto the ppp device.
16:25 < krzee> By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure that OpenVPN doesn't need to execute
16:25 < krzee> to restart (such as re-reading key files or running ifconfig on the TUN device).
16:25 < ixs> krzee: works, but is not "portable". So I was wondering if there's a "nice" solution inside of openvpn
16:26 < ixs> krzee: persist tun, persist key is set, as is float.
16:30 < krzee> look at --ipchange
16:30 < krzee> Similarly if our IP address changes due to DHCP, we should configure our IP address change script (see man page for dhcpcd(8) ) to deliver a SIGHUP or SIGUSR1 signal to OpenVPN. OpenVPN will then reestablish a connection with its most recently authenticated peer on its new IP address.
16:32 < krzee> the funny thing is that could possibly answer theromis's question
16:32 < ixs> krzee: my reading is, ipchange is used when the remote end of the link changes ip address. doesn't happen, the local ip changes.
16:32 < krzee> depending exactly what he wants to know bout the signal handling
16:32 < krzee> read the bottom of it
16:32 < krzee> it says "Similarly if our IP address changes due to DHCP, we should..."
16:33 < krzee> our is italicized even
16:33 < ixs> ohh
16:33 < ixs> that I already have
16:33 < ixs> [root@rtr ~]# grep -A 3 openvpn /etc/ppp/ip-up.local
16:33 < ixs> # Tell openvpn to reconnect
16:33 < ixs> for i in `cat /var/run/openvpn/*.pid`
16:33 < ixs> do kill -SIGUSR1 $i
16:33 < ixs> done
16:33 < ixs> [root@rtr ~]#
16:33 < krzee> but are you calling that from --ipchange?
16:33 < ixs> krzee: it might be that leaving out persist-tun does solve the problem in question, but that creates different problems.
16:34 < krzee> no, you do want to persist-tun
16:34 < krzee> especially if you use --user
16:35 < krzee> as i pointed out earlier when i pasted stuff from --user
16:35 < krzee> ixs, you have that lil piece of code in ip-up.local
16:36 < krzee> that chunk of code belongs in its own script, called by --ipchange
16:37 < krzee> also see Environmental Variables in the manpage
16:37 < krzee> in case you want to tell the --ipchange script what routes to add using variables (i've never used it so i dunno if just sending sigusr1 works as i would expect it would)
16:38 < ixs> krzee: uhm. please correct me if I'm wrong, but: I'm reading the ipchange command as: "if the remote end changes, execute ipchange script. if your ip address changes (due to dhcp), please add a sighup or sigusr1 call to the dhcp-client config" the latter part would be unrelated to the ipchange command and is only mentioned for its informational value.
16:38 < ixs> krzee: but lemme check the env vars.
16:38 < krzee> just try what i said first
16:39 < krzee> oh wait i see, you dont get to choose when to test this
16:39 < krzee> you have to wait every try for your pppoe to change ips on its own
16:40 < ixs> yeah.
16:40 < ixs> the ip link is torn down and brought up with a different ip. but the ip change is not a problem per se.
16:40 < ixs> the problem is that the most specific route to the tunnelbroker disappears.
16:40 < ixs> and openvpn does not add it again.
16:41 < ixs> probably due to preserve-tun. (i haven't tried)
16:41 < ixs> but lemme just give it a shot. brb.
16:42 < krzee> k
16:45 < krzee> --persist-tun
16:45 < krzee> Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
16:45 < krzee> SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
16:45 < krzee> that should be fine, you dont need the interface closed / opened
16:45 < ixs> aa
16:45 < krzee> in fact, you want it NOT closed
16:45 < krzee> if you use --user
16:46 < krzee> you dont want --persist-local-ip
16:47 < ixs> krzee: for what it's worth: without persist-tun it works perfectly okay: routes are torn down and reestablished... :>
16:47 < krzee> and either client needs to have float, or a keep-alive so it knows to restart its connection
16:47 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
16:47 < krzee> oh ok, you dont use --user?
16:48 < ixs> in this case no.
16:48 < krzee> hey wassup reiffert =]
16:48 < reiffert> +r on the channel sucks.
16:48 < krzee> ixs, oh ok without --user you should be fine with and without --persist-tun
16:48 < ixs> I know.
16:48 < krzee> with --user you will need persist-tun
16:48 < ixs> yeah, due to the dropped privileges, dev can't be set up
16:49 < ixs> but about the second problem, partially routing related...
16:49 < krzee> but i dunno if your ipchange script will be able to add routes with --user
16:49 < reiffert> Today my Apple iBook died.
16:49 < ixs> nah.
16:49 < ixs> krzee: you need to be root.
16:49 < krzee> reiffert time for intel laptop =]
16:49 < ixs> if the privs are dropped once, no way of regaining them.
16:49 < reiffert> krzee: time for gimme money and I'll get one.
16:49 < krzee> ixs, yup =/
16:50 < krzee> reiffert, =[
16:50 < ixs> krzee: second problem: I'd like to pass a "table [0-9]" at the end of the ip route add call. No provision for that in stock openvpn, right?
16:52 < krzee> not that i see
16:52 < krzee> ive never seen table[1-9] used in route
16:52 < krzee> but your ipchange script could do anything it wants
16:53 < krzee> doesnt NEED to send a sigusr1
16:53 < krzee> could just edit routes as you see fit, using variables for portability
16:56 < ixs> krzee: I know, but I wouldn't use ipchange, I'd need route-up and then an ip route change command.
16:56 < ixs> krzee: that seems more fitting.
16:56 < krzee> --ipchange cmd was built for what you are looking for
16:56 < ixs> krzee: and the table is used to have several routing tables in parallel. I need that for source routing
16:56 < krzee> why you wouldnt want to use it baffles me
16:57 < reiffert> Are you sure he isnt looking for --up?
16:57 < ixs> krzee: just to clarify: I'm running openvpn 2.1. the man page says: "The script will be run every time the remote peer changes its IP address."
16:57 < krzee> reiffert, his IP changes due to local DHCP
16:58 < ixs> krzee: my problem: the remote IP is never going to change.
16:58 < ixs> krzee: pppoe but that difference is negligible.
16:58 < krzee> "Similarly if our IP address changes due to DHCP, we should configure our IP address change script"
16:58 < krzee> from --ipchange
16:58 < krzee> it was built for that!
16:59 < ixs> krzee: read that part again.
16:59 < reiffert> ixs: on which side do you want to have several tables? Client or Server side?
16:59 < ixs> krzee: the _our_ part is underlined to IMHO explain the alternative.
16:59 < ixs> krzee: further explanation of _another_ use case, not the case for ipchange.
16:59 < ixs> reiffert: client.
16:59 < reiffert> ixs: check the --up part in the manpage.
17:00 < ixs> krzee: the last paragraph is basically "on the other hand"
17:00 < krzee> ixs, it is saying "it can also be used for this case"
17:01 < ixs> reiffert: --up I know. I've been using that on another setup for proxy arp. works nifty.
17:02 < krzee> proxy arp, shouldnt that just be a bridged setup?
17:03 < ixs> krzee: don't ask. lengthy story including gems such as broken tap but working tun on that legacy box nobody really wants to touch. :>
17:03 < krzee> heheh gotchya
17:03 < ixs> krzee: strange. my manpage doesn't say that. mine says: Similarly if our IP address changes due to DHCP, we should configure our IP address change script (see man page for dhcpcd(8) ) to deliver a SIGHUP or SIGUSR1 signal to OpenVPN.) The ip change script they are talking about is the one from the dhcp client...
17:04 < ixs> krzee: but lemme just check, I'll add an ipchange command and trigger a local ipchange
17:04 < ixs> let's see if it's executed
17:04 < krzee> cool
17:08 < krzee> "If you are running in a dynamic IP address environment where the IP addresses of either peer could change without notice, you can use this script"
17:08 < krzee> ...
17:08 < ixs> and that paragraph says: The script will be run every time the remote peer changes its IP address.
17:08 < ixs> remote peer
17:08 < ixs> not local
17:08 < ixs> but lemme just try...
17:09 < krzee> right, then it goes on to say similarly if OURS does because of DHCP... i really think this is what you need
17:09 < krzee> it keeps alluding to your setup
17:09 < krzee> but we'll see after you test it
17:09 < krzee> first time ive helped someone with your setup so i cant say ive seen it in action
17:10 < ixs> krzee: okay. first the script:
17:10 < ixs> [root@rtr openvpn]# cat /etc/openvpn/ipchange.sh
17:10 < ixs> #!/bin/sh
17:10 < ixs> logger ipchange script executed as $0 $@
17:10 < ixs> exit 0
17:10 < ixs> [root@rtr openvpn]#
17:10 < ixs> Nov 5 00:09:37 rtr openvpn[12471]: [tunnelserver.bawue.net] Peer Connection Initiated with 193.7.176.14:1195
17:10 < ixs> Nov 5 00:09:37 rtr logger: ipchange script executed as /etc/openvpn/ipchange.sh 193.7.176.14 1195
17:11 < ixs> now. looking at the log and the fact that only the remote ip is passed...
17:11 < ixs> I'm sceptical of your interpretation. brb. triggering an adsl reconnect
17:12 < ixs> reconnect triggered, new ip assigned:
17:13 < ixs> openvpn restarted by sending sigusr1
17:13 < ixs> Nov 5 00:12:21 rtr openvpn[12471]: [tunnelserver.bawue.net] Peer Connection Initiated with 193.7.176.14:1195
17:13 < ixs> Nov 5 00:12:21 rtr logger: ipchange script executed as /etc/openvpn/ipchange.sh 193.7.176.14 1195
17:13 < ixs> mhm...
17:13 < ixs> I think it's really only for remote ip changes...
17:16 < ixs> but to make sure, let's remove the sigusr1 call from my ip-up script and reactivate persist-tun.
17:17 < krzee> and maybe add a sigusr1 to the ipchange script before you change the route
17:19 < ixs> that would possibly result in an endless loop
17:19 < krzee> whys that?
17:19 < ixs> openvpn is executing the script, which in turn tells openvpn to please restart itself while the script gets executed telling openvpn to please restart...
17:20 < krzee> with persist-tun (which should stay enabled) --up wont run on sigusr1
17:20 < krzee> --up
17:20 < krzee> Executed after TCP/UDP socket bind and TUN/TAP open.
17:21 < ixs> krzee: up, but not ipchange.
17:21 < ixs> ipchange is always run.
17:21 < ixs> right after connecting to the server.
17:21 < ixs> krzee: which will not work anyway as in my specific case explained above the connection never succeeds.
17:22 < ixs> no route to the tunnelserver
17:22 < krzee> give it a shot pls
17:22 < ixs> krzee: so I think, you're misreading the manpage.
17:22 < ixs> krzee: i just did.
17:22 < ixs> Nov 5 00:20:43 rtr openvpn[12730]: UDPv4 link remote: 193.7.176.14:1195
17:22 < ixs> Nov 5 00:20:43 rtr openvpn[12730]: TLS: Initial packet from 193.7.176.14:1195, sid=b7b2e9d0 701fd73a
17:22 < ixs> N
17:22 < ixs> ...
17:23 < ixs> Nov 5 00:20:51 rtr openvpn[12730]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
17:23 < ixs> Nov 5 00:20:51 rtr openvpn[12730]: [tunnelserver.bawue.net] Peer Connection Initiated with 193.7.176.14:1195
17:23 < ixs> Nov 5 00:20:51 rtr logger: ipchange script executed as /etc/openvpn/ipchange.sh 193.7.176.14 1195
17:23 < ixs> Nov 5 00:20:53 rtr openvpn[12730]: SENT CONTROL [tunnelserver.bawue.net]: 'PUSH_REQUEST' (status=1)
17:23 < ixs> Nov 5 00:20:53 rtr openvpn[12730]: PUSH: Received control message: 'PUSH_REPLY,route 86.111.250.0 255.255.255.0,topology net30,ping 8,ping-
17:23 < krzee> pastebin
17:23 < ixs> restart 24,ifconfig 86.111.250.16 86.111.250.17'
17:23 < krzee> !pastebin
17:23 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
17:23 < ixs> yeah, sorry.
17:24 < krzee> but it DOES trigger ipchange to run when you change your ip based on DHCP, right?
17:24 < ixs> nope.
17:24 < krzee> it just isnt doing what you want
17:24 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
17:25 < krzee> so when already connected, and you change local ip by triggering a dsl reconnect, ipchange script runs or not?
17:25 < ixs> krzee: nope. ipchange runs _after_ successfully connecting to the remote end. of course, it does after a local ip change as the tunnel times out and gets reestablished but that's cause vs. effect.
17:25 < krzee> forget about what it does, does it run?
17:26 < ixs> krzee: I'll just grab the sources and check to make sure
17:26 < krzee> ahh i see
17:27 < krzee> is it the client or server changing ips?
17:28 < ixs> ipchange is executed inside of the link_socket_connection_initiated() function
17:29 < ixs> that is, only after a connection was established
17:29 < krzee> ahh
17:29 < krzee> i guess i did mis-read that
17:30 < ixs> and all it does in the code is execute the script with the remote ip and port. no checking is done to see if any ip did in fact change.
17:31 < krzee> is it the client or server changing ips? client right?
17:31 < ixs> ahh. and option.c has a good explanation:
17:31 < ixs> "--ipchange cmd : Execute shell command cmd on remote ip address initial\n"
17:31 < ixs> " setting or change -- execute as: cmd ip-address port#\n"
17:31 < ixs> krzee: the client is changing ip.
17:32 < krzee> can i see your configs without comments pls?
17:32 < ixs> initial setting or change means "no checking done at all"
17:32 < ixs> krzee: sure
17:32 < ixs> it's autogenerated anyway and has no comments
17:32 < krzee> you can comment out remote ip for privacy if you wish
17:33 < reiffert> why do we use all the auth stuff then?
17:33 < krzee> reiffert, huh?
17:33 < reiffert> regarding the privacy.
17:34 < krzee> oh, lol
17:34 < krzee> i just hate when people do that when its something like firewall rules
17:34 < ixs> krzee: http://filepile.dicp.de/bawue-net.conf
17:34 < krzee> but for what he needs, and since he is making a successful connection, it dont matter
17:34 < ixs> krzee: ohh yeah, right. Best thing ever: routing and firewalling with changed values. not even worth looking at.
17:35 < krzee> haha totally
17:36 < krzee> and the server?
17:37 < krzee> !sample (for my viewing)
17:37 < vpnHelper> krzee: Error: "sample" is not a valid command.
17:37 < krzee> !sample
17:37 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
17:37 < ixs> krzee: server config?
17:37 < krzee> yes
17:38 < ixs> http://filepile.dicp.de/tunnel.conf
17:39 < millun> Tue Nov 04 17:47:25 2008 CreateFile failed on TAP device: \\.\Global\{6B824D61-66E2-48A2-A310-86583658E3F4}.tap
17:39 < millun> Tue Nov 04 17:47:25 2008 All TAP-Win32 adapters on this system are currently in use.
17:41 < reiffert> millun: http://openvpn.net/archive/openvpn-users/2005-01/threads.html#00078
17:41 < vpnHelper> Title: openvpn-users by thread (2005-01) (at openvpn.net)
17:42 < reiffert> millun: http://wiki.linuxquestions.org/wiki/OPenVPN#All_TAP-Win32_adapters_on_this_system_are_currently_in_use
17:43 < millun> this is not win32
17:44 < reiffert> so, lemme guess, it's opensolaris!
17:44 < millun> vista 64
17:44 < ixs> doh!
17:45 < millun> :(
17:52 < millun> i have disabled driver signature check
18:17 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
18:41 -!- oc80z [n=oc80z@quad.efnet.pe] has quit []
18:41 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
18:46 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
18:50 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
18:51 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
19:00 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
19:44 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
19:44 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
19:44 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
19:49 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
19:56 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:01 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
20:01 -!- mode/##openvpn [+o krzee] by ChanServ
20:01 -!- mode/##openvpn [+b *!*enrique@lidsol.fi-b.unam.mx] by krzee
20:10 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:28 -!- mode/##openvpn [-b *!*enrique@lidsol.fi-b.unam.mx] by krzee
20:28 -!- mode/##openvpn [+b *!*n=enrique@lidsol.fi-b.unam.mx] by krzee
20:28 -!- mode/##openvpn [-o krzee] by krzee
21:09 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
21:09 < mRCUTEO> hi
21:09 < mRCUTEO> anyone knows how to NAT openvpn tap0?
21:10 < mRCUTEO> !menu
21:10 < vpnHelper> mRCUTEO: "menu" is please use !factoids search *
21:10 < mRCUTEO> !factoids search tap0 NAT
21:10 < vpnHelper> mRCUTEO: No keys matched that query.
21:11 < mRCUTEO> !factoids search NAT
21:11 < vpnHelper> mRCUTEO: 'bsdnat' and 'nat'
21:11 < mRCUTEO> !factoids search nat
21:11 < vpnHelper> mRCUTEO: 'bsdnat' and 'nat'
21:11 < mRCUTEO> !nat
21:11 < vpnHelper> mRCUTEO: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
21:16 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit []
21:25 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:28 < krzie> ixs, that was you i was talking to earlier about --ipchange and stuff, right?
21:30 < ixs> krzie: yeah
21:30 < krzie> i recommend asking the mailing list, cause i know there MUST be a clean way
21:30 < krzie> i failed you, but i dont think they will ;]
21:30 < krzie> !mail
21:30 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978
21:30 < ixs> krzie: :->
21:31 < ixs> krzie: yeah. I might do that next week. I'm kinda busy right now.
21:31 < krzie> right on
21:31 < ixs> krzie: something else: why is this channel named ##openvpn and why's there a redirect from the original?
21:31 < krzie> there used to be a #openvpn
21:32 < krzie> but they NEVER came in to manage it
21:32 < krzie> spammers, trolls, etc
21:32 < krzie> so now we manage this one, and consequently theres more activity here now-a-days
21:33 < krzie> the ## means it is not run by the official team
21:33 < krzie> (freenode policy)
21:33 < krzie> only the real openvpn team is allowed to use a single #
21:33 < ixs> bahhh
21:34 < krzie> and the forwarder stops the confusion that would otherwise be created by what i just said
21:34 < ixs> freenode seems to be a stickler for policy...
21:34 < ixs> *sigh*
21:34 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:35 < krzie> hehe ya but its all good
21:35 < krzie> its actually useful once you know it
21:35 < krzie> like the fact im in the gentoo and freebsd channels...
21:35 < krzie> #gentoo lets me know the real gentoo team runs it
21:36 < krzie> ##freebsd lets me know its not the real fbsd team running it
21:36 < krzie> *shrug*
21:36 < Dryanta> lol @ gentoo
21:36 < krzie> im not a huge gentoo guy, but its a good OS
21:37 < ixs> krzie: but actually, I don't care who runs the channel I care about the inhabitants of the channel...
21:37 < ixs> :D
21:38 < krzie> hehe ya, for most things i agree with that
21:39 < Dryanta> fbsd is win
21:39 < Dryanta> gentoo is closest line ucks to bsd
21:39 < krzie> although if it was #openVPN any questions about the direction code will go, or if feature 'a' will get added one day, or submitting a patch, would be more meant for here than ##openvpn
21:39 < krzie> Dryanta, they're both good
21:39 < krzie> Dryanta, depends which you are better with
21:40 < krzie> personally, im more for bsd as well
21:40 < krzie> but if im forced to use linux on a server (maybe for HW reasons) i choose gentoo
21:40 < Dryanta> i cant stand lineucks truly
21:40 < Dryanta> hate it even
21:41 < Dryanta> i have a suse box it makes me cry
21:41 < Dryanta> i will migrate it ASAP
21:41 < krzie> hehe
21:41 < krzie> what i really hate is redhat
21:42 < krzie> back in school we had to use it for a class
21:42 < ixs> mhm...
21:42 < ixs> *no comment*
21:42 < Dryanta> hahah lulz
21:42 < Dryanta> line-ucks
21:42 < krzie> ixs, lol
21:42 < krzie> ixs, you like redhat?
21:43 < ixs> krzie: actually, no. It sucks. But it sucks way less than the alternatives.
21:43 < krzie> alternatives being...?
21:43 < ixs> gentoo, novell, arch etc.
21:43 < ixs> solaris
21:43 < ixs> bsd
21:43 < ixs> aix
21:43 < ixs> hpux
21:44 < Dryanta> rofl
21:44 < krzie> wow
21:44 < ixs> IMHO at least.
21:44 < ixs> :>
21:44 < ixs> ohh, i forgot about debian. :>
21:44 < krzie> you'd take redhat over solaris and bsd?
21:44 < Dryanta> ixs: i can tell you havent been doing *nix for long hahah
21:44 < krzie> Dryanta, actually i disagree
21:44 < ixs> Dryanta: mhm... try again... 20years?
21:44 < krzie> i think ixs has been using nix for awhile
21:44 < ixs> krzie: thx for the vote of confidence... :>
21:44 < krzie> Dryanta, he just has a different opinion, likely from differing experiences
21:44 < Dryanta> are you talking about redhat, rhel, or centos?
21:45 < Dryanta> or all of the above being > *?
21:45 < krzie> ixs, what sort of environment are we talking about redhat being better than all those in?
21:45 < Dryanta> because i can understand saying better than gentoo/novell, but debian is win
21:45 < krzie> server environment?
21:45 < ixs> Dryanta: rhel and centos, both are the same. if you're talking about fedora, I have a very special and very well funded opinion about it.
21:46 < Dryanta> and what is said opinion
21:46 < ixs> Dryanta: about red hat linux (3.0.3 to 9), well. it's about 7 years since this stuff has been EOLd.. no need to talk about it.
21:46 < Dryanta> ok, so WHY
21:46 < Dryanta> i can tell you why i think freebsd is > in ten points or less
21:46 < ixs> krzie: servers usually. small and larger enterprises which either have an internal it staff or use external consultants.
21:46 < krzie> ok, servers is what i meant too
21:47 < ixs> red hat has working quality assurance which does save a lot of work and the fact that they do offer about 7 years of stable apis is worth a lot.
21:47 < krzie> so ya, ild like to know why you prefer redhat over debian/gentoo/fbsd/nbsd/obsd for a secure server environment
21:48 < Dryanta> i work for a fairly large company
21:48 < Dryanta> managing about 30 servers
21:48 < Dryanta> and i do it all myself with freebsd
21:48 < Dryanta> portsnap, portmaster, freebsd-update
21:48 < Dryanta> shit its all scripted
21:48 < ixs> Dryanta: my opinion of fedora is: it's an interesting system for seeing where desktop linux is headed for but it's fucking unstable, basically unusable on servers and the developers, especially the desktop team with their "you are not our target audience" is horrible.
21:48 < krzie> Dryanta, the best OS is the one you are most comfortable with in most cases
21:49 < ixs> krzie: _THAT_ is exactly the right opinion.
21:49 < Dryanta> im most "comfortable" with osx
21:49 < Dryanta> and i have one osx server
21:49 < Dryanta> and it pains me to no end
21:49 < krzie> then you are most comfy with is for DESKTOP
21:49 < krzie> not for server
21:49 < krzie> hehe
21:49 < krzie> with it for desktop
21:49 < krzie> (so am i)
21:49 < krzie> i love osx on my desktop, i wouldnt bother with it for server
21:50 < krzie> cause i am a minimalist
21:50 < Dryanta> i mean osx server brings the power of nix to clueless sysadmins who dont know how to set up a decent mta
21:50 < krzie> my servers shouldnt have gui
21:50 < Dryanta> there are times where it comes in hand
21:50 < Dryanta> y
21:50 < ixs> Dryanta: if fbsd works out for you, that's good. I am used to a different environment. Either very small companies for which I did consulting with one to six systems which I wanted to have running and do not have to look after. that means rock stable, security updates only and no gimmicks. rhel works for that.
21:50 < krzie> i believe that
21:50 < Dryanta> ixs: freebsd and debian work for that too
21:51 < krzie> ixs, thanx for the explanation... i've never heard anyone take redhat's side
21:51 < Dryanta> i have a fbsd 5.4 box in production
21:51 < ixs> Dryanta: the alternative are large scale deployments. several thousand systems. There you need management infrastructure. Sun offers stuff, RH offers stuff, Novell offers stuff.
21:51 < Dryanta> rackspace uses freebsd and debian, they have tens of thousands of servers
21:51 < ixs> RHEL wins with QA and Support (Professional services especially) and price
21:51 < ixs> pricewise compared to novell.
21:52 < ixs> novell itself wins on price and loses on support and services.
21:52 < Dryanta> id go with sun in an enterprise environment, but ive never worked in one that large in an it role
21:52 < ixs> solaris? it's nice on sun hardware, but sun hardware is expensive. the userland is crap and it's not an easy sell anymore, even to banks.
21:53 < Dryanta> banks like hp/ux and aix
21:53 < Dryanta> from the ones ive been in
21:53 < ixs> solaris has some interesting features notably zfs. d-trace is hyped too much IMHO. interesting concept but a small userbase.
21:53 < krzie> they should use openVMS... its rock solid secure
21:53 < Dryanta> zfs and dtrace rock
21:53 < krzie> cause even with root, nobody can figure out how to use it!
21:53 < ixs> hahahaha
21:53 < krzie> lol
21:53 < ixs> :>
21:53 < Dryanta> and freebsd has both now too heh
21:53 < ixs> krzie: RH is going there as well with selinux.
21:53 < ixs> :>
21:53 < ixs> but I'm starting to grok selinux.
21:54 < krzie> ya im loving zfs on fbsd
21:54 < Dryanta> ive had a couple snafus
21:54 < krzie> it still has a ways to go, but its already nice
21:54 < Dryanta> but then again its still "experimental"
21:54 < krzie> ya, it is young
21:54 < krzie> yup
21:54 < Dryanta> i had one of my offices on zfs and it totally took a shit
21:54 < krzie> but even apple has jumped on the zfs wagon
21:55 < Dryanta> and some weird stuff like ps and df hanging the terminal
21:55 < ixs> Dryanta: about debian: horrible security track record, non working update process, nutty developers, kernel problems. and the release maintainer and some other head honchos are personal friends. That means I notice all the bitching they do. :>
21:55 < krzie> so hopefully they'll share where they get with it back to the community
21:55 < krzie> kernel problems...
21:55 < ecrist> howdy, kids
21:55 < ixs> (doesn't mean much though, RH people bitch as much at least. :)
21:55 < Dryanta> krzie: apple has a bad track record with that
21:55 < ecrist> go Obama!
21:55 < krzie> dont they use same kernel as redhat?
21:55 < Dryanta> go mccain
21:55 < krzie> the linux kernel...
21:55 < krzie> go ron paul!
21:55 < krzie> ermmm
21:55 < Dryanta> hahahah
21:55 < krzie> heh
21:55 < ixs> Dryanta: go mccain? I think it's called for obama. :>
21:56 < ecrist> lol
21:56 < Dryanta> ixs: yeah, and he will be our president im sure
21:56 * ecrist apologizes for bringing politics into ##openvpn
21:56 < Dryanta> doesnt change the fact that i hate him
21:56 < ixs> *shrug*
21:56 < ixs> <-- not american
21:56 < ecrist> Dryanta: are you daft?
21:56 < Dryanta> with the fiery passion of a million suns
21:56 < krzie> ecrist, we've been on the religious OS debate for about 30minutes
21:57 < krzie> so politics is prolly a welcome change of topic
21:57 < krzie> lol
21:57 < Dryanta> ecrist: no, im sly
21:57 < ecrist> krzie: orly?
21:57 < Dryanta> i make enough money and own enough guns that i will never vote in a liberal
21:57 < ixs> Dryanta: and my experience with aix and hpux is: legacy os with a horrible userland. There's good money to be made if you know the stuff, SAP customers are sometimes totally in love with AIX :) but it's a royal pain in the ass working with it. :>
21:57 < ecrist> http://secure-computing.net/luv.png
21:58 < krzie> Dryanta, you say that as if there was a conservative running
21:58 < krzie> mccain and obama are both liberals, its just in which ways
21:58 < krzie> neither are conservative
21:58 < ecrist> mccain is liberal with money...
21:58 < Dryanta> krzie: at least mccain is fiscally conservative, for small government, and not a gun grabber
21:58 < krzie> small gov, LOL
21:58 < krzie> bahahahah
21:58 < Dryanta> i voted ron paul in the primary
21:58 < krzie> right about the guns
21:59 < krzie> that might be the only thing me and him agree on
21:59 < Dryanta> im all for 99% of his kooky ideas
21:59 -!- ChanServ changed the topic of ##openvpn to: NO POLITICS rawr...
21:59 < krzie> LOL ecrist
21:59 < krzie> you brought it up!
21:59 < Dryanta> abolish fed reserve, gold standard, give everyone gunz
21:59 < ecrist> yeah, I know
21:59 < ixs> Dryanta: and about bsd: yes, it exists. it works. fbsd is the only real contender, I've seen too many problems with openbsd running on "normal" hardware... friends of mine are selling security servers, firewalls etc. based on openbsd... their openbsd coders are constantly working on the kernel to fix up basic kernel problems.
21:59 < ecrist> http://secure-computing.net/luv.png
21:59 < ecrist> http://secure-computing.net/luv.png
21:59 < ecrist> http://secure-computing.net/luv.png
21:59 < ixs> Dryanta: so fbsd is okay, but it's not my preferred system.
22:00 < ecrist> what a pretty little cuchie.
22:00 < krzie> anyways, time for me to go debug stuffs
22:00 < ecrist> krzie: debug my IPMI nagios scripts
22:00 * ecrist wishes he had a complete spec of Dell IPMI
22:00 < Dryanta> ixs: thats mostly because http://encyclopediadramatica.com/Theo_deraadt
22:00 < vpnHelper> Title: Theo de Raadt - Encyclopedia Dramatica (at encyclopediadramatica.com)
22:01 < krzie> ecrist, sounds fun and all, but im still in my K&R book
22:01 < ecrist> lol @ Theo
22:01 < krzie> haha ya theo is funny
22:01 < Dryanta> biggest fgt on the interwebs, save maybe linus
22:01 < ecrist> krzie: http://www.secure-computing.net/wiki/index.php/BMC_Nagios
22:01 < vpnHelper> Title: BMC Nagios - Secure Computing Wiki (at www.secure-computing.net)
22:01 < Dryanta> MONKEYS MASTURBATING :P
22:02 < ecrist> Dryanta: RMS is the biggest fgt on the interwebs
22:02 < krzie> hey nice man!
22:02 < Dryanta> ecrist: hahahahah
22:02 < krzie> one day im gunna play with nagios
22:02 < ixs> Dryanta: hahaha. Yeah. Theo is a bit special. I fondly remember the NetBSD mousepads with the inscription: "NetBSD - Because Theo is an Asshole"
22:02 < krzie> its been on the to do list forever
22:02 < krzie> LOL
22:02 < ixs> Dryanta: or wait, it was english spelling: Arsehole IIRC
22:02 < krzie> nice
22:03 < Dryanta> all three of them should get on a mantrain
22:03 < Dryanta> with rms as the caboose
22:03 < krzie> no matter if you like them or not, they have contributed to the stuff we use often
22:03 -!- ChanServ changed the topic of ##openvpn to: NO POLITICS see http://secure-computing.net/cuch.png for meditative imagery.
22:04 < ecrist> krzie: re nagios, I know Ethan, personally, and it's a pretty fucking awesome program.
22:04 < krzie> without linus the BSD code would still be stale, he fought ATT and got opensource a chance
22:04 < krzie> without Theo a lot of stuff would be diff
22:04 < krzie> (ssh anyone?)
22:04 < ixs> Dryanta: don't forget about ESR. That sucker is a bitch for mantrains. :D
22:04 < krzie> etc etc
22:04 < ecrist> AND, I can write pretty much any script you need
22:04 < krzie> ecrist, kick ass!
22:05 < ecrist> SPEAKING OF SSH - did you note that the latest release has chroot!!!!!111!!1!!1!!!1!! OMG
22:05 < krzie> whoa, no i didnt
22:05 < ecrist> krzie: linux *is* linux... without him, linux wouldn't be at all.
22:06 < ecrist> no more $799 for vshell!
22:06 < ecrist> although vshell is pretty tits.
22:06 * ecrist listens to 100 in a 55
22:06 < Dryanta> http://encyclopediadramatica.com/Eric_S._Raymond
22:06 < vpnHelper> Title: Eric S. Raymond - Encyclopedia Dramatica (at encyclopediadramatica.com)
22:06 < Dryanta> hahahah
22:07 < Dryanta> that picture is PRICELESS
22:07 < ecrist> GAY
22:07 < ecrist> <<-- been drinking
22:07 < Dryanta> Researchers believe that ESR and Richard Stallman were originally one and the same until God decided to split their souls in half.
22:07 < Dryanta> rofl
22:11 < ixs> about ESR and RMS: Two things:
22:11 < ixs> NEVER shake hands with RMS
22:11 < ecrist> oops
22:11 < ecrist> brb
22:11 < ixs> he first scratches his ass and then goes on merrily offering his hand to shake...
22:11 < ixs> (NB: he does scratch his ass, not his trousers)
22:12 < ixs> that guy has absolutely no social grace
22:12 < ixs> and ESR? He's just exhausting.
22:12 < ixs> and an idiot.
22:13 < ixs> e.g. telling everyone on a german linux conference who did not run away screaming when he appeared that hitler would never have happened had the german population had access to weapons...
22:13 < ixs> Yooo, moron. They had weapons at home, hitler was the bastard who demilitarized that country.
22:13 < ixs> and starting that discussion at a german conference is just bad style.
22:14 < ixs> what was the old joke again? If you were trapped in an elevator with RMS and ESR and you only have a gun and only one bullet, who would you go for?
22:14 < ixs> the right answer was: suicide
22:15 < ecrist> back
22:16 < ecrist> ixs: that's the *obvious* answer
22:19 < ixs> ;)
22:19 < ixs> right
22:21 < ixs> krzie: a side note about Red Hat: Did you notice that Raleigh, NC is blue? ;>
22:21 < ixs> and durham, where most of the employees are living, is even bluer. :>
22:23 < ecrist> soothing toons: http://secure-computing.net/100_in_a_55.mp3
22:29 -!- ChanServ changed the topic of ##openvpn to: NO POLITICS see http://secure-computing.net/cuch.png for meditative imagery. Listen to http://secure-computing.net/orgy_dreams_in_digital.mp3 woooooo......
22:34 < ecrist> Sexual Harassment Panda is saaaaad... Everyone left and nobody said 'Goodbye.' That makes me a saaaaad paannnndaaaaa.
22:39 < eX|Nazha> anyone here?
22:41 < krzie> kinda
22:42 < eX|Nazha> krzie
22:42 < eX|Nazha> i need some help
22:42 < krzie> mentally, physically, or with openvpn
22:42 < krzie> ?
22:42 < eX|Nazha> i can't ping my VPN server from client
22:42 < krzie> ;]
22:42 < eX|Nazha> this is my route print from client
22:42 < eX|Nazha> http://rafb.net/p/uCEcpd60.html
22:42 < krzie> what ip are you pinging?
22:42 < vpnHelper> Title: Nopaste - Wires (at rafb.net)
22:42 < eX|Nazha> my VPN server is 10.8.0.0 / assigned ip is 10.8.0.6
22:43 < krzie> .6 is client1
22:43 < eX|Nazha> yes.
22:43 < krzie> server is .1
22:43 < krzie> are you on client, pinging 10.8.0.1?
22:43 < eX|Nazha> 10.8.0.1 or 10.8.0.0 = fail / timeout
22:43 < krzie> what os is .1?
22:44 < eX|Nazha> my server.ovpn was set as 10.8.0.0
22:44 < krzie> !sample
22:44 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
22:44 < krzie> server 10.8.0.0 255.255.255.0
22:44 < krzie> like that right?
22:45 < eX|Nazha> yes
22:48 < ecrist> eX|Nazha: i was offering to help you all day
22:48 < ecrist> and you couldn't be bothered...
22:48 < ecrist> although, I suppose I don't know what I'm doing...
22:48 < jeev> sup ecrist.
22:48 < eX|Nazha> sorry, i was too tired just now. it was 4am just now.
22:48 < eX|Nazha> now it's 12.48pm :)
22:49 < ecrist> but 5 mins before I offered to help, you were very active with cj.
22:49 < ecrist> nm, do what you must
22:50 < eX|Nazha> all the helper from OPENVPN company support ?
22:51 < eX|Nazha> i mean, r u working for ovpn :)
22:52 < eX|Nazha> ok, what shall i do now? change the "server 10.8.0.0 255.255.255.0" to "10.8.0.1 255.255.255.0" ?
22:55 < eX|Nazha> i changed my server.ovpn "server 10.8.1.0 255.255.255.0" and my client assigned as 10.8.1.6
22:59 < krzie> eX|Nazha, ecrist knows his shit
22:59 < eX|Nazha> haha.
22:59 < eX|Nazha> well, what can i do next.
22:59 < krzie> eX|Nazha, what os are the machines?
22:59 < krzie> any windows?
23:00 < eX|Nazha> VPN server : VPS Debian / Client - Vista ( i am using now )
23:00 < krzie> all firewalls down?
23:00 < krzie> !logs
23:00 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
23:00 < eX|Nazha> where can i get my log file ? from vpn server?
23:00 < eX|Nazha> tail /etc/openvpn ?
23:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:05 < eX|Nazha> http://pastebin.com/mdb10942
23:08 < krzie> try route exe
23:08 < krzie> !factoids search win
23:08 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', and '2.1-winpass-script'
23:08 < krzie> !winroute
23:08 < vpnHelper> krzie: "winroute" is in windows if the route cannot be added, try route-method exe in your config file
23:08 < krzie> that
23:08 < krzie> route-method exe
23:10 < eX|Nazha> i dont understand.
23:10 < krzie> you sent me a logfile
23:10 < krzie> im saying edit the config file
23:10 < krzie> and add this:
23:10 < krzie> route-method exe
23:10 < eX|Nazha> which config file ?
23:10 < eX|Nazha> client1.ovpn ?
23:10 < krzie> how many logfiles did you send?
23:11 < eX|Nazha> 1
23:11 < krzie> then you should know which config
23:11 < krzie> the one that goes with the log!
23:12 < eX|Nazha> k
23:12 < eX|Nazha> edited. now disconnect OpenGUI and connect again ?
23:13 < eX|Nazha> http://pastebin.com/mb03278a -- new log from my client
23:15 < krzie> can you ping 10.8.1.1?
23:15 < krzie> from client
23:17 < eX|Nazha> http://pastebin.com/m190d5e2c
23:20 < eX|Nazha> .
23:22 < eX|Nazha> i got "Steganos Internet Anonym VPN" installed in this client pc
23:23 < eX|Nazha> now i am trying with my laptop. ( fresh install 2 days ago)
23:26 < eX|Nazha> hello ?
23:32 -!- esaym [n=user@cpe-70-120-89-6.satx.res.rr.com] has quit [Read error: 54 (Connection reset by peer)]
23:36 < eX|Nazha> :"9
23:39 < eX|Nazha> anyone here ?
23:41 < ecrist> nope
23:42 < eX|Nazha> well, krzie afk
23:42 < eX|Nazha> anyone can help ?
23:42 < eX|Nazha> ecrist, i still can not ping 10.8.1.1
23:43 < ecrist> talk to me tomorrow, going to bd.
23:43 < ecrist> bed*
23:44 < eX|Nazha> k
23:49 < eX|Nazha> anyone can help ?
23:57 < eX|Nazha> anyone can help ?
23:57 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 60 (Operation timed out)]
--- Day changed Wed Nov 05 2008
00:00 < eX|Nazha> anyone can help ?
00:06 < eX|Nazha> anyone here ?
00:11 < krzie> !logs
00:11 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
00:14 < eX|Nazha> http://pastebin.com/m1680c9f8
00:15 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
00:16 < eX|Nazha> http://pastebin.com/m1680c9f8
00:16 < eX|Nazha> anyone here ?
00:17 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:20 < eX|Nazha> ok. now i am able to ping :)
00:20 < eX|Nazha> i know y.
00:20 < krzie> firewall?
00:22 < eX|Nazha> weird timeout
00:22 < eX|Nazha> again.. just now. /etc/init.d/openvpn stop and only run server.ovpn
00:24 < eX|Nazha> can't ping again :(
00:27 < eX|Nazha> ahh!! can't ping
00:28 < eX|Nazha> again.. just now. /etc/init.d/openvpn start and only run server.ovpn ( Both must running right?)
00:30 < eX|Nazha> just now, i /etc/init.d/openvpn stop and only start server.ovpn.. it's able to ping. after that, i try to s
00:30 < eX|Nazha> etc/init.d/openvpn start to re-ping again.. and the result, timeout
00:35 < eX|Nazha> it works again.. then i disconnect and reconnect from my client side... to see what happen
00:35 < eX|Nazha> and now timeout again :(
00:36 < eX|Nazha> it works again ^.^
00:43 < eX|Nazha> well,
00:56 < eX|Nazha> any1 here ?
00:59 < ropetin> I think so...
01:00 < ropetin> :D
01:06 < eX|Nazha> ropetin
01:06 < ropetin> Herro!
01:07 < eX|Nazha> how to create another client keys ?
01:07 < eX|Nazha> i mean client#2.
01:08 < eX|Nazha> how to monitor after that ?
01:09 < eX|Nazha> is that possible allow him to use the VPN for 1 day only ?
01:09 < eX|Nazha> ropetin do u know ?
01:19 < eX|Nazha> How to make the crt expire in certain period of time ? / how to monitor my client ? / i am trying to create a new client2 but failed
01:21 -!- mRCUTEO [n=irclunat@vze.bentleytel.net] has joined ##openvpn
01:22 < mRCUTEO> hi
01:22 < mRCUTEO> !menu
01:22 < vpnHelper> mRCUTEO: "menu" is please use !factoids search *
01:22 < mRCUTEO> !openvpn
01:22 < vpnHelper> mRCUTEO: Error: "openvpn" is not a valid command.
01:22 < mRCUTEO> !factoids search multiple user
01:22 < vpnHelper> mRCUTEO: No keys matched that query.
01:22 < mRCUTEO> !factoids search multiple
01:22 < vpnHelper> mRCUTEO: No keys matched that query.
01:22 < mRCUTEO> !factoids search multiple concurrent user
01:22 < vpnHelper> mRCUTEO: No keys matched that query.
01:23 < mRCUTEO> !factoids search multiple certificate
01:23 < vpnHelper> mRCUTEO: No keys matched that query.
01:23 < mRCUTEO> Sign the certificate? [y/n]:y
01:23 < mRCUTEO> failed to update database
01:23 < mRCUTEO> TXT_DB error number 2
01:23 < mRCUTEO> anyone can help?
01:26 < eX|Nazha> How to make the crt expire in certain period of time ? / how to monitor my client ? / i am trying to create a new client2 but failed
01:27 < eX|Nazha> How to make the crt expire in certain period of time ? / how to monitor my client ? / i am trying to create a new client2 but failed ( u must define KEY_DIR)
01:30 -!- millun [n=chatzill@kastan.nat.praha12.net] has quit [Read error: 113 (No route to host)]
01:33 < jeev> mRCUTEO, you probably need to touch index.txt
01:33 < jeev> or serials
01:33 < jeev> i forget
01:33 < jeev> serial or serials
01:33 < jeev> one of the files
01:34 -!- mRCUTEO [n=irclunat@vze.bentleytel.net] has quit [Read error: 145 (Connection timed out)]
01:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:04 < krzie> !learn menu as please use \"!factoids search *\"
02:04 < vpnHelper> krzie: The operation succeeded.
02:05 < krzie> !menu
02:05 < vpnHelper> krzie: "menu" is (#1) please use !factoids search *, or (#2) please use \"!factoids search *\"
02:05 < krzie> !learn menu as please use "!factoids search *"
02:05 < vpnHelper> krzie: The operation succeeded.
02:05 < krzie> !menu
02:05 < vpnHelper> krzie: "menu" is (#1) please use !factoids search *, or (#2) please use \"!factoids search *\", or (#3) please use !factoids search *
02:05 < krzie> bleh
02:05 < krzie> !forget menu 2
02:05 < vpnHelper> krzie: The operation succeeded.
02:05 < krzie> !forget menu 2
02:05 < vpnHelper> krzie: The operation succeeded.
02:06 < krzie> !learn menu as please use '!factoids search *'
02:06 < vpnHelper> krzie: The operation succeeded.
02:06 < krzie> !menu
02:06 < vpnHelper> krzie: "menu" is (#1) please use !factoids search *, or (#2) please use '!factoids search *'
02:07 < krzie> !forget menu 1
02:07 < vpnHelper> krzie: The operation succeeded.
02:08 < krzie> eX|Nazha, when you sign the cert you choose how long to sign it for
02:10 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit ["mv hussein /jail && rm -f /bin/laden"]
02:21 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has quit ["Leaving"]
02:52 -!- ikevin_ [n=kevin@ANancy-256-1-97-121.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
02:53 -!- ikevin_ [n=kevin@ANancy-256-1-23-208.w90-13.abo.wanadoo.fr] has joined ##openvpn
03:37 -!- cousin_luigi [n=luigi@unaffiliated/cousinluigi/x-395723] has joined ##openvpn
03:38 < cousin_luigi> hello
03:39 < cousin_luigi> I'm trying to set up two static tunnels (tap0/tap1) but the second interface fails to appear on the server after being brought up
03:39 < cousin_luigi> any idea why?
03:40 < cousin_luigi> I mean, the connection is established but I have to force an ifconfig tap1 up
04:38 < eX|Nazha> I got problem when creating new client
05:20 -!- cousin_luigi [n=luigi@unaffiliated/cousinluigi/x-395723] has left ##openvpn []
05:22 < eX|Nazha> I got problem when creating new client
05:23 < eX|Nazha> I got problem when creating new client ( u must define KEY_DIR)
05:41 -!- paruchuri [n=qvantel@61.16.248.247] has quit [Read error: 110 (Connection timed out)]
05:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
06:26 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn
06:34 -!- dmarkey_ [n=dmarkey@79.97.241.103] has joined ##openvpn
06:34 < dmarkey_> is it possible to make the windows install unattended
06:37 < eX|Nazha> I got problem when creating new client ( u must define KEY_DIR)
06:46 < eX|Nazha> !log
06:46 < vpnHelper> eX|Nazha: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
06:46 < eX|Nazha> whoami
07:08 -!- nazha [n=nchin@56.121.49.60.cbj03-home.tm.net.my] has joined ##openvpn
07:09 < nazha> anyone here?
07:09 -!- eX|Nazha [n=asd@60.54.112.126] has quit [Read error: 110 (Connection timed out)]
07:10 < nazha> anyone here?
07:11 < nazha> anyone here?
07:17 < nazha> anyone here?
07:35 < nazha> I got problem when creating new client ( u must define KEY_DIR)
07:35 < nazha> I got problem when creating new client ( error msg : u must define KEY_DIR)
07:39 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Dryanta
07:40 -!- Netsplit over, joins: Dryanta
07:43 < nazha> I got problem when creating new client ( error msg : u must define KEY_DIR)
07:48 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
07:48 < onats> hello, is there a difference between tun and tap?
07:49 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
07:54 < nazha> I got problem when creating new client ( error msg : u must define KEY_DIR)
08:12 -!- eX|Nazha [n=nchin@60.53.50.84] has joined ##openvpn
08:12 < eX|Nazha> I got problem when creating new client ( error msg : u must define KEY_DIR)
08:21 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn
08:26 < eX|Nazha> I got problem when creating new client ( error msg : u must define KEY_DIR)
08:30 -!- nazha [n=nchin@56.121.49.60.cbj03-home.tm.net.my] has quit [Read error: 110 (Connection timed out)]
08:41 -!- zamba [i=marius@sveigde.hih.no] has joined ##openvpn
08:41 < eX|Nazha> I got problem when creating new client ( error msg : u must define KEY_DIR)
08:41 < zamba> what protocols is the built-in vpn client in windows using and can openvpn act as a server for this?
08:42 < eX|Nazha> i have set up the VPN probably.
08:43 < eX|Nazha> i am connected to VPN from client.. but i wont like to create a new client.key for my friend
08:46 < zamba> set up some kind of PKI then
08:47 < eX|Nazha> what do u mean? i am new to my VPN server which running on my Debian
08:47 < zamba> you need to set up a PKI (public key infrastructure)
08:48 < eX|Nazha> how to setup :)
08:48 < eX|Nazha> how shall i begin ?
08:50 < zamba> http://openvpn.net/index.php/documentation/howto.html#pki
08:50 < vpnHelper> Title: HOWTO (at openvpn.net)
08:50 < zamba> by reading
08:54 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.]
09:06 < eX|Nazha> How can i set expired on the crt ?
09:06 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:06 < onats> hi, what does "unable to write randowm state" mean?
09:06 < eX|Nazha> How can i set expired on the crt ?
09:16 < ecrist> eX|Nazha: you need to revoke the certificate
09:16 < ecrist> I'd suggest reading up on OpenSSL
09:17 < eX|Nazha> mind to teach :)
09:21 < ecrist> not really. there's a perl script to handle much of that for you, though
09:21 < ecrist> !ssl-admin
09:21 < vpnHelper> ecrist: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
09:24 < eX|Nazha> thanks for the link
09:25 -!- zirpu [n=zirpu@nefud.org] has joined ##openvpn
09:29 < ecrist> hey, zirpu
09:31 < eX|Nazha> above link, only for how to setup VPN.
09:31 < eX|Nazha> which paragraph said, how to use the SSL?
09:32 < ecrist> look for ssl-admin on that page. it's a perl script to manage SSL certificates
09:34 < eX|Nazha> opss. i got it.. but i dont understand :(
09:36 < eX|Nazha> i need a complete newbie guide :)
09:38 < zirpu> g'morning.
09:39 < ecrist> eX|Nazha: this isn't #openssl, sorry
09:46 < ecrist> eX|Nazha: go read some documentation, then come back.
09:46 -!- mode/##openvpn [+o ecrist] by ChanServ
09:47 -!- mode/##openvpn [+b *!*@60.53.50.84] by ecrist
09:47 -!- mode/##openvpn [-o ecrist] by ecrist
09:51 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 113 (No route to host)]
09:57 -!- drzed [n=drzed@synflood.homelinux.org] has left ##openvpn []
10:27 < ecrist> it's so quiet around here when krzee is gone
10:34 < jeev> yea
10:35 < PeterFA> Hey, if I make a router and make another subnet local, and affect my router which handles the Internet traffic to point all communication headed for that subnet to the VPN server, how will I make it handle encrypted data such as ssh appropriately?
10:35 < PeterFA> Because as we know, it's not necessary to send ssh through the VPN.
10:40 -!- babyhuey [n=huey@cpe-76-190-247-141.neo.res.rr.com] has left ##openvpn []
10:57 -!- thefish [n=thefish@unaffiliated/thefish] has joined ##openvpn
10:58 < thefish> anyone know if openvpn has a *client* side parameter that does the same as the server-side push "dhcp-options ..."?
11:06 -!- ebil|work [n=andy@216.64.93.22] has joined ##openvpn
11:07 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
11:08 < onats> hello.. need some help... i have established a vpn connection between two routers already... the devices on the client side can ping the devices on the server side, but when i ping the devices on the client side from the server side, i get a response timeout...
11:08 < ebil|work> what's the 'best practices' for doing DNS over openvpn? both systems run bind on debian, and the outcome I'd like is, if the vpn is up and you request something at sitea.com from siteb.com, it will resolve, however, if the vpn is down, it just doesn't resolve (I'd guess an NXDOMAIN error) any ideas?
11:08 < onats> doing a traceroute to the ip addresses on the client side, the route seems to go out of a third router on top of the two vpn routers...
11:11 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
11:14 -!- eX|Nazha [n=nchin@60.53.50.84] has quit [Client Quit]
11:19 < ecrist> PeterFA: all traffic, even traffic that's going to be encrypted anyway, goes through the vpn
11:20 < ecrist> thefish: read the HowTo, there's discussion of such options, though I'm not sure they work the way you want.
11:20 < ecrist> onats: can you pastebin your traceroutes?
11:21 < onats> ecrist, hold on..
11:21 < ecrist> ebil|work: you can handle such things with a push option (dns, specifically)
11:22 < ebil|work> ecrist, does that change my dns servers? or just add a new one?
11:22 * ebil|work goes to look at documentation
11:22 < ecrist> not sure, I think it changes, rather than adds, which shouldn't be a problem if you've got your DNS setup correctly.
11:23 < ebil|work> these are dns servers for two different domains
11:23 < ecrist> so?
11:23 < ebil|work> if I change the dns server, I lose the dns information for the current domain and pick up dns for the vpn'd domain
11:24 < ebil|work> but there's no reason that the 2nd dns server should have any information about the 1st domain
11:25 < ecrist> as I said, proper DNS config. test it, the option might add, rather than over-write your client DNS
11:25 < ecrist> I've not used the feature.
11:25 < ebil|work> ok
11:26 < ebil|work> sorry, I was just stating that yes, I could have the vpn'd dns server have data for both domains, but that it's fixing the symptom rather than the problem. I'm looking at the documentation now. thanks :)
11:28 < onats> ecrist, http://pastebin.ca/1245997
11:28 < onats> basically the machines on the server side, when pinging/tracerouting, go out of my network ( i am testing from within lan)
11:29 < onats> it does not get routed to the openvpn subnet (in my case 192.168.66.0)
11:29 < onats> but if i ping from the client router devices, i can ping the machine behind the vpn server...
11:30 < ebil|work> ecrist, Ahh, yeah. push DHCP options is the opposite of what I want. I need the CLIENT's dns server on the server... if that makes any sense lol
11:34 < onats> ecrist?
11:44 < ecrist> sorry, working, too.
11:45 < ecrist> onats: looks like you're missing a route
11:45 < ecrist> your clients need a route for that subnet to hit the vpn server
11:45 < ecrist> they're going out your default gateway
11:46 < ecrist> ebil|work: that makes no sense.
11:46 < onats> should i just put in client-to-client?
11:46 < ecrist> onats, no.
11:47 < ecrist> the machine you're having failed traceroutes on isn't aware of the correct route for that subnet
11:47 < ecrist> add it to your default gateway
11:48 < onats> pardon my ignorance, but where can i set that?
11:49 < ecrist> on the default gateway
11:49 < onats> here's my server config btw... http://pastebin.ca/1246033
11:49 < onats> doesn't the line push "route 192.168.0.0 255.255.255.0" do that?
11:50 < ebil|work> ecrist, I think the solution I'm looking for doesn't involve configuration in openvpn. it should be a transient connection, or maybe a bind slave-xfer
11:53 < ecrist> onats: no
11:53 < onats> ecrist, these lines: route add -net CLIENT1INTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.2
11:53 < onats> route add -net CLIENT2INTERNALSUBNET netmask 255.255.255.0 gw 10.0.2.2?
11:53 < ecrist> ebil|work: :) as I said, proper DNS config
11:53 < onats> sorry
11:54 < ebil|work> ecrist, AHH I thought you were referring to openvpn. pardon my hard-headedness
12:00 < onats> ecrist, should i add the route to the tun0 ip address?
12:00 < onats> of the client device i mean
12:11 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit ["Leaving"]
12:12 -!- babyhuey [n=huey@cpe-76-190-247-141.neo.res.rr.com] has joined ##openvpn
12:12 < babyhuey> slight issue, when i connect to openvpn, i can get to the server fine, but every other ip on that subnet is seen as the server
12:13 < babyhuey> like it is 192.168.1.106 and 192.168.1.102 is the same server
12:15 < ecrist> onats: no
12:15 < ecrist> babyhuey: elaborate
12:16 < babyhuey> on which part
12:16 < ecrist> all of it. it doesn't make sense.
12:17 < babyhuey> i connect to openvpn server. i can access the server at its ip: 192.168.1.106 and ssh and everything
12:17 < babyhuey> but i cannot see any other computer on the network
12:17 < babyhuey> all the other ips seem to be pointing at 192.168.1.106
12:25 -!- swemark [i=Mark@c-faa4e055.233-14-64736c16.cust.bredbandsbolaget.se] has joined ##openvpn
12:25 < babyhuey> do you want me to upload my server.conf file somewhere?
12:28 < ecrist> babyhuey: what do you mean 'all the other ips seem to be pointing at 192.168.1.106'?
12:28 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has quit ["You call it ADD, I call it multitasking"]
12:28 < babyhuey> if i open a web browser, and i go to say 192.168.1.104, the server at 192.168.1.106 comes up
12:29 < babyhuey> same with every ip that is alive on the network
12:30 < ecrist> what's a traceroute show?
12:30 < babyhuey> traceroute 192.168.1.104
12:30 < babyhuey> traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets 1 192.168.1.104 (192.168.1.104) 134.112 ms 134.909 ms 135.779 ms
12:32 < ecrist> a complete one, please.
12:32 < ecrist> to pastebin or other
12:33 < babyhuey> that is all that shows up
12:33 -!- ChanServ changed the topic of ##openvpn to: HowTo: http://openvpn.net/howto READ IT
12:33 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn
12:33 < ecrist> babyhuey: 192.168.1.104 is the local IP, no?
12:33 < babyhuey> no
12:33 < babyhuey> its 192.168.0.106
12:34 < babyhuey> er 1.106
12:34 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn
12:35 < Cisien> what would cause random high ping times through the tunnel, when pings outside of the tunnel are steady?
12:45 < ecrist> Cisien: processor load at one end of the tunnel.
12:45 < onats> help....
12:45 < onats> i cant figure out the routing tables...:(((
12:46 < ebil|work> ecrist, does openvpn support crypto-cards?
12:46 < Cisien> ebil|work, yes, it does
12:46 < Cisien> crypto-engine
12:46 < ebil|work> niiiiiiiice
12:47 < Cisien> ecrist, it's not cpu load, server reports 0% usage
12:47 < Cisien> I think it's congestion on the satellite
12:47 < Cisien> the only user that was on the vpn except me, was someone downloading the updates for EQ
12:47 < Cisien> how can i limit client downloads?
12:48 -!- Esine [i=dbguy@tohveli.net] has joined ##openvpn
12:51 < onats> ecrist, can you take a look at this: http://pastebin.ca/1246088
12:51 < onats> maybe you can see what's wrong?
12:53 < Cisien> where do the 192.168.1.0 and 192.168.0.0 networks sit?
12:54 < onats> cisien, 192.168.1.0 is on the client side, the 192.168.0.0 is on the server side..
12:54 < onats> i cant ping anything in the 192.168.1.0 from the server side...
12:54 < Cisien> it doesn't look like the other side is receiving the routes?
12:54 < Cisien> push "route blah"?
12:55 < onats> cisien, i put the push "route 192.168.0.0 255.255.255.0" on the server config...
12:55 < onats> is there something i have to set too on the client?
12:55 < Cisien> the push route, sends the route to the client
12:56 < onats> what about the route into the server?
12:56 < Cisien> you may need to set a 'route' on the server, and a 'push route' to send the route to the client
12:56 < Cisien> one of these days i'll learn about what i'm suggesting, so i can set it up on this side
12:56 < onats> can you give me a clue?
12:57 < Cisien> right now i have 3 clients behind an openwrt router connecting to the same vpn, instead of connecting the router to the vpn :P
12:57 < onats> basically from the server, i cannot ping anything behind the client!
12:57 < onats> so that's direct client right?
12:57 < Cisien> I think you need to setup the client so it can route
12:57 < Cisien> and make sure iptables isn't blocking those routes
12:58 < onats> but from the client, i can ping to the server devices...
12:58 < Cisien> clientserver
12:58 < Cisien> your setup?
12:59 < Cisien> client needs to know about servernetwork, server needs to know about clientnetwork
12:59 < Cisien> both server and client need to have forwarding enabled
13:00 * ecrist is burned out helping people with OpenVPN
13:00 < Cisien> ecrist, openvpn isnt too hard, after you learn how it works, and what it expects :)
13:01 < Cisien> i've learned a great deal over the past few days about it.
13:01 < onats> cisien, forwarding, as in the iptables?
13:01 < Cisien> i have my unique situation to thank for that
13:01 < Cisien> onats, as in kernel forwarding
13:02 < onats> in the route right?
13:02 < onats> can you take a peek in the pastebin?
13:03 < Cisien> it's a change in /etc/sysctl.conf
13:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:03 < Cisien> net.ipv4.conf.default.forwarding=1
13:03 < Cisien> add that to your /etc/sysctl.conf
13:03 < Cisien> and type sysctl -p to activate the change
13:04 < onats> hold on...
13:04 < onats> on the server right?
13:04 < Cisien> client and server
13:04 < Cisien> server sounds like it's already enabled
13:05 < Cisien> if you can ping the 'servernetwork'
13:05 < onats> ok.. yes i can ping the servernetwork
13:05 < onats> btw, im on dd-wrt using openvpn, if it matters...
13:05 < onats> coz i dont see a sysctl.conf
13:07 < Cisien> hrm, maybe no sysfs
13:07 < ecrist> Cisien: I *know* OpenVPN, I think I'm burned out on helping other people.
13:07 < ecrist> it's always the same problems.
13:07 < ecrist> usually, routing or ssl related.
13:07 < ecrist> which aren't OpenVPN problem.s
13:07 < Cisien> I understand - that happens with any project though
13:07 < ecrist> s/.s/s./
13:07 < Cisien> I supported an MMO emulator for a good couple years
13:07 < Cisien> always the same thing
13:07 < Cisien> but yeah
13:08 < Cisien> my problem was ... fun
13:08 < ecrist> Cisien: rather than manually setting the sysctl, add gateway_enable="YES" to /etc/rc.conf
13:08 < Cisien> connection taking more than 60 seconds to negotiate
13:08 < Cisien> ecrist, will that work in dd-wrt?
13:09 * Cisien isn't familiar with dd
13:09 < Cisien> openwrt 2.6 has sysctl :P
13:09 < cj> Cisien: get familiar :)
13:10 < cj> oh, dd not as in /usr/bin/dd :)
13:10 < Cisien> lets see if i can figure out tc enough to setup some speed limits
13:10 < Cisien> cj, yeah, dd-wrt :P
13:10 * Cisien knows dd
13:10 < cj> Cisien: shorewall has a nice tc interface
13:10 * onats about to cry
13:10 < cj> but the newer versions depend on perl, so they probably won't fit on the flash
13:10 < ecrist> Cisien: didn't realize you were talking about dd-wrt. was thinking it was *bsd
13:10 < Cisien> may be something to look into
13:11 < cj> you could compile your rules on one machine and apply them on the wrt
13:11 < Cisien> cj, my vpn server is running on a dual core xeon xen vps
13:11 < Cisien> i think i have enough storage for perl (20gb)
13:11 < Cisien> my openwrt router has an 80gb hdd :P
13:11 < cj> Cisien: oh, then you can probably run shorewall, quagga, and the rest of the world :)
13:13 < Cisien> tc confuses the fuck outta me
13:13 < Cisien> woah now, no need for quagga
13:26 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
13:27 < theromis> http://www.weichert.com/search/realestate/PropertyListing.aspx?P=21882207&cityid=29857&mls=130&ptypeid=30&pg=6&thankyou=445
13:27 < vpnHelper> Title: Los Gatos, CA 95033 Real Estate: MLS # 833537 (at www.weichert.com)
13:32 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:37 < ecrist> hi krzie
13:37 < krzie> good morning
13:37 < krzie> =]
13:45 < jeev> hey guys
13:45 < jeev> anyone know
13:45 < jeev> nortel phone systems
13:45 < jeev> there is a phone wire in the wall
13:45 < jeev> i want to find it on the 66 block
13:45 < jeev> what's the best way to do it
13:46 < ecrist> tone generator
13:46 < Cisien> yep
13:46 < jeev> but do i need to
13:46 < jeev> take the wire out of the 66 block ?
13:46 < ecrist> nope
13:46 < jeev> cause it's making weird noises when i put the tone reader thing
13:46 < jeev> it makes like a very weird noise
13:46 < ecrist> there can even be dialtone on the line
13:46 < jeev> cause i guess it's digital
13:46 < Cisien> no, just toss the tone generator on the wire in the wall
13:47 < ecrist> that's fine, just put the tone generator on the line
13:47 < Cisien> you'll hear the unique noise of the tone generator
13:47 < krzie> jeev, i think i have a shitton of nortel manuals
13:47 < jeev> so i need
13:47 < krzie> want me to find them?
13:47 < jeev> yea please
13:48 < jeev> ok so i get a tone generator
13:48 < jeev> and one of those phones
13:48 < jeev> you put positive and negative
13:48 < jeev> put it on monitor
13:48 < jeev> and listen ?
13:48 < Cisien> the tone generator comes with two parts
13:49 < Cisien> the tone generator (has two wires sticking out of it, and an on/off switch, attach that to the wires of the jack you want to find - then you have a wand with a speaker on it, use that to find the loudest tone that is generated by your tone generator
13:50 < jeev> ok
13:50 < jeev> Cisien
13:50 < jeev> ecrist
13:50 < jeev> will you guys be here in about an hour
13:50 < jeev> please
13:50 < jeev> i desperately need to fix this
13:51 < ecrist> yes
13:51 < Cisien> hrm, i may be going to grab a midnight snack, but i'll be nearby
13:51 < jeev> please guys
13:51 < jeev> it's my girlfriend's cousin's office
13:51 < krzie> why are you in charge of fixing that?
13:51 < ecrist> Cisien: fwiw, the 'wand with a speaker on it' is called an inductive amplifier.
13:51 < jeev> he's giving me a new laptop to give to his cousin as a gift
13:51 < jeev> because i dont want him to waste money
13:51 < krzie> if you dunno bout tone generators you arent the right guy
13:51 < jeev> i'll be back in a bit
13:51 < jeev> i do know about them
13:51 < jeev> i have one
13:51 < jeev> i'll get it in a bit
13:52 < jeev> i'll be back in about an hour guys
13:52 < jeev> thank you
13:52 < jeev> or less
13:52 < Cisien> ecrist, thanks, wasn't sure what to call that doo-thingie that made noise :p
13:52 < krzie> having one and having a clue bout phone systems is different
13:52 < krzie> hehe
13:52 < cpm> heh
13:52 < cpm> weelder is what I've always called'em
13:52 < cpm> weedler rather
13:52 < Cisien> noise-maker :PP
13:54 < krzie> hah you know you shoulda gone to sleep earlier when you wakeup to find that you were debugging your program in 2 gdb instances
13:55 < ebil|work> well crap. I broke something
13:56 < krzie> stuff breaker
13:57 < Cisien> lol
13:57 < ebil|work> I know :(
13:57 < ebil|work> so, the vpn works, but only from client to server :\
13:58 < Cisien> sweet
13:58 < ebil|work> and it USED to work both ways
13:58 < ebil|work> I've got my routes set up on both machines, I've got my ccd/client file set up, I've got -i tun+ -j ACCEPT for input and forward rules on both sets of iptables...
13:58 < ebil|work> and no errors in the l9ogs
13:58 < ebil|work> logs
13:59 < ebil|work> I was trying to add client based auth
13:59 < ebil|work> err filtering
14:00 < Cisien> last time i had that problem, a simple 'shutdown -r now' fixed it
14:00 < Cisien> i'm guessing it was an issue with my routing table
14:01 < ebil|work> I'd rather not shut down the machines...
14:01 < ebil|work> hmmm
14:01 < Cisien> this was on the server, when i had the problem
14:02 < ebil|work> I don't see any issues with my routing tables. they look fine...
14:03 < Cisien> probably wont do anything then
14:03 * Cisien goes back to reading the Traffic-Control-HOWTO
14:04 < krzie> nope cant find my nortel manuals
14:05 < krzie> firewall
14:06 < krzie> it cant be routes if the server or client can respond to the other
14:06 < krzie> cause if it can respond, it can initiate
14:06 < krzie> its firewall problem
14:06 < krzie> which should be obvious based on thats what you were changing
14:07 < krzie> you should have a copy from when it worked before you started changing stuff
14:07 < ebil|work> me? I wish I did :( but I'm stupid like that sometimes
14:07 < krzie> !factoids search client
14:07 < vpnHelper> krzie: "someclient2client" is http://openvpn.net/howto.html#policy
14:07 < krzie> !policy
14:07 < vpnHelper> krzie: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
14:07 < krzie> take a look at those
14:07 < krzie> !forget someclient2client
14:08 < vpnHelper> krzie: The operation succeeded.
14:08 < krzie> !learn someclient2client as [policy]
14:08 < vpnHelper> krzie: The operation succeeded.
14:08 < krzie> !factoids search client
14:08 < vpnHelper> krzie: "someclient2client" is "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
14:08 < Cisien> krzee, is there a way to limit the speed of the server-side transmit without using tc?
14:08 < krzie> whats tc?
14:08 < Cisien> traffic control
14:08 < krzie> there is --shaper
14:08 < Cisien> QoS, basically
14:08 < ebil|work> krzie, that's the problem, I removed all my changes (I'm pretty sure anyhow) and it still doesn't work, even without client access rules...
14:08 < krzie> !betaman
14:08 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html
14:09 < Cisien> aye, that doesn't work under mode server
14:09 < krzie> ebil|work, whatever, you know where the problem is
14:09 < krzie> the problem is where you changed stuff without backing it up
14:09 < ebil|work> yes
14:09 < krzie> hehe
14:09 < ebil|work> lol
14:10 < ebil|work> ok
14:10 < ebil|work> so it appears to be forwarding
14:10 < krzie> Cisien, realllly?
14:10 < krzie> no --shaper with --server ???
14:10 < ebil|work> because I can ping the 10.8.0.x address of the client from the server
14:10 < krzie> ebil|work, i gave you 2 links
14:11 < Cisien> krzee, nope, i got an error saying something to that effect when i tried it
14:11 < krzie> k well that sucks
14:11 < krzie> heheh
14:11 < krzie> you could use normal QoS
14:11 < krzie> at the kernel level
14:11 < Cisien> i'm thinking i'll just have to learn how linux's traffic shaping works, and implement that on the tun interface
14:11 < Cisien> yeah
14:11 < Cisien> i've been meaning to learn tc anyway, this just gives me an excuse
14:12 < krzie> TC is a new term to me
14:12 < krzie> we've been calling it QoS for over a decade
14:12 < Cisien> 'tc' is a program thats part of the iproute2 package
14:14 < krzie> ahh, a linuxism
14:15 < Cisien> lol, can't say i've heard that term before
14:15 < krzie> ya i just made it up
14:16 < ebil|work> krzie, I looked over those documents. I've got the firewall access rules in place and it still doesn't work, one thing I'm wondering about though, the tun adapter on the client has an addr of 10.8.0.6 w/ P-t-P of 10.8.0.5 and the server has 10.8.0.1 and 10.8.0.2 would that cause a problem?
14:17 < Cisien> ebil|work, that appears to be normal
14:17 < ebil|work> well crap...
14:17 < Cisien> since the server pushes out a route telling the client it can get to the .0 network through the .4 network
14:22 < krzie> !/30
14:22 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:27 < Cisien> with by reading
14:31 < ebil|work> /30 uses 4 ips because you have 1 network ip, 1 broadcast ip, and 2 usable IP's inbetween
14:37 < ebil|work> krzie, could you look at this: http://pastebin.com/d2007a04 it's both configs and output from each... I'm utterly lost as to why this is happening now. I'm going to post firewall configs too
14:40 < krzie> actually no, i gotta go
14:40 < krzie> ill bbl tho
14:40 < ebil|work> ok
14:40 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 145 (Connection timed out)]
14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 -!- \malex\ [i=CEystHT8@unaffiliated/malex/x-000000001] has joined ##openvpn
14:50 < \malex\> i have several clients connecting a single openvpn server using tap devices. they can all talk to the server just fine, but when they send arp requests over the tunnel for each other, the server doesn't seem to be forwarding them. am i doing something incredibly silly, or should the clients be able to talk to each other?
14:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:09 -!- swemark [i=Mark@c-faa4e055.233-14-64736c16.cust.bredbandsbolaget.se] has quit [Read error: 54 (Connection reset by peer)]
15:10 < ebil|work> the hell... the packets aren't even being routed to the vpn it doesn't look like...
15:11 < ebil|work> they show up in tcpdump on the server side, but not on the client side
15:12 < \malex\> i was doing something silly. i forgot to enable the client-to-client option. well, that'll teach me to read properly
15:12 < jeev> hey
15:12 < jeev> back
15:17 < ebil|work> hi
15:28 -!- ebil|work [n=andy@216.64.93.22] has quit [Read error: 60 (Operation timed out)]
15:40 < jeev> hi
15:42 < jeev> lol
15:43 < jeev> everyone said they'd be here
15:43 < jeev> nobody is here
15:43 < jeev> bah
15:49 -!- \malex\ [i=CEystHT8@unaffiliated/malex/x-000000001] has left ##openvpn []
16:14 < ecrist> jeev, I'm her
16:14 < ecrist> here*
16:14 < ecrist> and, fwiw, you're an hour late
16:24 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
16:26 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 104 (Connection reset by peer)]
16:28 < jeev> ecrist
16:28 < jeev> [11:51am] i'll be back in about an hour guys
16:28 < jeev> [01:12pm] hey
16:28 < jeev> ecrist, it's ethernet
16:28 < jeev> i can't trace it anywhere
16:50 < jeev> heh
17:03 -!- bandini [n=bandini@host107-105-dynamic.40-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
17:04 < krzee> you can trace ethernet...
17:06 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has quit [Read error: 110 (Connection timed out)]
17:07 < krzee> ebil: check client side firewall
17:24 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Connection timed out]
17:46 < ecrist> jeev: you should be able to trace it
17:48 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
17:49 < _Steve_> hi guys. i've got openvpn server setup and running, works fine. but one user can't access it due to their router. anyone heard of this happening before?
17:49 < _Steve_> same user, same computer (laptop) works fine via verizon evdo card
18:00 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"]
18:00 < krzee> _Steve_ THEY cant access it, or clients on their LAN cant?
18:04 -!- cj [n=cjac@pdpc/supporter/monthlybronze/cj] has quit [Read error: 104 (Connection reset by peer)]
18:22 < _Steve_> they can't access it, the vpn fails to connect
18:22 < _Steve_> well, it fails to initialize the connection
18:22 < _Steve_> i see it coming in to the vpn server in the logs, but they don't get the reply packets, so the connection setup fails
18:26 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
18:30 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Read error: 104 (Connection reset by peer)]
18:33 < krzee> ohhh
18:33 < krzee> sounds like router or ISP is blocking outbound UDP to the VPN's port
18:33 < krzee> try running the vpn server on udp 53
18:34 < krzee> or udp 123 if you already run a nameserver on that box
18:40 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has left ##openvpn []
18:45 -!- mode/##openvpn [+o krzee] by ChanServ
18:45 -!- mode/##openvpn [-b *!*n=enrique@lidsol.fi-b.unam.mx] by krzee
18:45 -!- mode/##openvpn [+b *!*@lidsol.fi-b.unam.mx] by krzee
18:47 < jeev> heh
18:47 < jeev> nobody was here to help LOL
18:47 < jeev> when i needed everyone!
18:47 -!- mode/##openvpn [-o krzee] by krzee
18:47 < _Steve_> i think i'll just tell the user to get a better router
18:48 < krzee> jeev
18:48 < krzee> !notopenvpn
18:48 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
18:48 < jeev> krzee
18:48 < _Steve_> jeev: here's your money back
18:48 < jeev> lol
18:48 < jeev> !calmdown
18:48 < vpnHelper> jeev: Error: "calmdown" is not a valid command.
18:48 < krzee> _Steve_, it might not be their router
18:48 < jeev> steve, paypal ?
18:48 < _Steve_> your $0.00 is in the mail
18:48 < jeev> !
18:48 < krzee> _Steve_, its much more likely their ISP
18:48 < krzee> have you tried changing the port like i suggested?
18:49 < _Steve_> no
18:49 < _Steve_> it's bell south, i think
18:49 < krzee> and why haven't you?
18:49 < _Steve_> because you just told me?
18:49 < _Steve_> and it takes more than 5 seconds
18:49 < _Steve_> and besides, i'm not doing it right now, i'll do it later if at all
18:50 < _Steve_> i'll test when i can afford for it to not work
18:50 < krzee> you can always run a second instance for the test
18:50 < _Steve_> i was asking for advice, not a solution, so i'm happy with the suggestion
18:50 < _Steve_> sure, but i'd have to get the user to test
18:50 < krzee> you dont have to test using the production vpn
18:50 < krzee> yup
18:50 < _Steve_> and i can't do that right now
18:51 < krzee> but if you tell them to get a new router its unlikely to fix the problem
18:51 < _Steve_> besides, i hate the user and i'm just as happy to tell them to use the evdo card
18:51 < _Steve_> you don't think it's the router?
18:51 < _Steve_> you said it could be the router or the ISP
18:52 < krzee> much more likely the ISP, but theres a chance it is their settings on their router
18:52 < krzee> or their firewall, if those are separate
18:53 < _Steve_> if it's the ISP i'll tell the user to call and complain
18:53 < krzee> in fact it could be the firewall on the OS being enabled for the LAN interface and not evdo interface
18:53 < _Steve_> interesting
18:53 < _Steve_> i hadn't considered that
18:54 < krzee> so you can test router by bypassing it and plugging directly in
18:55 < krzee> then you check local firewall
18:55 < _Steve_> yeah, i was going to tell the user to do that
18:55 < krzee> if it still dont work, it is ISP
18:55 < _Steve_> dude
18:55 < _Steve_> this is basic troubleshooting
18:55 < _Steve_> i know how to do that. :)
18:55 < krzee> can test isp port 53 by querying a NS directly for a zone it has
18:55 < krzee> lol it was basic troubleshooting the whole time, but you did ask ;]
18:55 < _Steve_> my question was if anyone has heard of this happening before?
18:55 < krzee> yes
18:55 < krzee> it happens often
18:56 < _Steve_> ie, is it common for routers to block the port?
18:56 < krzee> no
18:56 < krzee> not by default
18:56 < _Steve_> i'm looking for if anyone has experience and suggests which thing is best to investigate first...
18:56 < krzee> but ive seen plenty of people running homebrew routers or those linksys linux firmwares
18:56 < _Steve_> ok, not common
18:56 < krzee> and in those cases its more common
18:56 < _Steve_> this is a linksys, but using default stuff
18:57 < krzee> the best order would be what i said above
18:57 < _Steve_> firewall (on system), ISP, then router?
18:57 < krzee> bypass the router
18:57 < krzee> check local firewall
18:58 < krzee> if still no work, it is ISP, in which case test port 53 udp outbound by querying a NS for a zone it controls
18:58 < krzee> a NS that the ISP wouldnt know/care about
18:59 < krzee> ie: host doeshosting.com ns1.doeshosting.com
18:59 < _Steve_> good lord, if they're blocking DNS outbound, or intercepting it, that would be horrible
18:59 < _Steve_> do ISPs do that?
18:59 < krzee> if it can ask ns1.doeshosting.com for doeshosting.com then you can change to port 53 and it will work
18:59 < krzee> ive seen ISPs do equally stupid stuff
19:00 < krzee> if they're blocking the UDP port you are using, check for udp 53 since its most commonly unblocked
19:01 < krzee> other advantage of that is its most common to be unblocked for your road-warriors
19:01 < _Steve_> right
19:05 < krzee> one reason an ISP would demand you to use their NS would be to counter the 50x amplification recursive ddos attack
19:06 < _Steve_> that makes sense
19:06 < _Steve_> my ISP doesn't tho, i think
19:06 < _Steve_> (TWC)
19:06 < _Steve_> i used to run my own NS and have it recurse to the roots... :)
19:07 < _Steve_> naughty i know, but it wasn't until i stopped doing that (didn't feel like running a server any more) that I noticed they are redirecting NXDOMAIN requests to their search/ad page now... :/
19:07 < _Steve_> i may start running a server again soon....
19:21 < krzee> <_Steve_> i used to run my own NS and have it recurse to the roots... :)
19:21 < krzee> nothing naughty bout that
19:21 < krzee> hell its one less request than those who forward recursion
19:22 < krzee> and since im sure you blocked recursion to the allowed hosts, its safe
19:22 < krzee> of course if you didnt, you could be used as a ddos amplifier/bouncer
19:30 < _Steve_> well, at the time i allowed requests for my own domain, but that's all, since i served it there
19:31 < krzee> i thought you said you allowed recursion
19:31 < _Steve_> for internal hosts only
19:31 < krzee> ahh ya
19:31 < krzee> nothing bad bout that
19:31 < krzee> thats the best way
19:31 < _Steve_> yeah
19:53 * _Steve_ emails with user
19:53 < _Steve_> blah
20:15 < _Steve_> ok, the user is using the same ISP i am, i know they're not blocking anything
20:15 < _Steve_> and the user verified the firewall on the computer is off
20:16 < _Steve_> so it's gotta be the stupid router
20:23 < jeev> 0.0.0.0 128.0.0.0 10.10.2.9 10.10.2.10 1
20:23 < jeev> hmm
20:23 < jeev> how is that getting there?
20:23 < jeev> i'm not pushing gateway 20:24 < jeev> ahh 20:24 < jeev> it's being pushed on server 20:24 < jeev> ;D 20:24 < ebil> krzee, sorry, I just got home 20:25 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 20:25 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has quit [Read error: 113 (No route to host)] 20:26 < jeev> hmm 20:27 < jeev> now, everything is going WRWRRWR RWRW 20:27 < jeev> heh 20:29 -!- CppIsWeird [i=dude@unaffiliated/cppisweird] has joined ##openvpn 20:30 < jeev> wtf 20:33 < _Steve_> oh great 20:33 < _Steve_> so that's not even the problem 20:34 < _Steve_> it sets up the vpn connection fine 20:34 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 20:34 < _Steve_> but they can't see the samba file server 20:34 < _Steve_> i wonder why. 20:35 < jeev> uh 20:35 < jeev> if i dont push default gateway now 20:35 < jeev> i get WRWRWRWRWRWR going crazy 20:35 < jeev> and it doesn't work 20:35 < jeev> ;/ 20:35 < _Steve_> is that my problem? no default gateway? 20:36 < _Steve_> probably not 20:36 < _Steve_> i guess 20:36 < _Steve_> i dunno 20:36 < jeev> huh 20:36 < jeev> what's your problem 20:37 < jeev> i dont know much about the 20:37 < jeev> internal LAN 20:37 < _Steve_> user can connect via vpn, but connecting to samba doesn't work 20:37 < jeev> about VPN so sorry 20:37 < jeev> have you tried iroute ? 20:37 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 20:37 < _Steve_> ? 20:38 < jeev> in your ccd 20:38 < jeev> irout the proper lan address? 20:38 < jeev> i dont know :( ask krzee 20:38 < _Steve_> krzee? 
20:39 < jeev> he's not here right now 20:39 < _Steve_> damn 20:39 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 20:40 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 20:50 < ebil> if someone has a second, I have a problem I was working on earlier 20:50 < ebil> I have a server and a client 20:51 < ebil> server is a router with 2 networks behind it, client is a router with 2 networks behind it. the client and machines behind it can ping/connect to the server however the server and machines behind it can't ping/connect to the client or machines behind it. they can ping the tun address, but that's it (tcpdump on the client isn't picking up any packets on the tun device) 20:52 < ebil> configs/logs/route table here: http://pastebin.com/d731ad184 20:55 < ebil> it used to work, and I screwed something up I think :( 21:06 < ebil> so if anyone could look at those and offer any suggestions I'd be very appreciative 21:16 < krzee> <_Steve_> user can connect via vpn, but connecting to samba doesn't work 21:16 < krzee> connecting to samba by IP right? 21:17 < krzee> by VPN ip 21:17 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 21:18 -!- KyleK [n=Kyle@allspark.shadowmage.org] has joined ##openvpn 21:18 < krzee> ebil: check client side firewall 21:18 < KyleK> hey is there a client side configuration option for setting default route? 21:19 < krzee> !def1 21:19 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 21:19 < krzee> see #2 21:20 < ebil> krzee, what should I check about it? I added those rules (or their equivalents) from that post you gave me... 
21:20 < KyleK> thx 21:20 < ebil> lemme double check 21:23 < _Steve_> krzee: yeah 21:23 < _Steve_> krzee: one thing i've noticed, i can't ping IPs inside the lan on the other side of the VPN, so something else is off, it's not just samba 21:31 < ebil> krzee, it's not a firewall issue, I'm 90% sure (I set all targets on iptables to ACCEPT, still no data coming through the vpn) 21:31 < ebil> I'm really stumped this time :\ 21:33 < krzee> its still a firewall issue 21:33 < krzee> _Steve_ 21:33 < krzee> !route 21:33 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:33 < krzee> you need that doc 21:33 < _Steve_> krzee: i'm using tap 21:34 < krzee> oh well i have no clue then 21:34 < _Steve_> but, here's the thing 21:34 < krzee> i dont use tap, nor do i troubleshoot it 21:34 < _Steve_> i can't even ping the IP of my tap interface 21:34 < krzee> maybe someone else will be able to help 21:34 < ebil> krzee, you are saying that steve's problem is a firewall issue, or my problem is? (sorry, long day at work today) 21:35 < krzee> your problem is 21:35 < krzee> you have 1-way connectivity 21:35 < krzee> thats a firewall issue 21:35 < krzee> his, i have no clue 21:35 < krzee> he lost me at "tap: 21:35 < krzee> s/:/"/ 21:40 < ebil> did my routing look ok? 21:40 < ebil> I'm wondering if it's not routing the .173.x network to the tunnel... 21:41 < ebil> because it doesn't even show up in tcpdump (which should show the packets even if they're dropped by iptables) 21:43 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 22:08 < ebil> krzee, I can ping the TUN address of the client router from the server. so it's forwarding it appears (which is set to ACCEPT). I'm at a loss, I've double checked everything, I've disabled my firewalls and it's still not connecting past the client router. I'm sorry, I'm being so stubborn, but I don't see how it can be a firewall issue :\ 22:16 < ebil> yeah.
the packets aren't even making it to the client, they're never even picked up by iptables 22:17 < ebil> if I ping 10.8.0.6 I get this: Nov 5 23:16:33 noodles kernel: IN=tun0 OUT= MAC= SRC=10.8.0.1 DST=10.8.0.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=53770 SEQ=6 22:17 < ebil> if I ping 192.168.173.3 I get nothing 22:17 < krzee> ohhh 22:17 < krzee> did you look at: 22:17 < krzee> !route 22:17 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 22:18 < ebil> yes. I'm not using client-to-client, so I left off the last 2 route statements, but that's it 22:18 < ebil> (it was working earlier without those statements) 22:19 < krzee> didnt you say at one point that everything used to be working 22:19 < ebil> yes :( 22:19 < krzee> then you started playing with firewall, not it doesnt all work? 22:19 < krzee> s/not/now/ 22:19 < ebil> no, I started playing with client-access controls 22:19 < krzee> client-access controls... like what? 22:20 < krzee> not firewall? 22:20 < ebil> well 22:20 < ebil> I barely got that far 22:20 < ebil> my firewall rules reset 22:20 < ebil> but I added back the rules I had in place 22:20 < krzee> thats all you change for controlling per client access 22:20 < krzee> the firewall! 22:20 < krzee> heh 22:20 < krzee> what else were you changing for that? 22:20 < ebil> -A INPUT -i tun+ -j ACCEPT and -A FORWARD -i tun+ -j ACCEPT 22:21 < krzee> i cant help with linux firewall 22:21 < ebil> I had changed the server to use tun0 explicitly 22:21 < krzee> you have iroute entries in place? 22:22 < ebil> iroute 192.168.0.0 255.255.255.0 22:22 < ebil> iroute 192.168.173.0 255.255.255.224 22:22 < krzee> where? 22:22 < ebil> for the client 22:22 < ebil> ccd/noodles 22:22 < krzee> both?? 22:22 < ebil> yes... it's a f'd up router at my parents house... 22:22 < krzee> the client can ping 10.8.0.1? 
22:23 < ebil> yes 22:23 < ebil> and the server can ping 10.8.0.6 22:23 < krzee> where is 192.168.183.0 22:23 < krzee> and where is 192.168.184.0 22:23 < ebil> server side 22:23 < ebil> both of those are server side 22:23 < ebil> 1 is the 'wired' network one is wireless 22:23 < krzee> 2 lans behind server, 2 lans behind client 22:23 < ebil> yes 22:24 < krzee> ok 22:24 < krzee> your setup is correct 22:24 < krzee> its your firewall 22:24 < ebil> but it's off... 22:24 < ebil> lol 22:24 < krzee> you'd lol at how many times ive heard that, then was told a day or 2 later they figured it out and it was the firewall 22:25 < krzee> im no iptables expert so i cant be much help 22:25 < krzee> but its your firewall 22:25 < ebil> I'll keep at it... 22:25 < krzee> what you want is: 22:25 < krzee> to allow the following ips to access to following: 22:26 < krzee> 192.168.0.0 , 192.168.173.0 , 10.8.0.x should all be able to access 192.168.183.0 , 192.168.184.0 , 10.8.0.0 22:26 < krzee> and vice versa 22:26 < ebil> ok, well I currently have the firewall turned off in BOTH directions now, let's see if that fixes it... 22:27 < krzee> ip forwarding turned on? 22:27 < ebil> set to ACCEPT 22:27 < ebil> err 22:27 < ebil> yes 22:27 < ebil> it is in /proc/sys/net/ipv4/ip_forwarding 22:27 < krzee> k 22:27 < krzee> that file should just have a 1 22:29 < krzee> i think the client needs ip forwarding on too... 22:30 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has quit [Read error: 104 (Connection reset by peer)] 22:30 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn 22:30 < ebil> lol 22:30 < ebil> yeah, both routers have forwarding turned on 22:32 < ebil> so if I'm at 10.8.0.1, should the proper 'path' of a ping to 192.168.173.3 be 10.8.0.1 > 10.8.0.6 > 192.168.173.3? 22:34 < ebil> the gateway for 192.168.173.0 is 10.8.0.2 which is the ptp address for tun0 on the server. I dunno.
22:41 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:42 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has joined ##openvpn 22:42 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Luria, [intra]lanman 22:46 < krzee> 192.168.173.3 is behind the client right? 22:47 < krzee> intralanman, your spoof is down 22:47 < ebil> krzee, yes, it is 22:48 < ebil> I'm starting the config process over meticulessly step by step not even making any speeling mistaykes while I'm at it 22:48 < ebil> (I can't spell worth crap :( 22:48 < ebil> but I do know the difference between your you're and yoar 22:48 < intralanman> krzee: huh? 22:50 < krzee> ... intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has joined ##openvpn 22:50 < krzee> ebil your config is right 22:50 < krzee> its your firewall 22:51 < krzee> i can set my bot to just tell you that hourly if you prefer 22:51 < ebil> it can't be my firewall. I turned it completely off :\ 22:51 < intralanman> krzee: oh, yeah.... 
[intra] needs to be ghosted 22:52 < ebil> krzee, for some reason it's not even hitting the tun adapter on the client side if I ping an address behind the client side router, at the very least it should hit the tun adapter and then fail 22:52 < ebil> the kernel never even sees the packet hit 22:56 < krzee> ya, it would if there wasnt a firewall stopping it 22:56 < krzee> heheh 22:56 < krzee> set your firewalls to allow everything like you had, then set a default log 22:56 < krzee> log it all, see where it blocks 22:57 < krzee> !policy 22:57 < vpnHelper> krzee: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 22:58 < krzee> mario who wrote the second link went through this entire same conversation with me 22:58 < krzee> eventually he came back and said 'turns out it WAS my firewall' 22:58 < krzee> then he made that writeup for anyone else in his problem 23:01 < krzee> hey intralanman 23:02 < krzee> i dont have time to look right now, could you tell me something i should be looking up myself? 23:02 < intralanman> hey krzee 23:02 < krzee> i wanna make freeswitch re-read my configs 23:02 < krzee> can i just HUP the pid of /home/krzee/freeswitch-1.0.1/.libs/freeswitch 23:02 < krzee> ? 23:03 < intralanman> krzee: is the bot supybot or blootbot? 23:03 < krzee> supy 23:03 < intralanman> do you have the console up? 23:03 < krzee> i dont 23:03 < intralanman> reloadxml if you do 23:03 < krzee> i just sshed on in and grabbed root\ 23:04 < intralanman> echo -t "auth Cluecon\n\napi reloadxml\n\nexit\n\n" | nc localhost 8021 23:04 < krzee> Content-Type: auth/request 23:05 < krzee> thanx 23:05 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 110 (Connection timed out)] 23:06 < intralanman> did that work? 
23:06 < krzee> i think it did 23:06 < krzee> ill find out later =] 23:07 < krzee> thanx man, ill bbiab 23:07 < intralanman> alias fs_reloadxml='echo -t "auth Cluecon\n\napi reloadxml\n\nexit\n\n" | nc localhost 8021' 23:07 < intralanman> then you can do it easier next time :-) 23:09 < intralanman> yeah, i think i'm gonna split too... time for bed 23:09 < ebil> krzee, I have to say this. it's not my firewall. it's not making it that far. my FIRST firewall rule for input is to log level DEBUG all the packets. if I ping 10.8.0.6, they show up. if I ping 192.168.173.x they don't. meaning they never make it to the client. the route for 192.168.173.0/27 on the server is: 192.168.173.0 10.8.0.2 255.255.255.224 UG 0 0 0 tun0. it's not leaving my server basically, though tcpdump sh 23:09 < ebil> ows that it is. I wonder if verizon is blocking it :( 23:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 23:19 < ebil> I dunno. if it's any help, when I ping 192.168.173.3 from the router, here's what I get in tcpdump on the server 23:20 < ebil> 18:59:24.869186 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.8.0.1 > 192.168.173.3: ICMP echo request, id 7692, seq 1, length 64 23:20 < ebil> if I ping from a machine behind the server router I get this: 23:21 < ebil> 18:59:57.824862 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.183.10 > 192.168.173.3: ICMP echo request, id 64617, seq 7, length 64 23:47 < krzee> hehe 23:50 < ebil> is that correct? or no? 
(i'm hoping no) 23:50 < ebil> lol 23:52 < krzee> no idea 23:52 < krzee> i just hopped on to fix something of mine 23:52 < krzee> ill bbiab still 23:52 < ebil> lol 23:56 < ebil> in any case, i've proven it's not MY firewall, it's one of my ISP's I think (tcpdump still shows packets even if iptables is firewalling the interface, so, because it's not showing packets means the packets are never reaching the client 23:57 < krzee> your isp cant even tell what you're trying to do 23:57 < krzee> all they see is the same tunnel you can ping over --- Day changed Thu Nov 06 2008 00:00 < ebil> I figured they could check whether or not packets are going across 00:00 < krzee> they cant tell what is inside the vpn tunnel 00:00 < krzee> if they did, you wouldnt have a vpn 00:00 < krzee> i mean, that is the point 00:09 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has quit [Read error: 104 (Connection reset by peer)] 00:13 < ebil> krzee, I just meant they could tell me: when I ping 10.8.0.1 "Yes, packets are showing up on our network" and when I ping 192.168.173.3 they could tell me whether or not packets (to the same destination) were leaving my modem. 00:14 < ebil> and whether or not their network was dropping them 00:14 < ebil> true they couldn't tell me what was inside of them 00:14 < ebil> :) 00:14 < krzee> their network is not dropping them 00:14 < ebil> but they could say whether or not they were there 00:14 < krzee> and im busy, bbiab 00:14 -!- krzee [i=krzee@unaffiliated/krzee] has left ##OpenVPN [] 00:14 -!- ebil is now known as ebil|asleep 00:23 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has joined ##openvpn 00:28 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 00:29 < Luria> ok, so my routes dont seem to be getting pushed to my client 00:30 < Luria> though this server and client conf has worked for a long time 00:30 < Luria> openvpn just seems to be clearing my routing table 00:31 < Luria> any thoughts? 
00:32 < Luria> except i am able to connect to machines on my lan, just not use the gateway 01:13 -!- whaletales [n=Paul@5ad2c3bc.bb.sky.com] has joined ##openvpn 01:13 -!- whaletales [n=Paul@5ad2c3bc.bb.sky.com] has quit [Read error: 104 (Connection reset by peer)] 01:14 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:36 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn 02:05 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Remote closed the connection] 02:24 -!- krzee [i=krzee@unaffiliated/krzee] has joined ##OpenVPN 02:24 -!- krzee [i=krzee@unaffiliated/krzee] has left ##OpenVPN [] 02:24 -!- krzie is now known as krzee 02:25 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##OpenVPN 02:42 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)] 02:47 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has joined ##openvpn 02:50 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has quit [Read error: 104 (Connection reset by peer)] 03:01 -!- millun_ [n=chatzill@88.103.127.204] has joined ##openvpn 03:01 < millun_> hello 03:02 < millun_> i wonder what "route gateway not reachable on any active network adapters" means ? 03:10 < millun_> it is not a problem with firewall, of that i am almost sure 03:15 < thefish> millun_: maybe double check that the gateway for all the pushed routes is reachable by the openvpn adapter? 03:17 < millun_> how would i do that please? 03:17 < millun_> Thu Nov 06 10:16:24 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.0.6/255.255.255.252 on interface {E1A3E514-B820-4B54-9410-53EC4831CBCC} [DHCP-serv: 10.20.0.5, lease-time: 31536000] 03:17 < millun_> Thu Nov 06 10:16:24 2008 Successful ARP Flush on interface [3] {E1A3E514-B820-4B54-9410-53EC4831CBCC} 03:17 < millun_> Thu Nov 06 10:16:55 2008 Warning: route gateway is not reachable on any active network adapters: 10.20.0.1 03:44 < millun_> any ideas? 
03:44 < millun_> i tried googling but with no result 04:05 -!- jfkw [n=jtk@static-64-65-249-140.buf.choiceone.net] has quit [Read error: 110 (Connection timed out)] 04:42 < Cisien> seems like the client isn't receiving the route for the 10.2.0.0 network 04:42 < millun_> so the problem is not on my part? 04:43 < Cisien> Thu Nov 06 03:27:07 2008 C:\WINDOWS\system32\route.exe ADD 10.0.10.0 MASK 255.255.255.0 10.0.10.9 04:43 < Cisien> Thu Nov 06 03:27:07 2008 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4 04:43 < Cisien> Thu Nov 06 03:27:07 2008 Route addition via IPAPI succeeded [adaptive] 04:43 < Cisien> should be something very similar to that in your client log 04:44 < Cisien> you can probably add a 'route 10.20.0.0 255.255.255.0' to your client config 04:44 < Cisien> see if that fixes things 04:44 < Cisien> if you don't control the server, anyway 04:44 < millun_> my friend controls the server 04:44 < Cisien> may be mis-configured on his end 04:44 < millun_> i use config created by openvpn 04:45 * Cisien thinks he implemented QoS on his vpn tunnel 04:46 < Cisien> 8 links, 1mbit, 128k per link CIR, burstable to 1mbit total between all the links 04:46 < Cisien> 'links' == clients 04:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:46 < Cisien> what they do with their 128k is on them 04:47 < millun_> Cisien: didnt help 04:47 < Cisien> try adding 10.20.0.5 to the end of that route line 04:47 < Cisien> ...keep in mind, if your ip changes, then this command wont work anymore 04:48 < millun_> route 10.20.0.0 255.255.255.0 10.20.0.5? 
04:48 < Cisien> yeah 04:48 < Cisien> btw, if someone who knows better thinks i'm wrong, please, slap me :P 04:50 < millun_> no improvement 04:50 < Cisien> hrm 04:51 < Cisien> lemme post my client/server configs for you to compare with yours, and your friend to compare against 04:51 < krzee> !route 04:51 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 04:51 < krzee> !sample 04:51 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 04:51 < krzee> *back to sleep* 04:51 < Cisien> lol, krzee 04:51 < Cisien> am i right though, that he's missing a route somewhere? 04:52 < Cisien> maybe it's the windows firewall - did you disable it? 04:52 < krzee> i dunno, havnt seen his configs 04:53 < krzee> !configs 04:53 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 04:53 < krzee> !logs 04:53 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 04:53 < millun_> http://www.paste2.org/p/97635 04:55 < millun_> i cant access the server config as of now 04:55 < millun_> i will try to post it when i get home 04:56 < krzee> k, ill go back to sleep for a bit 04:56 < krzee> !route 04:56 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 04:56 < krzee> be sure to understand that 04:56 < krzee> as i have no clue what is wrong, that may or may not help 04:56 < krzee> hehe 04:57 < krzee> im guessing you have a lan behind the server 04:57 < krzee> and you cant reach it? 04:58 < Cisien> he can't access the .1 address 04:58 < millun_> no, i need to connect to the server (10.20.0.1 probably?) 04:58 < Cisien> from the tunnel's subnet 04:58 < millun_> i have been assigned 10.20.0.6 04:58 < krzee> and cant ping 10.20.0.6?
04:58 < krzee> err 04:58 < krzee> .1 04:58 < millun_> no 04:58 < millun_> packets get lost 04:58 < krzee> !logs 04:58 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 04:58 < millun_> ok 04:59 < millun_> will try to get them 04:59 < krzee> got client not? 04:59 < krzee> now? 04:59 < millun_> yes 04:59 < krzee> set to 6 04:59 < millun_> i dont know where to set the verbose option 04:59 < krzee> verb 6 04:59 < krzee> in the config 05:00 < Cisien> http://pastebin.com/d2b787fbe - if you feel like comparing what i have to yours 05:00 < Cisien> keep in mind, some of those settings apply only to my situation 05:00 < Cisien> krzee, mtu at default gives me the best performance, even though this is a sat link :) 05:01 < millun_> http://www.paste2.org/p/97640 05:02 < Cisien> thats not verb=6, is it? 05:02 < millun_> verb=6 ? i thought it was "verb 6" 05:02 < krzee> Cisien, sweet 05:03 < Cisien> millun_, it is 05:03 < Cisien> verb 6 05:03 < Cisien> that just looks short :P 05:03 < krzee> its not verb 6 05:04 < krzee> !winroute 05:04 < vpnHelper> krzee: "winroute" is in windows if the route cannot be added, try route-method exe in your config file 05:04 < Cisien> add 'pull' to your client config 05:04 < Cisien> see if that does something 05:04 < millun_> crap ! i was editing wrong config file 05:04 < Cisien> lol 05:04 < krzee> Cisien, --client implies --pull 05:04 < Cisien> yeah 05:04 < Cisien> thats right 05:05 < Cisien> i'm using tls-client (which is also implied by client) 05:05 < Cisien> millun_, my log = this is what it should look like after verb3 05:05 < Cisien> http://www.paste2.org/p/97644 05:06 < millun_> i inserted verb 6 at the start of the file 05:06 < Cisien> is verb 3 at the bottom somewhere? Check that first 05:06 < krzee> it has verb 2 in the middle 05:06 < millun_> good point !
there was verb 2 05:07 < krzee> and im going back to sleep in a minute either way 05:07 < krzee> add route-method exe as well 05:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:09 < Cisien> krzee, good suggestion, i'll do that with mine 05:09 < Cisien> the warnings are annoying 05:09 < millun_> http://www.paste2.org/p/97645 05:09 < millun_> there it is :) 05:10 < krzee> millun_, did you add what i said? 05:10 < krzee> [07:07] add route-method exe as well 05:10 < Cisien> route is pushed twice 05:11 < Cisien> route 10.20.0.0 05:11 < Cisien> but yeah, that setting that krzee suggested, should fix your problem 05:16 < millun_> unrecognized option or missing parameter 05:16 < krzee> oh that could be just 2.1 05:17 < millun_> ? 05:25 < millun_> Thu Nov 06 12:24:28 2008 us=280648 route ADD 10.20.0.0 MASK 255.255.255.0 10.20.0.1 05:25 < millun_> The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine. 05:25 < millun_> Thu Nov 06 12:24:28 2008 us=386217 route ADD 10.20.0.0 MASK 255.255.255.0 10.20.0.1 05:25 < millun_> The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine. 05:25 < millun_> Thu Nov 06 12:24:28 2008 us=457256 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv ) 05:25 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net) 05:26 < krzee> cool 05:26 < krzee> have a gnite 05:26 < krzee> talk to ya later when you have server side 05:26 < millun_> ok 05:26 < millun_> thanks 05:51 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Read error: 60 (Operation timed out)] 06:06 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 06:06 < paruchuri> hi 06:06 < paruchuri> any one knows format of dtime? 06:07 < onats> ecrist, are you there?
06:25 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn 06:29 < onats> cisien, hi 06:30 < onats> for my tun0 interface, there are two ip's one is the inet addr, the other is P-t-P. whats the difference? 07:12 < ebil|asleep> onats, I think one is your internal tunnel address and the other is the actual endpoint address 07:13 < ebil|asleep> also, I removed the possibility that it is the firewall on my client router that is the problem. I completely removed iptables from the kernel (so, no packet inspection AT ALL) still no dice. ::sighs:: 07:14 -!- ebil|asleep is now known as ebil|gonetowork 07:26 < onats> should i be pointing to the routes to the actual endpoint address or to the internal tunnel address? 07:27 * onats just needs to be able to ping devices behind vpn clients... 07:44 -!- babyhuey [n=huey@cpe-76-190-247-141.neo.res.rr.com] has left ##openvpn [] 07:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)] 08:07 < onats> where does openvpn get the initial values it uses to create tun0 inet and pointopoint? 08:11 < onats> hi, last question guys, 08:12 < onats> i do a 'ifconfig tun0', and the inet address is 192.168.66.1, P-t-P is 192.168.66.2 08:12 < onats> then on my routing table, the routes point to 192.168.66.2. is this correct? 08:14 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 08:15 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn 08:35 -!- ebil|work [n=andy@216.64.93.22] has joined ##openvpn 08:51 < ecrist> onats: I am now 08:53 -!- ebil|work [n=andy@216.64.93.22] has quit ["Leaving"] 08:57 < ecrist> onats: yes, that's correct. 
08:57 < ecrist> for the record, iirc, you can't ping the remote p2p ip address, which is normal 08:57 < ecrist> onats: you need to setup iroute and route 08:57 < ecrist> see the howto 09:03 -!- CppIsWeird [i=dude@unaffiliated/cppisweird] has quit [Read error: 104 (Connection reset by peer)] 09:08 < dmarkey_> hmm.. im having trouble getting an openvpn server to work in ubuntu intrepid 09:08 < dmarkey_> has anyone tried an openvpn routed server on interpid? 09:10 < dmarkey_> i get an ip of 192.168.60.1 with a gw of 192.168.60.5 but i cant ping 192.168.60.5 09:10 < dmarkey_> i should be able to right? 09:11 < ecrist> no, you shouldn't 09:11 < dmarkey_> oh? 09:11 < ecrist> the server usually will grab x.1, which you should be able to ping, once you've connected to the vpn server 09:12 < ecrist> you won't be able to actually ping the remote end point from the client 09:12 < dmarkey_> oh sorry client has an ip of 192.168.60.10 09:12 < ecrist> that's fine. can you ping 192.168.60.1? 09:13 < dmarkey_> nope 09:13 < ecrist> are you connected to the vpn? 09:14 < dmarkey_> yup 09:14 < dmarkey_> although its seems to be up and down 09:14 < ecrist> what does that mean? 09:15 < dmarkey_> maybe its my imagination 09:15 < dmarkey_> i'll show you my routing tables 09:16 < dmarkey_> Inactivity timeout (--ping-restart), restarting 09:16 < dmarkey_> thats why its reconnecting 09:19 < dmarkey_> http://pastebin.com/m3d07413e 09:22 < dmarkey_> iv enable ip forwarding also 09:22 < ecrist> dmarkey_: you didn't show me the client's ifconfig output in that paste 09:23 < dmarkey_> http://pastebin.com/m25c1ae75 09:24 < ecrist> looks good to me. 09:25 < dmarkey_> i know, im pulling my hair out 09:25 < ecrist> and you can't ping 192.168.60.1? 09:25 < dmarkey_> nope 09:25 < ecrist> firewall? 
09:25 < dmarkey_> and i have 2 other openvpn connections on the client side that work perfectly 09:26 < dmarkey_> client side there is none 09:26 < ecrist> server side 09:26 < dmarkey_> server side i dont think theres one on a minimal ubuntu install 09:26 -!- millun_ [n=chatzill@88.103.127.204] has quit ["ChatZilla 0.9.83 [Firefox 3.0.3/2008092417]"] 09:27 < dmarkey_> what iptables command would tell me if ones active? 09:28 < ecrist> no idea, I'm not a linux guy 09:28 < ecrist> 100% windows for me.... 09:31 < ecrist> that was a joke, btw... 09:38 < dmarkey_> ohh 09:38 -!- [acer]lanman [n=lanman@67.76.163.209] has joined ##openvpn 09:38 < dmarkey_> but you still dont know iptables 09:39 < ecrist> right, because I'm not a linux guy. FreeBSD is the way for meeeeeeeeee. 09:39 < dmarkey_> bah 09:49 -!- c64zottel [n=frank@pD9E0AD4D.dip.t-dialin.net] has joined ##openvpn 09:49 < c64zottel> hello 09:49 < ecrist> hello 09:50 < c64zottel> is there a web page about how secure VPN is? 09:50 < c64zottel> or, how secure is openvpn? 09:51 < ecrist> openvpn uses standard SSL encryption 09:51 < ecrist> read up on that 09:51 < c64zottel> i need something for a small company, lik 50 people on 3 different cities 09:51 < ecrist> OpenVPN should be able to work for you. 09:51 < c64zottel> ok, thks 09:59 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)] 10:02 < onats> ecrist, hi 10:03 < onats> finally, after a day of no sleep 10:03 < onats> 3 routers using CA certs, connect. 10:04 < onats> one question though, for the devices behind vpn clients, in order for them to see each other, do i just need to specify "client-to-client"? 10:04 < ecrist> no 10:04 < ecrist> I've told you that. 10:04 < ecrist> you need iroute/route statements. 
10:04 < ecrist> !iroute 10:04 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 10:04 < ecrist> !route 10:04 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 10:05 < ecrist> read that link, onats 10:05 < onats> ok just checking.. 10:05 < onats> so what's the use of the client-to-client setting? 10:06 < ecrist> just as it implies, so that clients are able to communicate with eachother. 10:06 < ecrist> otherwise, openvpn blocks it 10:06 < onats> that's for "remote clients" right? 10:06 < ecrist> yes 10:06 < onats> there. that's clear, similar to restricting access between wireless clients... 10:09 < ecrist> onats, iirc, I told you that a couple days ago. 10:10 < onats> between devices behind 2 separate VPN clients, all i had to do was add routes to the vpn clients themselves.. 10:10 < onats> this exercise sure increased my EXP points in networking 10:10 < onats> hehehe 10:10 < onats> Level UP! 10:13 < onats> i have another question 10:14 < ecrist> shoot 10:14 < onats> since the tun0 on the vpn client is not yet up, and i want to add a route using that interface, what/where is the best way to do it? 10:14 < onats> upon restart of the router... 10:14 < ecrist> what? 10:15 < onats> ok, rephrasing 10:15 < onats> I have router A, which acts as VPN Server, router B, and router C as clients. 
B and C have other devices behind them, and i'd like them to be able to ping each other
10:16 < ecrist> got that
10:16 < onats> i found out that an additional route must be added to router B and router C, but i can only add this once the tun0 interface is up
10:16 < onats> router B and C devices can already ping router A's devices...
10:16 < onats> so it's between B and C where the problem lies
10:16 < ecrist> no, add it to the server config in a client-config-dir for each of the two for a special push route
10:17 < ecrist> onats: you should really try reading the docs
10:17 < onats> i did already..
10:17 < onats> i mean, what i have in the client-config dirs,
10:17 < onats> is iroute 192.168.1.0 255.255.255.0
10:17 < ecrist> do this for me.
10:18 < ecrist> write something up that gives more detailed information (ips, etc) for each component. the server and the two clients.
10:18 < ecrist> pastebin it
10:19 < onats> ok.. will work on it.
10:20 < jeev> sup ecerist
10:20 < jeev> ecrist
10:20 < onats> are the tun0 ip's assigned to clients dynamic? is it best practice to --ifconfig-push?
10:20 < ecrist> they're dynamic
10:20 < ecrist> generally
10:20 < ecrist> they can be static, but it's not required.
10:20 < ecrist> just get me the config info and let me know when it's in pastebin
10:24 < onats> you need the config of the server?
10:25 < ecrist> write something up that gives more detailed information (ips, etc) for each component. the server and the two clients.
10:25 < ecrist> seriously, can't you read?
10:25 < dmarkey_> ecrist: figured out what was wrong
10:26 < ecrist> what was it?
10:27 < dmarkey_> compression on one side and not the other
10:27 < dmarkey_> another schoolboy error
10:31 < ecrist> ah
10:31 < onats> ecrist, im ok now.. problem solved
10:32 < onats> i pushed the routes on the ccd files as you said
10:32 < onats> next step would be to test this on actual loads
10:32 < onats> this setup was meant to replace linksys befvp41s...
10:33 < onats> ecrist, on what hardware are you running openvpn?
10:36 < ecrist> onats: Our primary vpn server is a Dell PowerEdge 1650 with FreeBSD 6.3
10:36 < ecrist> our clients are everything from Windows to linux to Mac.
10:37 < dmarkey_> hmm.. without topology subnet with a /24 subnet i'll not get the full 254 addresses, this is correct?
10:37 < dmarkey_> i'll only get approx 80?
10:39 < ecrist> dmarkey_: yes
10:40 < dmarkey_> can i tell openvp to consule 2 subnets?
10:40 < dmarkey_> openvpn*
10:40 < dmarkey_> consume*
10:40 < ecrist> dmarkey_: sure, it's all in the subnet mask.
10:41 < ecrist> I'm running 3 /24s
10:41 < dmarkey_> ah i hate trying to work them out
10:41 < ecrist> give me the numbers, I'll work it out
10:41 < dmarkey_> ha, ok
10:41 < dmarkey_> lemme see
10:41 < dmarkey_> 192.168.60.0 - 192.168.70.0
10:42 < dmarkey_> to be on the safe side
10:42 < ecrist> that's 10 subnets
10:43 < dmarkey_> 60 - 65 then
10:43 < dmarkey_> that more reasonable?
10:44 < dmarkey_> just we have maybe 100 computers to serve
10:44 < ecrist> 192.168.60.0/18
10:44 < ecrist> 255.255.192.0
10:44 < ecrist> erm, wait
10:45 < ecrist> 192.168.60.0/22
10:46 < ecrist> 255.255.252.0
10:46 < ecrist> 192.168.60.0 - 192.168.63.255
10:46 < dmarkey_> sounds good
10:46 < ecrist> 1022 IPs, /4 for /30 and you get about 250 usable IPs
10:48 < dmarkey_> excellent
10:48 < dmarkey_> just i dont want to use a release candidate in production
10:49 < dmarkey_> id be using topology subnet otherwise
10:51 < dmarkey_> so /18 and 255.255.252.0 are the same thing only /18 is CIDR notation?
10:51 * dmarkey_ remembers back to college
10:53 < ecrist> yes
10:54 < dmarkey_> IFCONFIG POOL: base=192.168.60.4 size=254
10:55 < dmarkey_> should this not have increased?
10:55 < dmarkey_> hmm..
maybe not
10:55 < ecrist> what did it say before?
10:55 < ecrist> I think that's number of /30 subnets
10:57 < dmarkey_> IFCONFIG POOL: base=192.168.60.4 size=62
10:57 < dmarkey_> correct
11:02 < ecrist> :)
11:02 < ecrist> I should get paid for this shit
11:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
11:11 * onats pays ecrist gratitude
11:13 * ecrist writes perl nagios plugin to wrap around megacli
11:25 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"]
11:26 < jeev> oh shit
11:26 < jeev> ecrist
11:26 < jeev> nagios is missing a cool feature
11:26 < jeev> want to write it ?
11:27 < ecrist> what feature?
11:27 < jeev> uh
11:27 < jeev> so like
11:27 < jeev> i was out last night
11:27 < jeev> was getting pages that the people in holland would take care of
11:27 < ecrist> I'll just call Ethan on his cell...
11:27 < jeev> i wish i could reply
11:27 < jeev> oh
11:27 < jeev> i mean a plugin
11:27 < jeev> if we could reply with a 1
11:27 < jeev> it'd stop notifications for the host
11:27 < jeev> if reply with 2
11:27 < jeev> schedule downtime
11:27 < jeev> like 2 24
11:28 < jeev> schedule 24 hours of downtime
11:28 < jeev> wouldn't that be awesome ??
11:28 < ecrist> jeev, that requires a bit of external config
11:28 < jeev> :_)
11:28 < ecrist> you need an email/sms responder
11:28 < ecrist> from there, a simple nagios plugin could take that data and build an action for it
11:29 < ecrist> nagiosexchange.com has lots of pre-written plugins
11:29 < ecrist> I've got a few on there.
11:29 < jeev> ahh
11:29 < jeev> so anyway
11:29 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
11:30 < jeev> if i'm gonna test those phone lines
11:30 < jeev> i should unplug the nortel system, right ?
11:30 < ecrist> shouldn't need to, no
11:30 < ecrist> your tone generator should be able to handle the voltage just fine
11:30 < jeev> it's noisy
11:30 < ecrist> so?
11:31 < jeev> hm
11:31 < jeev> i dont know man!
11:31 < jeev> i can't find it
11:31 < jeev> i dont think that the asshole who installed the cables
11:31 < jeev> attached those
11:31 < ecrist> tell you what, get me a plane ticket and I'll come locate the line for you.
11:31 < jeev> i think it's behind the wall
11:31 < jeev> ;)
11:39 -!- Pretto [n=pretto@ubuntu/member/pretto] has joined ##openvpn
11:42 < Pretto> hi there, when an openvpn client has a connection established to a server, is the server able to access the client workstations?
11:43 < Pretto> ??
11:43 < ecrist> holy shit
11:43 < ecrist> have some patience
11:44 < ecrist> it depends on the firewall on the client.
11:44 < Pretto> ecrist, thank you :D
11:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:58 -!- [acer]lanman is now known as [intra]lanman
12:17 < Cisien> what is the "lightest" encryption i can use - for the lowest cpu overhead?
12:18 < jeev> nice question
12:18 < jeev> i wouldn't mind knowing
12:18 < jeev> but my servers dont use enough cpu for me to care heh
12:19 < Cisien> i'm not really sure if cpu usage is being reported properly on my shared host
12:19 < Cisien> so i don't want to risk being a CPU hog
12:19 < jeev> ah
12:19 < jeev> i wouldn't run a vpn on a shared box either
12:19 < jeev> heh
12:19 < Cisien> i don't really want to spend 150/mo on a dedicated host though
12:19 < Cisien> it's a xen host, but still
12:20 < jeev> yea
12:20 < jeev> where do you live
12:20 < Cisien> i'm "live" in iraq, but i'm from the states
12:20 < jeev> ahh
12:20 < jeev> you're iraqi?
12:20 < jeev> cool
12:20 < jeev> oh
12:20 < jeev> from the states
12:20 < Cisien> naw
12:20 < jeev> what you doin there
12:20 < Cisien> i'm in the army
12:20 < jeev> ahh
12:20 < jeev> shooting up iraqis?
or actually caring about them
12:21 < Cisien> naw, i just provide comms for the people who need it
12:21 < jeev> oh
12:21 < jeev> lol
12:23 < jeev> woo hoo
12:23 < jeev> saturday night
12:23 < jeev> arthur abraham fight
12:24 -!- Esine [i=dbguy@tohveli.net] has quit ["Save your souls, install Linux"]
12:28 < c64zottel> when i do VPN over bridging, can i still compress the data?
12:32 < jeev> i dont see the prob with compressing data
12:32 < jeev> from client to server
12:33 < jeev> in any situations?
12:33 < c64zottel> i have no experience with VPN, i just read that it's possible to use, i think libzipo or something, to compress the data before sending
12:34 < c64zottel> and i would like to know if this counts for both, bridging and routing
12:36 < ecrist> c64zottel: bridging vs routing only really has to do with bridging vs routing, none of the underlying vpn tech used
12:37 < Cisien> c64zottel, in your config, you have the option to enable compression
12:37 < Cisien> it's lzo compression
12:37 < Cisien> and it compresses the whole tunnel
12:37 < c64zottel> and, does it help much?
12:37 < Cisien> it can
12:37 < Pretto> i am not able to ping any client's subnet from the server, even having set the route and without firewall
12:37 < c64zottel> cool
12:38 < c64zottel> thanks
12:38 < Cisien> I have not compared it with and without compression though
12:38 < c64zottel> why not?
12:38 < c64zottel> not interested?
12:38 < Cisien> i would imagine text documents, web pages (except the images), etc would be compressed well
12:38 < c64zottel> i think it's a very nice feature
12:39 < Cisien> c64zottel, my internet connection isn't only for me, there are about 200 users on it, so i can't get a reliable result
12:39 < c64zottel> sure, but i am sure i'll go test it in the lab
12:40 < Cisien> 200 users sharing a 2mbit connection :P
12:40 < Cisien> fortunately - for me - it appears that traffic on port 123 UDP has priority over everything else
12:40 < Cisien> i can saturate this link during peak hours :P
12:41 < c64zottel> do you use squid? or other caching stuff?
12:41 < Cisien> i implemented QoS on it, so i couldnt, i don't want to get booted off the network just because i download too fast
12:41 < Cisien> I don't. this network uses a transparent proxy (which i bypass with this vpn)
12:42 < c64zottel> ok, i am sorting a bit, i am new with this network stuff
12:42 < Pretto> any advice?
12:43 < c64zottel> ok, you use QoS to shape the traffic, but why are you not using a cache?
12:43 < c64zottel> do you think it's worth nothing?
12:43 < Cisien> currently
12:43 < Cisien> it's not feasible
12:43 < Cisien> the only place i can setup a cache is on the server - and that's 800ms away
12:43 < Cisien> the cache needs to be in iraq :P
12:44 < c64zottel> ok .)
12:44 < Cisien> one of these days i'll bring the client of the tunnel to my openwrt router, and setup squid
12:45 < c64zottel> i am working in a company, spread over 4 cities, and i have to connect them via VPN
12:45 < c64zottel> and they make a lot of traffic
12:46 < c64zottel> so, i guess i have to try squid, AFS, and compressing VPN
12:46 < Cisien> shouldnt be too big of a deal, if they have a decent budget for their WAN links :P
12:47 < c64zottel> .)
i think, this word budget, is the point
12:47 < Cisien> if the link isn't symmetric, they may not be happy with performance
12:48 < c64zottel> we have both
13:32 < jeev> lol
13:32 < jeev> someone i know, from east coast
13:32 < jeev> outbid and won something off ebay AGAINST ME
13:32 < jeev> hahaha
13:32 < jeev> what a freakin coincidence
13:33 < jeev> WTF
13:33 < jeev> i lost it twice, 2 different auctions
13:33 < jeev> cause i bid 202
13:33 < jeev> 200
13:33 < jeev> and they bid 202
13:33 < jeev> LOL
14:05 < zirpu> is openvpn 2.1 server backwards compatible with a 2.0.9 client?
14:05 < zirpu> i'm setting up an openvpn server on ubuntu, and will have a bunch of macosx clients. the ports version of openvpn2 seems to only be 2.0.9.
14:07 -!- Pretto [n=pretto@ubuntu/member/pretto] has quit ["Saindo"]
14:07 < jeev> yea
14:08 < jeev> that's what i was doing
14:08 < jeev> and didn't know ;)
14:08 < ecrist> zirpu: yes
14:09 < zirpu> cool. thanks. :)
14:13 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
14:30 < ecrist> woot
14:30 < ecrist> got some rudimentary sensible output for my megaraid nagios plugin
14:30 < ecrist> ./check_mega_raid
14:30 < ecrist> RAID Volume Degraded. 12:0 Offline, 12:1 ok, 12:2 ok, 12:3 ok, 12:4 ok, 12:5 ok, 12:9 ok, 12:10 ok, 12:11 ok, 12:12 ok, 12:13 ok, 12:14 ok, 12:14 ok,
14:31 < ecrist> you wouldn't believe how much data I've gotta parse from LSI
14:31 < ecrist> s shitty cli util to get that
14:34 < zirpu> indeed it is.
14:35 < ecrist> lol
14:35 < ecrist> http://www.youtube.com/watch?v=fd4MKflsPtg
14:35 < vpnHelper> Title: YouTube - Telemarketer Murder (at www.youtube.com)
14:37 < zirpu> that's too funny.
14:40 < jeev> ecrist
14:40 < jeev> i can't read that thing
14:40 < jeev> wtf is it
14:40 < ecrist> jeev, it's a youtube video. it's funny.
14:41 < ecrist> you don't have to read it, the text is just poor man's CC
14:41 < jeev> no
14:41 < jeev> your raid thing
14:41 < ecrist> oh
14:41 < ecrist> it's 1) RAID status, in this case, Degraded.
14:42 < ecrist> 2) a list of each enclosure:drive combo, and its status
14:42 < jeev> degraded = bad
14:42 < jeev> ehheh
14:42 < ecrist> if RAID is Optimal, there is no individual drive output
14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:05 -!- c64zottel [n=frank@pD9E0AD4D.dip.t-dialin.net] has left ##openvpn ["Leaving."]
15:06 -!- ernesto414 [n=ernesto@66-100-35-19-static.dsl.oplink.net] has joined ##openvpn
15:12 < ernesto414> Does anyone know of any documentation to configure openvpn (or iptables) to allow me to connect to a LAN on an openvpn server that has 2 network cards, one of them with a public IP and the other with private IP.
15:12 < ernesto414> What happens now is that I can VPN in from the public IP but can only ping the private IP of the server, not any hosts behind the LAN
15:14 < ernesto414> I am using CentOS 4.4 OpenVPN 2.0.9
15:17 < KyleK> well packets from the LAN for the VPN need to get routed properly
15:18 -!- millun [n=kvirc@kastan.nat.praha12.net] has joined ##openvpn
15:18 < KyleK> also I think theres an option in configuration for allowing traffic like that
15:18 < millun> hello
15:18 < ernesto414> KyleK: great! what is it?
15:18 < millun> http://paste2.org/p/97859 <- i kept on getting errors like "route gateway not reachable on any active network adapters: 10.20.0.1"
15:19 < KyleK> i dunno off the top of my head
15:20 < KyleK> oh haha i was maybe thinking client-to-client
15:20 < KyleK> are you sure the routing both ways is working?
15:21 < ernesto414> KyleK: i dont need routing back to my clients, just server to client
15:21 < ernesto414> millun: can you paste the output of a client?
15:21 < KyleK> well the packets have to have a route BACK
15:22 < ernesto414> KyleK: ok, how do I test that?
15:22 < KyleK> well is that centos box the gateway for the lan?
15:23 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
15:23 < millun> ernesto414: i can't as i am on linux now
15:23 < millun> there was this error "route gateway not reachable on network adapters: 10.20.0.1"
15:24 < millun> i got 10.20.0.6 assigned
15:24 < millun> but couldn't ping 10.20.0.1
15:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:38 < ecrist> woot
15:38 < ecrist> RAID Volume Degraded. 12:0 Rebuild (11%);
15:40 < jeev> dood
15:40 < jeev> degraded is bad!
15:40 < ecrist> i cleaned up the output, so it's not listing OK drives.
15:41 < ecrist> I'm excited because I finally got to the point where i've got the rebuild progress in the output.
15:41 < ecrist> :)
15:41 < ecrist> jeev: if you wanna see the perl: http://pastebin.ca/1247306
15:42 < ecrist> still need the rest of the nagios bits, but mostly done
15:45 < jeev> i thought you did a nagios thing for me
15:45 < jeev> where you reply to it
15:46 < jeev> NOT INTERESTED!
15:51 * ecrist != jeev's bitch. :P
15:54 < jeev> never said i was
15:54 < jeev> i mean
15:54 < jeev> never said you were
15:54 < jeev> but the community would LOVE that thing
16:10 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
16:21 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit []
16:42 < ecrist> I'm done for the day.
16:42 * ecrist quits.
16:45 < jeev> WHAT
16:45 < jeev> you said you'd be on
16:45 < jeev> !
16:58 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:14 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn
17:16 -!- KyleK [n=Kyle@allspark.shadowmage.org] has left ##openvpn []
17:22 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has quit [Read error: 60 (Operation timed out)]
17:36 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
17:38 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
17:41 < Dougy> hey yo
17:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:52 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has joined ##openvpn
17:52 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has quit [Nick collision from services.]
17:53 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has joined ##openvpn
17:54 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has quit [Client Quit]
17:57 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Dougy, Dryanta
17:58 -!- Netsplit over, joins: Dougy, Dryanta
18:04 -!- CppIsWeird [i=dude@unaffiliated/cppisweird] has joined ##openvpn
18:04 < Dougy> jeeeeeeez damn
18:04 < Dougy> JEEEEEEEEEEEEV
18:26 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
18:27 < jeev> hahahah
18:27 < jeev> doug
18:27 < jeev> ?
18:30 < Dougy> jeeeeeeev
18:30 < Dougy> whats up dood
18:30 < jeev> heh
18:30 < jeev> stupid interserver mike
18:30 < jeev> i was bidding on a server
18:30 < Dougy> o.O
18:30 < Dougy> sup
18:30 < jeev> and i was bid fighting
18:30 < jeev> and he won
18:30 < jeev> lol
18:30 < Dougy> lmfao
18:30 < Dougy> haha
18:30 < Dougy> where
18:30 < jeev> ebay
18:30 * Dougy is playing with his new VPS in NYI
18:30 < jeev> so im'd him
18:30 < jeev> i'm thanks bastard
18:30 < jeev> you owe me
18:30 -!- krzie [i=krzee@unaffiliated/krzee] has left ##OpenVPN []
18:32 < jeev> doug
18:32 < jeev> i'm trying to get a gigabit PTP to one wilshire
18:32 < jeev> but the quotes are outrageous
18:34 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn
18:36 < Dougy> lol
18:36 < Dougy> nice
18:36 < Dougy> i have my nagios in nyi now
18:36 < Dougy> 512MB RAM, 20 gB HDD, 400 GB bw VPS for 10/mo
18:37 < jeev> where is my access
18:38 < Dougy> jeev: you dont get any
18:38 < Dougy> buy one
18:39 < jeev> w0w!
18:39 < jeev> who's the provider anyway
18:41 < Dougy> www.creativevps.com
18:41 < jeev> who is the isp
18:41 < jeev> i mean like
18:41 < jeev> backbone
18:41 < jeev> network
18:42 < jeev> ahh
18:42 < jeev> how you doin for 10/month
18:43 < jeev> by the way
18:43 < jeev> i have a lot of servers
18:43 < jeev> but i like shit, i dunno why
18:46 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
18:47 < jeev> ahh
18:47 < jeev> WHT
18:51 < jeev> dougy
18:51 < jeev> answer
18:59 < Dougy> yo
18:59 < Dougy> sup
18:59 < Dougy> jeev: its mzima bandwidth
19:11 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
19:25 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##OpenVPN
20:13 < ecrist> jeev: I'm here.
20:14 < krzie> wassup eric
20:14 < ecrist> nm, u?
20:14 < krzie> same
20:14 < krzie> just finished fixing my pbx
20:14 < ecrist> what was wrong with it?
20:15 < krzie> well i added an inbound only ipkall account
20:15 < ecrist> ah
20:15 < ecrist> I don't get involved with all that stuff.
20:15 < krzie> what i didnt know was that since i dont register it needed to send to my port 5080
20:15 < ecrist> we pay someone else to handle all that, they run asterisk and all our phones connect directly to them
20:15 < krzie> 5060 is only for registering and things i reg with
20:15 < onats> krzie, what pbx are you using (sorry for butting in)
20:16 < ecrist> asterisk
20:16 < krzie> freeswitch
20:16 * ecrist guesses
20:16 < ecrist> so, asterisk
20:16 < krzie> asterisk < freeswitch
20:16 < onats> have you tried trixbox?
20:16 < krzie> no, they are fundamentally different
20:16 < krzie> trixbox is asterisk
20:16 < krzie> its just got gui
20:16 < ecrist> onats: trixbox is asterisk, with some proprietary code
20:16 < ecrist> krzie: they do a bit more than that, but it's basically the gui
20:17 < krzie> right
20:17 < ecrist> oh, have I mentioned I love cacti?
20:17 < krzie> i dont believe you have
20:17 < jeev> cacti
20:17 * jeev hate
20:17 < onats> cacti is network monitoring right?
20:17 < jeev> ecrist, i'm too lazy, didn't go
20:17 < jeev> and you came too late!
20:17 * jeev stabs ecrist again
20:17 < krzie> http://www.freeswitch.org/node/117
20:17 < vpnHelper> Title: How does FreeSWITCH compare to Asterisk? | FreeSWITCH (at www.freeswitch.org)
20:17 < jeev> krzie
20:18 < jeev> you're next
20:18 < krzie> for anyone who wants to know about asterisk and freeswitch in relation to each other
20:18 < krzie> jeev, am i the big winner?
20:18 < jeev> no
20:18 < jeev> but i did part the asterisk chan
20:18 < jeev> one person talks shit, i talk shit back and everyone hates me.
20:18 < jeev> anyway.
20:18 < ecrist> onats: no, it's a graphing engine
20:18 < jeev> i forgot why i left freeswitch
20:18 < jeev> i tried it once
20:18 < ecrist> well, a graphing configurator and data gatherer
20:19 < jeev> ecrist
20:20 < ecrist> jeev: this is better
20:20 < jeev> ok
20:20 < jeev> so
20:20 < jeev> like, i was showering
20:20 < jeev> just kidding
20:20 < jeev> ok so i'm working on getting a gig PTP
20:20 < jeev> ~12 miles
20:20 < jeev> or maybe ~1 mile to qwest cybercenter
20:20 < jeev> uh
20:20 < jeev> what should i use to route ?
20:20 < jeev> i dont wanna get anything high end
20:20 < jeev> i want to do something linuxy.
20:20 < jeev> what do you suggest
20:20 < ecrist> freebsd on a solid piece of hardware will do it.
20:21 < jeev> with Quagga or something ?
20:21 < krzie> any reason a standard routing table isnt enough?
20:21 < ecrist> don't know what Quagga is, but freebsd has native bgp
20:21 < krzie> <-- doesnt know much bout real routing protocols =/
20:21 < krzie> like ospf,bgp, etc
20:22 < jeev> well
20:22 < jeev> i'm gonna have a server at the datacenter
20:22 < jeev> acting as a router
20:22 < jeev> and one at the office building
20:22 < jeev> that's what i should do, right ?
20:22 < jeev> then send it out a switch
20:22 < ecrist> jeev: if you're not doing *real* routing, it doesn't matter
20:22 < onats> ecrist, is there a tool to monitor openvpn performance?
20:22 < jeev> like bgp and shit
20:23 < ecrist> just throw a 3com switch at either end with a fibre card
20:23 < krzie> jeev, multiple uplinks?
20:23 < jeev> ecrist, i want to do BGP but
20:23 < jeev> no
20:23 < jeev> not yet,.
20:23 < jeev> i want to eventually
20:23 < jeev> but i'd need an AS and shit, rigt
20:23 < jeev> right
20:23 < krzie> i lean towards what ecrist said too
20:23 < krzie> but when you get multiple uplinks things change
20:23 < jeev> that's why i'm hoping that i could get good loop pricing to downtown
20:23 < ecrist> jeev: yes, you'd need an AS and shit.
In reality, you're probably not going to have enough IPs to warrant an AS
20:23 < jeev> so i can have another isp be my multihome
20:23 < jeev> not me.
20:23 < onats> jeev, how easy/difficult is it to setup freeswitch?
20:23 < jeev> ask krzie
20:24 < jeev> he loves it
20:24 < onats> sorry, its krzie
20:24 < jeev> it's all xml stuff
20:24 < krzie> onats, easy if you read the docs
20:24 < onats> hahaha
20:24 < onats> guilty
20:24 < krzie> if you know asterisk its simple, and your existing confs can be used
20:24 < krzie> but even if you dont its easy
20:24 < krzie> my first install took around 2 hours
20:24 < krzie> and re-did it last night, i'd say compiling took more time than configuring
20:25 < krzie> of course im no expert, but it is easy to learn
20:25 < krzie> and if you do the reading, the help channel is very active and friendly
20:25 < ecrist> jeev: for now, just get some good switches with fibre cards
20:25 < krzie> of course like any help channel im sure they appreciate people reading all those docs they took the time to write
20:25 < jeev> ecrist
20:25 < krzie> btw, use trunk
20:25 < jeev> that's the thing
20:25 < jeev> i dont want to spend a lot
20:25 < jeev> ;)
20:25 < krzie> its one of those rare projects where trunk is the best to use
20:26 < ecrist> when the time comes you're routing BGP across multiple Gig links, buy a real router
20:26 < jeev> i guess i can get a good managed switch
20:26 < jeev> it's a small office building
20:26 < jeev> i dunno if the people upstairs will buy into it
20:26 < jeev> if i get them
20:26 < jeev> i'm sure they're paying 1000-2500/month right now
20:26 < jeev> for internet + phones
20:26 < jeev> i can help them stabilize internet
20:26 < jeev> for VOIP
20:26 < ecrist> jeev: you don't need a managed switch
20:26 < jeev> and guarantee my connect
20:26 < jeev> how could i manage their bw
20:26 < jeev> ?
20:26 < jeev> QoS on IP?
20:26 < jeev> i can do that ?
20:26 < krzie> jeev, then you can run a fs box and handle the voip for the building too
20:26 < krzie> of course you can jeev
20:26 < jeev> i already run an asterisk box
20:26 < jeev> ;)
20:26 < ecrist> jeev: freebsd + pf + ALTQ
20:27 < jeev> but i can monitor bandwidth per ip?
20:27 < jeev> ok cool
20:27 < jeev> i'll bother you for that soon
20:27 < jeev> i already do voip for a 30 phone place
20:27 < krzie> ya but with asterisk in production environment it sucks (i used to run a phone company on asterisk)
20:27 < jeev> i want to do it for the neighbor
20:27 < ecrist> with CARP and arp-balancing
20:27 < jeev> 3 phones
20:27 < jeev> what the hell is arp balancing
20:27 < jeev> jeebus
20:27 < krzie> arp-balancing is like automated arp-poisoning for redundancy
20:27 < krzie> you can think of it that way at least
20:28 < krzie> read up on CARP for real understanding
20:28 < jeev> ahh
20:28 < jeev> so
20:28 < jeev> isn't that if you have like 2+ routers
20:28 < krzie> and ecrist IS RIGHT TO RECOMMEND IT, CARP IS A WIN
20:28 < krzie> ITS FOR FAILOVER
20:28 < ecrist> https://www.secure-computing.net/wiki/index.php/Traffic_Shaping_with_pf/ALTQ
20:28 < krzie> oop[s
20:28 < vpnHelper> Title: Traffic Shaping with pf/ALTQ - Secure Computing Wiki (at www.secure-computing.net)
20:28 < krzie> tapped capslock
20:29 < onats> pf = pfsense?
20:29 < ecrist> http://www.secure-computing.net/wiki/index.php/Traffic_Shaping_with_pf/ALTQ if you prefer no ssl
20:29 < jeev> no
20:29 < jeev> pf
20:29 < vpnHelper> Title: Traffic Shaping with pf/ALTQ - Secure Computing Wiki (at www.secure-computing.net)
20:29 < jeev> packet filter
20:29 < ecrist> onats: no, pf is pf. pfsense uses pf
20:29 < onats> i see
20:29 * jeev can't believe ecrist paid for an ssl cert
20:29 < ecrist> jeev: I didn't pay for an ssl cert
20:29 < krzie> he did??
20:29 < ecrist> mine is self-signed
20:29 < jeev> oh
20:29 < jeev> how come mine accepted it
20:29 < jeev> maybe i stored it in the past
20:29 < jeev> ;D
20:30 < ecrist> you probably did.
20:30 < krzie> jeev, he took off the https://
20:30 < krzie> its just http://
20:30 < krzie> no cert
20:30 < jeev> noped
20:30 < jeev> i was on ssl
20:30 < jeev> dork
20:30 < onats> what's the advantage of paying for a ssl cert?
20:30 < ecrist> krzie: the first link was https
20:30 < krzie> ok, the link he posted was without
20:30 < krzie> oh ok
20:30 < onats> rather than generating it your own?
20:30 < krzie> missed that
20:30 < jeev> ok so
20:30 < jeev> before i go to the dood upstairs to propose it
20:30 < jeev> i have to find out the pricing
20:30 < ecrist> onats: search google for 'self-signed SSL'
20:30 < krzie> onats, browsers ship trusting some CAs
20:30 < jeev> then calculate the lowest i can offer to him
20:31 < ecrist> jeev: if you guys can afford a gig link to your ISP for a 12 mile run (leased fiber isn't cheap), you can afford some decent switches.
20:32 < onats> ok
20:32 < jeev> i'm trying to calculate
20:32 < jeev> so i can profit off the people in the building
20:32 < jeev> heh
20:32 < jeev> for computer work
20:32 < jeev> i'm trying to provide the service.
20:33 < ecrist> jeev: the fibre itself will probably be reasonable. having someone put light on it at the other end is expensive
20:34 < jeev> the lease
20:34 < jeev> ok check this
20:34 < jeev> if i can get the qwest cybercenter
20:34 < jeev> the fiber may cost $150/month for loop
20:34 < jeev> loo
20:34 < jeev> since qwest is like a mile away
20:34 < jeev> if i take it 12 miles
20:34 < jeev> it'll be maybe 1500/month
20:34 < jeev> too much.
20:34 < jeev> i wouldn't mind dropping some cogent on it.
20:38 < ecrist> why would anyone go with cogent right now, losing their peer with sprint and all...
20:39 < krzie> they're losing sprint link?
20:39 < krzie> ouch
20:39 < jeev> it's up still, no?
20:39 < jeev> screw sprint
20:39 < jeev> i'll take cogent any day over sprint
20:39 < ecrist> they're not losing it, it was terminated
20:40 < ecrist> sprint claims cogent hasn't paid the bill in 2 years
20:40 < ecrist> so, they told them to pay in full or be cut off 6 months ago
20:40 < ecrist> every month for the past 6 months, sprints been severing more and more of their connections.
20:41 < jeev> screw, sprint.
20:41 < jeev> serves them right
20:41 < jeev> they overbill EVERYONE
20:41 < ecrist> jeev: rant all you want, cogent is the loser here, sprint was cogent's primary peering provider
20:42 < ecrist> btw, I meant to link you this:
20:42 < ecrist> http://www.secure-computing.net/wiki/index.php/CARP
20:42 < vpnHelper> Title: CARP - Secure Computing Wiki (at www.secure-computing.net)
20:45 < krzie> ya thats gunna REALLY hurt cogent
20:45 < krzie> or kill them
20:58 < jeev> that wont kill them
20:58 < jeev> i'll do the carp stuff when ready
20:58 < jeev> i know aout em
20:58 < jeev> about
21:00 < ecrist> bah
21:00 < ecrist> I forgot to compile in options ALTQ_PRIQ. :(
21:00 < jeev> :<
21:00 < jeev> if i could get the loop
21:00 < jeev> + bandwidth
21:01 < jeev> for ~2000
21:01 < jeev> i'd be so happy
21:01 < jeev> but ideal would be
21:01 < jeev> 1000 haha
21:01 < jeev> for cogent to bring fiber there but fark
21:01 < jeev> i may be able to get it to cogent
21:01 < jeev> a loop to cogent for like 200 let's say
21:01 < jeev> but then i'd have to get a cabinet
21:01 < jeev> and qwest bandwidth
21:01 < jeev> i'd rather pay more?
21:01 < jeev> and have access to other ISP?
21:01 < jeev> yea, i dunno
21:01 < krzie> but ideal would be
21:01 < krzie> 1000 haha
21:01 < krzie> hell, why not free
21:02 < krzie> since you're in fantasy land already...
21:02 < jeev> ;)
21:02 < jeev> ok
21:02 < jeev> red alert 3 time
21:02 < jeev> actually
21:02 < jeev> some tv
21:02 < jeev> bbiab
21:06 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has quit ["Leaving"]
21:11 < onats> you guys are in the US?
21:12 < krzie> not me
21:12 < krzie> although i was
21:16 < ecrist> I am
21:16 < ecrist> krzie is a defector
21:19 < krzie> yup
21:19 < krzie> i wouldnt even visit if my family wasnt there
21:21 < onats> krzie, where are you?
21:21 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
21:22 < ecrist> krzie's going to pay for me and my family to move when the republicans get back in office
21:25 < krzie> im in the caribbean
21:25 < krzie> repubs==dems nowadays
21:26 < onats> hey, has anyone tried openvpn-control?
21:26 < krzie> never even heard of it
21:28 < krzie> sounds like a decent idea tho
21:28 < krzie> if you try it out, lemme know what you think
21:28 < onats> ok will do.
21:29 < onats> just asked, coz the last update was 2006?
21:29 < krzie> if its working right i doubt thered be much to upgrade since then
21:29 < krzie> since its not used to configure openvpn
22:00 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Dougy, Dryanta
22:02 -!- Netsplit over, joins: Dougy, Dryanta
22:05 -!- Dryanta [i=dryanta@dev.hockingits.com] has quit [Remote closed the connection]
22:09 -!- sinist3r [n=pwn@laxnoc.alchemy.net] has joined ##openvpn
22:37 -!- sinist3r [n=pwn@laxnoc.alchemy.net] has quit []
22:37 < millun> -----------------------------------l<^^^^^^^^^L'ooooooooooooooooooooooooooooooooooooooooooooooooooooookl'a'a'a'a'a'a'a'y)
22:39 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Dougy
22:44 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
22:47 < millun> \uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS0888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888885****************
23:09 < Cisien> what?
23:10 < Cisien> does anyone know the least expensive encryption type (encryption strength isn't a concern) 23:26 < millun> ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////"""""""""""""""""""""""""""""*************+/0 23:40 < millun> \1fddddd 23:44 < onats> what is that 23:46 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Read error: 110 (Connection timed out)] 23:49 < jeev> heh 23:49 < jeev> what is this guy doing 23:53 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Fri Nov 07 2008 00:13 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 104 (Connection reset by peer)] 00:14 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 00:27 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Read error: 60 (Operation timed out)] 00:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:40 < millun> sorry, my cat must have been on the keyboard :) 00:45 < krzee> hey =] 00:49 < jeev> damn 00:49 < jeev> that's your cat? 00:49 < jeev> that thing was throwing gang signs at us 00:50 < millun> heh. sorry 00:50 < jeev> :) 00:51 < millun> krzee: http://paste2.org/p/97859 02:16 -!- esine [n=mank@dsl-81-175-173-153.phnet.fi] has joined ##openvpn 02:17 < esine> Hey everyone. I need a little help with openvpn here. We have a lan in the office (with all computers using public ips, no private ones at all) and I'd like to connect to it from home. 02:18 < esine> At home I have a static ip, and so does everything here in the office. Lets say office ip range is 81.xx.xx.128/25 and my home ip would be 62.xx.xx.xx. 
I've tried setting openvpn up.. and failed 02:19 < esine> I can get it work with tunneling so that I can ping the vpn server from home machine if they're on their own private network 10.0.8.0/24 as the default conf is.. but that's that. I can connect to vpn server through vpn, yay. Now how do I connect to the rest of the 62.xx.xx.xx ips? 02:19 < esine> sorry, rest of the 81.xx.xx.128/25 ips* 02:21 < esine> I tried putting push "81.xx.xx.128 255.255.255.128" to the server config file but that didn't do any good - I could no longer ssh to my home computer. Luckily I could use my phone to ssh home and stop the openvpn client 02:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:23 < onats> esine, does each machine in your office act as a unique client to your home vpn server? 02:23 < esine> so.. how can I connect to the office network via vpn from home? should all of the computers I want to access have openvpn client installed so they can be in their own little 10.0.8.0 net? 02:23 < esine> office vpn server, home client 02:23 < esine> and no 02:24 -!- millun [n=kvirc@kastan.nat.praha12.net] has quit [Nick collision from services.] 02:24 < esine> onats: should they? 02:24 -!- millun [n=r@88.103.127.204] has joined ##openvpn 02:24 < onats> on what device/machine is openvpn server installed? 02:24 < esine> all linux boxes 02:24 < esine> servers/desktop computers 02:24 < onats> and on your home, you have several public machines too? 02:24 < esine> well, only one 02:25 < onats> therefore, if i understand the setup correctly, you can access the machines on your office one at a time only? 02:25 < millun> hi, this is my server config http://paste2.org/p/97859 my client tells me "route gateway" is not reachable on any active network adapters... 02:25 < millun> ... 10.20.0.1 02:26 < esine> onats: I can access the computers that have openvpn client installed thus have tun0 up 10.0.8.0, but should this really be necessary? 
there's so many computers here in the office I need to access from home it wouldnt be feasible to install openvpn client to all of them 02:27 < esine> so my question is, is there a way to make the vpn server forward traffic to office lan? 02:28 < onats> i think its a complicated setup... 02:29 < esine> I just want my home computer to be part of office lan :( is there a way to get my home computer get 81.xx.xx.128/25 ip as well then? via bridging or.. 02:29 < onats> i thought your computers in the office are all public, therefore not part of a LAN? 02:30 < esine> onats: well, they all have public ip address.. but their ports are firewalled by the isp so I cant ssh to them from the internet. Also there's a file server here 02:31 < esine> we have lots of internal servers (file,dns,test servers) 02:32 < onats> what about if you setup a vpn between home and a single server in your office, 02:32 < onats> ssh into the server, then ssh into the other machines 02:32 < esine> oh well, maybe I'll keep the setup as is, just the server and home computer have openvpn installed and if I need anything I can 02:33 < onats> problem solved! 02:33 < esine> yes 02:33 < esine> ^ thats what I was typing 02:33 < esine> it's just not as nice as the alternative 02:35 < esine> with this setup I could ditch openvpn altogether and just set up an ssh server running on the openvpn port 02:37 < esine> .. or setup a NAT on the vpn server.. 
02:57 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 03:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 03:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:45 -!- esine [n=mank@dsl-81-175-173-153.phnet.fi] has left ##openvpn [] 05:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:21 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 06:41 -!- mRCUTEO [n=info@58.26.192.67] has joined ##openvpn 06:41 < mRCUTEO> anyone tested openvpn in openvz guest? 06:50 -!- mRCUTEO [n=info@58.26.192.67] has quit [] 07:19 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 07:20 < ecrist> morning, folks 07:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 07:24 < cpm> good morning ecrist 07:24 < ecrist> how goes, cpm? 07:25 < cpm> it goes 07:25 < ecrist> nrpe is kicking my ass today. :( 07:26 < cpm> nrpe? 07:26 < cpm> stomp on it! don't let it treat you that way! 07:26 < ecrist> Nagios Remote Program Execution, iirc 07:30 < cpm> ah, nagios doesn't treat me very well, so I broke up with it. Went to opennms 07:32 < ecrist> nagios generally treats me very well 07:33 < ecrist> and, I feel obligated to use it, a bit, I know ethan. 07:55 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 07:57 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 07:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:00 -!- Irssi: ##openvpn: Total of 34 nicks [0 ops, 0 halfops, 0 voices, 34 normal] 08:29 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 08:31 -!- dmarkey_ [n=dmarkey@79.97.241.103] has quit [Remote closed the connection] 09:07 < ecrist> quiet in here today 09:10 < _Steve_> ecrist! 09:10 < _Steve_> help me fix my vpn! 
:) 09:10 < _Steve_> openvpn connects fine, but freebsd isn't bridging things 09:11 < ecrist> _Steve_: you need to bridge manually, or with a script 09:11 < _Steve_> i was bridging manually, but then i rebooted and it broke, so i guess i want to use a script. :) 09:11 < _Steve_> can you help? :) 09:12 < _Steve_> i'm not even sure how to do it manually any more 09:12 < _Steve_> i mean, i thought i did, but it's not working 09:13 < ecrist> read the howto 09:14 < _Steve_> i did 09:15 < ecrist> what don't you understand, then? 09:17 < _Steve_> why it's not working 09:17 < _Steve_> but, re-reading a bit of the thing about bridging, i may need "dev tap0" instead of "dev tap" 09:17 < _Steve_> so i just changed that, but have no way to test right now... 09:17 < ecrist> well, when you do, test. 09:18 < ecrist> dev tap0 is so that you're using a specific tap device for your scripts 09:19 < _Steve_> i don't have any scripts 09:44 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn 09:59 -!- millun [n=r@88.103.127.204] has quit ["—I-n-v-i-s-i-o-n— 3.0 (March '08)"] 10:48 -!- ernesto414 [n=ernesto@66-100-35-19-static.dsl.oplink.net] has left ##openvpn [] 10:58 -!- py_ [n=py@179.155-67-87.adsl-dyn.isp.belgacom.be] has joined ##openvpn 10:58 < py_> hello 11:00 < py_> I've installed openvpn and got it properly working on few systems here. As openvpn doesn't re-read /etc/resolv.conf after having been started, I created a small script to check (amongst other things) if /etc/resolv.conf has changed, and restart openvpn if it has 11:00 < py_> Then, I did put this script in a cronjob 11:02 < py_> but I get this in the log, which I never get when I run the script manually: "Linux ifconfig failed: could not execute shell command" 11:02 < py_> what's happening here? how can i figure out what's wrong? 11:07 < py_> just checked, the cronjob is properly executed as root 11:08 < py_> maybe a PATH problem? 11:10 < _Steve_> ecrist: you here? 
11:17 < ecrist> _Steve_: just got back. what's up? 11:19 < jeev> ecrist, what were you doing ? 11:19 < _Steve_> i can test now 11:19 < _Steve_> ... 11:19 * _Steve_ waits on something to finish 11:19 < ecrist> jeev: getting snow tires put on the wife's car 11:19 < _Steve_> ok, going to test... 11:20 < jeev> ahh 11:20 < jeev> "snow tires", "wife's car" 11:20 < jeev> ok 11:20 < ecrist> oh, yeah, the wife's pregnant, if I didn't tell you 11:21 < jeev> wow 11:21 < jeev> that's awesome 11:21 < jeev> i hope you're naming it jeev. 11:21 < ecrist> lol, no 11:21 < jeev> no to which 11:21 < jeev> the one i said 11:21 < jeev> or the name ? 11:22 < ecrist> not naming it jeev 11:22 < jeev> oh 11:22 < ecrist> jack or taylor, depending 11:22 < jeev> wow 11:22 < jeev> lol 11:22 < jeev> ok 11:31 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 11:33 < _Steve__> ok, i can test now 11:34 < _Steve__> so the firewall that's running the openvpn server has two interfaces, em0 and em1. em0 is outside, em1 is inside. i want to use openvpn to bridge to the inside on em1, so i've setup bridge0 with members em1 and tap0 11:34 < _Steve__> i have "dev tap0" in my openvpn conf 11:35 < ecrist> ok, looks good 11:35 < _Steve__> i've setup the firewall software to skip the tap0, bridge0 and lo0 interfaces 11:35 < _Steve__> set skip on { lo0 tap0 bridge0 } in pf.conf 11:35 < _Steve__> i have all my keys and stuff setup 11:36 < _Steve__> i can connect from the client and the vpn itself connects fine 11:36 < _Steve__> the problem i'm having is once the vpn is up, i can't reach any internal hosts 11:37 < ecrist> firewall, I'm guessing. 11:38 < _Steve__> i even tried disabling the pfil hooks on the bridge interface per the bridge man page, but no luck 11:38 < ecrist> disable the fw rules on em1 11:38 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Connection timed out] 11:39 < _Steve__> can't do that, i have to have the rate limiting 11:39 < ecrist> um, temporarily. 
11:39 < _Steve__> can't do it even temporarily 11:40 < ecrist> jeev: why won't my damn script run in nrpe? 11:40 < ecrist> it runs locally as root, but exits 1 when run via nrpe 11:40 < _Steve__> just realized, thinking about the kernel, i may have broken things by using a custom kernel and then using freebsd-update to update... going to cvsup and rebuild/install kernel now. 11:41 < jeev> i dont know ecrist 11:41 < ecrist> well, what good are you? 11:41 < jeev> i'm the shit man 11:41 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 11:41 < jeev> ecrist, so i can get "premium" bw for about 11 bux a meg 11:42 < ecrist> jeev: so, 11000 for a gig connection? 11:42 < ecrist> that's more than your 1000 hope yesterday... 11:45 < jeev> no 11:45 < jeev> i dont want 11:45 < jeev> LOL 11:45 < jeev> i didn't say i wanted gig for 1000 11:45 < jeev> i said i wanted 100mbit for 1000 11:45 < jeev> which i can 11:45 < jeev> crapgent 11:45 < jeev> so i'll just pay 100 more and get redundancy 11:46 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)] 11:46 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 60 (Operation timed out)] 11:46 < jeev> i just have to get a nice priced PTP 11:47 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 11:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:55 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 12:12 -!- py_ [n=py@179.155-67-87.adsl-dyn.isp.belgacom.be] has quit ["Ex-Chat"] 12:20 -!- Pretto [n=pretto@ubuntu/member/pretto] has joined ##openvpn 12:21 < Pretto> why my server is unable to ping client's subnet? 12:23 < krzee> !route 12:23 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 12:26 < Pretto> krzee, the route is ok 12:27 < krzee> did you read the whole page? 12:27 < Pretto> krzee, sorry, not yes... 
12:27 < Pretto> yet* 12:27 < krzee> k 12:27 < krzee> theres more than route entries on it 12:28 < krzee> it attempts to tell you everything you need to connect a subnet behind a client and one behind a server 12:28 < Pretto> krzee, i will read it, thank you 12:30 < krzee> np 12:32 < ecrist> how goes, krzee? 12:33 * jeev is anxious 12:33 < krzee> good, and you? 12:33 < ecrist> OK, my new backup box just kernel panicked. 12:34 < ecrist> oh, you being a freebsd guy, mega raid monitoring: http://www.secure-computing.net/wiki/index.php/Megacli 12:34 < krzee> doh 12:34 < vpnHelper> Title: Megacli - Secure Computing Wiki (at www.secure-computing.net) 12:34 < ecrist> krzee: 4.4TB to fsck 12:38 < krzee> hehehe werd 12:39 * krzee tells his zfs raidz to scrub itself 12:39 < krzee> dude, 1.5 tb drives at tigerdirect for like $150 12:40 < ecrist> krzee: I can't trust this data to zfs at this point. 12:40 < ecrist> I wish I could. 12:40 < krzee> understandable 12:40 < krzee> for sure 12:41 < krzee> none of my stuff is production 12:41 < krzee> its for play 12:56 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has quit ["Leaving"] 12:58 < Pretto> krzee, i found the problem, client firewall 12:59 -!- ChanServ changed the topic of ##openvpn to: HowTo: http://openvpn.net/howto READ IT | Your problem is probably your firewall. 13:03 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 13:06 < _Steve_> heh 13:07 < _Steve_> ecrist: that megaraid monitoring link is spiffy, thanks 13:07 < _Steve_> now if only it were possible to do something like that with the LSI fusion stuff 13:07 < krzee> ecrist, nice topic change, it has been a theme in here lately 13:17 < ecrist> _Steve_: megaraid is an LSI product... 13:18 < _Steve_> but megaraid isn't fusion, right? 13:19 < ecrist> don't think so, but the utility *may* work. 
13:19 < _Steve_> i have dell 1950s that have hardware raid 13:19 < ecrist> oh, monitor it through IMPI 13:19 < ecrist> IPMI* 13:19 < ecrist> that's what we do with our 2950 13:19 < _Steve_> yeah, need to set that up and not sure how 13:19 < ecrist> let me get you my link 13:20 < ecrist> http://www.secure-computing.net/wiki/index.php/BMC_Nagios 13:20 < vpnHelper> Title: BMC Nagios - Secure Computing Wiki (at www.secure-computing.net) 13:20 < ecrist> that page has the perl scripts I wrote for it, too 13:20 < _Steve_> awesome, tanks! 13:20 < ecrist> well, hopefully, next week, I'm getting comcast business class 13:20 < _Steve_> thanks even 13:21 < _Steve_> whazzat? 13:21 < ecrist> going from my 5M/870K DSL to 16M/2M 13:21 < _Steve_> ah 13:21 < ecrist> hosting websites on 870K sucks 13:21 < _Steve_> yeah 13:24 -!- Pretto [n=pretto@ubuntu/member/pretto] has left ##openvpn ["Saindo"] 13:28 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 13:41 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 13:48 -!- ixs [n=andreas@lacht.ueber.gattinnen-im-netz.de] has quit [Read error: 113 (No route to host)] 14:03 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 14:03 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)] 14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:28 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 14:39 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)] 14:39 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 14:45 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 14:45 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)] 15:06 -!- Alives [n=Alives@cpe-74-66-27-246.nyc.res.rr.com] has joined ##openvpn 15:07 < Alives> how can i modify my push "route ... ..." 
so that it also assigns a metric? 15:09 < ecrist> add the metric to the end... 15:11 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 145 (Connection timed out)] 15:24 < Alives> push "route ... ... metric ..." ? 15:35 -!- reiffert [n=thomas@78.46.105.68] has joined ##openvpn 15:46 -!- vishous [n=jqk@ner-as21190.alshamil.net.ae] has joined ##openvpn 15:46 < ecrist> i'd give that a shot, yes 15:47 < vishous> hey .. I can't seem to get my vpn up and running .. keep getting "cannot load certificate file server.crt" "system library:fopen:no such file or directory" .. 15:47 < vishous> what gives? 15:47 < ecrist> um 15:48 < ecrist> server.crt doesn't exist... just like the error says 15:48 < vishous> sure it does .. it's in easy-rsa/keys 15:48 < vishous> but server.conf is under sample-config-files .. 15:48 < vishous> is that the cause of the problem? .. 15:49 < ecrist> you need to define the full path in the openvpn config file 15:49 < vishous> server.conf and the cert/key both on different path? 15:49 < vishous> ecrist: $KEY_DIR/server.crt should do the trick? .. after all $KEY_DIR is tied up to easy-rsa/key . 15:49 < ecrist> oh, this is an easy-rsa question? 15:50 < ecrist> follow the directions. 15:50 < vishous> just asking, if I can shorten it by placing $KEY_DIR/ before server.crt in the server.conf rather than typing the whole path out 15:51 < ecrist> no, you can't 15:52 < vishous> ecrist: and the same goes with ca.crt, client(s).crt/key , correct? 15:52 < ecrist> yes 15:56 < vishous> ecrist: Thanks. 
15:57 < jeev> so i got cogent off net pricing 15:57 < jeev> 4k/month for 200mbit on gigE 15:57 < jeev> so that means the loop is costing 2k 16:17 < jeev> ecrist 16:18 -!- vishous [n=jqk@ner-as21190.alshamil.net.ae] has quit ["Lost terminal"] 17:28 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)] 17:36 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 17:36 < _Steve_> ecrist: you around? 17:38 < ecrist> yep 17:42 < ecrist> _Steve_: I probably won't be very much longer... 17:55 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 110 (Connection timed out)] 18:00 < jeev> ecrist 18:01 < ecrist> what? 18:03 < jeev> sup baby! 18:03 < jeev> haha 18:04 -!- ebil|gonetowork [n=ebil@ip70-174-136-104.dc.dc.cox.net] has quit ["Leaving"] 18:11 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 18:12 < _Steve_> ecrist? 18:13 < ecrist> what? 18:13 < _Steve_> just wondering if you're here 18:13 < _Steve_> still working on my system 18:13 < _Steve_> i tried disabling the firewall on the internal interface completely, but my problem still persists. 18:14 < _Steve_> so i don't know what the heck to do next 18:14 < _Steve_> i still get connected to the vpn fine, but can't ping the internal interface. 18:14 < _Steve_> or any internal IP 18:15 < ecrist> sounds like your bridge isn't set up 18:17 < _Steve_> member: em1 flags=143 18:17 < _Steve_> member: tap0 flags=143 18:17 < _Steve_> it's up 18:18 < _Steve_> and yet, screwing with it, waiting and finally it is all working 18:18 < _Steve_> is bridging on 7.0 flaky? 18:19 < _Steve_> Fri 11/07/08 07:19 PM: Replay-window backtrack occurred [1] 18:19 < _Steve_> Fri 11/07/08 07:19 PM: Replay-window backtrack occurred [2] 18:19 < _Steve_> weird. 18:23 < _Steve_> brb, going to reboot the server and test that this comes up right this time... 18:23 < _Steve_> tired of having it break every time i reboot... 
18:23 < _Steve_> oh wait, heh, i'm not using that right now.... 18:26 < _Steve_> ecrist: ok, so i'm finding that i need to "ifconfig bridge0 up" after a reboot 18:27 < ecrist> sure 18:27 < _Steve_> the question is why 18:27 < ecrist> how are you building the bridge? 18:27 < _Steve_> would you take a look at my rc.conf? 18:27 < _Steve_> one sec 18:27 < ecrist> ah, in rc.conf 18:28 < ecrist> well, the bridge can't come 'up' because tap0 hasn't been built yet when the bridge is created. 18:28 < ecrist> as I said, build the bridge with a script and have openvpn run it 18:28 < ecrist> iirc, i told you that two days ago 18:28 < _Steve_> http://pastebin.com/d14021885 18:29 < _Steve_> you said to use the scripts, but that's all. i'm not sure how. i've seen example of using the scripts with tun setups, but no examples for tap setups. 18:29 < _Steve_> i'm not trying to be a dufus, i just haven't seen the right examples i guess, so i'm doing what i can. 18:30 < ecrist> well, for your sake, I hope I don't go look at the howto and find the information you need... 18:31 < _Steve_> you can beat me all you want if you find it, but i haven't found it. 18:33 < ecrist> roh-roh jorge... 18:33 < ecrist> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 18:33 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 18:33 < ecrist> look for bridge-start and bridge-stop 18:34 < ecrist> alternatively, there is an up-script and down-script you have as part of the server.conf 18:34 < _Steve_> where? 18:35 < ecrist> http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html 18:35 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 18:35 < ecrist> search for --up and --down 18:35 < ecrist> amazing what you can find when you read the docs... 
18:36 < _Steve_> none of that looks as plug and play as i was hoping 18:36 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn 18:36 < _Steve_> and, i am heading out of town monday 18:36 < _Steve_> so i just want to get it pseudo working until i get back 18:37 < _Steve_> so manually bringing the bridge up after reboot is ok. everything else seems to just work after that. 18:37 < _Steve_> and actually i'm not sure why i need the scripts 18:37 < ecrist> to bring the bridge up 18:38 < ecrist> although you may not be trying hard, you are succeeding in being a dufus 18:38 < _Steve_> heh 18:39 < _Steve_> i guess what i don't understand is if i have the system build the interfaces and bring them up, what does openvpn need the scripts for? you said "to bring the bridge up", but i do that manually, once, after booting, setting up interfaces and starting openvpn, and it doesn't need to be done again, does it? 18:41 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 18:42 < Luria> so, ive been running stable for ages, and now for some reason, over the last few days, openvpn can't seem to use route to do my routing table pull 18:43 < Luria> if i pkill openvpn, i get route delete command failed: shell command failed with error status: 7 18:44 < Luria> any thoughts? 18:46 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 18:46 < ecrist> changes to your kernel? 18:47 < onats> morning 18:48 < Luria> hmm. could be. 18:49 < Luria> sigh, i hate linux sometimes. 18:51 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 18:55 < _Steve_> ecrist: is the answer to my question obvious and in the docs? 18:57 < _Steve_> i just don't get what it needs the scripts for. i'll set them up later if that's the right thing, but i don't want to risk breaking what's sorta working for me right now. 
19:12 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 19:19 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Remote closed the connection] 19:29 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 110 (Connection timed out)] 19:32 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 110 (Connection timed out)] 20:20 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 20:45 * ecrist thinks _Steve_ needs to get a clue. 20:57 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 20:57 * jeev thinks ecrist is a dork 20:58 * ecrist doesn't care what jeev thinks 20:58 * jeev is #1 20:58 < jeev> ecrist, i'll show my friends dad, he'll give me a quote on wiring 20:58 < jeev> then i'll get the speakers, quote those 20:59 < jeev> and find a good amp, quote that 20:59 < jeev> if they want it, ok 20:59 < jeev> it's his restaurant, he has two houses at mount olympus 20:59 < jeev> has race horses 20:59 < jeev> he's rich++ 20:59 < ecrist> Speco on the speakers, good 6 1/2 with voice coil, and a crown amp. 21:00 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 21:03 < jeev> they dont want the speakers visible 21:03 < jeev> i'll take a pic for you and show it 21:03 < jeev> when i can 21:03 < jeev> it's like a car speaker 21:03 < jeev> recessed i guess you could say 21:03 < ecrist> jeev: I'm not an idiot 21:03 < jeev> you look at the wall, maybe the caging sticks out 1 cm or 2cm 21:03 < jeev> ;) 21:04 < ecrist> That's the speakers i've been recommending. in-wall or in-ceiling. 21:04 < jeev> oh oki cool 21:04 < ecrist> I recommend in-ceiling, easier to design a thorough system. 21:04 < jeev> i'll definitely check it out 21:04 < jeev> it is in-ceiling 21:04 < jeev> it has good bass, all that crap right 21:04 * ecrist wonders why jeev is trying to sell something he knows nothing about. 
21:04 < jeev> :) 21:05 < ecrist> jeev: to give you an idea, i used to install $200K home theatre systems, and $100K commercial audio systems. 21:05 < jeev> ok o kok 21:05 < ecrist> a little restaurant like that is childs play 21:05 < jeev> okie dokie 21:05 < jeev> karaoke 21:06 * ecrist installed home theatre for a bunch of former, really well known viking players 21:10 < jeev> cool fool 21:10 < jeev> how is your box 21:10 < jeev> is it back up 21:10 < jeev> or still fscking 21:10 < jeev> D 21:10 < jeev> ;D 21:16 < ecrist> it would still be fscking, so I just blew the array away and started over. 21:17 < ecrist> only 700GB of actual data on there at the time. 21:17 < jeev> heh 21:17 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 21:18 < ecrist> off for the night 21:18 < jeev> good night 21:23 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)] 22:05 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)] 22:11 -!- Luria [n=trashed@pool-151-202-77-13.ny325.east.verizon.net] has joined ##openvpn 22:16 -!- wjn7 [n=will@lakecity.kanobe.net] has joined ##openvpn 22:16 < wjn7> hi everyone I was wondering if I could get some help? 22:18 < wjn7> is this the correct room to be in for help? 22:30 -!- wjn7 [n=will@lakecity.kanobe.net] has quit [Read error: 145 (Connection timed out)] 22:46 < krzee> 1ask 22:46 < krzee> !ask 22:46 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/ 22:47 -!- intralanman [n=lanman@99-196-41-90.cust.wildblue.net] has joined ##openvpn 22:48 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Nick collision from services.] 22:48 -!- intralanman is now known as [intra]lanman 23:59 < _Steve_> wow, user had LAN IPs conflicting with internal IPs 23:59 < _Steve_> couldn't change it, firmware had it hard coded. 
23:59 < _Steve_> user upgraded firmware, everything was fine. --- Day changed Sat Nov 08 2008 00:43 -!- CppIsWeird [i=dude@unaffiliated/cppisweird] has quit [] 01:25 -!- Luria [n=trashed@pool-151-202-77-13.ny325.east.verizon.net] has quit [Read error: 110 (Connection timed out)] 01:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 02:13 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 02:14 < onats> anyone up? 02:14 < onats> how should i configure my vpn server /client so that hostnames on one side get resolved on the other? 02:19 -!- gallatin [n=gallatin@dslb-092-073-116-128.pools.arcor-ip.net] has joined ##OpenVPN 02:26 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 03:57 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 04:15 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 05:51 -!- LordDoskias [i=Nikisoft@unaffiliated/lorddoskias] has joined ##openvpn 05:52 < LordDoskias> hello - i've got a question regarding the cipher option - what does it pertain to ? 05:52 < LordDoskias> the HMAC firewall? That is - the cipher option tells openvpn which cipher to use for the HMAC firewall capability ? 05:56 -!- FlaPer87 [n=FlaPer87@unaffiliated/flaper87] has joined ##openvpn 05:58 < FlaPer87> hey guys, does any of you use openvpn with linux ? I can't connect, I get this tun0 device error http://pastebin.com/m4429b31b 05:58 < FlaPer87> I've loaded the tun module 05:58 < FlaPer87> and there's the /dev/net/tun device 05:58 < FlaPer87> but not the tun0 network device 06:01 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 06:02 < reiffert> paste your server and client config. 06:04 < FlaPer87> reiffert: http://rafb.net/p/XhEEdd49.html 06:04 < vpnHelper> Title: Nopaste - conf (at rafb.net) 06:04 < FlaPer87> I don't have the server conf 06:06 < LordDoskias> no one has idea about the cipher directive? 06:07 < FlaPer87> reiffert: any idea? 
06:08 < reiffert> FlaPer87: paste the complete log please. 06:10 < FlaPer87> reiffert: http://rafb.net/p/fbfBtc50.html 06:10 < vpnHelper> Title: Nopaste - No description (at rafb.net) 06:11 < reiffert> Sat Nov 8 13:08:33 2008 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: topology (2.0.9) 06:12 < reiffert> Get the recent 2.1rc openvpn. 06:12 < reiffert> 2.1_rc13 06:12 < FlaPer87> reiffert: ok, let's try 06:21 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 06:25 -!- LordDoskias [i=Nikisoft@unaffiliated/lorddoskias] has quit ["cold as ice"] 06:35 -!- FlaPer87 [n=FlaPer87@unaffiliated/flaper87] has quit [Read error: 110 (Connection timed out)] 06:48 -!- reiffert [n=thomas@78.46.105.68] has quit ["Reconnecting"] 06:48 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 07:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 07:31 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn 07:32 < Cisien> I am trying to setup my router as the client (OpenWrt), and have it advertise the 192.168.1.0 network, however, I am getting a destination port timeout error when i try to ping the vpn server's tunnel address, the router can access everything over the tunnel fine 07:33 < Cisien> i added the route and iroute statement with the 192.168.1.0 address in the client's ccd file, i see the server loads this info, and i see the 192.168.1.0 route being pointed to the tunnel interface on the server 07:33 < Cisien> I don't see anything in the client's routing table or log (assuming redirect-gateway ref1 accomplishes this) 07:38 < krzee> what do you expect to see in clients routing table about its lan? 
07:38 < krzee> i would expect it already has a route to its own lan 07:40 < Cisien> aye, the router knows about it's own lan 07:40 < Cisien> and about the 10.x network 07:40 < Cisien> the server knows about the 10.x network and the 192.168.1.x network 07:41 < Cisien> the router has a default gateway (with a mask of 128.0.0.0) which points to the vpn tun 07:42 < Cisien> both sides have firewall rules which accept and forward tun0 stuff 07:49 < Cisien> Configs: http://pastebin.com/d7147f30e 07:52 -!- gallatin [n=gallatin@dslb-092-073-116-128.pools.arcor-ip.net] has quit [Read error: 145 (Connection timed out)] 07:53 < krzee> and does the router on 192.168.1.0 network know about the route to the VPN? 07:54 < krzee> oh the router IS the client, so of course it does 07:57 < Cisien> yeah 07:58 < Cisien> let me collect the logs, i'll probably be disconnected 08:10 < krzee> http://www.lukesurl.com/archives/198?retry 08:10 < vpnHelper> Title: Luke Surl Comics » Archive (at www.lukesurl.com) 08:11 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Nick collision from services.] 08:11 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn 08:13 < Cisien> server log: http://www.exoronet.net/apache2-default/openvpn.log client log: http://pastebin.com/d2b0fe7e5 08:18 < krzee> Sat Nov 8 06:01:07 2008 us=774913 user4.client.vps.exoronet.net/210.5.236.28:58014 MULTI: bad source address from client [192.168.190.41], packet dropped 08:18 < krzee> that is the machine with 192.168.1.x behind it? 08:18 < Cisien> yeah 08:18 < Cisien> thats the "wan" ip for this router 08:19 < Cisien> the server shouldn't even be seeing it 08:19 < krzee> it is sending packets to the server with that source 08:20 < krzee> you could give an iroute to fix that 08:20 < krzee> well, by fix i mean to accept that source address as being tied to that client 08:20 < Cisien> the client config specifically routes those packets to the 190.1, or do i need to add an iroute on the client to do that? 
08:21 < krzee> your server is getting packets from 192.168.190.41 and saying "wtf?" 08:22 < krzee> an iroute will stop it from saying "wtf" cause it'll know about the 192.168.190.x network being behind that client 08:22 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has joined ##openvpn 08:22 < sibiria> hello. anyone using the windows openvpn gui? 08:22 < sibiria> it's giving me weird problems 08:22 < sibiria> i am trying to set up a static link, using "secret blah.key" 08:22 < Cisien> the server shouldnt know about that network though, it's the router's 'wan' network 08:23 < sibiria> but it whines at me, saying "specify only one of --tls-server, --tls-client or --secret" 08:23 < sibiria> and i am not specifying anything tls 08:23 < Cisien> client or server both imply tls-client (server) 08:23 < Cisien> you need to specify secret in place of client or server 08:24 < sibiria> ah, the "client" keyword was troubling 08:24 < sibiria> thank you, it now fires up (but refuses to establish connection) 08:24 < sibiria> at least i'm this far 08:25 < Cisien> 192.168.1.0 -> router -> (no vpn.. -> NAT to 192.168.190.41) (with vpn route to 10.0.10.1), etc 08:26 < Cisien> sibiria, port forwarding, blocked ports, etc 08:28 < sibiria> i believe that part is working on the server 08:28 < sibiria> i think, anyway... i'm not familiar with using openvpn to provide a single, static link 08:28 < sibiria> i am running another instance on another port, as tls server 08:29 < sibiria> but i need to run one single static key link as well 08:29 < sibiria> i've set the static server to "ifconfig 192.168.5.1 192.168.5.2" 08:30 < krzee> Cisien, well you gotta figure out why the OS is using the 190 source address 08:30 < sibiria> do i need to set the client's virtual interface to 192.168.5.2?
08:30 < krzee> i think you just use ifconfig 08:30 < krzee> on both client and server 08:30 < krzee> like ifconfig 10.8.0.1 10.8.0.2 on one 08:31 < krzee> and reverse the ips on the other 08:31 < sibiria> so i should let the client's network configuration sit as dhcp 08:31 < krzee> and use mode p2p 08:31 < sibiria> (it's a windows box) 08:31 < krzee> you're using tun right? 08:31 < sibiria> yes 08:31 < Cisien> ooh, bind it to the ip 08:31 < krzee> then theres no dhcp 08:31 < krzee> openvpn will give client the ip 08:32 < krzee> the vpn ip 08:32 < krzee> how the client machine gets its LAN ip on the network dont matter 08:33 < sibiria> just curious... do the interfaces specified in ifconfig need to reside in the network the actual link is on? 08:33 < sibiria> the hardware link that is 08:34 < Cisien> bah, that didn't work 08:34 < Cisien> i wasn't getting the 'wtf' messages from the server anymore, though 08:36 < Cisien> hrm, wait, i think i may have forgotten the client's iptables rules 08:37 < sibiria> hm... the wireless interface is 192.168.2.1 08:37 < sibiria> the PC is 192.168.2.2 08:38 < Cisien> hrm? 08:38 < sibiria> must i put the two virtual endpoints inside the same network? 08:38 < sibiria> ifconfig 192.168.1.128 ...1.129 f.e. 08:38 < sibiria> ? 08:38 < Cisien> route? 08:39 < sibiria> route? 08:39 < sibiria> where? how? what? 08:39 < sibiria> problem is the client doesn't even contact the server 08:39 < sibiria> server is up, listening 08:39 < Cisien> the ports are open, no firewall rules in the way? 08:40 < krzee> sounds firewalltastic 08:40 < sibiria> sure 08:40 < sibiria> no fw problem 08:40 < krzee> ISP firewall could be 08:40 < krzee> try port 53 udp 08:40 < sibiria> it's in my LAN 08:40 < krzee> oh 08:40 < Cisien> this is going from wireless client to router, right? 08:40 < krzee> you using redirect gateway? 08:40 < sibiria> yes, and yes 08:40 < krzee> dont forget to use local 08:40 < Cisien> you specified a local and remote?
08:40 < sibiria> but first things first: client must talk to vpn server to begin with 08:40 < sibiria> yes 08:40 < krzee> !local 08:40 < sibiria> i used my tls server configs as a base 08:40 < vpnHelper> krzee: Error: "local" is not a valid command. 08:40 < sibiria> just modded them 08:41 < krzee> hrmz 08:41 < krzee> !wireless 08:41 < vpnHelper> krzee: Error: "wireless" is not a valid command. 08:41 < krzee> !wifi 08:41 < vpnHelper> krzee: Error: "wifi" is not a valid command. 08:41 < Cisien> fail 08:41 < krzee> weakness 08:41 < krzee> ya 08:41 < krzee> failboat 08:41 < sibiria> wireless has nothing to do with it 08:41 < krzee> no it doesnt 08:41 < sibiria> it'd be the same had i used ethernet 08:41 < krzee> but i thought i had stuff in there on the bot for them 08:41 < krzee> !man 08:41 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 08:42 < Cisien> Sat Nov 8 06:01:05 2008 us=456782 user4.client.vps.exoronet.net/210.5.236.28:58014 OPTIONS IMPORT: reading client specific options from: ccd/user4.client.vps.exoronet.net 08:42 < Cisien> Sat Nov 8 06:01:05 2008 us=456876 user4.client.vps.exoronet.net/210.5.236.28:58014 Options error: option 'route' cannot be used in this context 08:42 < Cisien> could that be a problem? 08:42 < krzee> !learn local as a flag for --redirect gateway, Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. 08:42 < vpnHelper> krzee: The operation succeeded. 08:43 < Cisien> where does route go if not in the ccd file? 08:43 < krzee> for the .190?
08:43 < Cisien> for the 1.0 08:43 < krzee> server config file 08:43 < krzee> !route 08:43 < Cisien> ahh 08:43 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 08:43 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has quit ["My damn controlling terminal disappeared!"] 08:43 < krzee> i made a writeup for everything you need to know 08:44 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has joined ##openvpn 08:44 < sibiria> found it :p 08:44 < sibiria> crlf vs cr/lf issue on the windows side 08:44 < sibiria> damned microsoft "standards" 08:44 < sibiria> a keyword was ignored 08:49 < sibiria> brb, screen 08:49 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has quit [Client Quit] 08:49 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has joined ##openvpn 08:52 < krzee> aww 08:52 < krzee> i just noticed your hostname 08:52 < krzee> and im jealous 08:55 < Cisien> bah, moving the route command from the ccd to the server config didn't help 08:56 < krzee> did you read all of !route? 08:56 < krzee> !route 08:56 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 08:57 < Cisien> krzee, haven't read any of it yet 08:57 * Cisien reads 08:57 < krzee> well i took a lot of time to go over everything you should need to know there 08:57 < krzee> even made a drawing to accompany it at the bottom 08:57 < Cisien> pretty 09:01 < Cisien> other than the push "route" entries, which i don't need, i have everything in this example that applies 09:09 < krzee> !topology 09:09 < vpnHelper> krzee: "topology" is it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
09:09 < krzee> (that was for me) 09:15 < sibiria> man, i found another mistake 09:15 < sibiria> i was using tun0 for both instances of openvpn 09:15 < sibiria> no wonder one dropped when i initiated the other 09:22 < krzee> i never caught that you were running 2 09:22 < krzee> you're running 2 p2p vpns? 09:24 < krzee> just use certs and you only need 1 instance of ovpn on each machine 09:28 < sibiria> one is running certs 09:28 < sibiria> problem with that is that windows keeps experiencing timeouts and latency 09:28 < sibiria> doesn't happen with a static setup 09:29 < sibiria> and my roommate is all over me 'coz he plays WoW etc. 09:29 < krzee> werd 09:29 < krzee> hey if it works better, then cool 09:29 < krzee> heh 09:29 < krzee> !dhcp 09:29 < vpnHelper> krzee: Error: "dhcp" is not a valid command. 09:29 < krzee> !learn dhcp as "redirect-gateway bypass-dhcp" gets around the problem of DHCP packets 09:29 < krzee> to the local DHCP server being incorrectly routed into the tunnel. 09:29 < vpnHelper> krzee: The operation succeeded. 09:29 < krzee> bleh 09:29 < sibiria> my OS X and FreeBSD machines have no latency whatsoever with the cert-setup.... just windows which is giving me a pain here 09:30 < krzee> !learn dhcp as "redirect-gateway bypass-dhcp" gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. 09:30 < vpnHelper> krzee: The operation succeeded. 09:30 < krzee> !forget dhcp 1 09:30 < vpnHelper> krzee: The operation succeeded. 09:31 < krzee> !learn dhcp as "redirect-gateway bypass-dhcp" gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1 09:31 < vpnHelper> krzee: The operation succeeded. 09:31 < krzee> !forget dhcp 1 09:31 < vpnHelper> krzee: The operation succeeded. 09:46 < sibiria> when using a static setup, is there anything different i have to do in order to get the "redirect gateway local def1" statement to work?
09:46 < sibiria> i know i removed the "client" keyword from the static config 09:46 < sibiria> i believe that is what's requesting this info from the other point 09:46 < krzee> tbh ive never used static setup 09:47 < sibiria> seems the client in the static setup isn't getting info about its gateway and dns etc. 09:47 < sibiria> the connection itself works fine now, though, thanks to your hints 09:47 < krzee> maybe you gotta push the routes manually 09:47 < krzee> instead of using redirect-gateway 09:48 < sibiria> let's see what the docs have to say 09:48 < krzee> would make sense that redirect-gateway had been made for mode server to use the ip that mode server gave it 09:49 < krzee> whereas you are assigning ip based on ifconfig 09:49 < krzee> you prolly hafta push the route manually instead of relying on redirect-gateway to know what ip you gave yourself 09:50 < sibiria> what would the command for this be? 09:50 < krzee> push route 09:50 < sibiria> all traffic needs to be redirected 09:50 < krzee> !push 09:50 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 09:50 < krzee> !def1 09:50 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 09:50 < sibiria> that is, use the vpn as the default gateway for all outgoing 09:50 < krzee> look at how def1 accomplishes it 09:51 < krzee> do the same manually 09:51 < krzee> push the route to clients 09:51 < krzee> so use the route command, inside the push command 09:51 < sibiria> push route def1 <- like so? 
09:51 < krzee> no 09:51 < krzee> def1 uses 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0 09:52 < krzee> sending traffic headed to 0.0.0.0/1 and 128.0.0.0/1 is a new default route 09:52 < krzee> that does not over-write the old default route 09:52 < krzee> This has the benefit of overriding but not wiping out the original default gateway. 09:52 < sibiria> that is what i want to do, though 09:52 < krzee> so if vpn goes down, no inet? 09:53 < sibiria> correct, 'coz that would mean someone else would be able to route outside of the vpn 09:53 < sibiria> the link is wireless, and 50 ppl are in our vicinity 09:53 < krzee> ok so push a route to 0.0.0.0/0 09:54 < krzee> !man 09:54 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 09:54 < krzee> read --route 09:54 < krzee> if using 2.1, use !betaman instead 09:54 < krzee> !learn man as [betaman] for 2.1 09:54 < vpnHelper> krzee: The operation succeeded. 09:54 < krzee> !man 09:54 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 10:10 < sibiria> seems it's not possible to 'pull' info from the server endpoint in static mode 10:10 < sibiria> hence no point pushing it 10:11 < Cisien> have you tried adding 'pull' to the client-side config?
10:11 < sibiria> 'pull' keyword only available when connecting to a cert-server 10:11 < sibiria> yes 10:11 < Cisien> doh 10:11 < krzee> oh true 10:11 < sibiria> so i have to manually issue the route commands 10:11 < sibiria> and i don't know how yet :) 10:11 < krzee> no, you just add it to the right config 10:12 < krzee> instead of pushing, add it without push to the other config 10:12 < Cisien> instead of push "route" in the server side config 10:12 < Cisien> just use route x.x.x.x y.y.y.y gw.gw.gw.gw 10:12 < krzee> there is no server side 10:31 < sibiria> how do i delete the default gw using the route command? 10:32 < sibiria> from the config file, that is 10:32 < Cisien> reassign it, maybe? 10:33 < sibiria> windows actually makes two default gw's when i do that 10:33 < sibiria> i now have "route 0.0.0.0 0.0.0.0 vpn_gateway 1" 10:33 < sibiria> which gives me a correct route - in addition to the err one that is present from start 10:34 < sibiria> every traffic sent first tries through the first one, then 3 sec later falls back to the one i added 10:34 < Cisien> try duplicating the ref1 function, make 2 routes, 0.0.0.0 128.0.0.0 and 128.0.0.0 128.0.0.0 10:34 < Cisien> give yours a lower metric?
10:35 < sibiria> i'll try giving it metric 0 10:35 < sibiria> that gave it metric 30 in windows routing table :) 10:36 < sibiria> i wish i could see exactly what the "redirect-gateway" 'macro' executes on the client side of my cert-setup 10:39 < krzee> could have an up script remove the other route 10:39 < krzee> --up 10:40 < krzee> same script could optionally add the new route too 10:41 < sibiria> i'm doing that now 10:41 < sibiria> clumsy, but it will have to do until i can find out how to do it properly 10:41 < krzee> not very clumsy 10:41 < krzee> that is what --up is for 10:41 < krzee> !man 10:41 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 10:42 < sibiria> yeah, but, having openvpn doing it seems "the right way" 10:42 < krzee> Typically, cmd will run a script to add routes to the tunnel. 10:42 < krzee> --up cmd 10:42 < krzee> Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel. 10:43 < krzee> For --dev tun execute as: 10:43 < krzee> cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ] 10:43 < krzee> up script knows those env variables as $1 $2 etc 10:43 < krzee> or it can just be static 10:44 < krzee> and openvpn is doing it 10:44 < krzee> it is calling your script for you =] 10:44 < krzee> Normally the up script is called after the TUN/TAP device is opened. In this context, the last command line parameter passed to the script will be init. If the --up-restart option is also used, the up script will be called for restarts as well. 
A restart is considered to be a partial reinitialization of OpenVPN where the TUN/TAP instance is preserved (the --persist-tun option will enable such preservation). A restart can be generated by a SIGUSR1 sig 10:44 < krzee> nal, a --ping-restart timeout, or a connection reset when the TCP protocol is enabled with the --proto option. If a restart occurs, and --up-restart has been specified, the up script will be called with restart as the last parameter. 10:45 < krzee> you dont need that stuff, but just showing you its pretty versatile =] 10:45 * Cisien sets up the up-script for his firewall! 10:46 < sibiria> well this works for now. i'll be back and whine over how to optimize mtu's etc. to get rid of the random stalls another day :p 10:46 < sibiria> thanks a lot for the help, krzee and Cisien 10:46 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has quit ["[BX] 2000: year of the BitchX"] 10:50 < Cisien> now, that i'm done untangling enough cat-5 to wire up a skyscraper, time to continue fucking with this client routing problem 10:50 * Cisien has a feeling it's on his router's firewall 10:56 -!- thomas [i=tm@81.92.168.148] has joined ##openvpn 10:56 < thomas> hello. 10:56 < thomas> with the new versions 2.1.X 10:56 < thomas> client-connect "./traffic.php verbunden '' '' '' $trusted_ip $ifconfig_pool_remote_ip $common_name" 10:56 < thomas> client-disconnect "./traffic.php getrennt '' $bytes_received $bytes_sent '' '' $common_name" 10:57 < thomas> is the variable, the value, the name of variable 10:57 < thomas> with echo $argv[4] i have no a ip, i have "$trusted_ip" 10:57 < thomas> is it normal? 10:59 < reiffert> let's have a look into the manpage 10:59 < reiffert> The script is passed the common name and IP address of the just-authenticated client as environmental variables (see environmental variable section below).
10:59 < reiffert> The script is also passed the pathname of a not-yet-created temporary file as $1 (i.e. the first command line argument), to be used by the script to pass dynamically generated config file directives back to OpenVPN. 11:00 < reiffert> what you can do is call a shellscript with the following content: 11:00 < reiffert> #!/bin/bash 11:00 < reiffert> set > /tmp/environment_vars 11:01 < reiffert> echo "$0" >> /tmp/argv_vars 11:01 < reiffert> echo "$1" >> /tmp/argv_vars 11:01 < reiffert> echo "$2" >> /tmp/argv_vars 11:01 < reiffert> you get the idea. 11:03 -!- KillerX [n=anant@gentoo/developer/KillerX] has joined ##openvpn 11:03 < KillerX> Hi, is there anyway I can tell the OpenVPN client to tunnel only /certain/ HTTP traffic through the VPN? 11:03 < KillerX> eg: I want to use the VPN when I visit hulu.com, but not for other websites ;) 11:03 < KillerX> pandora.com maybe :D 11:04 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Remote closed the connection] 11:05 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 11:05 < reiffert> It's part of the routing capabilties of your OS. 11:06 < KillerX> Oh 11:06 < KillerX> I'm on a Mac 11:06 < KillerX> so I use /sbin/route? 11:06 < reiffert> yep. 11:06 < _Steve_> KillerX: you'll want an http proxy for routing certain http traffic through the vpn and others not 11:07 < reiffert> _Steve_: no, he doesnt. 11:07 -!- Cisien [n=Chris@210.5.236.28] has quit [Read error: 60 (Operation timed out)] 11:07 * KillerX looks up man route 11:07 < KillerX> How do I find out what my VPN's gateway is? 11:08 < reiffert> KillerX: on linux i'd write: route add -host 66.151.149.78 dev tun0 or similar.
11:08 -!- Cisien [n=Chris@210.5.236.28] has joined ##openvpn 11:08 < KillerX> oh just say tun0, no need to specify the gateway IP I see 11:08 < KillerX> excellent 11:08 < reiffert> KillerX: you will get the VPN's gateway IP in the --up shell script (you have to write for your own), see manpage. 11:08 < KillerX> reiffert: thanks a bunch! 11:09 < reiffert> See the "Environmental Variables" section below for additional 11:09 < reiffert> parameters passed as environmental variables. 11:10 < reiffert> KillerX: I have *no* idea how osx handles it. However, adding the route in the --up script is a working approach. 11:11 < reiffert> _Steve_: let's have a look at your proposal: It requires to *have* an http proxy and it requires further to tell the http *client*: Send all the stuff to the http proxy. 11:11 < reiffert> _Steve_: what do you think is easier? 11:11 < reiffert> _Steve_: well "Send all the stuff to the http proxy" == "Send all the stuff that wants to go to pandora.com through the proxy" 11:14 < reiffert> _Steve_: using routing, the kernel will just send all packets with destination ip addr pandora.com to whatever is written in the routing table, e.g. the vpn interface. 11:24 < _Steve_> ok, i guess you're right. 11:28 -!- eX|Nazha [n=nchin@60.54.112.191] has joined ##openvpn 11:28 < eX|Nazha> Hi 11:28 < eX|Nazha> anyone here? 11:30 < eX|Nazha> Ok, I have setup VPN and Socks5 in my VPN server... I got slow connection after an hour.. even, i take 15sec to disconnect from VPN.. 11:30 < eX|Nazha> if i reconnect.. my connection become faster. 11:37 < KillerX> thanks all 11:37 -!- KillerX [n=anant@gentoo/developer/KillerX] has left ##openvpn [] 11:41 -!- Cisien [n=Chris@210.5.236.28] has quit [Read error: 110 (Connection timed out)] 11:43 < eX|Nazha> Ok, I have setup VPN and Socks5 in my VPN server... I got slow connection after an hour.. even, i take 15sec to disconnect from VPN.. 11:44 < eX|Nazha> if i reconnect.. my connection become faster. 
11:59 -!- bandini [n=bandini@host96-25-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 12:04 < eX|Nazha> Ok, I have setup VPN and Socks5 in my VPN server... I got slow connection after an hour.. even, i take 15sec to disconnect from VPN.. 12:04 < eX|Nazha> if i reconnect.. my connection become faster. 12:46 < krzee> tcp vpn? 12:47 < krzee> actually i think this doc applies either way to that setup 12:47 < krzee> !tcp 12:47 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 12:48 < krzee> err no it should only apply if you are using tcp vpn 13:00 < jeev> damn 13:00 < jeev> my * is borke 13:09 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn 13:33 -!- aditsu [n=chatzill@pcd607230.netvigator.com] has joined ##openvpn 13:41 < Cisien> anyone know how i can route port 80 traffic away from the vpn? 13:59 -!- aditsu [n=chatzill@pcd607230.netvigator.com] has quit ["Chatzilla 0.9.75.1 [SeaMonkey 1.1.11/2008072400]"] 14:09 < krzee> huh? 14:12 -!- Luria [n=trashed@151.202.77.13] has joined ##openvpn 14:34 < Cisien> krzee, i want everything except port 80 to be routed over the vpn, port 80 should be routed to another gateway, on the network i'm plugged into 14:34 < Cisien> web browsing is faster if i use this guy's proxy, plus the captive portal times out from time to time and i need to re-login 14:57 -!- Luria [n=trashed@151.202.77.13] has quit [Nick collision from services.] 14:57 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 14:57 < Luria> quick question, can i use two port commands in one server conf to listen on two ports?
14:57 < Luria> (sorry, vpn problems killed me earlier) 15:02 -!- bandini [n=bandini@host96-25-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 15:29 < Cisien> Luria, you have separate openvpn config files/instances 15:36 < Luria> ah, yeah, i found that on the mailing lists. not ideal, but ok 15:36 < Luria> thanks 15:36 < Luria> yay, now i have a vpn for me and a vpn for my parents' house 15:36 < Luria> next, to link them 15:37 < Luria> for great routing justice 15:38 < Cisien> hrm, wrong channel? :P 15:38 < Luria> yes 15:39 < Luria> well, since its on two wrt installs, i should have just cross posted 15:39 < Luria> but i digress. apparently, white russian has problems with config files in initd 15:40 < Luria> first ntpclient neglects to put -s in the command line (brilliant. poll the ntp server, but dont actually set the time) 15:40 < Luria> now, no openvpn startup script 16:15 < Cisien> Luria, i always just used ntpd for my time needs 16:16 < Cisien> i get a kick out of openvpn bitching because the cert is not yet valid - only because ntpd hasn't finished setting the time 16:23 < Luria> thats how i figured out i had ntp problems 17:08 -!- Weasel[DK] [n=Weasel[D@93.164.121.150] has joined ##openvpn 17:08 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)] 17:09 < ecrist> sup bitches? 17:10 < Weasel[DK]> hi... when i put push "route 192.168.1.0 255.255.255.0" on the server side i would expect to see a corresponding routing line on the client side ? 17:11 < Weasel[DK]> but it don't show up ? 17:13 < Weasel[DK]> or do i need to put something int the client config.... if i understand the docs, a push should be enough 17:14 < ecrist> Weasel[DK]: that should show up, yes 17:16 < Weasel[DK]> ok what could be wrong...
the tunnel works fine to the server, but i miss the route to the subnet behind the server 17:17 < Weasel[DK]> besides defining it in the client config 17:29 < Weasel[DK]> maybe it could be because i run the tunnel with static key. ? 17:29 < ecrist> have I seen your client config? 17:30 < Weasel[DK]> ecrist, i just noticed that there is a pull option, when i put it in the log says i need tls-* 17:31 < Weasel[DK]> suppose it is default on in tls mode 17:33 < ecrist> have you read the howto? 17:33 < ecrist> !howto 17:33 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:37 < Weasel[DK]> ecrist, yeah but i jumped over the CA stuff and went for static.key instead... 17:38 < ecrist> afaik, your problem has nothing to do with static key 17:40 < Weasel[DK]> ecrist, ok, but when i place a pull in the client config it complains about tls in the logs.... i can publish my config if you like. 17:42 < Weasel[DK]> http://pastebin.com/d2a2e3f04 17:45 < Weasel[DK]> for server http://pastebin.com/d6d5f8cf4 18:02 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Read error: 60 (Operation timed out)] 18:11 < Weasel[DK]> ecrist, it is the CA/TLS stuff that prevented the push 18:12 < Weasel[DK]> after i switched to TLS it works great 18:16 < Weasel[DK]> well c u later.... i really need to get some sleep now :) 18:18 -!- Weasel[DK] [n=Weasel[D@93.164.121.150] has quit ["Leaving"] 18:34 -!- itchi [n=David@unaffiliated/itchi] has joined ##openvpn 18:36 < itchi> Hi, openvpn is working like a charm since some years now. Still using it for personal usage... I wonder if i can set up something to get hostname lookup. Right now i always need to work on ip and wonder if i can setup bind9 for my issue 18:37 < itchi> Ideally, each client getting a ip should update the bind zone. Dunno if this is possible.
Still searching on the web 18:38 -!- AlmightyOatmeal [n=jamie@68-185-102-197.dhcp.mdsn.wi.charter.com] has joined ##openvpn 18:40 < AlmightyOatmeal> i've got openvpn on win32 connecting to freebsd.. it works, but how can i be sure windows is using the vpn connection rather than the regular network connection? 18:40 < itchi> AlmightyOatmeal: Are you able to ping the ip you got of openvpn? 18:40 < AlmightyOatmeal> itchi: good question, never tried that o:) 18:41 < reiffert> AlmightyOatmeal: you can be sure when using appropriate routing rules. 18:41 < AlmightyOatmeal> reiffert: in windows? 18:41 < reiffert> AlmightyOatmeal: yes. 18:42 < itchi> I usually just route all :-) 18:42 < AlmightyOatmeal> how so? i guess i haven't really changed anything :( 18:44 < AlmightyOatmeal> umm k... 18:45 < AlmightyOatmeal> so... 18:46 < itchi> Hmm, found something very interesting for that DNS bind9 needs http://howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-and-setup-openvpn-on-debian-4-0-etch 18:46 < vpnHelper> Title: Install and setup OpenVPN on Debian 4.0 Etch Lone-Wolf Scripts (at howto.landure.fr) 18:47 < AlmightyOatmeal> can't openvpn be made to route all traffic through the vpn connection once connected? 18:47 < reiffert> AlmightyOatmeal: how so? well from all the details that you already gave us all I can say is: it depends on so many things. 18:48 < AlmightyOatmeal> reiffert: well all i did was create/connect to the vpn, so i dont know what else you want to know or what else i can do 18:48 < reiffert> AlmightyOatmeal: you might want to tell us about your goal, so we can start giving some hints. 18:49 < AlmightyOatmeal> i want to route all my traffic from my laptop to my router via a vpn connection, from the router i want wan and lan access..
18:49 < AlmightyOatmeal> so far when my laptop is connected to the vpn, wan access works, but i can't access my lan 18:49 < AlmightyOatmeal> then the vpn connection is down, i can access wan and lan 18:49 < reiffert> Allright, here is the server.conf rule: 18:50 < reiffert> read up the manpage section --redirect-gateway 18:50 < reiffert> an option will be "def1" 18:50 < krzie> !def1 18:50 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 18:50 < krzie> (couldnt help myself) 18:51 < AlmightyOatmeal> :P 18:51 < reiffert> :) 18:51 < AlmightyOatmeal> reiffert: what exactly would that do? :) 18:51 < reiffert> AlmightyOatmeal: that would make you start reading the manpage. 18:51 < krzie> my bot just told you, as would the manpage 18:51 < krzie> !man 18:51 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 18:52 < AlmightyOatmeal> ... 18:52 < AlmightyOatmeal> i wasn't trying to get an overly obvious answer 18:53 < AlmightyOatmeal> i dont understand what redirect-gateway would do.. i dont get why one would have two gateways.. i just dont understand, which is why i asked 18:53 < reiffert> --redirect-gateway flags... 18:53 < reiffert> Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. 18:54 < krzie> (#2) please see 18:54 < krzie> --redirect-gateway in the man page ( !man ) to fully understand 18:54 < reiffert> What exactly is it you dont understand there? 18:55 < reiffert> krzie: sigh sigh sigh sigh sigh. 18:55 < reiffert> krzie: did I already mention sigh?
18:55 < reiffert> krzie: or sigh? 18:55 < AlmightyOatmeal> okay, thanks, but the leveled up douche factor isn't helping 18:56 < reiffert> sigh. 18:56 < reiffert> AlmightyOatmeal: tell us what you dont understand, we will help. 18:56 < AlmightyOatmeal> i had to pull up the man page online, seems to be an issue on the openvpn server side, thats why i was asking as i was finding the man page 18:56 < reiffert> "01:49 < AlmightyOatmeal> i want to route all my traffic from my laptop to my router via a vpn connection" ==============> answer: use redirect-gateway 18:57 < AlmightyOatmeal> but now that we're clear on that.. 18:57 < AlmightyOatmeal> once that's tweaked, how can i verify that all the traffic is going through the vpn? 18:58 < reiffert> you believe in openvpn. It will work. 19:02 < AlmightyOatmeal> lol 19:05 < krzie> by going top whatismyip.com 19:05 < krzie> s/top/to/ 19:05 < krzie> if you see the ip of your vpn, its going through the vpn 19:05 < reiffert> and how to verify permanently? 19:06 < krzie> by listening to reiffert =] 19:07 < reiffert> sigh. 19:08 < krzie> .me sighs with reiffert 19:08 * krzie does too 19:08 < krzie> heh 19:14 < krzie> reiffert, i got apache serving my webpage, but how will i know that it will continue to serve the webpage? 19:15 < krzie> 19:15 < reiffert> while true; do wget $page; do whatever & done 19:18 < krzie> hah 19:18 < krzie> should i do that locally so i can fill my FS real fast? 19:19 < reiffert> sure, why not ... 19:19 < reiffert> :(){:|:&}: 19:19 < krzie> also for while true, can just say while :; 19:19 < krzie> hehe 19:19 < reiffert> umask will rescue here 19:19 < krzie> yay for umask! 19:20 < krzie> hip hip hooray! 19:20 < reiffert> doh ulimit.
19:35 < AlmightyOatmeal> sorry, mom made me give baby a bath 19:35 < AlmightyOatmeal> anyway, the vpn is on my local network, so whether i'm connected to it or not, i'm going to have the same ip 19:36 < AlmightyOatmeal> the only reason i want to use a vpn is to secure data over a wireless network 19:37 < krzie> you also want 19:37 < krzie> !local 19:37 < vpnHelper> krzie: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. 19:37 < AlmightyOatmeal> so i'm after '--redirect-gateway 192.168.1.1 def1? 19:37 < AlmightyOatmeal> oh 19:37 < krzie> dude 19:38 < AlmightyOatmeal> yes? 19:38 < krzie> did you read --redirect-gateway ?? 19:38 < AlmightyOatmeal> obviously not carefully enough 19:38 < krzie> let me know where you saw that you add an ip? 19:39 < AlmightyOatmeal> well when it said [local], i assumed you would insert a variable there, otherwise it doesnt make sense to put it in brackets 19:39 < AlmightyOatmeal> again, turn down the douche factor, thanks 19:39 < krzie> brackets mean it is optional 19:39 < krzie> as with ALL man pages 19:39 < AlmightyOatmeal> well that makes sense 19:39 < AlmightyOatmeal> hm 19:40 < krzie> call either of us a douche again and consider it a ban 19:40 < AlmightyOatmeal> i wasn't calling you a douche, merely the percieved conduct, but very well 19:41 < AlmightyOatmeal> but in either case, i dont appreciate the condescending commentary 19:41 < krzie> alright, im gunna detach my screen 19:41 < krzie> gl to you 19:42 < AlmightyOatmeal> quite, im going to bbiab, going to test the vpn 19:42 -!- AlmightyOatmeal [n=jamie@68-185-102-197.dhcp.mdsn.wi.charter.com] has quit ["bbiab"] 19:47 < reiffert> krzie: why is it that way, I mean he asks 2+2 and we tell him to type that into a calculator and he answers that he doesnt understand "calculator". 
20:42 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 20:42 < Luria> what things might cause a tls timeout? 20:43 < Luria> i can ping the server, the server is up, the system times are close enough 20:43 < Luria> iptables is fine, netstat shows it as listening 20:57 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 60 (Operation timed out)] 21:15 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn 21:44 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Read error: 110 (Connection timed out)] 21:45 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 21:46 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 104 (Connection reset by peer)] 21:58 -!- Armored_Azrael [n=maurer@static-166-28.caltech.edu] has joined ##openvpn 22:02 < Armored_Azrael> Hey, every time that I set up a bridge to the interface that I am getting my connection to the rest of the network from, it brings down the computer's connection to the rest of the network. Is this normal, and there's some work around, or am I just doing it wrong? 22:07 < Armored_Azrael> (My goal here is to be able to VPN from my laptop to my desktop which only has one ethernet port and have both of them be sending broadcast packets to the same subnet) 22:10 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Connection timed out] 22:13 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 22:18 < jeev> sup doug 22:30 < Armored_Azrael> Nevermind, I'm an idiot. 22:36 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:37 < jeev> how is caltech 22:37 < jeev> it's in pasadena, eh? 23:15 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 23:16 < eX|Nazha> Ok, I have setup VPN and Socks5 in my VPN server... I got slow connection after an hour.. even, i take 15sec to disconnect from VPN.. 23:16 < eX|Nazha> if i reconnect.. my connection become faster. 
23:17 < oc80z> Hi there. 23:47 < krzee> eX|Nazha, tcp or udp vpn? 23:47 < krzee> (as i asked you earlier when you asked that) 23:47 < krzee> jeev, caltech is a good school 23:48 < krzee> but of course it depends what you wanna study 23:49 < krzee> and yes, it is in pasadena 23:49 < krzee> or at least in that area 23:49 < krzee> southern cali, LA area 23:49 < krzee> (im from cali) 23:49 < krzee> Caltech is a small school, with only about 2100 students (about 900 undergraduates and 1200 graduate students),[2] but is ranked in the top ten universities worldwide by metrics such as citation index, Nobel Prizes, and general university rankings. 23:50 < krzee> http://en.wikipedia.org/wiki/California_Institute_of_Technology 23:50 < vpnHelper> Title: California Institute of Technology - Wikipedia, the free encyclopedia (at en.wikipedia.org) 23:50 < krzee> and ya, that says it is in fact in pasadena 23:51 < krzee> eX|Nazha, it sounds to me like you are using a tcp vpn, and if that is true i have your answer 23:56 < jeev> krzee 23:56 < jeev> you suck 23:56 < jeev> you from so cal ? 23:58 < krzee> orig from nor-cal 23:58 < krzee> spent some time in so cal 23:58 < krzee> now i live outside usa 23:58 < jeev> ahh 23:58 < jeev> armenian for life! --- Day changed Sun Nov 09 2008 00:02 < krzee> welp 00:02 < krzee> ill be in and out 00:02 < krzee> watching a movie 00:02 < krzee> eX|Nazha, feel free to answer my question when you return... is your VPN using tcp or udp? 00:03 < krzee> my guess is you are using tcp, and if that is true type: !tcp 00:04 < eX|Nazha> UDP i think 00:06 < eX|Nazha> !tcp 00:06 < vpnHelper> eX|Nazha: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 00:06 < krzee> you think? 00:06 < krzee> how could you not know??? 00:06 < eX|Nazha> brb... i gtg now. 
:( 00:31 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 01:06 -!- assid [n=assid@unaffiliated/assid] has joined ##openvpn 01:08 < assid> hi 01:09 < assid> i need some help with openvpn on dd-wrt.. i cant seem to connect from there 01:09 < assid> it gives me an error 01:10 -!- eX|Nazha [n=nchin@60.54.112.191] has quit [Read error: 113 (No route to host)] 01:13 -!- assid [n=assid@unaffiliated/assid] has quit ["Ex-Chat"] 01:21 -!- Assid [n=assid@unaffiliated/assid] has joined ##openvpn 01:21 < Assid> hey 01:22 < Assid> anyone around? 01:33 < krzee> [03:09] it gives me an error 01:33 < krzee> are you going to say the error? 01:34 < krzee> im watching a movie but i leave fullscreen every now and then 01:41 < Assid> http://assid.pastebin.com/d2cbacee5 01:42 < Assid> i cant seemt to connect from dd-wrt client to a openvpn server 01:45 < krzee> make your certs again 01:45 < krzee> what os's do you use? 01:45 < krzee> if you have freebsd try !ssl-admin 01:47 < Assid> krzee: linux 01:47 < Assid> i think i can connect or atleast retain a connection from windows client.. 01:48 < krzee> it is giving an error on the cert 01:48 < krzee> sure you signed both with the same CA? 01:48 < Assid> yeah 01:48 < krzee> you followed the howto? 01:48 < krzee> !howto 01:48 < Assid> server side.. i get the following: TLS Error: TLS key negotiation failed to occur within 60 seconds 01:48 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 01:49 < krzee> no you get an error before that 01:49 < krzee> !logs 01:49 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 01:49 < Assid> i used this: http://www.thebakershome.net/openvpn_tutorial 01:49 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net) 01:49 < krzee> what is your goal? 
01:50 < Assid> atm im just trying to get a vpn server up.. incase i need to connect from a remote location to another client (incoming connections not allowed), but i will add 1 more server later which is in another office where i help out, so i can be part of their LAN network (again primarily because i cant have incoming connections) 01:51 < krzee> gotchya 01:51 < krzee> when you go into the vpn, you want to be able to access your whole lan at home? 01:51 < Assid> yes 01:52 < krzee> windows filesharing? 01:52 < Assid> but at the moment.. im having issues latching on.. will do the routing stuff once i latch on 01:52 < Assid> more like vnc and stuff 01:52 < krzee> do you need windows filesharing based on netbios? 01:53 < krzee> k, you want routed 01:53 < Assid> dont really care about the file sharing so much.. i can always put it on a server and download via ftp 01:53 < krzee> that tutorial was for a bridge 01:53 < krzee> !sample 01:53 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 01:53 < krzee> !route 01:53 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:53 < Assid> but should that matter with my keys? 01:53 < krzee> nope 01:54 < krzee> im just saying, you should do that too 01:54 < Assid> yeah.. but first i want to authenticate and stay on :| 01:54 < krzee> oh you are remote now and can not login to the vpn? 01:55 < Assid> http://assid.pastebin.com/d56554059 01:55 < Assid> yeah.. as i said.. im first trying it on another server within a vpn 01:55 < Assid> err vps 01:56 < Assid> just to make sure if i screw it up.. its a vps.. i can just reboot that from hardware node.. and i should be fine
01:56 < krzee> you still haven't shown me your logs 01:56 < krzee> but you really want dev tun 01:56 < krzee> and server instead of server-bridge 01:56 < krzee> and you dont push routes in a bridge setup 01:57 < krzee> you would be given an ip in that subnet and communicate over ethernet frames with other machines in the broadcast domain 01:57 < Assid> okay heres the thing.. this vps only has a public ip.. 01:57 < krzee> when you choose to bridge you are encapsulating a whole layer before IP and routes, so pushing a route is pointless 01:58 < krzee> which is the server, the vps? 01:58 < Assid> at the moment yes 01:58 < krzee> tuntap is loaded in its kernel? 01:58 < Assid> as i said, i first decided to try it on another server 01:59 < Assid> nope 01:59 < Assid> FATAL: Module tuntap not found. 01:59 < krzee> i know openvpn can run in vps, but a problem that sometimes happens is the kernel (which user doesnt control) doesnt have tuntap 01:59 < krzee> openvpn gave that error? 01:59 < krzee> give me the whole log 02:00 < Assid> http://wiki.openvz.org/VPN_via_the_TUN/TAP_device 02:00 < krzee> [03:49] krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 02:00 < vpnHelper> Title: VPN via the TUN/TAP device - OpenVZ Wiki (at wiki.openvz.org) 02:00 < Assid> alrite holdup 02:07 < Assid> krzee: http://75.126.224.61/openvpn.log 02:07 -!- Deiz [n=swh@unaffiliated/deiz] has joined ##openvpn 02:08 < Assid> krzee: http://assid.pastebin.com/dedcaa5f -- client 02:12 < Deiz> I currently have a VNC server and for ease of use while maintaining security, I'd like to be able to make it only accept local connections, sans password. 02:13 < Deiz> It seems SSH can't make my vncviewer requests appear local to the remote machine, can OpenVPN?
02:14 < krzee> Sun Nov 9 13:33:45 2008 us=934889 TUN/TAP device tap0 opened 02:14 < krzee> it is in the kernel fine 02:14 < krzee> yes Deiz 02:14 < krzee> you use openvpn in routed mode 02:14 < krzee> like this 02:14 < krzee> !sample 02:14 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 02:15 < krzee> then you have openvpn hand out an ip only for the vpn 02:15 < krzee> and you tell your vnc server to listen on it 02:16 < Assid> okay i changed it to tun.. now i can ping from server to client (atleast using windows client ) still nothing on the dd-wrt router tho 02:19 < krzee> honestly i think you have a problem with your certs 02:19 < Assid> question is why does it work on windows client.. not there ? 02:19 < krzee> oh same cert? 02:19 < Assid> yes 02:19 < krzee> same exact config? 02:20 < Assid> tls-client 02:20 < Assid> i think thats missing 02:21 < krzee> i cant tell cause your client log isnt at verb 6 02:21 < krzee> :p 02:25 < Assid> stupid router :( 02:28 < Assid> btw: for a windows client.. how do you set the paths such that it can access the keys? 02:28 < Assid> the full path 02:34 < krzee> the howto shows 02:34 < krzee> !howto 02:34 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:36 < krzee> # # 02:36 < krzee> # This config should work on Windows # 02:36 < krzee> # or Linux/BSD systems. Remember on # 02:36 < krzee> # Windows to quote pathnames and use # 02:36 < krzee> # double backslashes, e.g.: # 02:36 < krzee> # "C:\\Program Files\\OpenVPN\\config\\foo.key" # 02:36 < krzee> # # 02:39 < Assid> okay its just not happening.. im tired
02:39 < Assid> gonna go for a shower and food 02:39 < Assid> cant get my stupid router to do the auth :( 02:41 < krzee> turn up the verb 02:41 < krzee> verb 6 02:59 -!- Deiz [n=swh@unaffiliated/deiz] has left ##openvpn ["Leaving"] 03:07 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 03:09 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)] 03:11 < Assid> you know what 03:11 < Assid> theres a server in that office isnt being used.. 03:11 < Assid> quick question.. if i get it up.. will it kill the net on it 03:11 < Assid> that is. using route method 03:12 < Assid> hrmm apparently that server is down 03:17 < Assid> how do you convert crt's to pem's 03:17 < Assid> i think that could be the reason 03:20 < Assid> krzee: you there? 03:23 < reiffert> pem -> crt: http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x175.html 03:23 < vpnHelper> Title: Install the CA root certificate as a Trusted Root Certificate (at tldp.org) 03:27 < Assid> nah want crt->pem 03:35 < Assid> i think thats why it doesnt work on dd-wrt 03:50 < reiffert> do you know what pem -> crt does? 04:12 < Assid> actually nevermind.. apparently the pem files existed . but it didnt help 04:12 < Assid> i just cant figure out how to get my router to connect to an openvpn server 04:28 -!- benofsky [n=ben@86.43.88.82] has joined ##openvpn 04:28 < benofsky> Hi. I'm reading the install guide 04:28 < benofsky> and I've edited vars and run vars and clean-all 04:29 < benofsky> but when I run build-ca I get a usage printout 04:32 < krzee> !ssl-admin 04:32 < vpnHelper> krzee: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 04:32 < benofsky> ty 04:33 < krzee> np 04:35 < krzee> Assid, did you turn up verb on the router yet? 04:35 < krzee> !router 04:35 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
04:36 < Assid> krzee: yeah i did.. but i regenerated all the keys again 04:36 < Assid> so i gotta sit and test the windows client to make sure they work 04:36 < Assid> will do it in just a bit.. need to shower 04:36 < krzee> hrm thought you said the certs were working for windows client 04:36 < Assid> they were 04:36 < krzee> that meant it wasnt your certs =/ 04:37 < Assid> i just was getting ready to lose it so i said .. what the hell lets try it again 04:37 < krzee> [04:41] turn up the verb 04:37 < krzee> [04:41] verb 6 04:37 < krzee> shoulda just done that 04:37 < krzee> heh 04:37 < Assid> i did.. but you disappeared.. 04:38 < Assid> http://assid.pastebin.com/dedcaa5f 04:38 < krzee> hah you coulda posted that a long time ago 04:38 < Assid> i did 04:38 < Assid> [13:38:34] krzee: http://assid.pastebin.com/dedcaa5f -- client 04:38 < Assid> [13:43:01] I currently have a VNC server and for ease of use while maintaining security, I'd like to be able to make it only accept local connections, sans password. 04:39 < benofsky> do I want a password for the server certificate & key 04:39 < krzee> that still isnt verb 6 04:40 < krzee> benofsky, that is up to you, do you want to enter the password every time you start your vpn? 04:40 < Assid> it is/was 04:40 < Assid> i think 04:40 < krzee> verb 6 spits out a debug of config stuff when it loads 04:40 < krzee> yours gets right to the network stuff 04:41 < krzee> it is not verb6 04:41 < krzee> did you restart it after changing it? 04:41 < benofsky> krzee, no I don't... thanks :)
04:41 < krzee> benofsky, np 04:41 < krzee> theres ways to read the pw from file, but in that case what protection beyond certs does it provide 04:41 < krzee> hehe 04:44 < Assid> krzee: you wouldnt happen to have a vpn dd-wrt capable router on your would you 04:45 < krzee> i have a linksys router but im not changing its firmware 04:46 < Assid> :| 04:46 < Assid> brb 04:46 < Assid> will try after this on a linux client 04:46 < krzee> http://www.zeroshell.net/eng/forum/viewtopic.php?t=604&sid=7747417eaa6406256dd8fd8cb0491489 04:46 < vpnHelper> Title: Certificate Question (at www.zeroshell.net) 04:48 < reiffert> There is something to read up when using openvpn on dd-wrt, but nevermind. 04:48 < reiffert> especially the part when having the keys in nvram. 05:14 < Assid> reiffert: yeah thats why i was asking how to get the pem 05:15 < Assid> you know what 05:15 < Assid> i could probably get away with reverse ssh forwarding if i can figure out how to do 192.168.1.4:5900 -> 127.0.0.1:5900 05:16 < Assid> redirect just doesnt wanna work 05:21 < Assid> krzee: you there 05:24 < Assid> http://assid.pastebin.com/d2bf7c90f 05:24 < Assid> there you go 05:24 < Assid> thats the verbose 6 05:26 < benofsky> how can I install the openvpn bridge-utils thingy on fbsd 05:26 -!- toehio [n=sdrowkca@238.29.65-86.rev.gaoland.net] has joined ##openvpn 05:26 < toehio> hello 05:27 < toehio> How do you make sure that your software sees your vpn connection? 05:34 -!- toehio [n=sdrowkca@238.29.65-86.rev.gaoland.net] has quit [Remote closed the connection] 05:46 < reiffert> Assid: pem or crt it really doesnt matter for any software. The difference is just all the candy eyed information you can read when reading the pem file with your eyes. 05:47 < reiffert> openssl x509 -in foo.crt -noout -text will give you the same candy. 05:51 < reiffert> Assid: regarding the command from the link I was pasting I can tell that it also works vice versa and I really wonder why you didnt try that out.
05:55 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection] 06:00 < Assid> i did try 06:00 < Assid> nothing helped 06:01 < Assid> so decidedto just stick to getting reverse ssh port forwarding 06:01 < Assid> maybe we should rename that 06:01 < Assid> ssh port reversing 06:01 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 07:03 -!- Assid [n=assid@unaffiliated/assid] has quit [Read error: 104 (Connection reset by peer)] 07:05 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 07:15 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 07:50 -!- Ash-Fox [i=M3VXQ@host81-143-16-18.in-addr.btopenworld.com] has joined ##openvpn 07:51 -!- benofsky [n=ben@86.43.88.82] has quit ["The computer went for a nap!"] 07:52 -!- benofsky [n=ben@86.43.88.82] has joined ##openvpn 07:52 < Ash-Fox> Hello, I've been following different howtos on openvpn.net, specifically, http://openvpn.net/static.html and http://openvpn.net/howto.html#redirect - I've followed the directions stated, but for some reason, the default gateway on the client won't set to the IP address of the server on the VPN. 07:53 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 07:54 < Ash-Fox> These are the configs I'm using http://pastebin.com/d7b1d3362 - Can anyone advise me? 07:55 -!- benofsky [n=ben@86.43.88.82] has quit [Client Quit] 08:11 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn 08:39 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn 08:41 < Rienzilla> Hi everyone. I have a short question on openvpn on windows. Before starting openvpn, the TAP adapter shows as 'network cable not connected'. When openvpn makes a succesfull VPN connection the adapter shows that it's connected. 
However, if the machine drops its internet access, and the vpn tunnel breaks down, the adapter status always stays connected (even though the openvpn-process is retrying and retrying to get a new VPN connection). 08:42 < Rienzilla> Now my users cannot see whether their VPN connection is working or not. Is there anything I can do about that? 08:46 -!- Armored_Azrael [n=maurer@static-166-28.caltech.edu] has quit ["Leaving."] 09:00 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 09:41 < ecrist> Rienzilla: don't think so 09:45 < Ash-Fox> I keep rereading this, http://openvpn.net/howto.html#redirect - I cannot see what I have done wrong with my configs, http://pastebin.com/d509e0c02 connections just are not routing through the VPN by default. 09:45 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 09:58 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Read error: 60 (Operation timed out)] 09:59 < Dougy> hi ecrist 10:06 < Rienzilla> hmmm I found it 10:07 < Rienzilla> it's actually a feature, called persist-tun :) 10:07 < Rienzilla> (which breaks if you combine it with redirect-gateway, and pushing of dns servers which are only reachable via the vpn) 10:33 -!- Ash-Fox [i=M3VXQ@host81-143-16-18.in-addr.btopenworld.com] has quit [Remote closed the connection] 10:36 -!- Cisien [n=Chris@vps.exoronet.net] has joined ##openvpn 10:46 < Dougy> exoronet.net) 10:46 < Dougy> er 10:46 < Dougy> http://exoronet.net/apache2-default/owg 10:46 < Dougy> nice 10:46 < vpnHelper> Title: OpenVPN Web GUI : server status [refreshes every minute] (at exoronet.net) 10:46 < jeev> i have a dentist client 10:47 < jeev> said this dood previously set up a monitor for the patient 10:47 < jeev> it's supposed to connect to the chair 10:47 < jeev> and to the cable tv 10:47 < jeev> heh 10:48 < Dougy> nice 10:48 < jeev> i wouldn't know wtf to do there 10:48 < jeev> so i gotta talk to ecrist 10:48 < jeev> ;D 10:49 < Dougy> sounds fun 10:49 < Dougy> im pissed 10:49 < Dougy> im sitting here at work and literally cant do anything
10:49 < Dougy> so im sitting in the interserver datacenter leaning against this cage 10:51 < Dougy> @ jeev 10:59 < jeev> lol 10:59 < jeev> why 10:59 < jeev> i'm like lol doug to mike 10:59 < jeev> and he for two days he's like 10:59 < jeev> what do you mean 10:59 < jeev> what do you know about dog 10:59 < jeev> doug 10:59 < jeev> haha 11:06 < Dougy> lol 11:06 < Dougy> oh myb 11:06 < Dougy> uhh 11:06 < Dougy> jeev, you want to die ? 11:06 < Dougy> !? 11:06 < vpnHelper> Dougy: Error: "?" is not a valid command. 11:06 < Dougy> ?!?!?!? 11:18 -!- _Steve__ is now known as _Steve_ 11:23 -!- AlmightyOatmeal [n=jamie@68-185-102-197.dhcp.mdsn.wi.charter.com] has joined ##openvpn 11:28 < Cisien> has anyone gotten openvpn to use the broadcom crypto hardware found in some consumer routers? OpenWrt has the drivers for it 11:32 < Dougy> jeev, do you have a freebsd server 11:41 < AlmightyOatmeal> with redirect-gateway local def1 enabled, i can access my local network but i have no wan access, with it disabled, things work just fine but i dont know if any data is going over the vpn.. any ideas? 11:47 -!- jeev [n=email@unaffiliated/jeev] has quit [Excess Flood] 11:50 < AlmightyOatmeal> anyone? 11:54 -!- Cisien [n=Chris@vps.exoronet.net] has quit [Read error: 110 (Connection timed out)] 12:07 -!- AlmightyOatmeal [n=jamie@68-185-102-197.dhcp.mdsn.wi.charter.com] has quit ["Don't suffer from insanity... Enjoy every minute of it."] 12:36 -!- Dougy [n=doug@64.18.159.247] has quit [Read error: 104 (Connection reset by peer)] 12:54 -!- _Steve__ [n=steve@unaffiliated/steve/x-520345] has joined ##openvpn 13:02 -!- aditsu [n=aditsu@pcd653085.netvigator.com] has joined ##openvpn 13:02 < aditsu> hi, what's the purpose of "challenge passwords" when generating keys? 13:03 < aditsu> also, what are the 01.pem and 02.pem files in the keys directory?
13:08 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [Read error: 110 (Connection timed out)] 13:13 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 13:13 < jeev> yea dougy 13:13 < jeev> i have freebsd 13:37 -!- Weasel[DK] [n=Weasel[D@93.164.121.150] has joined ##openvpn 13:56 -!- aditsu [n=aditsu@pcd653085.netvigator.com] has quit [Read error: 110 (Connection timed out)] 13:57 -!- aditsu [n=aditsu@pcd653218.netvigator.com] has joined ##openvpn 14:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:41 -!- AlmightyOatmeal [n=jamie@68-185-102-197.dhcp.mdsn.wi.charter.com] has joined ##openvpn 14:42 < AlmightyOatmeal> well i've successfully reached the point of being so frustrated with openvpn that i'm going to swear it off 14:42 < AlmightyOatmeal> i dont get it, when i connect with redirect-gateway enabled, i only have lan access over the vpn, no wan access 14:43 < AlmightyOatmeal> disabling that doesn't route ANY traffic over the vpn, which renders it useless 14:43 < oc80z> hi 14:43 < AlmightyOatmeal> so what am i missing here? 14:43 < oc80z> well. 14:43 < AlmightyOatmeal> hi oc80z 14:43 < oc80z> keep plugging away, what OS is your gateway? 14:43 < oc80z> maybe there needs to be some routes on there. 14:44 < AlmightyOatmeal> freebsd 14:44 < AlmightyOatmeal> i already have routes setup for the vpn network :\ 14:44 < oc80z> maybe you are trying to install 2 gateways? 14:44 < oc80z> oh 14:44 < oc80z> stick around, we can help, sorry, tied up at the moment. 14:45 < AlmightyOatmeal> with 'redirect-gateway local def1' enabled, my gateway on the vpn client (windows) is 10.0.8.5 and the client ip is .6 14:45 < AlmightyOatmeal> hm 14:47 < AlmightyOatmeal> i cant stick around too long myself, got a 1 year old and a sleeping fiance, so i'm all by myself 15:04 < aditsu> AlmightyOatmeal: bridging or routing? 
15:36 -!- aditsu [n=aditsu@pcd653218.netvigator.com] has quit ["Chatzilla 0.9.75.1 [SeaMonkey 1.1.12/2008082916]"] 16:37 -!- Weasel[DK] [n=Weasel[D@93.164.121.150] has quit [Remote closed the connection] 16:45 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Connection reset by peer] 16:46 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 17:55 -!- _Steve__ is now known as _Steve_ 18:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:54 < ecrist> sup bitches? 19:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 19:09 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn 19:25 -!- sonnie [n=sonnie@202.141.162.106] has joined ##openvpn 19:26 < sonnie> hi, I want to know if openvpn can be configured to auth without inputting user/pass. I know linux client can do. but windows' can't. 19:40 < jeev> huh 19:40 < jeev> openvpn uses keys 19:40 < jeev> you could generate a key that doesn't require a password 19:40 < jeev> sup ecrist. 19:41 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Connection timed out] 19:43 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 19:44 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 19:54 < sonnie> jeev, if I use keys, will common name still work? 20:20 < jeev> i dont know dood, just generate the keys 20:20 < jeev> !howto 20:20 < vpnHelper> jeev: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:26 < sonnie> thanks, I'm reading manual pages at present. 20:27 < jeev> ok 20:27 < jeev> it's REALLy simple 20:27 < jeev> i'm just a bad teacher 20:31 < sonnie> all you guys are helpful with warm hearts :) I read HOWTO now. 20:31 < sonnie> byebye 20:32 -!- sonnie [n=sonnie@202.141.162.106] has quit ["leaving"] 20:35 < onats> how do i measure the performance of openvpn? 
i have a setup that is a site-to-site routed between 3 branches, but when they do some sort of backup/replication to the main branch, it fails.. i'm not sure if its due to the load of the data transfer(I'm assuming vpn connection should be stable and vpn server performance will not be affected by this), or its actually the hardware that can't handle it...? 20:36 < jeev> what is the failure? 20:36 < onats> jeev, the replication fails, request time outs after... 20:37 < onats> so basically, i want to be able to test the performance of the VPN link, some sort of test that can push it to its limit first... 20:37 < jeev> no idea, replication 20:37 < jeev> what is doing the replication ? 20:55 < onats> mssql 21:12 < onats> its a db function of ms sql 22:01 < Luria> is it just me, or is openssh-sftp-client a bit borked on white russian 22:04 < onats> luria, whiterussian is for #openwrt? 22:04 < Luria> um, yeah? 22:05 < Luria> sure, im using xwrt, but this is a cli issue 22:14 < onats> you're on ##openvpn? 22:15 < Luria> oh sh*t sorry 22:15 < Luria> eeepc, small windows 22:15 < Luria> :-) 22:16 < Luria> problem when youre in #openbsd, #openwrt, #openvpn :-0 22:24 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit ["Leaving"] 22:27 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 22:27 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 23:10 < krzee> [21:26] hi, I want to know if openvpn can be configured to auth without inputting user/pass. I know linux client can do. but windows' can't. 23:10 < krzee> by default openvpn doesnt ask for a login/pass 23:10 < krzee> you hafta tell it to! 23:10 < krzee> heh 23:11 < onats> krzee, what hardware do you run openvpn on? 
23:50 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 23:56 < krzee> onats, ive run it on a macbook, macbook pro, and pc's running various OSs 23:56 < onats> can you give me a suggestion on the OS? 23:56 < krzee> but never sun or alpha or anything 23:56 < onats> im planning to run the vpn server on an x86 box 23:56 < krzee> what are the choices? 23:56 < krzee> oh 23:56 < onats> just dont know/havent decided what to use 23:56 < krzee> well 23:56 < krzee> which nix do you like most? 23:56 < jeev> wow 23:56 < jeev> i had a sick ass game goping in command and conquer 23:56 < jeev> just owning them 23:57 < onats> well ubuntu 23:57 < jeev> since i modified the memory to give me unlimited money 23:57 < onats> is easiest 23:57 < jeev> it crashed! 23:57 < krzee> its great on bsd or linux 23:57 < onats> cheater! 23:57 < jeev> ;) 23:57 < jeev> i have to have unlimited mone 23:57 < jeev> hehe 23:57 < jeev> money 23:57 < krzee> onats, if ubuntu is what you are most comfortable using, its prolly the best for you then 23:57 < krzee> personally i go for freebsd 23:57 < krzee> but openvpn runs great on bsd and linux, so its more about which os do you know best 23:58 < onats> krzee, so i can run a separate VPN server, which is just a part of my internal lan? do i need two LAN cards for it? 23:58 < jeev> freebsd baby. 23:58 < krzee> so you can secure it and optimize it , etc 23:58 < onats> freebsd is CLI only right? 23:58 < krzee> nah 1 lan card 23:58 < jeev> there is X on fbsd 23:58 < jeev> heeh 23:58 < krzee> onats, that is up to you 23:58 < krzee> most my fbsd is cli only 23:58 < onats> ok.. time to experiment again 23:58 < krzee> but i have a fbsd box for media streaming at my house 23:58 < jeev> krzee, you heard of Vyatta? 
23:58 < krzee> so i run X on it 23:58 < krzee> you can run beryl and stuff on fbsd too even 23:58 < krzee> i know people who use it for their desktops 23:59 < krzee> i like apple for desktop tho 23:59 < krzee> jeev, no 23:59 < krzee> !google Vyatta 23:59 < vpnHelper> krzee: http://www.vyatta.com/ - Vyatta - Welcome to the Dawn of Open-Source Networking 23:59 < krzee> (yes, im that lazy) 23:59 < onats> jeev, what's your experience with vyatta? is it easy/difficult? 23:59 < krzee> onats, but as a rule of thumb, you dont need gui on a server --- Day changed Mon Nov 10 2008 00:00 < jeev> i want to try it 00:00 < jeev> ;) 00:00 < jeev> but i'm too lazy 00:00 < krzee> its just more code you have running 00:00 < jeev> if i get the gigabit point to point 00:00 < jeev> i will try vyatta 00:00 < krzee> with servers i am a minimalist =] 00:00 < onats> well its my first time to start with a real server 00:01 < krzee> how much free time do you have to learn and play? 00:01 < krzee> in my opinion its worth diving right in with a real server os 00:01 < krzee> but you need to be willing to read the docs 00:01 < onats> only at night 00:02 < krzee> whereas ubuntu is basically the windows of linux 00:02 < krzee> but you wont learn / understand much from it 00:02 < onats> i like its packaga manager 00:02 < onats> package* 00:02 < krzee> i like ports way more than its package manager 00:02 < krzee> ports being the freebsd way 00:02 < onats> ports is the package manager? 00:02 < krzee> CLI 00:02 < krzee> well ports is how you install stuff 00:02 < onats> i can just do sudo apt-get install openvpn in ubuntu, then thats it 00:03 < krzee> i just cvsup the ports directory 00:03 < krzee> then i go to /usr/ports 00:03 < krzee> theres a bunch of dirs 00:03 < krzee> 1sec 00:03 < onats> do you have to build them? 
00:03 < krzee> well 00:04 < krzee> you goto the dir 00:04 < krzee> krzee@hemp:/usr/ports/security> cd openvpn 00:04 < krzee> krzee@hemp:/usr/ports/security/openvpn> 00:04 < krzee> then you just type make install 00:04 < krzee> and it downloads, compiles, installs 00:04 < krzee> but before compiling 00:04 < krzee> it checks for all dependencies 00:04 < krzee> downloads and installs them 00:05 < onats> what about hardware/driver compatibility of freebsd? 00:05 < onats> o btw, why is it your preferred OS? 00:06 < krzee> well it was my first server os just cause i asked my smartest online friends what they used 00:06 < krzee> most said freebsd 00:06 < krzee> so i used that first 00:06 < onats> lol 00:06 < krzee> now that i have experience i can point to some real reasons 00:06 < krzee> like ZFS 00:06 < krzee> pf is WAY nicer to me than iptables/ipchains 00:07 < krzee> and it runs on most hw like linux does 00:07 < krzee> compatible with most stuff 00:07 < krzee> i also like the BSD license a lot 00:07 < krzee> i think it helps computers more than others 00:07 < onats> isn't ZFS part of solaris? 00:07 < krzee> cause it is basically "you can use my code however you want, just dont take my name off my code" 00:07 < krzee> ZFS started with solaris 00:08 < krzee> fbsd and apple are coding opensource ZFS 00:08 < krzee> not as a team, but i believe their work ends up shared to some extent 00:08 < krzee> i know fbsd's is fully opensource, not 100% that apple is giving back to opensource or not 00:09 < krzee> opensolaris started opensource ZFS 00:09 < krzee> then pjd started writing it for fbsd 00:09 < krzee> and its great 00:09 < onats> hmmm 00:09 < krzee> i have it running on my home NFS 00:09 < onats> on what box? 
00:09 < krzee> with a filesystem level raid setup (raidz for ZFS) 00:09 < krzee> on a normal pc running freebsd 00:10 < krzee> but ZFS is still experimental 00:10 < krzee> while it is coming along, its NOT something to learn on 00:10 < krzee> (yes) 00:10 < krzee> err 00:10 < krzee> (yet) 00:12 < onats> ok.. is the learning curve high on freebsd? 00:13 < onats> assuming i know linux already 00:13 < krzee> nah its similar, and to me easier to learn where stuff is 00:14 < reiffert> Moin 00:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:14 < krzee> cause they have a more straight forward filesystem hierarchy, IMO 00:14 < onats> alright, im convinced 00:14 < onats> will download it. do i need the 3 cds? 00:14 < krzee> which can be understood by reading man hier 00:14 < krzee> 1 cd 00:14 < krzee> just do a net install 00:14 < onats> ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/ISO-IMAGES/7.0/ 00:14 < krzee> then all you need is boot cd 00:14 < onats> bootonly? 00:15 < reiffert> why not geet opensolaris? 00:15 < onats> iso? that's just 34mb 00:16 < krzee> ya then you just do a net install 00:17 < onats> hmmm, will that be faster than just downloading it all? 00:18 < reiffert> Looks like another BSD helpdesk on #openvpn :p 00:19 < onats> well the end intention is to run openvpn on it anyway 00:19 < krzee> no idea, and you can do it differently than me if you like 00:19 < krzee> thats just how i do it 00:19 * onats has only 1mbps connection 00:19 < krzee> i have less 00:19 < krzee> heh 00:24 < onats> how long did it take? 00:24 < onats> time is of the essence 00:25 < krzee> it doesnt take long 00:27 < reiffert> :) 00:40 * onats is bored 00:44 < krzee> your docs will be here 00:45 < onats> lol 00:54 < Luria> opensolaris is perty neat. 00:55 < onats> Luria, why do you say that? 
00:55 < Luria> def going in a vm, maybe an actual machine 00:55 < Luria> its like ubuntu, only stable 00:55 < Luria> and with a neato fs 00:56 < Luria> (once you setup the package mgmt system. the default update tool is weak) 00:56 < Luria> but i only played with it for a few days 01:06 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 01:08 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 01:36 < krzee> www.freebsd.org/handbook 01:36 < krzee> sorry, when i said here i meant to paste that link 01:36 < Luria> good book 01:36 < krzee> http://www.freebsd.org/handbook 01:36 < vpnHelper> Title: FreeBSD Handbook (at www.freebsd.org) 01:43 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit ["up up and away"] 02:04 < onats> free book? 02:06 -!- subdolus [n=subdolus@subby.afraid.org] has joined ##openvpn 02:06 < krzee> it is the freebsd handbook 02:06 < krzee> the main manual 02:06 < krzee> all programs and a lot of the OS have manuals too 02:07 < krzee> even man has a manual 02:07 < krzee> you just type man 'program' 02:07 < subdolus> Hi guys, I installed OpenVPN from oBSD packages. Everything is cool, but when I start setting it up, I get to running ./vars and i get the following error: 02:07 < subdolus> ksh: ./vars[29]: /etc/openvpn/easy-rsa/whichopensslcnf: not found 02:07 < subdolus> NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys 02:08 < subdolus> if I edit ./vars and replace whichopensslcnf with openssl.cnf, I get a huge string of other unfound files 02:08 < subdolus> /etc/openvpn/easy-rsa/openssl.cnf[10]: HOME: not found 02:08 < subdolus> /etc/openvpn/easy-rsa/openssl.cnf[11]: RANDFILE: not found 02:08 < onats> i'm about to encounter that issue. hehehe 02:08 < subdolus> etc. etc. 
02:08 < reiffert> http://snap.reifferscheid.org/whichopensslcnf 02:09 < reiffert> subdolus: adjust your openssl.cnf file so that it fits your needs. 02:09 < subdolus> oh wow. 02:10 < subdolus> now I just get: NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys 02:10 < subdolus> no errors messages 02:10 < subdolus> am I alright to move on with the other steps? 02:10 < reiffert> wait, better get some coffee first. 02:16 < subdolus> ./build-key client1 02:16 < subdolus> I go through the minconfig and get the following at the end: 02:16 < subdolus> Sign the certificate? [y/n]:y 02:16 < subdolus> failed to update database 02:16 < subdolus> TXT_DB error number 2 02:16 < subdolus> ??! 02:17 < reiffert> die you source the vars file? 02:17 < reiffert> s,die,did, 02:18 < reiffert> sounds you were using different CN values. Dunno. 02:19 < subdolus> source the vars file? 02:19 < reiffert> Are you following a howto? 02:20 < subdolus> yep. http://www.linux.com/articles/49990?theme=print 02:20 < vpnHelper> Title: Linux.com :: Creating secure wireless access points with OpenBSD and OpenVPN (at www.linux.com) 02:20 < subdolus> exatly the same howto :P 02:20 < subdolus> exactly* 02:20 < reiffert> http://www.linux.com/articles/49990?theme=print 02:20 < vpnHelper> Title: Linux.com :: Creating secure wireless access points with OpenBSD and OpenVPN (at www.linux.com) 02:20 < reiffert> # . ./vars 02:20 < reiffert> look, there is a 2nd dot. 02:21 < subdolus> yeah, I used two dots 02:21 < reiffert> subdolus: then you sourced the file, great. 02:21 < subdolus> ok :) 02:21 < reiffert> subdolus: there is the openvpn howto, why dont you follow that one? 02:21 < subdolus> so TXT_DB error number 2? 02:21 < reiffert> !howto 02:21 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 02:22 < subdolus> I'm trying to set a simple test situation to see if it's viable for my situation 02:22 < subdolus> the linux.com article was easy to follow 02:22 < subdolus> and I dont see anything about TXT_DB errors in the official howto 02:22 < reiffert> so then please ask linux.com about txt_db errors, thanks. 02:23 < subdolus> heh 02:27 < subdolus> ahh 02:27 < subdolus> all because I was stupid enough to try generate a client key with the same details i used with the server keys 02:27 < subdolus> :)~ 02:27 < reiffert> well, !howto 02:28 < reiffert> it's all in there, way more verbose. 02:30 < subdolus> jah, I'll have to remember to ask you next time I want to read an in-depth howto rather than a one line answer :) 02:35 < reiffert> fine with me. 03:17 < onats> subdolus, what hardware are you usign? 03:23 < subdolus> onats: an OpenBSD box with 2 ethernet NICs and one atheros NIC (running in hostap as an AP) 03:24 < subdolus> at the moment I only want to crete a VPN for the wireless clients 03:24 < subdolus> create even 03:29 < onats> whats the box? 03:31 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 03:35 < subdolus> ...wut.. 03:51 -!- kysucix [n=kysucix@62-101-126-218.ip.fastwebnet.it] has joined ##openvpn 03:51 < kysucix> hi 03:52 < kysucix> is there a limit on the number of vpn clients handled by the openvpn server? 03:54 < krzee> you can set one 03:54 < reiffert> 255^4 - 1 03:55 < krzee> otherwise its usually bandwidth / hardware issue ild say 03:55 < krzee> hah reiffert 03:56 < kysucix> are there vpn networks in production with thousands of client? 03:59 < krzee> i highly doubt it 03:59 < krzee> would make much more sense to spread that out 04:01 < krzee> subdolus, 04:02 < krzee> !local 04:02 < vpnHelper> krzee: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. 
04:02 < krzee> that'll come in handy for your setup 04:04 < kysucix> humm ok thx 04:08 < subdolus> krzee: cheers, but I've just about had enough of it 04:08 * subdolus quits 04:13 < krzee> !ssl-admin 04:13 < vpnHelper> krzee: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 04:13 < krzee> and i just scrolled up 04:13 < krzee> your first round of errors was that you didnt edit your vars file 04:14 < krzee> which means you didnt read the docs 04:14 < krzee> right? 04:15 < subdolus> no 04:15 < subdolus> completely incorrect 04:16 < krzee> so you had edited vars? 04:16 < subdolus> yes 04:16 < subdolus> anyway, i do not need to justify myself on that. its over now 04:16 < subdolus> its working 04:16 < subdolus> now the server.conf is a slut 04:17 < subdolus> using the default, with the keys i created 04:17 < krzee> !sample 04:17 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 04:17 < krzee> i highly suggest getting to know the options in it tho 04:17 < krzee> !man 04:17 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 04:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:18 < subdolus> oh god 04:19 < subdolus> where do you THINK i got the default config from? 04:19 < krzee> you got it from !sample or from the !man? 04:20 < subdolus> had to edit the tun interface from sample. working now 04:21 < subdolus> now how can I test this 04:21 < krzee> by connecting the client to the server i would guess 04:22 < subdolus> do I connect to the IP (10.8.0.1) that openvpn created (tun0)? 04:31 < reiffert> with netcat. 04:42 -!- ikevin_ [n=kevin@ANancy-256-1-23-208.w90-13.abo.wanadoo.fr] has quit [Remote closed the connection] 04:43 < subdolus> far out. 
all I want to do is encrypt all communications coming in and out on ath0 04:43 < subdolus> fucking ragggeeeeee 04:47 -!- ikevin [n=kevin@ANancy-256-1-23-208.w90-13.abo.wanadoo.fr] has joined ##openvpn 05:24 -!- joh [i=johannj@caracal.stud.ntnu.no] has quit [Read error: 54 (Connection reset by peer)] 05:26 -!- subdolus [n=subdolus@subby.afraid.org] has quit [Read error: 113 (No route to host)] 05:36 -!- stevil [n=stevil@host-2.tntlogistics-3.demon.nl] has joined ##openvpn 05:37 < stevil> anyone know of a free Online Certificate Authority which i can use to generate my ca.crt fils en crl etcs ? 05:41 < Rienzilla> make them yourself 05:54 < reiffert> stevil: openvpnwebgui.sf.net 05:54 < stevil> An error has been encountered in accessing this page. 05:55 < reiffert> http://sourceforge.net/projects/openvpn-web-gui/ 05:55 < vpnHelper> Title: SourceForge.net: OpenVPN Web GUI (at sourceforge.net) 05:55 < stevil> reiffert: thanks, i'm currently using pfSense to run OpenVPN would be nice if they integrated this OpenVPN Web GUI 06:57 -!- maiquelconsalter [n=maiquel@mail.prognus.org] has joined ##openvpn 06:59 < maiquelconsalter> hi, i use the openvpn 2.0.9 in debian etch, the vpn its ok, but show in my syslog, this message: Authenticate/Decrypt packet error: packet HMAC authentication failed, someone have i idea about warn? 
07:07 -!- _Steve_ [n=steve@unaffiliated/steve/x-520345] has quit [] 07:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 07:18 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 07:34 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 07:36 -!- maiquelconsalter [n=maiquel@mail.prognus.org] has quit ["Saindo"] 07:36 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 08:00 -!- espacious [i=espaciou@84-255-235-206.static.t-2.net] has joined ##openvpn 08:00 < espacious> hello 08:00 < espacious> i want to connect with windows to a vpn server with these settings 08:01 < espacious> http://pastebin.com/m44b31e09 08:01 < espacious> linux based clients connect no problem. 08:02 < espacious> but i want to connect from windows 08:02 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has joined ##openvpn 08:03 < reiffert> paste logfile. 08:03 < espacious> log file in windows? 08:03 < espacious> huh. 08:03 < espacious> where should it be? 08:04 < espacious> as i dont have the admin of the VPN server. 08:04 < espacious> they gave me just a myname.key file 08:04 < reiffert> allright, then use it as you were pasting. It will work. 08:04 < espacious> hmm 08:04 < espacious> i dont get it. 08:05 < espacious> i want to use the builtin vpn connection 08:05 < espacious> of windows eg. add new connection.... 08:08 < espacious> is this even possible 08:08 < espacious> ? 08:09 < reiffert> no. 08:10 < reiffert> get openvpn, install openvpn and use openvpn to connect to an openvpn server. 08:10 < reiffert> for connecting to an openvpn server 08:13 -!- sonnie [n=sonnie@202.141.162.106] has joined ##openvpn 08:14 < sonnie> hi there, is it possible to give one client an ip range? 08:14 < sonnie> i have created key/crt for it and set duplicate-cn 08:18 < espacious> reiffert ok thanks. 08:19 < reiffert> you are welcome 08:19 < reiffert> sonnie: "give an ip range to someone"? 
08:20 < reiffert> Get me 20 pounds of ip please. 08:22 < sonnie> reiffert, according to the manual, i can use "ifconfig-push 10.9.0.1 10.9.0.2" in ccd/client, so the client will get a static ip. But I want the 3 machines connecting with the same common name to get 3 ip addresses. 08:24 < reiffert> --duplicate-cn 08:24 < reiffert> But I have *no* idea how to tell it the ccd file. 08:24 < reiffert> What keeps you from creating two more keys? 08:28 < sonnie> for example, i want to allow 3 machines in one office to connect as client1, and 8 machines in another room to connect as client2. 08:29 < sonnie> i have tried the openvpn-auth-pam plugin, but windows clients have to input user/pass, which is annoying. 08:30 < sonnie> so i changed back to creating keys for client1 and client2 08:35 < reiffert> why not connect one machine PAUL from office1 to the vpn server and have all other machines from office1 route their traffic over PAUL? 08:35 < reiffert> Or why dont you create 11 client keys then? 08:37 < reiffert> Bridging might be an alternative for you instead of routing. 08:40 < sonnie> i will read the bridging part of the manual, thank you :) 08:41 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn 08:41 -!- djc [n=djc@xavamedia.nl] has left ##openvpn [] 08:41 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn 08:41 -!- djc [n=djc@xavamedia.nl] has left ##openvpn [] 08:41 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn 08:41 < djc> okay, sorry about that, got confused 08:42 < djc> I'm using the subnet stuff in the 2.1rc's 08:43 < djc> and recently upgraded, I think from rc9 to rc13 08:43 < djc> but the connectivity seems to drop out/fail all the time 08:43 < djc> is this a known issue? can I help debug? 08:44 < reiffert> 1st of all step back to rc9 and check if it works back there. 08:47 < sonnie> djc, plz read http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494998, hope it helps. 
08:47 < vpnHelper> Title: #494998 - tunnels that use update-resolvconf do not start after upgrade anymore - Debian Bug report logs (at bugs.debian.org) 08:47 < djc> interesting, thanks 08:47 < djc> will have to look later 08:47 < djc> (as none of my systems are Debian) 08:59 < espacious> ummm reiffert which is the OPENVPN client for windows? 09:00 < espacious> the openvpn-2.0.9-install.exe? 09:00 < espacious> is that the client or the server? 09:04 < reiffert> both. 09:04 < reiffert> I'd probably go for using 2.1rc13 09:09 < espacious> so is the client and server 09:09 < espacious> ok i see 09:10 -!- kysucix [n=kysucix@62-101-126-218.ip.fastwebnet.it] has left ##openvpn ["Sto andando via"] 09:12 < ecrist> morning, kids 09:13 -!- ChanServ changed the topic of ##openvpn to: HowTo: http://openvpn.net/howto READ IT | Your problem is probably your firewall. | If it's not your firewall, you're missing a route. 09:27 -!- lyxan [n=zer0pyth@pdpc/supporter/active/zer0python] has joined ##openvpn 09:29 < lyxan> anyone here ever attempted to use openvpn as a backup solution for MPLS? 09:44 -!- theromis [n=romis@67-207-115-132.static.wiline.com] has quit [Read error: 60 (Operation timed out)] 10:07 < lyxan> no body eh? 10:08 -!- stevil [n=stevil@host-2.tntlogistics-3.demon.nl] has quit [] 10:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 10:30 -!- espacious [i=espaciou@84-255-235-206.static.t-2.net] has quit [Read error: 104 (Connection reset by peer)] 10:31 -!- AukeF [n=auke@x154.flex.surfnet.nl] has quit [Remote closed the connection] 10:40 * AlmightyOatmeal moo's 11:52 -!- fawzy [i=f@pull.akickdoe.com] has joined ##openvpn 11:52 -!- fawzy [i=f@pull.akickdoe.com] has left ##openvpn [] 12:11 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 12:15 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn 12:22 < lyxan> anyone about yet? 
:) 12:23 < Luria> no 12:24 < lyxan> :< 13:25 -!- AlmightyOatmeal [n=jamie@68-185-102-197.dhcp.mdsn.wi.charter.com] has quit [Read error: 101 (Network is unreachable)] 13:59 -!- snejk [n=snejk@c213-89-26-212.bredband.comhem.se] has joined ##openvpn 14:05 < snejk> hi, I want to push a default route to my clients (default VPN gateway 10.92.10.1) , sorry but I cant get it to work... push "redirect-gateway def1". Im trying to use predefined IPs for my clients using ccd. my conf at, http://pastebin.com/d49ce676a any idea? 14:09 < snejk> Im using a TAP device on Windows clients, seems theres a limitation 14:18 < snejk> does Windows clients require a separete network per client?? 14:19 < krzee> !/30 14:19 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 14:20 < krzee> snejk, that is your answer 14:23 < snejk> krzee, I have followed the instruction, used : user1: ifconfig-push 10.92.10.2 10.92.10.1, user2: ifconfig-push 10.92.10.5 10.92.10.6, but the Client gets .1 as default gw for user1 and .6 for user2. There is no IP listening on .6 on the server, so it doesnt work 14:23 < snejk> !topology 14:23 < vpnHelper> snejk: "topology" is it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 14:23 < krzee> that is not correct 14:23 < krzee> server takes .1 14:23 < krzee> and should not be assigned to a client 14:23 < krzee> where did you read that from? 
14:24 < snejk> ah, ok 14:25 < krzee> btw the server statement expands to have tls-server and mode server 14:25 < krzee> !man 14:25 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 14:25 < krzee> see --server for understanding of server statement 14:25 < snejk> my tun adapter on the server is tun0: flags=10011008d1 mtu 1500 index 3, inet 10.72.12.1 --> 10.72.12.2 netmask ffffffff 14:25 < snejk> 10.92.10 sorry 14:26 < snejk> ok, so I should have the first client at 10.5 + 10.6 14:26 < krzee> or use topology subnet with 2.1 14:26 < krzee> and then clients just get .2,.3,.4,.5 14:26 < krzee> etc 14:26 < snejk> oh 14:26 < krzee> [16:23] snejk: "topology" is it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 14:26 < vpnHelper> Title: New subnet topology feature ready for testing: msg#00020 network.openvpn.devel (at osdir.com) 14:27 < snejk> can that be used per client?, I want a "static" IP per client 14:27 < krzee> !static 14:27 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 14:27 < krzee> sure 14:27 < krzee> why not 14:28 < snejk> ok, but if I use ifconfig-push, what syntax do I use when using "topology", .2,.3,.4 ? 14:28 < krzee> !learn chooseip as OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). 2 -- Use --client-config-dir file for static IP (next choice). 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice). 14:28 < vpnHelper> krzee: The operation succeeded. 
14:28 < krzee> you mean topology subnet 14:28 < snejk> yep 14:29 < krzee> as opposed to topology net30 which you are currently using 14:29 < snejk> yep 14:29 < krzee> !betaman 14:29 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html 14:31 < snejk> so, ifconfig-push 10.92.10.5 255.255.255.255 ? 14:31 < snejk> i think 14:31 < snejk> and next client, ifconfig-push 10.92.10.6 255.255.255.255 ? 14:31 < krzee> Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation. 14:31 < krzee> The parameters local and remote-netmask are set according to the --ifconfig directive which you want to execute on the client machine to configure the remote end of the tunnel. Note that the parameters local and remote-netmask are from the perspective of the client, not the server. 14:32 < krzee> you can start at .2 14:32 < snejk> ok 14:32 < krzee> and let the server assign the ip first 14:32 < krzee> watch the logs 14:32 < snejk> oki 14:32 < krzee> see how it sets it 14:32 < krzee> then dupe that in a ccd entry 14:33 < snejk> will the server push the default route automatically when using "topology subnet"? 14:33 < snejk> i am guessing I need 10.92.10.1 for all clients 14:33 < krzee> no, redirect-gateway does that 14:33 < snejk> ok 14:33 < krzee> which you have, so its fine 14:33 < snejk> push "redirect-gateway def1", yep 14:33 < snejk> it is a macro I see 14:34 < snejk> alright, I will try 14:34 < krzee> did you read the link in !topology ? 14:35 < snejk> now I have :) 14:35 < snejk> great 14:35 < snejk> seems to solve the problem then. 
just need to get a working config 14:36 < krzee> its not so much it solves the problem, it reduces the confusion 14:36 < krzee> now just comment out ccd-exclusive and remove the ccd file 14:36 < krzee> let it connect and get an ip from the server 14:36 < krzee> watch the logs to see how it does it 14:37 < krzee> do it manually the same way it did it automatically 14:37 < krzee> (easiest way in my eyes) 14:37 < krzee> anyways, time for me to go 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:37 < krzee> later 14:37 < snejk> u mean I will find the correct syntax for ccd client? 14:37 < snejk> in the logs 14:37 < snejk> np 14:37 < krzee> after reading --ifconfig-push 14:37 < krzee> you should be able to tell what to put in ccd entry 14:38 < snejk> thanx!! 14:38 < krzee> after seeing what ips it uses in the logs by itself 14:38 < snejk> alot 14:38 < krzee> you're welcome 14:38 < krzee> =] 14:38 < snejk> :] 14:38 < krzee> you using 2.1, right? 14:38 < snejk> yep 14:39 < snejk> latest 14:39 < krzee> make sure to use !betaman and not !man 14:39 < krzee> 2.1 is nice =] 14:39 < snejk> argbh, not 2.1 on the server i see now 14:40 < snejk> OpenVPN 2.0.9, need to recompile then 14:40 < snejk> but thx, I will fix it somehow now :) 15:38 -!- unixSnob [n=jj@78.110.195.118] has joined ##openvpn 15:40 < unixSnob> is openvpn purely SSL? I just noticed a site for an ipsec vpn provider critisizing SSL for being slow.. 
I wonder how true that is, and if openvpn is capable of ipsec 16:01 -!- djc [n=djc@xavamedia.nl] has quit ["Lost terminal"] 16:13 -!- snejk [n=snejk@c213-89-26-212.bredband.comhem.se] has quit ["VPN"] 16:59 -!- unixSnob [n=jj@78.110.195.118] has quit ["leaving"] 17:19 < krzie> i wonder if the site critisizing ssl has noticed that ipsec is known for having security concerns 17:21 -!- [intra]lanman [n=lanman@freeswitch/developer/intralanman] has quit ["mv hussein /jail && rm -f /bin/laden"] 17:35 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 18:18 -!- sonnie [n=sonnie@202.141.162.106] has quit ["leaving"] 18:46 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:46 < Dougy> ecrist ecrist 18:49 < krzie> doug doug 18:50 < Dougy> krzie krzie 18:50 < Dougy> sup 18:52 < krzie> nothin 18:52 < Dougy> fun 18:52 < Dougy> im playnig with my new server 18:52 < Dougy> playing 18:52 < krzie> werd 18:52 < Dougy> i want to tell ecrist justedges network isnt as garbage'y as he saw 18:53 < Dougy> i have a different vlan now in a diff port in a diff rack and its zoom zoom zoom 18:54 < Dougy> 2 ge0-4.cr01.lga03.mzima.net (72.37.132.237) 0.550 ms 0.526 ms 0.498 ms 18:54 < Dougy> 3 xe2-0.cr02.lga01.mzima.net (216.193.255.241) 5.196 ms 5.175 ms 5.152 ms 18:54 < Dougy> yay 18:58 < krzie> thats yay? 
18:59 < krzie> you lost 5ms between hop 2 and 3 18:59 < krzie> in the same dc 19:01 < Dougy> no it's not 19:02 < Dougy> and thats not justedge 19:02 < Dougy> lol 19:02 < krzie> *shrug* i figured you pasted something relevant to what you were talking about 19:02 < Dougy> yeah 19:02 < Dougy> my b 19:02 < Dougy> ew 19:02 < Dougy> what the f 19:03 < Dougy> 1 64.18.138.33 (64.18.138.33) 0.356 ms 0.557 ms 0.537 ms 19:03 < Dougy> 2 core-11-teb1.us.justedge.net (64.18.128.138) 0.499 ms 0.478 ms 0.461 ms 19:03 < Dougy> 3 core-01-lga1.us.njiix.net (64.20.32.173) 0.668 ms 0.649 ms 0.628 ms 19:03 < Dougy> 4 353.ge-5-2-0.mpr1.lga1.us.above.net (64.124.44.210) 0.849 ms 0.827 ms 0.807 ms 19:03 < Dougy> 5 so-0-2-0.mpr1.dca2.us.above.net (64.125.26.97) 5.276 ms 5.260 ms 5.159 ms 19:03 < Dougy> 19:03 < Dougy> ahh there 19:03 < Dougy> much nicer 19:03 < krzie> my servers in california go through 2 san diego DC's and up through LA before they hit 5ms 19:03 < krzie> 1 66.11.125.37 (66.11.125.37) 34.846 ms 13.813 ms 4.346 ms 19:03 < krzie> 2 usa-sdca-broadway.6509gi5-1.suavemente.net (66.11.125.34) 0.799 ms 0.785 ms 0.802 ms 19:03 < krzie> 3 otaymesa6506.mexico.suavemente.net (66.11.112.125) 1.513 ms 1.511 ms 1.454 ms 19:03 < krzie> 4 owb.dbo.gi2-3.gateway.22358.americanis.net (38.96.3.1) 1.957 ms 3.426 ms 2.327 ms 19:03 < krzie> 5 208.84.48.217 (208.84.48.217) 7.579 ms 5.610 ms 5.781 ms 19:03 < Dougy> nice 19:03 < krzie> 6 te-8-2-464.car4.LosAngeles1.Level3.net (4.71.128.169) 4.890 ms 5.120 ms 4.873 ms 19:03 < krzie> 7 ae-3-89.edge3.LosAngeles1.Level3.net (4.68.20.137) 5.118 ms 4.945 ms 4.907 ms 19:42 < krzie> !betaman 19:43 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 19:50 < jeev> siup foolz 19:52 < jeev> krzie 19:52 < jeev> i think if i get hte loop 19:52 < jeev> i'm geting it from the cable company 19:52 < jeev> stupid cable co 20:28 < krzie> makes sense, they already have the wires run 20:28 < jeev> yea, they'd have to build there i think 20:28 < jeev> 
depends on site survey for install costs 20:28 < jeev> but i'm hoping it's something good 20:30 < krzie> it would also be good for them to do that 20:30 < krzie> especially if they can charge you for it, lol 20:30 < jeev> lol 20:30 < jeev> they said it'd be smaller 20:30 < jeev> maybe she can work on 0 install 20:30 < jeev> depends on their ROI 20:30 < jeev> anyway 20:30 < jeev> i'm thinking about providing 100mbit to the people upstairs 20:30 < jeev> for 3k 20:30 < krzie> 0 install = not gunna happen 20:30 < jeev> 100mbit to the intern0t. 20:30 < jeev> i know 20:30 < jeev> but i'm hoping 20:31 < jeev> i have good luck with companies like this 21:16 < Dougy> o.O 21:16 < Dougy> hi 21:16 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 21:21 * ecrist yawns 21:32 < jeev> sounded like a queef 21:33 < Dougy> sup ecrist 21:38 * jeev wishes the vps was bsd 21:41 < onats> hello 21:47 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 22:12 < krzee> jeev, in the market for a badass fbsd vps? 22:13 < krzee> Managed FreeBSD 7.0 - This means we keep OS and ports up to date and secure- 22:13 < krzee> 1-64 IP Addresses, with reverse dns. $2 pr extra IP. 22:13 < krzee> Intel core duo 3.0ghz. 22:13 < krzee> 1GB RAM. 22:13 < krzee> 10-50GB disk space, $10 pr extra 10GB. 22:13 < krzee> 1000GB Monthly, DDoS filtered bandwidth. 22:13 < krzee> Superb uptime. 22:13 < krzee> Basic Virtual Dedicated Server: 22:14 < krzee> 10GB disk space, 1GB ram, 1 IP: $20 /mo 22:14 < krzee> Medium Virtual Dedicated Server: 22:14 < krzee> 10GB disk space, 1GB ram, 5 extra IPs (6 total): $29 /mo 22:14 < krzee> Chubby Virtual Dedicated Server: 22:14 < krzee> 20GB disk space, 1GB ram, 5 extra IPs (6 total): $35 /mo 22:14 < krzee> Chubby+ Virtual Dedicated Server: 22:14 < krzee> 20GB disk space, 1GB ram, 15 extra IPs (16 total): $55 /mo 22:14 < krzee> Extra IPs: $2 pr IP pr month. 
22:14 < krzee> Extra Disk space: $10 pr 10GB pr / mo 22:14 < krzee> DDoS traffic is not counted as traffic on the traffic meter. 22:14 < krzee> We accept paypal and wiretransers. 22:15 < Dougy> nid3 22:15 < Dougy> nice 22:16 < krzee> yup 22:16 < Dougy> what co 22:16 < krzee> and the person who runs the box has serious skills 22:16 < krzee> server is colo'ed at GigeServers(Chicago), formerly FOONETGigeServers(Chicago), formerly FOONET 22:16 < krzee> its not a company 22:17 < krzee> its someone i know 22:17 < krzee> offsetting the cost of the server 22:17 < krzee> he's had the server awhile but the person who paid for it got fired from his job 22:17 < krzee> so the admin tossed on some VPSs and is only selling a couple 22:17 < Dougy> lol 22:18 < Dougy> hmm 22:18 < Dougy> gigenet eh 22:18 < krzee> and this is a skilled guy, so its actually better that way 22:18 * Dougy knows one of the owners 22:18 < krzee> how well? 22:18 < Dougy> pretty well 22:18 < krzee> get him to give you a free low usage colo 22:18 < Dougy> nop 22:18 < krzee> can use one of my boxes 22:18 < krzee> ;] 22:18 < Dougy> i get colo for 50/mo 22:19 < Dougy> 1u + power 22:19 < krzee> whaaaaat 22:19 < Dougy> + /28 22:19 < krzee> you kidding me? 22:19 < Dougy> too pricy for your blood 22:19 < krzee> and that includes a lil bw? 
22:19 < krzee> thats a good price, but ild wanna just pay a bit in advance 22:19 < Dougy> ehh my boss didnt say he was checking my usage 22:19 < Dougy> ;] 22:19 < krzee> werd 22:19 < krzee> i dont use much bw anyways 22:20 < Dougy> me either 22:20 < Dougy> other than the massive xen testing i was doing 22:20 < Dougy> that i used prob 250gb in a day or 2 22:20 < krzee> ive got other boxes to use bw on 22:20 < Dougy> o.O 22:20 < krzee> if i get another it would just be private box 22:20 < Dougy> i got my poweredge @ work 22:21 < Dougy> [doug@sec01 /etc/sysconfig/network-scripts] cat /proc/cpuinfo | grep Xeon 22:21 < Dougy> model name : Intel(R) Xeon(TM) CPU 3.20GHz 22:21 < Dougy> model name : Intel(R) Xeon(TM) CPU 3.20GHz 22:21 < Dougy> model name : Intel(R) Xeon(TM) CPU 3.20GHz 22:21 < Dougy> model name : Intel(R) Xeon(TM) CPU 3.20GHz 22:21 < Dougy> [doug@sec01 /etc/sysconfig/network-scripts] free -m 22:21 < Dougy> total used free shared buffers cached 22:21 < Dougy> Mem: 3042 1946 1096 0 49 1552 22:21 < Dougy> -/+ buffers/cache: 344 2697 22:21 < Dougy> Swap: 1983 0 1983 22:21 < Dougy> not bad for $325 22:21 < krzee> no way 22:22 < krzee> you got a quad for 325? 
22:22 < jeev> Dougy steals shipments from UPS 22:22 < jeev> what do you expect 22:22 < krzee> haha 22:22 < Dougy> krzee: not new 22:22 < Dougy> light usage 22:22 < jeev> he dresses up as the driver, goes into the truck 22:22 < jeev> when the delivery guy is delivering 22:23 < jeev> so 22:23 < jeev> i hate centos but i've gotta do something fun 22:23 < jeev> with this vps 22:23 < Dougy> lol 22:23 < jeev> Dougy, how do i get him to install webmin 22:23 < Dougy> do it yourself 22:23 < Dougy> it takes a whole 2 minutes 22:23 < jeev> oh 22:23 < jeev> do i need to install apache and shit 22:23 < jeev> or 22:23 < jeev> dood, i dont like linux 22:23 < Dougy> nope 22:23 < jeev> linux fell off after slackware 3.5 22:23 < Dougy> install webmin 22:24 < Dougy> then you can go into webmin 22:24 < Dougy> click a button 22:24 < Dougy> and itll do it for you 22:24 < jeev> http://www.webmin.com/download.html 22:24 < vpnHelper> Title: Webmin (at www.webmin.com) 22:24 < jeev> you're telling me 22:24 < jeev> i'm going to get an RPM ? 22:24 < jeev> ew. 22:24 < jeev> can i use the source 22:24 < Dougy> sure can 22:24 < Dougy> run the script 22:24 < Dougy> its interactive 22:24 < Dougy> its easy 22:25 < jeev> i am getting lag on the vps by the way 22:25 < jeev> when running commands 22:25 < jeev> but i guess 22:25 < Dougy> really? 
22:25 < jeev> cause it's east 22:25 < jeev> and i'm west 22:25 < Dougy> i am too but my isp is just a cunt 22:25 < jeev> it's getting http://prdownloads.sourceforge.net/webadmin/webmin-1.441.tar.gz @ ~600kb/s 22:25 < jeev> <400 now 22:25 < jeev> wow 22:25 < jeev> untarring is slow too 22:25 < jeev> it took a whole 25 seconds 22:25 < jeev> before it stared to list files 22:25 < jeev> started 22:25 < Dougy> hmmm 22:25 < Dougy> thats strange 22:26 < jeev> no wonder 22:26 < jeev> "halloween" special 22:27 < jeev> so krzee 22:27 < jeev> quote for 50mbit ptp was 2800 22:27 < jeev> lol 22:27 < Dougy> jeev: 22:27 < jeev> gigabit is 4000 22:27 < Dougy> you're on a brand new node 22:27 < Dougy> as in unboxed today 22:27 < krzee> hah 22:27 < jeev> i think i would get the 50mbit though in the beginning 22:27 < Dougy> its not full yet 22:27 < jeev> until i could get more clients 22:27 < krzee> noway 22:27 < jeev> it takes a few days to update 22:27 < jeev> upgrade 22:27 < jeev> i think 22:27 < jeev> they could even do it instantly for me 22:27 < krzee> just gotta sell bigger connections cheaper and get more to use you 22:28 < jeev> yea 22:28 < jeev> as i said 22:28 < jeev> i think the people upstairs have 4 t1's 22:28 < jeev> at 2k/month 22:28 < krzee> damn dude 22:28 < jeev> so i'll offer them 100mbit point to point.. and give them a few U 22:28 < jeev> to put a server there 22:28 < jeev> and i'll give them 20 mbit to the internet 22:28 < jeev> for 3k/month 22:28 < jeev> i think they'd take it 22:28 < jeev> they pay a lot for off site 22:28 < krzee> 2k total is what they're paying right now right? 22:29 < jeev> yea 22:29 < Dougy> jeev 22:29 < jeev> without phones 22:29 < Dougy> 23:26:59 (6.10 MB/s) - `webmin-1.441.tar.gz' saved [13881278/13881278] 22:29 < jeev> i'll give them the ability 22:29 < jeev> wtf dougy 22:29 < krzee> what do they do? 22:29 < jeev> give me link. 
22:29 < jeev> krzee, they've got 200 people i think 22:29 < jeev> i dunno 22:29 < jeev> dougy 22:29 < Dougy> err 22:29 < jeev> give me your link 22:29 < Dougy> wtf 22:29 < Dougy> its not pasting 22:29 < jeev> gay 22:29 < jeev> brb 22:29 < krzee> starts with / ? 22:29 < Dougy> http://internap.dl.sourceforge.net/sourceforge/webadmin/webmin-1.441.tar.gz 22:31 < Dougy> @ jeev 22:31 < krzee> well man 22:31 < krzee> its movie time 22:33 < jeev> 5.83 22:33 < jeev> mb/s 22:33 < Dougy> thats better 22:33 < Dougy> lol 22:33 < jeev> http://prdownloads.sourceforge.net/webadmin/webmin-1.441.tar.gz 22:33 < jeev> that's what i used 22:33 < Dougy> yes 22:33 < Dougy> me too 22:33 < Dougy> and it redirected to internap 22:33 < Dougy> what did it redirect you to 22:34 < jeev> hey 22:34 < jeev> i duno 22:34 < Dougy> lol 22:34 < jeev> it isn't showing my is any 22:34 < jeev> ip anymore 22:34 < jeev> in the vps control panel 22:34 < jeev> wtf is going on 22:34 < Dougy> youre high man 22:34 < Dougy> no issues going on 22:35 < jeev> dood 22:35 < jeev> my 22:35 < jeev> my.cr... 22:35 < jeev> isn't showing the ip anymore 22:35 < Dougy> i havent logged into my.cr 22:35 < Dougy> ever 22:35 < Dougy> i just log into VZPP 22:35 < jeev> yea 22:35 < jeev> but 22:35 < jeev> except i didn't know my ip 22:35 < jeev> until i saw it on my.cr 22:35 < jeev> then i logged in 22:35 < jeev> now it doesn't show it anymore 22:35 < Dougy> sucks 22:35 < jeev> even though i have the ip 22:35 < jeev> . 22:36 < Dougy> write down your ip 22:36 < Dougy> memorize it 22:36 < Dougy> something it 22:37 < jeev> so 22:37 < jeev> i install it as a module ? 22:37 < jeev> apache 22:37 < Dougy> err 22:37 < Dougy> when you log in 22:37 < Dougy> under services or something 22:37 < jeev> webmin config? 
22:37 < Dougy> in fact here 22:37 < Dougy> as root via ssh 22:37 < Dougy> yum install httpd httpd-devel php mysql mysql-devel php-mysql php-gd php-bcmath -y 22:38 < jeev> no yum 22:38 < jeev> ;) 22:38 < Dougy> oh 22:38 < Dougy> sec 22:38 < Dougy> for file in \ 22:38 < Dougy> gmp-4.1.4-10.el5.i386.rpm \ 22:38 < Dougy> python-2.4.3-21.el5.i386.rpm \ 22:38 < Dougy> libxml2-2.6.26-2.1.2.1.i386.rpm \ 22:38 < Dougy> libxml2-python-2.6.26-2.1.2.1.i386.rpm \ 22:38 < Dougy> python-sqlite-1.1.7-1.2.1.i386.rpm \ 22:38 < Dougy> rpm-python-4.4.2-48.el5.i386.rpm \ 22:38 < Dougy> m2crypto-0.16-6.el5.2.i386.rpm \ 22:38 < jeev> http://.../webmin/edit_mods.cgi 22:38 < jeev> go there 22:38 < Dougy> python-urlgrabber-3.1.0-2.noarch.rpm \ 22:38 < Dougy> yum-metadata-parser-1.1.2-2.el5.i386.rpm \ 22:38 < Dougy> python-iniparse-0.2.3-4.el5.noarch.rpm \ 22:38 < Dougy> python-elementtree-1.2.6-5.i386.rpm \ 22:38 < Dougy> rpm-libs-4.4.2-48.el5.i386.rpm \ 22:38 < Dougy> rpm-4.4.2-48.el5.i386.rpm \ 22:38 < Dougy> yum-3.2.8-9.el5.centos.1.noarch.rpm 22:38 < Dougy> do wget http://mirror.centos.org/centos-5/5/os/i386/CentOS/$file; 22:38 < Dougy> rpm -Uvh $file; 22:38 < Dougy> done 22:38 < Dougy> do what i said 22:38 < Dougy> http://josephfasone.info/?p=5 22:38 < Dougy> ^ cvps's owner's blog 22:39 < vpnHelper> Title: Joseph Fasone » How to: Install YUM on your VPS (at josephfasone.info) 22:39 < jeev> yum sucks 22:39 < Dougy> yep 22:39 < Dougy> it has php 5.1.6 22:39 < Dougy> thats the most recent 22:39 < jeev> i installed php 22:39 < Dougy> lol 22:39 < jeev> i mean 22:39 < jeev> apache 22:39 < jeev> through webmin 22:39 < jeev> per the link i gave you 22:39 < Dougy> i see 22:39 < Dougy> i havent used webmin in god knows how long 22:39 < jeev> try it on yours 22:39 < Dougy> id say 4 years 22:39 < jeev> first time for me 22:40 < Dougy> webmin is nice 22:40 < Dougy> skin it 22:40 < Dougy> http://www.stress-free.co.nz/webmin-theme 22:40 < Dougy> @ jeev 22:40 < vpnHelper> Title: Webmin Tiger theme | 
StressFree (at www.stress-free.co.nz) 22:40 < jeev> oh 22:40 < jeev> this is module 22:40 < jeev> wait 22:40 < jeev> wtf is this 22:40 < jeev> it installed apache i think 22:40 < Dougy> no 22:41 < Dougy> thats definitely not the right area 22:41 < jeev> ahh 22:41 < Dougy> install yum, you need yum for sure 22:41 < Dougy> for webmin 22:41 < jeev> ok 22:41 < jeev> doing it 22:41 < jeev> done 22:41 < jeev> i dont trust yum 22:42 < Dougy> why 22:43 < jeev> dunno 22:43 < Dougy> centos developers packaged that up not some hick, its pretty trustable imho 22:43 < jeev> still 22:43 < jeev> i dont trust anything to do with redhat 22:43 < Dougy> why 22:43 < jeev> dunno 22:43 < jeev> redhat sucks 22:43 < Dougy> meh 22:43 < Dougy> install yum, then run the command i gave you 22:43 < Dougy> yum install httpd httpd-devel php mysql mysql-devel php-mysql php-gd php-bcmath -y 22:44 < jeev> i did 22:44 < jeev> oh 22:44 < jeev> so 22:44 < Dougy> then under Services i believe in webmin 22:44 < jeev> php being outdated is ok? 22:44 < jeev> heh 22:44 < Dougy> ehh 22:44 < Dougy> i guess 22:44 < Dougy> i wouldnt run anything major on it 22:44 < Dougy> all i run is cacti 22:45 < jeev> 8:45PM up 834 days, 27 mins, 1 user, load averages: 0.00, 0.00, 0.00 22:45 < jeev> ;) 22:45 < Dougy> lol 22:45 < jeev> my box at 111 8th 22:45 < jeev> one of them 22:45 < jeev> heh 22:45 < Dougy> let me ssh into our server 22:45 < jeev> sucks 22:45 < Dougy> at work 22:45 < jeev> ok, the other one is 2000+ 22:45 < Dougy> thats been online since 2001 22:45 < jeev> dont make me. 
22:45 < jeev> BAH 22:46 < jeev> i was actually removed 22:46 < jeev> from that box 22:46 < Dougy> we have it written on our whiteboard 22:46 < jeev> because it's being put to sleep 22:46 < Dougy> let me log into camera and see 22:46 < Dougy> the date 22:46 < Dougy> sec 22:46 < Dougy> March 17, 2001 22:46 < Dougy> hah 22:46 < Dougy> you lose 22:47 < Dougy> ok going to bed 22:47 < jeev> ok 22:47 < jeev> night 22:47 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 22:49 < krzee> !man 22:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 --- Day changed Tue Nov 11 2008 00:15 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: zirpu 00:35 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 00:40 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has quit [No route to host] 00:56 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 02:05 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn 02:16 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 02:39 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Read error: 113 (No route to host)] 03:05 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 05:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:05 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn 07:07 < ecrist> mornign folks 08:24 -!- meuserj [n=meuserj@c-69-136-186-239.hsd1.in.comcast.net] has joined ##openvpn 08:26 < meuserj> ok... I've set up a simple ptp vpn.. I can ping all machines inside the remote network, but cannot access any services... nmap reports all ports as closed. 
08:31 -!- nsaran [n=nikos@acl1-1315bts.gw.smartbro.net] has joined ##openvpn 08:31 < nsaran> hello 08:33 < nsaran> my provider is using dhcp and tunnel to connect me in the internet and as they claim everything even the tunnel will be done automatically, maybe in windows but in linux what is the case? 08:41 -!- nsaran [n=nikos@acl1-1315bts.gw.smartbro.net] has quit [] 08:50 < ecrist> meuserj: read the topic in this chan... 09:21 < meuserj> ecrist: ok... well I'm following this guide: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html and it only indicates that you need a route on the client... a server route is only needed if you are using something other than your gateway as the vpn server.... is that true? 09:21 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 09:36 < meuserj> ecrist: ok, I'm dumb.. it was a firewall problem... needed to allow all protocols through on tun0 on the server 09:37 < meuserj> the reason pings worked was that there was a rule allowing any icmp packets through any interface 09:39 -!- meuserj [n=meuserj@c-69-136-186-239.hsd1.in.comcast.net] has left ##openvpn [] 09:47 -!- sigmonsays_ [n=sig@adsl-99-182-233-78.dsl.pltn13.sbcglobal.net] has joined ##openvpn 09:47 < sigmonsays_> Morning 09:48 < sigmonsays_> *evening to some 09:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:17 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn 10:36 < ecrist> morning, sigmonsays_ 10:47 < jeev> hi 10:54 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 10:54 < kreg> openvpn showing up on any hardware? 10:55 < ecrist> ? 10:56 < kreg> as in, any vendors shipping their products with openvpn as a client 10:56 < kreg> picked up my ipod the other day 10:56 < kreg> came with vpn clients for ipsec, pptp. was thinking if the day comes with openvpn shows up on things 11:08 < ecrist> hrm, not sure. 
11:08 < ecrist> openvpn uses ssl for the vpn encryption 11:09 < ecrist> I'm sure that if ssl vpn becomes more main-stream, there will be some efforts toward making it more compatible across-platform. 11:09 < ecrist> it's not there, yet, however. 11:11 < kreg> can't imagine not using ssl for a vpn anymore. 11:19 < ecrist> ipsec is good, use it all the time 11:28 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn 11:29 < kreg> it is 11:29 < djc> a client will try to reconnect if I bring the server down and back up again, right? 11:31 < djc> my current (subnet-based) setup isn't working and seems to have gotten much worse since upgrading to rc13; what was that issue again? 11:49 < djc> no clues? :( 11:49 < ecrist> djc, yes, your clients *should* try to reconnect. 11:49 < ecrist> a lot depends on the client config, though. 11:50 < djc> hmm 11:50 < djc> well, seems like I can work the server a bit still 11:50 < djc> even though it keeps crapping out 11:50 < djc> ecrist: do you know where I can find that subnet-bug? 11:50 < ecrist> dont know which bug you're referring to 11:50 < djc> my screen session with that conversation in it died :( 11:50 < djc> some bug on the debian tracker 11:51 < ecrist> were you talking in here? 11:51 * ecrist logs this chan 11:51 < djc> ecrist: yeah 11:51 < djc> like two days ago 11:51 < ecrist> when/who 11:51 < djc> me, this nick, this weekend, I think 11:51 < ecrist> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494998 11:52 < vpnHelper> Title: #494998 - tunnels that use update-resolvconf do not start after upgrade anymore - Debian Bug report logs (at bugs.debian.org) 11:52 < djc> great, thanks! 11:52 < ecrist> np 11:52 < jeev> my wifi button broke off my lappy 11:53 < djc> well, that bug doesn't seem relevant to my problems, though :( 11:57 < djc> ugh, the connection keeps dropping :| 12:23 < ecrist> djc, using tcp? 12:58 < reiffert> ecrist: can the logfile be reached via browser? 12:58 < reiffert> djc: did you try rc9 again? 
Afair it was working for you on rc9? 13:03 < ecrist> oh, my log files? I can make them so. 13:04 < ecrist> gimme a few. 13:08 < ecrist> reiffert: yeah, it needs to be parsed a bit. as it is, it's 3.1MB 13:08 < ecrist> uncompressed. 13:09 < jeev> ecrist 13:09 < jeev> +nat in topic? 13:10 < ecrist> jeev: ? 13:10 < jeev> problem could be nat 13:10 < ecrist> so add it 13:11 -!- mode/##openvpn [+o jeev] by ChanServ 13:11 -!- jeev changed the topic of ##openvpn to: HowTo: http://openvpn.net/howto READ IT | Your problem is probably your firewall. | If it's not your firewall, you're missing a route. | dont forget nat 13:11 <@jeev> that good? 13:11 < ecrist> sure 13:11 -!- mode/##openvpn [-o jeev] by jeev 13:11 < jeev> so like 13:11 < jeev> i'm gonna offer the guy the speakers today 13:12 < jeev> for 8 speakers, you're going to have to recommend an amp 13:12 < jeev> that can do decent bass too 13:12 < ecrist> I'm going to? 13:12 < ecrist> amp isn't what does bass. 13:12 < jeev> if you're willing to 13:12 < ecrist> that's a function of the speaker 13:12 < jeev> i need a strong amp though, no ? 13:12 < ecrist> quote good speakers, spec amp after 13:13 < ecrist> you're doing 70-volt system , right? 13:13 < jeev> you said 13:13 < jeev> crap 13:13 < jeev> i forgot what speakers you suggested 13:13 < ecrist> reiffert: Speco, 6.5" two-way with voice coil 13:13 < jeev> uh, ecrist 13:14 < jeev> yea, you said Speco 13:14 < jeev> how do you determine voltage? 13:14 < ecrist> jeev: I'm going to say this as nice as possible, don't quote something you don't understand. 13:14 < ecrist> don't sell a sound system you can't support. 13:14 < jeev> i know, that's why you're nicely helping me 13:14 < ecrist> I'm not willing to support it from here, for you. 13:15 < jeev> damn 13:15 < ecrist> reiffert: you can download the file from http://www.secure-computing.net/logs/openvpn.log 13:15 < ecrist> I'll write a parser and search engine for it later this week or this weekend. 
13:15 < jeev> 404 13:15 < ecrist> oops 13:15 < ecrist> reiffert: you can download the file from http://www.secure-computing.net/logs/openvpn.txt 13:25 < reiffert> Thanks! 13:25 < ecrist> that file will be updated every half-hour, as long as my irssi session is online. ;) 13:30 < ecrist> sweet, it updated as it was supposed to. 13:33 < reiffert> hello updated logfile! 14:13 < ecrist> reiffert: I'm going to auto-gzip that file to cut down on the download time a bit. 14:14 < jeev> ecrist, i have a serious issue 14:14 < jeev> i keep buying servers and stuff and have no use for them 14:18 < ecrist> jeev: I would stop. 14:19 < jeev> i dont know heh 14:19 < jeev> ecrist, i can't people use centos and stuff 14:19 < ecrist> new link: http://www.secure-computing.net/logs/openvpn.txt.gz 14:19 < jeev> i'm forced to use it 14:19 < ecrist> forced to use what? 14:20 < jeev> centos 14:20 < jeev> heh 14:20 < jeev> when will people learn, bsd. 14:20 < ecrist> I didn't say anything about centos... 14:20 < jeev> ah 14:20 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn.txt.gz 14:20 < vpnHelper> ecrist: The operation succeeded. 14:20 < jeev> ecrist, you think an email to web todo exists? 14:21 < ecrist> what do you mean? 14:21 < jeev> like, send an email to your todo@yourdomain, with your password and things to do 14:21 < jeev> and it outputs to a database 14:21 < jeev> where you can check off, put notes.. 14:21 < ecrist> you could do that manually, really easy with procmail and perl 14:21 < jeev> i dont know about perl 14:21 < jeev> i'm thinking to make something with a shell script? 14:21 < jeev> run in crontab and add to sql 14:21 < jeev> so difficult in my mind though 14:21 < ecrist> you could do that, too. 
14:26 < jeev> hmm 14:26 < jeev> i need to do it 14:26 < jeev> it'd be awesome 14:28 -!- thomas is now known as ThoMe 14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:54 -!- katara [n=dak@190.24.218.190] has joined ##openvpn 14:55 < katara> hi i need help with a tunnel. I created the vpn and can ping each side but dont know what ip set as gateway on a static route 15:03 -!- katara is now known as eartham 15:40 < krzie> eartham a static route through openvpn? or a static route on a LAN router to know about the vpn? 15:41 < krzie> if you are going to tell openvpn to make a route through the vpn, you dont need to know the gateway, openvpn knows 15:41 < krzie> if you mean the LAN router to know about the vpn, you use the lan ip of the machine who runs openvpn 15:41 < eartham> krzie, actually im stuck on this:http://www.scriblink.com/index.jsp?act=phome&roomid=116&KEY=16C3551F05785FE4DCE88BA266C91801 15:41 < vpnHelper> Title: Scriblink - Your Online Whiteboard (at www.scriblink.com) 15:42 < eartham> i cant ping both routers, but i cant make ping from the freebsd machine to pfsense local network 15:42 < eartham> i cant = i can 15:42 < krzie> seen this? 15:42 < krzie> !route 15:42 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 15:43 < eartham> iroute? 15:43 < krzie> it goes over route, iroute, pushing routes, etc 15:43 < krzie> are the openvpn machines routers for their LANs? 15:44 < krzie> which lans do you want reachable over the vpn? 15:44 < eartham> both of them 15:44 < eartham> i only have 2 (one on every router) 15:45 < eartham> i want both lans can communicate as a dedicated link 15:45 < krzie> ok so openvpn does run on the LAN routers? 
15:45 < eartham> yes 15:45 < krzie> then all you need is in !route 15:47 < krzie> i made that long writeup so i wouldnt need to explain it 1000 more times ;] 15:47 < krzie> its a common question 15:47 < krzie> there is a drawing at the bottom 15:47 < eartham> thanks 15:47 < krzie> np 15:48 < eartham> krzie, one small question, the iroute needs to be on the client config file right? 15:49 < krzie> dont worry, that is in the writeup 15:49 < krzie> (yes) 15:49 < krzie> please read the whole thing 15:49 < eartham> oki 15:49 < eartham> tomorrow i will, i got enough right now 15:49 < eartham> but really really really thanks 15:49 < krzie> np =] 15:50 < eartham> :) 15:50 < krzie> then make sure your firewalls know they need to be passing packets from the other lan too 15:50 < krzie> cause when a packet from lan1 flows over the vpn, it still shows SRC of lan1_ip 16:18 < krzie> oh and also 16:18 < krzie> check out gliffy for your online network drawings 16:18 < krzie> (if you like the drawing i made for !route) 16:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:07 < reiffert> Hey 17:08 < ecrist> sup krzie 17:08 < krzie> wassup eric 17:09 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has quit ["Leaving"] 17:14 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:14 < Dougy> yoooooooooooooooooooooooooooo 17:15 < ecrist> speaking of fuckwads 17:15 < jeev> Dougy 17:15 < jeev> my vps is piss poor 17:15 < jeev> its access times are slow 17:15 < Dougy> really? 17:15 < jeev> sometimes, ls /etc will take 15 sec 17:15 < Dougy> ecrist: ouch 17:16 < Dougy> jeev: that's weird 17:16 < Dougy> mine's instant 17:16 < Dougy> i lied, took 4 sec 17:16 < jeev> right now it's 17:16 < jeev> instant 17:16 < jeev> but. 
17:16 < Dougy> maybe he was provisioning vps's or something 17:17 < jeev> i told you about it yesterday too 17:17 < Dougy> ecrist: uncool 17:17 < jeev> anyway 17:17 < jeev> god centos is wack 17:17 < Dougy> lol 17:17 < Dougy> you're just used to bsd 17:17 < jeev> bsd for life 17:17 < Dougy> i use centos daily often and its not that bad 17:17 < Dougy> bsd is better of course 17:17 < Dougy> i lied 17:17 < Dougy> freebsd :) 17:17 < jeev> heh 17:18 < jeev> freebsd rules 17:18 < jeev> i had to go to #centos 17:18 < jeev> to learn that by default 17:18 < jeev> proftpd and shit isn't in repo 17:18 < jeev> god that's lame 17:18 < Dougy> so? 17:18 < Dougy> install dag's repo 17:18 < Dougy> then you have virtually everything 17:18 < jeev> still 17:18 < jeev> i dont care! 17:18 < jeev> should be there by default!!! 17:18 < Dougy> sorry 17:18 < Dougy> centos doesnt have ports 17:18 < jeev> i wish i could irc off this bad boy 17:18 < Dougy> every distro should have ports 17:18 < Dougy> gentoo is such fail i can't describe it 17:19 < jeev> i hate linux 17:19 < jeev> except slackware 17:19 < Dougy> to be honest 17:19 < Dougy> i dont think i have ever used slack 17:19 < jeev> by he wa 17:19 < jeev> the way 17:19 < jeev> http://my.creativevps.com/ 17:19 < jeev> look at that beautiful error 17:19 < jeev> slack rules 17:19 < vpnHelper> Title: creativeVPS - Client Area (at my.creativevps.com) 17:19 < Dougy> LOL 17:19 < Dougy> jeev: im going to call joe up now 17:19 < Dougy> and scream obnoxiously loud on the phone 17:19 < Dougy> "YOUR BILLING SHIT IS DOWN, FIX NOW" 17:20 < jeev> hey 17:20 < jeev> ultimately 17:20 < jeev> what OS runs on these servers 17:20 < jeev> that builds the VPS ? 
17:20 < jeev> is it like windows and vmware 17:20 < Dougy> I would venture to say CentOS 17:20 < jeev> or a vmware OS 17:20 < jeev> oh 17:20 < Dougy> majority of VPS nodes are CentOs 17:20 < Dougy> CentOS* 17:20 < jeev> linux fell off 17:20 < jeev> since i stopped using it 17:20 < jeev> ;D 17:20 < Dougy> 99% of them are either CentOS or Debian 17:21 < jeev> so, i dont really have to worry about upgrading this kernel? 17:21 < jeev> now to read up on how to build tun 17:21 < Dougy> err 17:21 < Dougy> it should be there 17:21 < Dougy> if its not, you're boned 17:21 < Dougy> if its not there, you cant do anything to create it 17:21 < jeev> really ? 17:21 < Dougy> they have to create it and reboot the node 17:21 < Dougy> iirc 17:21 < jeev> as in everything is rebooted? 17:22 < jeev> everyone's VPS on the server? 17:22 < Dougy> yes 17:22 < jeev> wow 17:22 < jeev> weak 17:22 < Dougy> the actual host server must be rebooted 17:22 < Dougy> thats the weakness of Paravirtualization 17:22 < Dougy> [root@mon01 ~]# ls /dev/net 17:22 < Dougy> tun 17:22 < Dougy> @ jeev 17:22 < jeev> ahh 17:22 < jeev> i have that too 17:22 < Dougy> then you have tun 17:22 < jeev> ifconfig fails 17:22 < jeev> on tun 17:22 < jeev> error fetching interface 17:23 < Dougy> ive never heard someone ifconfig tun 17:23 < Dougy> ll 17:23 < Dougy> lol* 17:23 < Dougy> without something running using it 17:23 < jeev> oh 17:23 < jeev> ok dood calm down 17:23 < jeev> linux is wack 17:23 < Dougy> god, i hate virtuozzo :( 17:23 < Dougy> venet0 as the network interface, what crap 17:32 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 17:32 -!- sigmonsays_ [n=sig@adsl-99-182-233-78.dsl.pltn13.sbcglobal.net] has left ##openvpn ["Leaving"] 17:41 < krzie> jeev, you saw the vps info i pasted to the chan last night? 17:45 < jeev> nope 17:45 < jeev> what 17:52 < Dougy> freebsd vps's 17:52 < Dougy> @ jeev 17:52 < Dougy> krzie: ! 
17:57 < krzie> i can only paste the info from home 17:58 < krzie> unless you have enough scrollback or someone here is logging 17:58 < krzie> (i know ecrist is) 18:00 < Dougy> i have logging 18:00 < Dougy> not digging it up for jeev though 18:01 < ecrist> !irclogs 18:01 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz 18:02 < Dougy> nice 18:02 < Dougy> ecrist: how goes it? 18:02 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the hour, when ecrist is online.) 18:02 < vpnHelper> ecrist: The operation succeeded. 18:02 < ecrist> !irclogs 18:02 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz, or (#2) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the hour, when ecrist is online.) 18:02 < ecrist> !forget irclogs #1 18:02 < vpnHelper> ecrist: Error: There is no such factoid. 18:02 < ecrist> !forget irclogs 1 18:02 < vpnHelper> ecrist: The operation succeeded. 18:03 < ecrist> !irclogs 18:03 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the hour, when ecrist is online.) 18:03 < ecrist> Dougy: it goes. 18:03 < Dougy> i see 18:03 < Dougy> how's your wife 18:03 < ecrist> good, pregnant. 18:04 < ecrist> got her while she couldn't run away. 18:04 < ecrist> wrath of the lich king! 18:04 < Dougy> lmfao 18:04 < Dougy> nice 18:04 < Dougy> another little crist on the way 18:04 < ecrist> actually, the rumor is it might be twins. 18:04 < Dougy> ooh 18:04 < Dougy> two little crist's 18:05 * Dougy is not babysitting 18:05 < ecrist> scary, eh? 18:05 < Dougy> nah 18:05 * Dougy loves babies/little kids 18:05 < ecrist> wrath of the lich king tomorrow! 
18:05 * ecrist is excited 18:06 < Dougy> i see that 18:06 < Dougy> by the way, i got another server at work 18:06 < Dougy> im sure you saw 18:06 < Dougy> lol 18:06 < ecrist> the wife and I each have a copy on reserve 18:06 < ecrist> picking it up at midnight tomorrow. 18:06 < Dougy> nice 18:06 < Dougy> i broke sshd on it though so i can't really do anything 18:06 < ecrist> no, wasn't paying attention. 18:07 < Dougy> oh 18:07 < ecrist> VPSes FTL 18:07 < Dougy> not a VPS 18:07 < Dougy> i boughts me a poweredge 18:07 < Dougy> but i do have a VPS in NYC 18:09 < Dougy> i wish my server was a VPS cuz i would have a console 18:09 < Dougy> instead i have a perfectly working server minus ssh 18:17 < ecrist> where is your poweredge? 18:17 < ecrist> tell you what, send it to me, I'll put it in my rack, you pay me money for bw 18:17 < ecrist> :) 18:17 * ecrist has a dedicated server room in his house 18:17 * ecrist goes to play WoW 18:18 < krzie> ecrist, how much BW do you have? 18:21 < ecrist> on saturday I'll have 2Mb up 18:21 < ecrist> I'm considering a 50Mb/10Mb plan, if I have a few people hosting here, though. 18:22 < krzie> oh fios? 18:23 < ecrist> no. :) I live in Minneapolis, Comcast's first locale with their 50Mb/10Mb service 18:23 < ecrist> I'm starting with 16Mb/2Mb 18:23 < krzie> ahhh right 18:23 < krzie> they using that docsis3 right? 18:24 < ecrist> I know about 30 folks who've switched from T1s, DSL, etc, and have been *happy* with the results. 18:24 < ecrist> yep 18:24 < ecrist> only really beef I've got is they won't give me the read SNMP community to my bridge. 18:25 < ecrist> but I'm not special, that's a well-documented 'feature' of their business-class service. 18:25 < ecrist> which is fine, I suppose, I'll throw a P4 with bridging in the middle of the bridge and my network. 18:25 < ecrist> will allow me to do monitoring and traffic shaping, should the need arise. 
18:26 < ecrist> right now, i've just got DSL 18:26 < ecrist> but, it's been more than sufficient. 18:26 < Dougy> nice 18:26 < Dougy> i have 30/2 here 18:26 < ecrist> 50/10 FTW 18:27 < ecrist> $189/mo though, plus 20/mo for the statics 18:27 < ecrist> my 16/2 is going to be $52 + $10 for the /29 18:28 < krzie> and openvpn 18:28 < krzie> oops 18:48 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 18:49 < onats> anyone up? 18:49 < krzie> wassup 18:49 < onats> hey krzie 18:49 < krzie> hey 18:49 < onats> maybe you can help me out 18:49 < krzie> it is possible 18:50 < krzie> stranger things have happened ;] 18:50 < onats> i have a router setup with openvpn, then i setup the LAN behind it to have 2 VLAN's. I want to have my clients that connect to it to get IP addresses from the 2nd vlan (has its own dhcp). do i just put in the server config "server 10.0.20.0 255.255.255.0"? 18:51 < krzie> you want it to be allowed to route to machines in 2nd vlan? 18:51 < krzie> or to GET an ip from the second vlan 18:51 < krzie> first is easier and makes more sense 18:51 < onats> get an ip from the 2nd vlan, and will belong to the 2nd vlan 18:51 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit [Read error: 113 (No route to host)] 18:51 < onats> coz it gets an ip from 10.0.10.0, which is the first vlan.. 18:52 < krzie> and the machine running openvpn is on both vlans (it is the router controlling the vlans?) 18:52 < onats> yes it is the router.. 18:53 < krzie> if you want it IN the vlan you want a bridged setup 18:53 < krzie> although im missing the real purpose 18:53 < krzie> could this be a wifi setup by chance? 18:53 < onats> well the real purpose is that two companies are sharing one internet connection. i split them up into two VLAN's. 
18:53 < onats> nope 18:53 < krzie> ahh i see 18:54 < ecrist> I'd setup routed and simply allow routing to VLAN2 18:54 < krzie> you dont need to give the vpn users an ip from vlan2, you can just allow routing to vlan2 18:54 < krzie> ya exactly what ecrist said 18:55 < krzie> give the vpn users their own network, and allow routing to vlan2 18:55 < krzie> then just dont give a route to vlan1 and they stay separated 18:55 < onats> i see.... 18:55 < krzie> all you will need to bust that is in !route 18:55 < onats> that's possible.. will have to experiment on it.. 18:55 < krzie> which iirc you have already read 18:55 < onats> yes i've read it 18:56 < krzie> not only is it possible, it is the easiest setup too 18:56 < onats> i'll have to put it in the ccd directory 18:56 < krzie> umm no 18:56 < krzie> you arent linking a LAN behind a client, are you? 18:56 < krzie> are you giving any clients directives that are specific to only that client? 18:57 < krzie> if both companies are getting a vpn, i would give them separate instances of openvpn server, and entirely separate cert setups 18:58 < onats> krzie, no LAN behind a client, not this one.. 18:58 < krzie> !ccd 18:58 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client 18:58 < onats> only one company has access to a VLAN 18:58 < krzie> if i understand you right you dont need ccd entries 18:59 < krzie> read !route again 18:59 < krzie> you only have a lan behind the server, so ignore the parts about a lan behind the client 18:59 < krzie> it should just be a single pushed route 19:00 < krzie> and since your server is on the LAN router, thats all you worry about 19:00 < krzie> very easy setup 19:03 < onats> you're right! 19:03 < krzie> yup! 19:03 < krzie> ;] 19:03 < onats> so essentially, i just need to put in the server config 19:03 < onats> route 10.0.20.0 255.255.255.0 19:03 < onats> right? 19:03 < onats> right! 
19:03 < krzie> push the route
19:04 < onats> sorry, push
19:04 < krzie> the server knows about its route to 20.x already
19:04 < krzie> the clients need it
19:04 < onats> push "route 10.0.20.0 255.255.255.0"
19:04 < onats> and it only applies to VPN clients..
19:04 < krzie> sounds right to me, 20.x is the vlan right?
19:04 < onats> i'll give it a shot when no one's there
19:04 < krzie> right
19:04 < onats> yes.
19:04 < krzie> and
19:04 < krzie> for server statement
19:04 < krzie> give it its own network
19:04 < krzie> like 10.8.0.x or whatever
19:05 < krzie> something that no client would have for its lan
19:07 < onats> so "server 10.0.8.0 255.255.255.0" and " push \"route 10.0.20.0 255.255.255.0"?
19:07 < krzie> yup, i think there was slight typos but you knew what to put
19:08 < onats> just the quotes
19:08 < krzie> server 10.0.8.0 255.255.255.0
19:08 < krzie> push "route 10.0.20.0 255.255.255.0"
19:08 < onats> right..
19:08 < krzie> ya exactly
19:08 < krzie> i knew you knew it
19:08 < onats> thanks. that was fast:D
19:08 < krzie> ;]
19:08 < onats> thanks a lot for the help!
19:08 < krzie> yup, it gets faster and faster as you've read more docs
19:09 < krzie> n man
19:09 < krzie> np man
19:09 < onats> btw, just some feedback
19:09 < krzie> you did the reading, just needed a lil nudge, always the easiest to help people after they've read it all
19:09 < onats> i did a 3 location site-to-site using dd-wrt/openvpn
19:09 < krzie> right on, sounds like exactly my !route setup
19:09 < onats> and the users seemed to notice that the performance improved, over linksys befvp41s on 3 sites
19:10 < onats> i used a buffalo whr-g125 router (worth $40 bucks wherever you guys are probably)
19:10 < onats> router/ap
19:10 < onats> they say its much faster and stabler, plus, i can remote to it!:D
19:10 < krzie> ahah werd
19:11 < krzie> ild recommend firewalling the remote port
19:11 < krzie> cause ive seen a few of those setups owned
19:11 < krzie> and its hard for the admins to ever have a clue
19:11 < krzie> especially with the reduced logging
19:11 < onats> what remote port?
19:11 < onats> the vpn port?
19:11 < krzie> you can remote to it
19:11 < onats> i just remote to it via SSH
19:11 < krzie> exactly
19:12 < onats> firewall it even?
19:12 < krzie> and when your ssh gets owned, you will have no clue due to reduced logging
19:12 < onats> but wouldn't that mean i get blocked too?
19:12 < krzie> personally, i would only allow ssh to people already in the vpn
19:12 < onats> hmmm, but that's difficult...
19:12 < onats> in case there are problems with the vpn, i might have a hard time connecting to it
19:13 < onats> plus, going on site is somewhat a hassle/costly
19:13 < onats> plane costs and all
19:13 < krzie> you could allow ssh from trusted ips only
19:14 < ecrist> fucking wow, still offline
19:14 < ecrist> grr
19:14 < krzie> im just suggesting, you can do anything you like of course
19:14 < krzie> WOW is offline?
19:14 < krzie> crazy
19:14 < onats> yup, i appreciate the suggestions
19:14 < onats> i'm also on dynamic IP's
19:14 < onats> hehehe
19:14 < krzie> onats your ISP only has so many ips to choose from giving you
19:14 < ecrist> krzie: yes, they are having problems with server upgrades due to the expansion coming out Thursday
19:14 < krzie> allowing their whole netblock is a ton less than 0.0.0.0/0
19:15 < krzie> oh i see
19:15 < onats> brb
19:15 * onats will eat noodles
19:20 * ecrist needs some ass
19:22 -!- TheoMurpse [n=kyle_goe@cpe-72-179-61-169.austin.res.rr.com] has joined ##openvpn
19:22 < ecrist> sup Theo?
19:23 < krzie> you have a pregnant wifey, i know you been getting at least SOME
19:23 < krzie> hahah
19:23 < TheoMurpse> ecrist: Hi.
19:23 < ecrist> krzie: yeah, some.
19:23 < ecrist> was getting more leading up to it, though
19:23 < krzie> haha makes sense
19:28 < TheoMurpse> First off, I'm running superlame XP as my OS, so I can't do this with awesome Linux iptables. Suppose I pay for a VPN service and I set it up as an interface that all my network traffic goes through. Is it possible to make some traffic go through the VPN (traffic for which I want anonymity but not speed) and some to just not go through the VPN interface (say, streaming video traffic)? I'd like the sorting into VPN and non-VPN tr
19:28 < TheoMurpse> based on port number (say, 80 doesn't go through the VPN because I want to directly connect to Youtube and the like). Someone told me OpenVPN might make this possible. I read the site's documentation and FAQ, but I can't figure out if this is possible. This seems like it should be simple, but I can't find anyone who can tell me how to do this (short of using Linux/BSD (?) iptables).
19:29 < krzie> based on port number, not really
19:30 < krzie> i know I can do it by running a socks server on the vpn ip
19:30 < krzie> and then socksifying based on port
19:30 < krzie> or based on ip range
19:30 < krzie> or based on application
19:30 < krzie> but using openvpn by itself, no
19:31 < TheoMurpse> krzie: can you explain this? If I turn on the VPN interface on my computer, everything automatically goes through the VPN interface. So if I install a SOCKS server on my desktop computer and set my browser and all other internet-using programs to go through the SOCKS proxy, what do I do with the SOCKS proxy to prevent all of its traffic from going straight to the VPN server?
19:32 < onats> hehehe
19:32 < krzie> you just remove the --redirect-gateway
19:32 < krzie> then you locally socksify what you want to go over the vpn interface
19:32 < krzie> or opposite
19:32 < krzie> an app named proxifier can handle that
19:33 < TheoMurpse> krzie: So there is an openVPN setting called --redirect-gateway? And if I remove that from the command line or whatever, OpenVPN will not send data to the VPN server automatically?
19:33 < krzie> with proxifier you can choose which app/port/ip range is allowed to go through/or bypass the socks server
19:34 < krzie> crrect
19:34 < krzie> correct
19:34 < krzie> by default it doesnt change the default route
19:34 < krzie> it only changes default route when you use --default-gateway
19:36 < ecrist> krzie: did you see the link to my irc log file?
19:37 < jeev> douglas
19:37 < jeev> ............................................................................../build-dh: line 11: 32300 Killed $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
19:37 < jeev> [root@server 2.0]#
19:37 < jeev> is that the vps
19:37 < jeev> automatically killing it ?
19:37 < krzie> ecrist, ya thats cool
19:37 < TheoMurpse> krzie: So this is going to expose my lack of knowledge, but I'd like some clarification. So typically, I install OpenVPN and go to Network Connections where the interfaces are listed (LAN, Hamachi, OpenVPN's "Lan TAP-Win32 Adapter", Firewire connection, etc.). Now I would install a SOCKS server. I somehow have the SOCKS server send some data over the VPN but other data over not-the-VPN. But if this is possible with SOCKS install
19:37 < TheoMurpse> isn't it possible without SOCKSifying the data?
19:37 < krzie> !factoids search irc
19:37 < vpnHelper> krzie: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the hour, when ecrist is online.)
19:38 < krzie> TheoMurpse, im sure theres a few ways to do it, but none are openvpn related
19:38 < krzie> you're looking for port based routing
19:38 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
19:38 < vpnHelper> ecrist: The operation succeeded.
19:38 < krzie> as you mentioned, iptables could prolly do it
19:38 < ecrist> !forget irclogs 1
19:38 < vpnHelper> ecrist: The operation succeeded.
19:41 < TheoMurpse> krzie: Thank you. I've gone to #windows to see if anyone has an idea as to how to accomplish iptables-like behavior with Windows. But if they cannot help, I'll be attempting the OpenVPN-SOCKS proxy way. The program I want going through the SOCKS proxy supports SOCKS, so I don't need that Proxifier program you mentioned I think. Thanks thus far.
19:42 < krzie> cool
19:42 < krzie> but i thought you said you wanted to only NOT route a single app
19:43 < krzie> (or port)
19:43 < krzie> and if thats the case, you'd need something like proxifier
19:43 < krzie> if you only want to route a single app through the vpn, then what you said is true
19:44 < krzie> note, i cant help you find a sockd for windows
19:44 < krzie> <== not a windows guy
19:44 < krzie> what you're really looking for is port-based routing
19:45 < TheoMurpse> krzie: That's fine. I found a sockd (assuming "sockd" = "socks server"). There's a freeware one called Socks Puppet.
19:45 < krzie> (might help to know while you're out asking windows guys if they have ideas)
19:45 < krzie> cool, thats exactly what i meant by sockd
19:46 < krzie> jeev, no way for us to know what or who is killing it
19:46 < TheoMurpse> OK. But it's different from port-based routing because port-based routing is just like port-forwarding and such, right? I want port-based routing over different network interfaces that are on the same computer. One interface is LAN and the other is the VPN-over-the-LAN. That's what's making this so difficult.
19:49 < krzie> port forwarding is something different
19:49 < krzie> you want to change the route based on what port it is going to
19:49 < krzie> outbound
19:50 < krzie> same as if you had 2 uplinks and wanted to route based on port you are connecting to
19:57 < TheoMurpse> krzie but because I want to route to different /interfaces/ based on port, is it different than just regular "port routing."
19:57 < TheoMurpse> ?
19:58 < krzie> how would you change the route based on port over the same interface??
20:14 < jeev> krzie
20:14 < jeev> i can take a dh file generated on another server
20:14 < jeev> and use it on another one
20:14 < jeev> is there a security issue with that ?
20:14 < krzie> no
20:14 < jeev> ok
20:15 < krzie> as long as it hasnt been compromised
20:15 < jeev> ok
20:15 < jeev> you can't even link the two boxes anyway
20:24 < ecrist> RAWR
20:24 * jeev runs off
20:25 < jeev> arf arf
21:16 -!- TheoMurpse [n=kyle_goe@cpe-72-179-61-169.austin.res.rr.com] has left ##openvpn []
22:55 -!- renic [n=thatguyr@adsl-69-225-39-215.dsl.skt2ca.pacbell.net] has joined ##openvpn
22:56 < renic> hello, examining openvpn and thought I'd drop by to say hi. Freebsd user, planning to use openvpn.
23:26 < ropetin> Excellent, hope it works out well for you renic, it's a great product
--- Day changed Wed Nov 12 2008
00:50 < jeev> HAHAHAHAHAHAH
00:50 < jeev> my mom caught my dad watching chix on tv
00:51 < jeev> hahahahahahahahahahahahah
01:04 < ropetin> :D
01:05 < jeev> lol
01:05 < jeev> so funny
01:06 < ropetin> You should ask him to Tivo it for you... :D
01:06 < jeev> i have over 400 gigs of pr0nage
01:07 < jeev> on my hd's
01:09 < ropetin> So offer to lend him that :D
01:10 < jeev> no way
01:10 < ropetin> :P
01:46 -!- razor2000 [n=razor@70.91.69.194] has quit [Remote closed the connection]
02:07 -!- eartham [n=dak@190.24.218.190] has quit [Read error: 131 (Connection reset by peer)]
02:14 < djc> reiffert: no, haven't reverted to rc9 yet
02:25 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
02:26 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
02:40 -!- ikevin_ [n=kevin@ANancy-256-1-14-248.w90-13.abo.wanadoo.fr] has joined ##openvpn
02:53 < djc> in limited testing, having rc9 on the server seems to be much better than rc13
02:53 < djc> (still rc13 on both clients)
02:53 -!- renic [n=thatguyr@adsl-69-225-39-215.dsl.skt2ca.pacbell.net] has quit ["fell asleep... will be back"]
02:56 -!- ikevin [n=kevin@ANancy-256-1-23-208.w90-13.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
05:16 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
05:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:17 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
06:37 -!- nooga [n=nooga@89.174.55.154] has joined ##openvpn
06:37 < nooga> hi
06:38 < nooga> i've got machines that were connecting to vpn enabled router (a router with vpn server built in) using pptp... can I put a machine with openvpn server instead of the router and allow those machines to connect?
07:02 < ecrist> sure
07:26 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
07:31 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
07:42 -!- Keizer [n=keizer@208.50.100.60] has joined ##openvpn
07:54 -!- astor-brazil [n=rsilveir@realad.com.br] has joined ##openvpn
07:56 < astor-brazil> hello, I have a openvpn configured into 2 servers, but after one day of use, the servers lost the routes. Anyone knows why they lost the routes ?
07:56 < ecrist> no idea astor-brazil
07:58 < astor-brazil> very strange, I put the routes yesterday and today they disappeared
07:58 < ecrist> astor-brazil: you put the routes in manually?
07:58 < ecrist> and they pointed to the VPN?
07:59 < ecrist> if that's the case, your VPN must have gone down briefly at some point.
07:59 < ecrist> A host will drop routes it doesn't have a next-hop for.
07:59 < astor-brazil> ecrist, yes, I put manually, just the internet route is automatic because of my dynamic ip
07:59 < ecrist> I would suggest adding the routes to the openvpn config, or through an up or down script
08:00 < astor-brazil> ecrist, can I put shell commands inside the openvpn.cfg ?
08:00 < ecrist> no
08:01 < ecrist> first, you *should* put the routing that's global across the VPN into the VPN server config file
08:01 < ecrist> second, you can add those routes using client-configs on the server
08:01 < ecrist> third, read the OpenVPN documentation and look for --up and --down as options to the client
08:02 < astor-brazil> ecrist, I'll try this, tks a lot
08:17 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
08:31 * ecrist cheers
08:32 < ecrist> one more client switched from frame to ipsec vpn
08:33 < djc> aren't you supposed to switch them to openvpn?
08:33 < djc> ;)
08:33 < ecrist> djc, no
08:34 < ecrist> for *real* commercial uses, I still prefer Cisco hardware.
08:36 < ecrist> we use OpenVPN for our staff, but not connections to our clients.
08:39 < ecrist> the important part is, I'm only 3 clients away from being able to drop a $600/mo T1 and a slew of PVCs
08:48 < reiffert> You need to get 3 new clients or to lose 3 current ones to drop the $600/mo line?
08:49 < ecrist> I have 3 clients still using the frame and PVCs, so I need to move them to our Cisco VPN, or change their file transfer method, to drop the T
08:49 < ecrist> 1
08:51 < ecrist> I'm OK with either switching them to sftp or VPN, right now they use FTP over a PVC
09:11 < djc> reiffert: if I can help debugging the problems in rc13, let me know
09:11 < djc> but for now, rc9 on the server seems much better
09:25 -!- astor-brazil [n=rsilveir@realad.com.br] has quit ["Ex-Chat"]
09:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
09:48 < ecrist> morning krzee
09:52 < reiffert> djc: start by installing rc9.
09:53 < ecrist> which part of aus should I move to?
09:53 < reiffert> djc: "much better" is not an acceptable term in debugging. Yes or no sound acceptable.
09:56 -!- nooga [n=nooga@89.174.55.154] has quit ["Lost terminal"]
09:57 < djc> reiffert: I have installed rc9, on the server
09:57 < djc> and this fixes all the problems I had after installing rc13
09:57 < djc> as far as I can see from a few hours of usage
09:57 < reiffert> djc: ok, try rc10, rc11 and rc12 then.
10:04 < jeev> damn
10:04 < jeev> i had a horrible dream
10:17 < djc> reiffert: will do
10:35 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
10:52 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn
10:52 < plaerzen> long time no see, ovpn, what's up?
10:59 -!- Keizer [n=keizer@208.50.100.60] has quit [Read error: 110 (Connection timed out)]
11:13 < ecrist> how goes plaerzen?
11:13 < ecrist> where've you been?
11:16 < plaerzen> in #lopsa - but I don't really talk in there. Been busy past few days and whatnot.
11:16 < plaerzen> just had xchat open in background at work... you know how it goes
11:16 < ecrist> yep
11:16 < ecrist> well, if you feel like you missed something
11:16 < ecrist> !irclogs
11:17 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
11:17 < plaerzen> ah, cool.
11:18 < plaerzen> This new job I have is crazy. I love it. We manage everything. network, servers, phones, voip phones, wireless phones.
11:19 < plaerzen> Get to do some interesting stuff. Working now on joining our linux servers to our Active directory realm using kerberos/ldap
11:21 < plaerzen> plus the pay is incredible.
11:21 < ecrist> it's sorta nice doing everything, isn't it?
11:21 * ecrist wishes he had incredible pay.
11:21 < ecrist> actually, it's not bad, for me.
11:22 < plaerzen> it has its benefits and its drawbacks. sometimes it's nice to only do one thing. But - like most sysadmins- I'm a control freak. So having control of everything is nice.
11:25 < plaerzen> Everyone in my city who works in the oil and gas industry gets amazing pay.
11:25 < plaerzen> it's also an expensive city to live in - I pay 1050 rent per month, looking at 1300/month starting next month.
11:29 < jeev> ecrist
11:30 < ecrist> plaerzen: that sounds similar to Minneapolis
11:30 < ecrist> jeev
11:33 * ecrist hates it when someone says his name and then goes away.
11:35 < jeev> lol
11:49 < plaerzen> *sigh* this is the first job where I've had to deal with shit like "why does she get a 22" monitor and I don't?" type stuff though. I hate those political aspects.
11:54 < jeev> hmm
12:08 -!- Keizer [n=keizer@208.50.100.60] has joined ##openvpn
12:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
13:10 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 54 (Connection reset by peer)]
13:33 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
13:35 -!- Pagautas is now known as VoIP
13:35 -!- VoIP [n=bigman@ns.voip.ktu.lt] has quit [Client Quit]
13:36 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
13:36 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Client Quit]
14:11 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
14:12 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has joined ##openvpn
14:23 < ecrist> quiet in here today
14:25 -!- ashashash [n=ash@p579853D2.dip.t-dialin.net] has joined ##openvpn
14:25 < ashashash> hi
14:26 < ecrist> hi
14:26 -!- stephenh [i=stephen@69.30.200.88] has joined ##openvpn
14:29 < stephenh> hi, how can i enable my clients to reach networks not connected to my openvpn server? when i do ping -I tun1 x.x.x.x, it works for any IP on either range of my 3 NICs, but not for an IP that is on the other side of my diginet
14:30 < stephenh> the route is being pushed to client, but i think i should be able to reach the host/network by doing ping -I tun1 from the openvpn server before looking at the client
14:30 < stephenh> ping is still unsuccessful when firewall rules are flushed.
14:30 < ashashash> i've got a small problem, i moved a configuration that used to work to a new opensuse version, the vpn does still work, but exposing the clients network to the server does not work anymore. the routes are set. firewall on/off doesnt change anything. when I ping, i can see the packet going to the ptp destination via tcpdump, but it never leaves the outgoing interface. looks like openvpn is eating it?
14:31 < stephenh> ah, when i say not connected to my openvpn server, i mean not physically connected. i can ping and traceroute successfully to network i'm trying to reach if i use either of the NICs as the source address for ping.
14:32 < ashashash> stephenh: you mean like routing traffic thru the openvpn then masquerading it?
14:33 < stephenh> yes, i think so
14:33 < stephenh> i have client ---->openvpnserver-eth1--->router--->mpls cloud @ isp---> router--->host
14:33 < ashashash> you push the routes with openvpn and configure your firewall to do nat
14:33 < stephenh> ok, i'll check that out now.
14:34 < ashashash> like: push "route 1.2.3.4 255.255.255.255"
14:34 < stephenh> yes i'm doing that,
14:34 < ashashash> that will tell the client to send all traffic going to 1.2.3.4 thru the vpn
14:34 < stephenh> routes are being pushed successfully
14:34 < ecrist> stephenh: you need NnAT
14:34 < ecrist> NAT&
14:34 < ashashash> now you need to configure your firewall
14:34 < ecrist> grr
14:34 < ecrist> NAT*
14:34 < stephenh> but i cannot even ping -I tun1 on vpn server
14:34 < stephenh> ecrist: ok
14:35 < ecrist> ashashash: you're missing a route somewhere.
14:36 < jeev> ecrist
14:36 * jeev found a huge bug with ms live
14:36 < jeev> domains
14:37 < ashashash> i can ping the network behind the vpn server fine (client->server->net), i can ping the ptp (10.9.0.6) on the other side (on server side: 10.9.0.1/ptp 10.9.0.2)(on remote 10.9.0.6/ptp 10.9.0.5)
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:39 < ashashash> my routes -> http://pastebin.ca/1254616
14:39 < ashashash> the 10.100.0.6 is the net/host behind the client
14:40 < ashashash> pinging 10.100.0.6 shows this in tcpdump -> 21:39:27.889160 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 10.9.0.1 > 10.100.0.6: ICMP echo request, id 34832, seq 7, length 64
14:40 < ashashash> thats tcpdump on tun1
14:40 < ashashash> but it does not show any traffic activity on eth0 (the default route)
14:41 < ashashash> the tunnel itself is running as well
14:42 < ashashash> so the kernel knows it needs to send it thru openvpn, but after going into tun1 its gone
14:47 -!- xattack [i=xattack@132.248.108.239] has quit []
15:06 < ecrist> ashashash: you're missing routes on the other end.
15:08 < ashashash> i can ping the source address from the other side
15:08 < ashashash> i did not change anything on the other end either
15:09 < ashashash> it doesnt get to the other side, never leaves eth0 on the server
15:22 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Read error: 104 (Connection reset by peer)]
15:27 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: pa, Rienzilla, noriX, ThoMe, thefish, kreg, zamba, ashashash, AukeF, plaerzen
15:45 -!- ashashash [n=ash@p579853D2.dip.t-dialin.net] has joined ##openvpn
15:45 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
15:45 -!- AukeF [n=auke@x154.flex.surfnet.nl] has joined ##openvpn
15:45 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn
15:45 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
15:45 -!- noriX [i=noriX@csbnc0002.229.162.clanserver4u.de] has joined ##openvpn
15:46 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn
15:46 -!- ThoMe [i=tm@81.92.168.148] has joined ##openvpn
15:46 -!- thefish [n=thefish@unaffiliated/thefish] has joined ##openvpn
15:46 -!- zamba [i=marius@sveigde.hih.no] has joined ##openvpn
15:47 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
15:53 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
15:55 -!- Topgun100 [n=topgun@78-86-133-25.zone2.bethere.co.uk] has joined ##openvpn
15:55 < Topgun100> help please
15:56 < Topgun100> i have 5 users connected to my bridged vpn with no issue. one is having problems connecting to remote desktop but file shares and ping is fine
15:56 < Topgun100> sounds like some kind of mtu problem? set mssfix 1400 on server config
15:57 < Topgun100> the windows client is on Cable and ping -l 1472 gives no fragmentation.
16:03 < ashashash> dont you have to set the no-fragment bit to test that?
16:08 -!- Keizer [n=keizer@208.50.100.60] has quit [Read error: 110 (Connection timed out)]
16:10 < ashashash> ecrist: what routes should i check?
16:12 < ecrist> ashashash: don't know right now - busy doing other things, sorry
16:12 < krzie> ok i just got in
16:12 < krzie> Topgun100 try --mtutest
16:12 < krzie> (if you use 2.1)
16:13 < krzie> ashashash whats your problem?
16:13 < Topgun100> what am i trying to determine with mtutest?
16:13 < krzie> what mtu to be using
16:13 < krzie> as youd see by looking at mtutest in the manual
16:14 < krzie> !betaman
16:14 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html
16:14 < Topgun100> does the mtu need to be set in the server/client config, windows, router or all of the above?
16:14 < krzie> just server/client
16:16 < Topgun100> ok thanks
16:26 < ashashash> hi krzie, i'm trying to expose an ip behind the client to the server - the setup used to work, i moved the server to a new opensuse release - now the tunnel is fine, I can ping the ptp endpoint on the other side - but when i ping the exposed ip the packet goes into tun1 (tcpdump) but doesnt cause any traffic on the eth0 (default route) or can be seen on the client sides tun1
16:29 < krzie> you gave it an iroute?
16:29 < krzie> you said ptp?
16:30 < ashashash> yes iroute is there
16:31 < ashashash> err, not the ptp ip, but the clients vpn ip
16:32 < ashashash> the client can also ping the server (the origin of the ping request going out to the exposed ip)
16:33 < krzie> ahh
16:33 < krzie> is the client the router for its LAN?
16:33 < krzie> (im guessing no)
16:36 < ashashash> yes
16:36 < krzie> the client is the default gateway for all clients on its LAN?
16:36 < ashashash> yes
16:36 < ashashash> but the packet never goes there
16:36 < krzie> they all route their normal internet connection through the client?
16:36 < ashashash> it gets lost on the server somewhere in tun1
16:36 < ashashash> yes
16:36 < ashashash> its a xen setup with routing#
16:37 < krzie> so you're using one of those linksys routers?
16:37 < krzie> with a wannabe linux installed on it?
16:37 < ashashash> no, its a production server getting hooked up with the office
16:37 < krzie> ohhh you're trying to route between virtual machines?
16:38 < ashashash> i want to expose the domUs to the office via openvpn
16:38 < krzie> domUs=?
16:38 < ashashash> the whole setup worked until i replaced the firewall with a newer suse install
16:38 < ashashash> domU = vm child of xen
16:38 < krzie> oh so you know it is a firewall issue then
16:38 < krzie> make sure it is passing lan ips from both lans to both lans
16:38 < ashashash> even when I disable all iptables rules it doesnt work
16:39 < krzie> cause src ip wont be vpn when it comes from other lan
16:39 < ashashash> I put extra forward rules in place as well, no change
16:39 < krzie> and same with response
16:39 < krzie> !iptables
16:39 < vpnHelper> krzie: Error: "iptables" is not a valid command.
16:39 < ashashash> one sec let me try something
16:39 < krzie> !policy
16:39 < vpnHelper> krzie: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
16:40 < ashashash> iptables -I FORWARD -i tun1 -j ACCEPT
16:40 < ashashash> still, tcpdump shows on tun1
16:40 < krzie> im not the right guy to help you with your firewall
16:40 < krzie> if it was an openvpn problem ild be of more use to you
16:41 < ashashash> 10.9.0.1 > 10.100.0.6: ICMP echo request
16:41 < ashashash> the firewall is the same configuration as on the old box
16:41 < krzie> you changed 1 thing, the firewall
16:41 < krzie> and it stopped working
16:41 < krzie> so i believe it is NOT the exact same config
16:41 < ashashash> and upgraded the openvpn version
16:41 < ashashash> the whole os was updated but i moved over the configurations by hand
16:42 < ashashash> on tun1 i can see: 10.9.0.1 > 10.100.0.6: ICMP echo request
16:42 < krzie> ok well i can at least tell you if it is not openvpn
16:42 < ashashash> but when i do a tcpdump on eth0 (the route taken by encrypted traffic) i see nothing going there
16:42 < krzie> !configs
16:42 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
16:43 < krzie> but im already 90% sure its firewall
16:43 < krzie> i can give that extra 10% after seeing configs
16:43 < ashashash> sec
16:47 < ashashash> ccd/client contain iroute 10.100.0.0 255.255.0.0
16:47 < ashashash> heres the openvpn.conf on the server http://pastebin.ca/1254728
16:50 < ashashash> heres the client conf http://pastebin.ca/1254735
16:50 < krzie> "(with comments removed)"
16:53 < ashashash> client: http://pastebin.ca/1254738
16:55 < ashashash> server: http://pastebin.ca/1254741
16:56 < ecrist> pfffft
16:56 * ecrist goes away
16:56 < ashashash> i just tried opening up the firewall as much as possible, still no change
16:57 < ashashash> fyi, i changed the remote ip, so dont wonder if its 127/8
17:02 < krzie> hey wassup ecrist
17:03 < krzie> #
17:03 < krzie> push "route 192.168.11.0 255.255.255.0"
17:03 < krzie> #
17:03 < krzie> push "route 192.168.12.0 255.255.255.0"
17:03 < krzie> those are both networks behind the server?
17:03 < ashashash> yes
17:03 < krzie> route 10.100.0.0 255.255.0.0
17:04 < krzie> that is a network behind a client
17:04 < ashashash> thats behind the client
17:04 < krzie> ?
17:04 < ashashash> yes
17:04 < krzie> k
17:04 < krzie> with a matching iroute in the clients ccd file?
17:04 < krzie> oh right you said that
17:04 < ashashash> iroute 10.100.0.0 255.255.0.0
17:04 < krzie> welp
17:05 < krzie> i got good news and bad news
17:05 < krzie> any guesses?
17:05 < ashashash> the conf looks good?
17:06 < krzie> that would be the good news
17:06 < krzie> bad news is your problem is not openvpn related
17:06 < krzie> and even though i know you dont think so, the problem is most likely your firewall
17:06 < krzie> you can double check you enabled ip forwarding as well tho
17:07 < ashashash> its enabled
17:08 < ashashash> i cant do more than enabling everything that goes in and out of tun1 and everything that comes from and goes to that ip addresses
17:08 < ashashash> which is what i did :/
17:09 < ashashash> thanks tho :)
17:09 < ashashash> will see what else i can try with the firewall
17:17 < ashashash> on server the tun1 iface is (10.9.0.1 -> 10.9.0.2) on the client its (10.9.0.6 -> 10.9.0.5) .. whats the correct route on the server? "route add -host 10.100.0.0/16 dev tun1 gw 10.9.0.2) ?
17:17 -!- Topgun100 [n=topgun@78-86-133-25.zone2.bethere.co.uk] has quit []
17:20 < krzie> umm
17:20 < krzie> you're doing too much man
17:20 < krzie> read up on the route command, you should NEVER need to specific that
17:20 < krzie> specify
17:24 < ashashash> i used to route different stuff thru the vpn tunnel, and when i initially setup the domU routing i did so by manually adding route commands
17:24 < ashashash> but none of that stuff seems to work now
17:25 < ashashash> firewall doesnt log any dropped packets there either
17:25 < ashashash> as if openvpn threw away anything not going to the remote vpn ip
17:32 < krzie> turn verb up to 6
17:32 < krzie> the only way it will throw packets away it will complain
17:32 < krzie> with a MULTI error
17:32 < krzie> but the fix would be an iroute, which you already have
17:33 < krzie> so unless packets are coming with a diff source address than something inside the network you iroute'd, its not dropping
17:40 < ashashash> turned it up to verb 9
17:41 < ashashash> now i get the following error message
17:41 < ashashash> http://pastebin.ca/1254773
17:41 < ashashash> i can see debug messages with the rhythm of the ping, but it always says reading from tun/tap and then error
17:41 < ashashash> more of the same -> http://pastebin.ca/1254775
17:44 < ashashash> found the faq, says iroute must be messed up
17:48 < ashashash> awww god damnit, i'm stupid
17:48 < ashashash> it was the file access rights of the openvpn dir - since i downgraded the user to nobody he couldnt read the ccd
17:48 < ashashash> thanks for the help and sorry if i wasted your time
19:41 < krzie> ahh right on
19:41 < krzie> good stuff
19:41 < krzie> glad you found it
19:41 < krzie> and no worries bout my time, i pop in and out when im free
19:41 < krzie> when im busy i leave ;]
19:41 < krzie> (as you prolly noticed from my being idle for a bit)
19:44 -!- itchi [n=David@unaffiliated/itchi] has quit [Remote closed the connection]
19:45 -!- itchi [n=David@unaffiliated/itchi] has joined ##openvpn
19:49 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
20:16 * ecrist yawns
20:18 < jeev> brush your teeth
20:18 < jeev> i rewired that office
20:18 < jeev> for the phones
20:18 < jeev> i didn't know nortel phones only used 1 pair.
21:35 < krzie> nor did i
21:35 < krzie> but i do know they do some things their own way
21:35 < krzie> which is why i dont touch them without the right manual in front of me
21:39 < jeev> heh
21:39 < jeev> really
21:40 < jeev> i just plugged the shi in
21:40 < jeev> shit
21:40 < krzie> haha werd
21:40 < jeev> :>
21:42 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has quit [Read error: 104 (Connection reset by peer)]
22:14 < troy-> i have openvpn setup to route all client traffic - i can ping all IPs bound on the server but cant access public internet addresses
22:20 < jeev> are your nat rules set up?
22:20 < troy-> when i do iptables --list i see nothing
22:21 < troy-> so i'm guessing not ;)
22:21 < jeev> :>
22:21 < troy-> jeev, do you know of a guide / tutorial?
22:21 < jeev> should be in the howto
22:21 < jeev> it's a pretty generic
22:21 < jeev> nat line
22:22 < jeev> are you running linux
22:22 < jeev> iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
22:22 < jeev> that's what my gay linux box does
22:22 < jeev> replace 192.168 with internal ips obvious
22:22 < troy-> jeev, yup
22:22 < troy-> i did that but i see nothing in iptables
22:22 < jeev> iptables -t nat -L
22:24 < troy-> Chain POSTROUTING (policy ACCEPT)
22:24 < troy-> target prot opt source destination
22:24 < troy-> thats all i see (pertaining to postrouting)
22:25 < troy-> oh never mind :)
22:25 < troy-> lemme try and enforce vpn now, sec
22:26 < troy-> jeev, you win gold star for the day
22:29 < jeev> heh
22:29 < jeev> the day?
22:29 < jeev> SHIET!
22:29 -!- mode/##openvpn [+o jeev] by ChanServ
22:29 -!- jeev changed the topic of ##openvpn to: HowTo: http://openvpn.net/howto READ IT | Your problem is probably your firewall. | If it's not your firewall, you're missing a route. | if you can reach the vpn but not outside, try your nat rules
22:29 -!- mode/##openvpn [-o jeev] by jeev
22:29 < jeev> i can't word shit
22:30 < troy-> slightly embarrassing
22:30 < jeev> :>
22:31 < troy-> jeev, all this because pandora blocks canadian IPs
22:31 < jeev> lol
22:32 < jeev> canadians are funny
22:32 < jeev> i was watching something on destroyed in seconds
22:32 < jeev> this boat hit a bridge
22:32 < jeev> they were hilariuos
22:32 < jeev> hilarious
22:32 < troy-> well the ironic part is the reverse dns for my hostname is .ca but it's still permitted
22:33 < troy-> just doing a basic geoip lookup i suppose
22:37 < jeev> yea
23:00 -!- eX|Nazha [n=nchin@82.168.111.218.cbj03-home.tm.net.my] has joined ##openvpn
23:01 < eX|Nazha> HI,
23:01 < eX|Nazha> my VPN will slow down, after an hour of connected to VPN server.
23:01 < eX|Nazha> How to fix this ?
23:01 < krzie> !tcp
23:01 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
23:01 < krzie> if using tcp as transport, the answer is üse udp
23:01 < krzie> üse udp
23:01 < krzie> bleh
23:02 < krzie> use udp
23:02 < krzie> lol
23:02 < krzie> damn international kb'sd
23:02 < eX|Nazha> how to change to udp ?
23:02 < krzie> i gotta go
23:02 < krzie> !man
23:02 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1
23:02 < krzie> bbl
23:02 < eX|Nazha> edit in Server.OVPN?
23:04 < jeev> hmm
23:04 < jeev> what are various methods of encoding something
23:05 < jeev> like, i'm thinking..
23:05 < jeev> maybe they're using a mac address
23:05 < jeev> to encode it
23:05 < jeev> but instead of 10char mac address, it's output is a 8char thing
23:06 < eX|Nazha> ?
23:06 < jeev> ?
23:06 < eX|Nazha> jeev, r u talking with me?
23:07 < jeev> no
23:07 < jeev> was just talkin to myself
23:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:36 < krzee> hey eX|Nazha
23:36 < krzee> you get any progress on your problem?
23:55 < jeev> heh
--- Day changed Thu Nov 13 2008
00:11 < eX|Nazha> nope
00:12 < eX|Nazha> i can't change to UDP
00:14 < krzee> why not?
00:14 < ecrist> o.O
00:15 < ecrist> didn't I +b you?
00:16 < krzee> doh that reminds me
00:16 -!- mode/##openvpn [+o krzee] by ChanServ
00:16 -!- mode/##openvpn [-b *!*@lidsol.fi-b.unam.mx] by krzee
00:16 -!- mode/##openvpn [-o krzee] by krzee
00:17 * ecrist is gleefully installing Wrath of the Lich King...
00:17 * ecrist is a loser.
00:17 < eX|Nazha> krzee, can u guide me step by step.
00:17 < eX|Nazha> i am kindly noob here :)
00:17 < ecrist> eX|Nazha: while it's not super FreeBSD specific, see
00:17 < ecrist> !freebsd
00:17 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
00:19 < eX|Nazha> proto udp - Run with UDP protocol. I don't know why this is better than TCP, if it is. ?
00:20 < krzee> !tcp
00:20 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
00:20 < krzee> i have shown you that a few times
00:20 < krzee> click the link and read
00:20 < jeev> lol ecrist
00:20 < eX|Nazha> # TCP or UDP server?
00:20 < jeev> loser is an understatement!
00:20 < eX|Nazha> ;proto tcp
00:20 < eX|Nazha> proto udp
00:20 < eX|Nazha> my server.ovpn is
00:20 < eX|Nazha> ;proto tcp
00:21 < eX|Nazha> proto udp
00:23 -!- eX|Nazha [n=nchin@82.168.111.218.cbj03-home.tm.net.my] has quit []
00:23 * krzee gone watching movie
00:23 < jeev> johnny does dallas
00:24 -!- eX|Nazha [n=nchin@82.168.111.218.cbj03-home.tm.net.my] has joined ##openvpn
00:24 < eX|Nazha> back
00:24 < eX|Nazha> did i miss any msg ?
00:27 < stephenh> nope.
00:34 < ecrist> eX|Nazha: go read the docs before you come back, please.
00:38 < ecrist> ah-ha, you tried working around my ban.
00:38 < stephenh> is eX|Nazha's problem installing a working openvpn server?
00:39 -!- mode/##openvpn [+o ecrist] by ChanServ
00:39 < jeev> ut oh
00:39 -!- mode/##openvpn [+b *!?=nchin@*] by ecrist
00:39 -!- mode/##openvpn [-o ecrist] by ecrist
00:39 -!- mode/##openvpn [+o ecrist] by ChanServ
00:40 -!- mode/##openvpn [+b eX|Nazha!*@*] by ecrist
00:40 -!- mode/##openvpn [-o ecrist] by ecrist
01:04 < ropetin> What's going on here then? :)
02:11 -!- oc80z [i=oc80z@quad.efnet.pe] has quit []
02:34 < ecrist> nm
02:35 < ecrist> he won't read the docs
02:35 < ecrist> g'night
03:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:43 -!- eX|Nazha [n=nchin@82.168.111.218.cbj03-home.tm.net.my] has quit [Client Quit]
04:57 < reiffert> Moin!
05:54 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: krzie, paruchuri
05:54 -!- Netsplit over, joins: krzie, paruchuri
06:01 -!- littlerock [n=littlero@219.236.169.170] has joined ##openvpn
06:37 -!- itguru [n=p@212.85.1.33] has joined ##openvpn
06:37 < itguru> how to get all data to go via the VPN?
06:38 < itguru> Rather than just the data destined for the internal subnets
06:51 < stephenh> i believe it's in http://openvpn.net/index.php/documentation/howto.html.
06:57 < itguru> Thank you stephenh
07:00 < stephenh> it was really nothing.
08:20 -!- itguru [n=p@212.85.1.33] has quit [Read error: 110 (Connection timed out)]
08:22 -!- msim [i=what@ner-as21190.alshamil.net.ae] has joined ##openvpn
08:24 < msim> Trying to connect to the vpn server, and keep on getting "A connection to the remote computer could not be established, so the port used for this connection was closed" .. what gives?
08:42 < ecrist> http://www.youtube.com/watch?v=yU-tjPhLcRI
08:42 < ecrist> lol
08:42 < vpnHelper> Title: YouTube - Boys Beware Clipped (at www.youtube.com)
08:43 < ecrist> um, it can't connect to the remote system
08:43 < ecrist> probably a firewall issue
08:45 < msim> ecrist firewall is disabled on both client/server.
08:47 < ecrist> is the openvpn server daemon running on the other end?
08:47 < ecrist> can you pastebin your entire log file?
09:00 -!- ashashash [n=ash@p579853D2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
09:04 -!- littlerock [n=littlero@219.236.169.170] has quit [Read error: 110 (Connection timed out)]
09:08 < msim> ecrist It's more like pptpd.
09:10 < ecrist> msim: OpenVPN != pptpd
09:10 < msim> I know, pptpd channel doesn't exist, thought you guys might know.
09:10 < ecrist> nope
09:10 < msim> alright, thanks.
09:36 < plaerzen> good morning #openvpn
09:36 < plaerzen> !
09:46 < jeev> ah
09:50 -!- eartham [n=dak@190.24.218.190] has joined ##openvpn
09:51 < eartham> hi, i want to set up a routed vpn, now it works but i dont understand this parameter, where have to put the config file (to use iroute) client-config-dir ccd tutorial: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
09:51 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
09:51 -!- nooga [n=nooga@89.174.55.154] has joined ##openvpn
09:51 < nooga> hi
09:54 < eartham> hi
09:54 -!- itguru [n=p@host81-134-10-140.in-addr.btopenworld.com] has joined ##openvpn
09:56 < nooga> i've got several machines that were using pptp client to connect to a vpn server running on a router in my office, problem is that router died and now i need to create a vpn server in the office to allow those machines to connect
09:57 < nooga> they were connecting using only passwords, no certs etc
09:57 < nooga> and now i have problem because i just can't manage to set ovpn server without any certs and everything
09:58 -!- itguru [n=p@host81-134-10-140.in-addr.btopenworld.com] has quit [Read error: 60 (Operation timed out)]
09:59 < eartham> nooga, for windows machines you can create custom installations
10:04 < nooga> they're running linux and i can't access them at all
10:04 < nooga> treat them like space probes ;)
10:06 < nooga> those machines try to connect to office external IP with preset passwords
10:07 < eartham> mmm
10:07 < eartham> why dont you keep using pptp
10:07 < eartham> ?
10:08 < nooga> well
10:08 < nooga> last solution was kinda automagic because vpn server built in the router did the work and everything was alright
10:09 < nooga> and now i need to set up a vpn server on a pc
10:09 < nooga> behind the router
10:09 < eartham> nooga, you can try to set up a pptp server on the pc
10:10 < nooga> and then forward the port?
10:10 < nooga> will those machines be visible under local ips in the office network?
10:13 < eartham> depends on the set up
10:14 < nooga> i'm not too good in networking stuff, in fact i'm a programmer ;|
10:14 < eartham> mmm bad stuff
10:14 < jeev> whayt kanguage
10:14 < jeev> lang
10:15 < nooga> what language what?;p
10:16 -!- Weasel[DK] [n=Weasel[D@93.164.121.150] has joined ##openvpn
10:16 < jeev> do you program
10:16 < jeev> heh
10:17 < nooga> it depends
10:17 < nooga> mainly C/C++ and ruby
10:18 < Weasel[DK]> im using openvpn for bridging 2 locations, but i want to block/discard DHCP... someone got a hint ? tried all kind of stuff with iptables and ebtables but without any luck. :(
10:24 -!- AukeF [n=auke@x154.flex.surfnet.nl] has quit [Remote closed the connection]
11:08 < eartham> hi, does anyone know if i can set up the iroute parameter on the server side instead creating a file on the client?
11:25 -!- nooga [n=nooga@89.174.55.154] has quit [Read error: 110 (Connection timed out)]
11:30 -!- stephank [n=urk@2002:52c5:cf78:0:21c:c4ff:fece:ea94] has joined ##openvpn
11:57 -!- xattack [n=xattack@132.248.108.233] has joined ##openvpn
12:00 < ecrist> eartham: I think that's where you set it up.
12:01 < eartham> ecrist, i find it out thanks
12:11 -!- stephank [n=urk@2002:52c5:cf78:0:21c:c4ff:fece:ea94] has quit [Read error: 113 (No route to host)]
12:15 < krzee> eartham,
12:16 < krzee> you can put the ccd dir anywhere you want
12:16 < krzee> just as long as the client-config-dir statement points to it
12:16 < krzee> Weasel[DK], why do you want to use bridging?
12:22 -!- stephank [n=urk@2002:52c5:cf78:0:21c:c4ff:fece:ea94] has joined ##openvpn
12:29 < stephank> Hello! I have a bit of a challenge. I work for a company offering VoIP services, and we have a whole bunch of linux boxes deployed at customer sites, and need to access the IP phones' web interfaces as well. Right now, we use lots of ssh tunnels, but I was wondering if openvpn could offer a more convenient solution. Problem is, how do I make available all these overlapping networks to our office network?
12:33 < stephank> Preferably I'd just have a (virtual) machine permanently maintaining the connections and routing for me, but that still leaves addressing problems. I found out about the NETMAP iptables target, but that's also not ideal, because we copy and paste IP addresses around a lot. This may sound like a silly idea, but is it possible to abuse a site-local IPv6 subnet, prefix each remote network and masquerade to IPv4 at the router? (hard to fin
12:34 < ecrist> stephank: OpenVPN would be a good component to your solution.
12:36 < stephank> I imagine it's going to be one way or the other
12:49 < krzee> why a virtual machine?
12:50 < krzee> you said overlapping networks?
12:50 < krzee> as in 192.168.0.x on multiple sites?
12:50 < stephank> many remote sites have 192.168.0.x and 192.168.1.x, yes
12:51 < krzee> and you need access to the LANs behind the openvpn machines on those sites?
12:51 < stephank> exactly
12:51 < krzee> ok well
12:52 < krzee> the amount of effort you will spend setting up and maintaining the NATs to make that work, and constant upkeep of understanding it, far outweighs the effort of fixing the problem of overlapping ip ranges
12:52 < krzee> in other words, change the LAN ips now instead of later
12:52 < krzee> maybe something like 10.90.1.x
12:52 < krzee> 10.90.2.x
12:52 < krzee> 10.90.3.x
12:52 < stephank> we don't manage these networks, unfortunately, they're our customers :/
12:52 < krzee> etc
12:53 < krzee> option 2, ugly as shit NAT
12:53 < krzee> and some kind of legend to keep you knowing what is what
12:53 < krzee> it will be ugly and hard to remember wtf is going on, easy to breaj
12:53 < krzee> break
12:53 < krzee> but not openvpn's fault, rather a fault of the network design you are requiring
12:56 < stephank> Well, I realize that, but changing the remote networking is really not an option. I'm more of a software engineer than a network engineer, so I might just write something to make it manageable, once I understand the network side of things.
12:59 < krzee> unless you plan on re-inventing NAT theres nothing for you to write
13:00 < stephank> hehe
13:02 < krzee> hrm actually i take it back
13:03 < krzee> what i said works for client having same network as server
13:03 < krzee> but 2 clients, i dont think you can fix that with NAT
13:03 < krzee> im pretty sure you're just straight up screwed
13:04 < krzee> i dont think openVPN is a solution for you because you have a bunch of networks in the same IP range, changing them is not an option, and you want to link them
13:05 < krzee> "This may sound like a silly idea, but is it possible to abuse a site-local IPv6 subnet, prefix each remote network and masquerade to IPv4 at the router? (hard to fi"
13:06 < krzee> how would you masq it? you want to match 192.168.0.x multiple times with different results
13:06 < stephank> I was thinking along the lines of: fec0::1:192.168.1.3 to address tunnel 1, fec0::2:10.1.1.5 to address tunnel 2, etc.
13:06 < krzee> but those machines will be sending packets to you too
13:06 < krzee> and you would need to masq them the other direction too...
13:06 < stephank> of course
13:07 < krzee> meaning youd need to masq 192.168.0.x multiple times with different results
13:07 < krzee> how would you tell them apart?
13:08 < krzee> and your iroutes would be all screwed up
13:08 < krzee> in other words, no
13:09 < krzee> what you're thinking is the same as what i was thinking earlier, only you used nat to ipv6 and i just used ipv4 nat
13:10 < krzee> neither would work
13:10 < krzee> they would if it was only the server and client with conflicting NATs
13:10 < krzee> but what you describe, no
13:11 < krzee> if you're sure you cant get clients changing their networks to what you specify, ssh tunnels might be your best solution i guess
13:11 < krzee> cause multiple overlapping client networks is a huge problem
13:12 < krzee> but look on the bright side
13:12 < krzee> i just saved a ton on my car insurance ;]
13:12 -!- ikevin_ [n=kevin@ANancy-256-1-14-248.w90-13.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)]
13:14 < stephank> krzee: not sure we're on the same frequency. I don't really see the problem you're trying to point out :)
13:15 < krzee> ok check this out
13:15 < krzee> you are talking about NATing 2 networks
13:15 < krzee> both start out as 192.168.0.x
13:15 < krzee> and both come from the same place
13:15 < krzee> how the hell would you tell them apart
13:15 -!- misfitx7 [n=tgarneau@c-24-128-57-144.hsd1.ma.comcast.net] has joined ##openvpn
13:15 < krzee> but even if you could
13:15 < krzee> !iroute
13:15 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
13:15 < krzee> that still would not work
13:16 < krzee> and yes, to your kernel both client networks DO come from the same place, the openvpn interface
13:16 -!- ikevin_ [n=kevin@ANancy-256-1-14-248.w90-13.abo.wanadoo.fr] has joined ##openvpn
13:17 < krzee> !learn iroute as does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry, please see !ccd
13:17 < vpnHelper> krzee: The operation succeeded.
13:17 < krzee> !forget iroute 1
13:17 < vpnHelper> krzee: The operation succeeded.
13:18 < krzee> !learn iroute as does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
13:18 < vpnHelper> krzee: The operation succeeded.
13:18 < krzee> !forget iroute 1
13:18 < vpnHelper> krzee: The operation succeeded.
13:19 < jeev> sup krzee
13:19 < krzee> wassup jeevs
13:19 < jeev> nothing much krzees
13:20 < krzee> but when i add an s to yours you become the butler
13:20 < krzee> !
13:20 < jeev> ha ha ha
13:21 < jeev> hey
13:21 < krzee> "...They must find it difficult ... Those who have taken authority as the truth, rather than truth as the authority..." G. Massey
13:21 < jeev> my friend says when they get a call
13:21 < jeev> yesterday after i ran that one wire
13:21 < jeev> he says when they get a call
13:21 < jeev> it just makes a beep noise
13:21 < stephank> What I was planning on doing was setting up simple point to point VPNs. Our end runs a dhcp server in some range we know is unique, and deals out addresses for the tunnel interfaces on the customer end. Then, I want to set that machine on our end as a gateway for fec0::/64, and somehow have that machine take the first 32 bits and use it to determine which tunnel to use, and the latter as the IPv4 address to route to across the tunnel.
13:22 < krzee> jeev, what did i say bout working on nortel without the manual?
13:22 < krzee> stephenh, you wont be able to route to the LAN
13:22 < jeev> not even the nortel
13:22 < jeev> just the fax line too!
13:22 < jeev> i did everything freaking right
13:22 < jeev> i even tested it
13:22 < jeev> wtf man fuck
13:22 < Weasel[DK]> krzee, sorry didn't notice your response
13:22 < Weasel[DK]> i need the same subnet on both locations
13:23 < krzee> stephenh, p2p doesnt do LAN routing iirc
13:23 < krzee> Weasel[DK], why?
13:23 < krzee> !bridge
13:23 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
13:23 < stephank> krzee: I know, that part of the routing won't be up to openvpn, I suppose
13:24 < krzee> !more
13:24 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
13:24 < krzee> stephank, well good luck to you, you have my answer
13:25 < stephank> krzee: hehe, okay. I'll keep digging. Many thanks for thinking along :)
13:25 < krzee> np
13:26 < Weasel[DK]> krzee, i would like to run a DHCP server at the other end too... mainly because if the link goes down they are in trouble with IP's
13:26 < krzee> Weasel[DK], you never mentioned why you want the same ip range on both sides
13:26 < krzee> windows filesharing by NETBIOS name without WINS?
13:26 < krzee> LAN gaming?
13:26 < krzee> something else that you need to communicate by MAC and not IP?
13:27 < Weasel[DK]> krzee, im looking into at "up" "down" solution
13:27 < Weasel[DK]> krzee, some stupid software i dont know about... :(
13:27 < krzee> you're not answering my question about why you want a bridge
13:27 < Weasel[DK]> now i did't ;)
13:27 < krzee> most likely you dont want a bridge
13:28 < Weasel[DK]> if this lame apps requires it... i have to
13:28 < krzee> what app?
13:31 < Weasel[DK]> krzee, i don't really know. a license server i guess. i was told it only worked on the same subnet.... and thats the way they want it.. so
13:31 < krzee> but it actually matters
13:31 -!- stephank [n=urk@2002:52c5:cf78:0:21c:c4ff:fece:ea94] has left ##openvpn []
13:31 < Weasel[DK]> krzee, it works fine... i just wanted a local DHCP just in case
13:31 < krzee> cause depending what it is and how it works you may be able to tell each dhcp server to control a /25
13:32 < krzee> instead of a /24
13:32 < krzee> then they are on same /24 handing out diff ips
13:32 < krzee> and app server could run on 255.255.255.0 still with static ip bypassing dhcp server
13:32 < krzee> possibly
13:33 < krzee> but *shrug* i gotta go anyways
13:33 < krzee> later
13:33 < Weasel[DK]> krzee, oki... C U
13:38 -!- eartham [n=dak@190.24.218.190] has quit [Read error: 54 (Connection reset by peer)]
14:12 -!- plaerzen [n=cam@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
14:25 -!- xattack [n=xattack@132.248.108.233] has quit []
15:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
15:57 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:11 -!- misfitx7 [n=tgarneau@c-24-128-57-144.hsd1.ma.comcast.net] has quit [Remote closed the connection]
16:47 -!- Weasel[DK] [n=Weasel[D@93.164.121.150] has quit [Remote closed the connection]
17:35 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn
18:46 -!- theromis [n=romis@67-207-115-132.static.wiline.com] has joined ##openvpn
18:46 < theromis> hi guys
18:46 < theromis> is possible add command in management interface from OpenVPN plugin?
19:04 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:04 < Dougy> time to set up a vpn again
19:26 < Dougy> hmmmmmm
19:26 < Dougy> 2048 bit or 4096 bit?
19:26 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
19:26 * Dougy pokes krzie
19:32 -!- Alives [n=Alives@cpe-74-66-27-246.nyc.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
19:57 < jeev> loser
19:58 < Dougy> so
19:58 < Dougy> tun isnt enabled
20:01 < jeev> when you get yours enabled
20:01 < jeev> get mine enabled too
20:01 < jeev> i told you wankster
20:01 < Dougy> lol
20:02 < Dougy> im trying to learn bash scripting at its basics
20:02 < jeev> heh
20:03 < jeev> ok testicles
20:03 < jeev> i'v gotta go
20:03 < jeev> bbiab
20:03 < jeev> or bbl
20:08 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Read error: 113 (No route to host)]
20:21 < Dougy> -x in a bash script
20:21 < Dougy> in an if
20:21 < Dougy> if [ -x /usr/bin/yum ]; then
20:21 < Dougy> that
20:21 < Dougy> does that check if the file exists and can be run?
20:22 -!- msim [i=what@ner-as21190.alshamil.net.ae] has quit []
20:32 < Dougy> krzie
20:47 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
20:49 < Dougy> krrrrrrrrrzie
21:26 < jeev> lol
21:26 < jeev> what
21:26 < jeev> are you trying to do
21:27 < Dougy> nothing no
21:27 < Dougy> w
21:28 < jeev> so your script failed?
21:28 < jeev> krzee can't write sh for crap
21:28 < jeev> dont listen to him!
21:39 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Ex-Chat"]
22:19 < troy-> jeev, for some reason external access dropped but i can still access internal nets
22:29 < jeev> check your nat
22:29 < jeev> ;d
22:32 < ecrist> dogmeat: man test
22:32 < ecrist> erm, Dougy
22:32 < jeev> lol
22:32 < jeev> ecrist
22:33 < jeev> what do you think about my new ringtone
22:33 < ecrist> what ringtone?
22:33 * ecrist found a new way to do cisco router backups by setting an snmp string, rather than using expect.
22:33 < jeev> USSR national anthem
22:34 < ecrist> why?
22:34 < jeev> i love it
22:34 < jeev> awesome
22:34 < ecrist> good enough reason, I suppose
22:35 < jeev> yea
22:35 < jeev> dood, all my reasons are good
22:36 < jeev> i'm the ish
22:38 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)]
--- Day changed Fri Nov 14 2008
00:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:34 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
00:34 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
01:40 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit ["Leaving"]
01:42 -!- th [n=th@unaffiliated/th] has joined ##openvpn
01:44 < th> is it possible to accept an expired certificate with some special option? my only way of access to a machine is through the vpn which is down due to expired cert..
01:45 < th> it's trying again and again to open vpn tunnel but my peer refuses due to expiry. i'd like to let it accept one time and replace the crt
02:08 < jeev> th
02:08 < jeev> i dunno how but
02:08 < jeev> check in the morning
02:08 < jeev> i'm SURE
02:08 < jeev> it's possible
02:11 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
02:28 < th> jeev: when is morning? i'm on GMT+1
03:55 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: thefish, zamba, ThoMe
03:56 -!- Netsplit over, joins: ThoMe, thefish, zamba
04:15 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
04:15 < krzee> i dont think so
04:15 < onats> is it possible to be connected to two vpn servers using one client (laptop) at the same time?
04:15 < onats> hi krzee
04:15 < krzee> onats, sure
04:15 < krzee> just run the client 2x
04:15 < krzee> 1 for each server
04:15 < onats> im using tunnelblick
04:16 < krzee> i use osx, but i dont bother with gui's
04:16 < onats> so i can just click connect on two
04:16 < onats> well its nice
04:16 < onats> :D
04:16 < krzee> heh
04:16 < krzee> and pointless
04:17 < krzee> i made a file named vpn.command
04:17 < krzee> all it has is thisL
04:17 < krzee> this:
04:17 < krzee> sudo /usr/local/sbin/openvpn /Users/Jeff/vpn/routed.conf
04:17 < krzee> i click it, a command window pops up
04:17 < krzee> type password, connected to vpn
04:17 < onats> well i like this. ehhehe
04:17 < krzee> cool
04:18 < krzee> then figure out how to run 2 configs in it
04:18 < onats> i can already.. i just wonder why i couldn't ping the devices on the 2nd connection. probably some routing stuff again...
04:19 < krzee> show configs
04:19 < krzee> well
04:19 < krzee> just show a client config
04:19 < krzee> i assume you are using different networks
04:21 < onats> krzee, yup, should be different configs
04:21 < onats> what do you mean show configs?
04:21 < krzee> !configs
04:21 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
04:21 < onats> krzee, from which part of the world you in? we seem to be online same time
04:22 < krzee> the caribbean, im just a night person
04:22 < krzee> it is 6:30ish right now
04:22 < krzee> ill be going to bed soon
04:27 < onats> http://pastebin.ca/1256021
04:28 < onats> cool!
04:28 < krzee> ohhh tap
04:28 < krzee> honestly, i have no idea
04:29 < krzee> you're trying to bridge into 2 vpns
04:29 < krzee> i cant help, i dont use bridging and have never tried to setup anything like that
04:29 < krzee> but hell maybe you can make 2 bridge devices and make a single bridge with both of those and your inet interface
04:30 < krzee> thats what ild try
04:30 < krzee> im sure we've gone over why you want bridging and you know you need it
04:31 < krzee> but i mention that anyways cause most people who ask for help bridging really want a routed setup
05:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:10 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
05:12 < reiffert> Moin
05:14 < ropetin> Yup yup
05:45 -!- th [n=th@unaffiliated/th] has left ##openvpn []
06:06 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
06:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:08 -!- mRCUTEO [n=info@64.235.47.76] has joined ##openvpn
06:08 < mRCUTEO> hi
06:08 < mRCUTEO> how can i increase my openvpn transfer speed?
06:09 < mRCUTEO> my actual bandwidth is 200 KB/s but i kinda get 55 KB/s only when using openvpn
06:12 < cpm> lot of overhead in crypto
06:13 < mRCUTEO> how can i overcome this problem cpm?
06:14 < mRCUTEO> overcome overhead in crypto?
06:14 < cpm> don't use encryption if you want speed
06:14 < cpm> I don't see it as a problem. Get a bigger pipe, faster computers
06:14 < mRCUTEO> ic
06:15 < mRCUTEO> how can i disable encryption?
06:15 < mRCUTEO> can i just edit the server.conf?
06:15 < mRCUTEO> or do i need to recompile..
06:18 < mRCUTEO> # Select a cryptographic cipher.
06:18 < mRCUTEO> # This config item must be copied to
06:18 < mRCUTEO> # the client config file as well.
06:18 < mRCUTEO> ;cipher BF-CBC # Blowfish (default)
06:18 < mRCUTEO> ;cipher AES-128-CBC # AES
06:18 < mRCUTEO> ;cipher DES-EDE3-CBC # Triple-DES
06:18 < mRCUTEO> all encryption has been disabled.,.
06:18 < mRCUTEO> but i experience the same result
06:27 -!- nooga [n=nooga@89.174.55.154] has joined ##openvpn
06:35 < mRCUTEO> hello
06:35 < mRCUTEO> anyone knows how to increase speed of openvpn ?
06:52 < ecrist> faster processor and a bigger inet pipe
06:55 < mRCUTEO> oh
06:55 < ecrist> but, openvpn probably isn't your problem.
06:55 < mRCUTEO> yeah maybe it was my internet connection
06:55 < ecrist> I've got openvpn installs pushing 50Mbps on a P3
06:56 < ecrist> few clients, though
06:56 < mRCUTEO> my isp throttle international connection..
06:56 < mRCUTEO> my adsl speed is 1.5 Mbps but when connection to openvpn which inside my dedicated server i can only achieved 50 KB/s
07:00 * mRCUTEO BBL
07:00 -!- mRCUTEO [n=info@64.235.47.76] has quit []
07:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:42 < nooga> maybe somebody knows: does pptp server (poptop) allow to create ethernet bridge? so that clients can get ips in LAN where server stands?
07:43 < nooga> because i need to do that and i'm completely lost in connecting pptp clients to ovpn server
07:43 < ecrist> !notopenvpn
07:43 < vpnHelper> ecrist: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
07:44 < nooga> there is no channel related to my problem ;|
08:10 -!- mRCUTEO [n=info@64.235.47.76] has joined ##openvpn
08:10 < mRCUTEO> hi
08:10 < mRCUTEO> how do i disable encryotion in openvpn?
08:17 -!- mRCUTEO [n=info@64.235.47.76] has quit []
08:31 -!- slackytude [i=10029@p4FD88F32.dip0.t-ipconnect.de] has joined ##openvpn
08:33 < slackytude> my openvpn setup fails at TLS handshake. client gives me a timeout. any idea where to start looking?
08:45 < ecrist> mRCUTEO is a fucktard
08:45 < ecrist> slackytude: logs
08:46 < slackytude> ecrist, thx for responding. Im just rebuilding all my certs. only place I can think of where I did wrong. but these are windows machines and if the problem stays Im gonna cry again
09:05 -!- slackytude [i=10029@p4FD88F32.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
09:06 -!- slackytude [i=10029@p4FD89276.dip0.t-ipconnect.de] has joined ##openvpn
10:10 -!- nooga [n=nooga@89.174.55.154] has quit ["Lost terminal"]
10:10 -!- slackytude [i=10029@p4FD89276.dip0.t-ipconnect.de] has quit [Remote closed the connection]
11:50 < reiffert> "windows machine" - is that a common excuse in advance?
11:51 < reiffert> Something similar to "Windows machine means I can't find any logfile" or "I'm unable to read the logfile because carriage return's are missing"?
11:53 < cpm> fucktard?
11:55 < jeev> ?
11:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:10 < ecrist> yes
12:10 < ecrist> fucktard
12:10 < ecrist> 08:10 < mRCUTEO> how do i disable encryotion in openvpn?
12:11 < ecrist> if you're going to disable encryption, you might as well build a GRE tunnel
12:12 * ecrist gets cable installed tomorrow
12:12 < ecrist> cable internet, that is
12:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:20 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
12:36 < krzee> !learn noenc as if you're going to disable encryption, you might as well build a GRE tunnel
12:36 < vpnHelper> krzee: The operation succeeded.
12:58 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 13:50 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection] 13:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 113 (No route to host)] 15:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:38 -!- mRCUTEO [n=info@64.235.47.76] has joined ##openvpn 15:38 < mRCUTEO> hello 15:38 < mRCUTEO> anyone knows how to disable encryption in openvpn? 15:48 -!- mRCUTEO [n=info@64.235.47.76] has quit [] 16:11 < krzee> anyone know how to wait for an answer? 16:20 -!- stephenh [i=stephen@69.30.200.88] has quit [Read error: 113 (No route to host)] 16:20 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 17:42 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:00 -!- Dougy [n=doug@69.10.36.50] has joined ##openvpn 18:01 < Dougy> if gcc -DHAVE_CONFIG_H -I. -I. -I. -I. -g -O2 -MT socket.o -MD -MP -MF ".deps/socket.Tpo" -c -o socket.o socket.c; \ 18:01 < Dougy> then mv -f ".deps/socket.Tpo" ".deps/socket.Po"; else rm -f ".deps/socket.Tpo"; exit 1; fi 18:01 < Dougy> socket.c: In function 'unix_socket_get_peer_uid_gid': 18:01 < Dougy> socket.c:2737: error: storage size of 'peercred' isn't known 18:01 < Dougy> make[2]: *** [socket.o] Error 1 18:01 < Dougy> whats this? 18:03 < jeev> calm down. 
18:04 < jeev> dont make me kick your a$$
18:04 < Dougy> go away
18:04 < jeev> :O
18:04 < theromis> all my socket.c contains 2589 lines
18:05 < jeev> he's probably trying the beta
18:05 < theromis> I'm using vpn from subversion
18:06 < theromis> OpenVPN 2.1_rc4
18:06 < Dougy> yes
18:06 < Dougy> rc13
18:06 < Dougy> compiles fine on centos, not ubuntu
18:06 < jeev> i got 13 here
18:06 < jeev> 2751 socket.c
18:06 < theromis> looks like you have some libraries installed into /usr/local
18:07 < theromis> and it overrides our's structure definition
18:07 < theromis> *your's
18:07 < Dougy> how to fix?
18:21 < Dougy> going home
18:21 -!- Dougy [n=doug@69.10.36.50] has quit [Remote closed the connection]
18:47 < reiffert> Hi
18:55 < djc> mpm: used context.changectx() because I figured it might be a tiny bit faster
18:55 < djc> so not really for a very particular reason
19:05 < djc> ugh totally wrong window
19:05 < djc> sorry for that
19:22 < reiffert> telnet towel.blinkenlights.nl
20:02 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:02 < Dougy> hey
20:02 < Dougy> is anyone here
20:04 < ecrist> no
20:05 < Dougy> hiya ecrist
20:05 < Dougy> how goes it
20:06 < jeev> ahh
20:06 < jeev> lookie, it's that steaming pile of sh*t
20:09 < Dougy> oh hey
20:09 < Dougy> look
20:09 < Dougy> its jeev
20:10 < jeev> i was talking about ecrist
20:10 < jeev> ;D
20:10 * Dougy has tun support now
20:10 < Dougy> @ jeev
20:11 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Ex-Chat"]
20:11 < jeev> lol
20:41 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
20:54 -!- cranky- [i=madman@pool-96-242-173-233.nwrknj.fios.verizon.net] has joined ##openvpn
20:55 < cranky-> ok, please point me to the idiot guide for openvpn routes
20:55 < cranky-> I can ping/connect to some machines from gui client to remote network, but not others, I can hit .1, .10, .125 on the remote side, but not .126 or .127
20:56 < cranky-> ready to drive to the office and set office on fire
21:03 < krzee> that is the worst explanation of a problem i have ever heard
21:03 < krzee> unfortunately i cant dig much into it cause its 11pm and friday night, so im outta here
21:05 < cranky-> heh
21:09 < cranky-> my routes look correct, at least to me, once I connect to the openvpn server, I can ping the server itself, I can ping/connect to other computers at x.x.x.10 and x.x.x.125 but not to x.x.x.126 or x.x.x.127
21:15 < krzee> !route
21:15 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
21:40 < troy-> an openvpn client shows a default gateway of 192.168.2.5 however that IP isnt bound on the openvpn server
21:46 < troy-> fixed
23:00 < ropetin> troy-: Excellent, glad we could help ;)
--- Day changed Sat Nov 15 2008
00:52 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
01:05 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Remote closed the connection]
03:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:04 -!- gallatin [n=gallatin@dslb-088-077-065-227.pools.arcor-ip.net] has joined ##OpenVPN
04:21 -!- plaerzen [n=cam@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
05:11 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:37 < cranky-> krzee: thanks!
06:37 < cranky-> reading it now (fell asleep last night)
07:10 -!- gallatin [n=gallatin@dslb-088-077-065-227.pools.arcor-ip.net] has quit [Remote closed the connection]
08:08 -!- paruchuri [n=paruchur@61.16.248.247] has quit [Remote closed the connection]
09:18 -!- DarkDrgn2k [n=DarkDrgn@CPE000f3d01971a-CM00125573082a.cpe.net.cable.rogers.com] has joined ##openvpn
09:18 < DarkDrgn2k> Hey guys, i just turned IP forwarding on a win2k3 server (reg key change) rebooted, now i get TTL expired when i try to ping a remote client's IP, and remote client cant seem to ping the server. Logs seem ok. what did i miss
09:37 < jeev> huh
09:38 < jeev> cso you can't reach the net ?
09:39 < cranky-> grrr, something is still wrong
09:40 < cranky-> pushed the routes but nothing, I don't understand why the client can pin .1, .10, .121, .125 on the remote network, but not .50, .122, .123, .126 .127
09:40 < cranky-> s/pin/ping
09:48 -!- DarkDrgn2k [n=DarkDrgn@CPE000f3d01971a-CM00125573082a.cpe.net.cable.rogers.com] has quit []
10:22 < jeev> are your iroutes ok
10:22 < jeev> i dunno what i'm saying
10:22 < jeev> nevermind
10:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:47 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:33 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
11:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:50 -!- jeev [n=email@unaffiliated/jeev] has quit ["ircN 8.00 for mIRC (20080809) - www.ircN.org"]
12:00 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
12:12 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
15:04 < ecrist> !
15:07 < ecrist> so, I just got comcast business, going to be rolling my network over to that after I build a firewall on the 1650 nobody wants to buy from me
15:08 < ecrist> they asked me if I want to do IPsec tunneling, I just said yes
15:08 < ecrist> turns out, the comcast business gateway supports IPsec tunnels, as well as it will operate as a PPTP/L2TP VPN server
15:08 * ecrist is mildly impressed
15:23 -!- itchi [n=David@unaffiliated/itchi] has quit [Remote closed the connection]
15:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
15:37 < cranky-> someone please kick me
15:37 < cranky-> my routing was fine
15:37 < cranky-> someone enabled software firewalls on three machines
15:37 < cranky-> I want to kill myself
15:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:48 -!- mode/##openvpn [+o ecrist] by ChanServ
15:48 -!- cranky- was kicked from ##openvpn by ecrist [you told me to...]
15:48 -!- cranky- [i=madman@pool-96-242-173-233.nwrknj.fios.verizon.net] has joined ##openvpn
15:48 -!- mode/##openvpn [-o ecrist] by ecrist
15:48 < cranky-> thanks
15:49 < ecrist> how do you like fios?
15:49 < cranky-> now I just need to get someone to do it to my nuts
15:49 < cranky-> fios is awesome
15:49 < ecrist> do they allow you to host off it yet?
15:49 < cranky-> well... no, not unless you order fios business with static IP
15:49 < ecrist> it's 100M up/down, right?
15:50 < cranky-> I have it at the office, $159/mo with static 5 ips 20/20Mbit
15:50 < cranky-> no they haven't started to offer 100mbit service yet
15:50 < cranky-> 50/20 is the highest they currently offer
15:50 < ecrist> 20/20 is sweet, though.
15:50 < cranky-> but 20/20 is plenty of bandwidth for 10 users
15:50 < ecrist> 50/10 is best I can get here, and that's through comcast for $189/mo
15:50 < ecrist> do you host anything off that?
15:51 < cranky-> just vpn
15:51 < cranky-> for inbound stuff
15:51 < ecrist> do you actually get 20M up?
15:51 < cranky-> although we're going back and forth about bringing the mail server in house and running BES on it
15:51 < cranky-> yes
15:51 < ecrist> BES is expensive
15:52 < ecrist> especially for 10 users
15:52 < cranky-> hardest part about getting 20mbit up is finding a host that will accept it, I have to bounce through 5-6 speed tests to find someone
15:52 < cranky-> my webhost only allows 10mbit up to my account
15:52 < ecrist> I'd buy a BES hosted plan. They run about $9/mo per account.
15:52 < ecrist> lol
15:52 < cranky-> well that's what I wanted to do, but the owner doesn't want the email outside
15:52 < cranky-> completely stupid
15:53 < ecrist> iirc, you're looking at ~$2000 for BES, plus Windows Server 2003/2008, plus MS Exchange for a grand total of around $6000
15:53 < ecrist> lots of hosting for $6000
15:53 < cranky-> .isp.broadviewnet.net] Inactivity timeout (--ping-restart), restarting
15:53 < cranky-> wtf,
15:53 < cranky-> I have a RDP connection over that link
15:54 < cranky-> and it's doing it while actively using it
15:54 < cranky-> brb, gonna check the server config
15:54 < ecrist> that's 66 months of hosted exchange accounts for 10 users.
15:54 < cranky-> and where are you getting hosted BES for $9/mo?
15:55 < ecrist> hang on
15:55 < cranky-> even at $22/mo for rackspace it made more sense
15:55 < cranky-> I think we're 8 blackberry and then an additional 5 email users
15:57 < ecrist> http://www.visi.com/business/email/exchange.aspx?gclid=CPD66s6W-JYCFRIfDQod6kG8YA
15:57 < vpnHelper> Title: Minneapolis Exchange Hosting - St. Paul Shared Exchange - Managed Exchange - IMAP - Webmail - Microsoft Outlook | VISI (at www.visi.com)
15:57 < ecrist> $11/mo with BES
15:57 < cranky-> $9 for exchange and bes?
15:57 < cranky-> that's crazy cheap
15:59 < cranky-> yay
16:01 < ecrist> plus, the nice thing about hosting mail elsewhere - spam/antivirus/updates/etc are someone else's problem.
16:02 < cranky-> dude, don't convince me
16:02 < cranky-> convince the idiot I work for
16:02 < ecrist> heh
16:02 < cranky-> I think they thought I was trying to earn on them with the service
16:02 < ecrist> here's what I did - convince the boss that mail admin takes too much of *your* valuable time.
16:03 < cranky-> I'm not an IT guy anymore
16:03 < cranky-> I'm a construction project manager
16:03 < ecrist> lol
16:03 < cranky-> I only do the IT on an as-needed basis
16:03 < cranky-> so they "snuck" a consultant company in
16:03 < ecrist> then explain the costs to them as I did to you, above.
16:04 < cranky-> they give them this proposal for like $15K upfront and then $1800/mo in retainer
16:04 < cranky-> now mind you, this DID NOT include BES
16:04 < ecrist> ouch
16:04 < cranky-> I'm like, you only want a mail server for better blackberry integration and you're not getting it
16:05 < cranky-> lets do hosted exchange for $220/mo and that's it, no upfront, that's it
16:05 < cranky-> now mind you this was through rackspace's hosted exchange service
16:05 < cranky-> but the owner was pissy about it because they thought I was making money on that $220
16:06 < ecrist> lol
16:06 < ecrist> let them burn, then.
16:06 < cranky-> I'm like WTF, even if I was making $110/mo on that $220, it's lowering your monthly overhead by $1600 compared to using assconnect the consultant company and saving you $15K up front
16:07 < cranky-> and I know they thought I was trying to earn on them because when I said it's a national company, blah blah bah, I got "oh, it's not your friend that does the hosting?"
16:07 < cranky-> I wanted to reach across the desk and smash faces
16:09 < cranky-> wtf, it seems like the RDP connection is making the ovpn connection drop
16:13 < cranky-> oh
16:13 < cranky-> hrm
16:13 < cranky-> it's the ping-restart
16:16 < cranky-> I think I need to reboot the remote ovpn box
16:16 < cranky-> I have a feeling I screwed around with the routes too much, I bet the keep alive pings are goofy and that's why the connection is restarting
16:17 < cranky-> set the restart interval to 90 seconds and now it's like clockwork with the restarts
16:18 < cranky-> weird
16:19 < cranky-> ssh into the box, run ping against the client ip and I'm getting 13ms trips, and the connection still drops from inactivity
16:20 < cranky-> ok, here is hoping the remote comes back up after this reboot
16:27 < cranky-> and here it goes again
16:33 < cranky-> MULTI: multi_create_instance called
16:33 < cranky-> that's the server side log
16:40 < cranky-> ok, changed the connection from udp to tcp, lets see if it's a udp issue
16:42 < ecrist> !tcp
16:42 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:44 < cranky-> well udp is disconnecting periodically
16:45 < cranky-> and TCP seems stable
16:45 < cranky-> is there a reason why the udp keepalives would be problematic?
16:45 < cranky-> oh
16:45 < cranky-> hrm
16:45 < cranky-> no
16:47 < cranky-> could it be the mtu 1400
16:47 < cranky-> I'm not quite sure how ovpn does the keep alive
16:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:59 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:09 < cranky-> yeah, the tcp connection is staying stable
17:21 < cranky-> hrmm
17:21 < cranky-> so why isn't the udp this consistent
17:21 < cranky-> over half an hour with minimal activity
17:21 < cranky-> no problems
17:22 < cranky-> on tcp
17:43 < ecrist> cable modem?
18:28 < cranky-> no, I'm on fios on this side
18:28 < cranky-> the other side is a T1
19:01 -!- ikevin_ [n=kevin@ANancy-256-1-14-248.w90-13.abo.wanadoo.fr] has quit [Read error: 145 (Connection timed out)]
19:27 -!- mRCUTEO [i=IRCLUNAT@89.18.162.93] has joined ##openvpn
19:27 < mRCUTEO> hi anyone knows how to accelerate openvpn bandwidth speed?
19:31 < cranky-> get a faster connection?
19:32 < mRCUTEO> cranky- my VPN is (10mbps) and my PC(2mbps) but my transfer is 50KB/s only using the VPN..
19:33 < Rienzilla> use udp as a transport
19:34 < mRCUTEO> yes i use udp..
19:35 < mRCUTEO> is it gotta do with the cypher encryption?
19:36 < Rienzilla> possibly, if your vpn endpoints have slow cpu's
19:41 -!- mRCUTEO [i=IRCLUNAT@89.18.162.93] has quit [Nick collision from services.]
19:41 -!- MRCUTEO [n=info@64.235.47.76] has joined ##openvpn
19:41 < MRCUTEO> how can i disable encryption in my openvpn client and server?
19:43 < MRCUTEO> im on a pentium 4 PC and my bandwidth is 2 mbps but my openvpn max transfer speed is only 512kbps.. any idea on how to increase my transfer speed?
19:44 < Rienzilla> if you're on a modern pc your bottleneck is not the encryption
19:56 < krzie> !noenc
19:56 < vpnHelper> krzie: "noenc" is if you're going to disable encryption, you might as well build a GRE tunnel
19:56 < krzie> as for your speed issues, use 2.1 and try --mtutest
20:05 < MRCUTEO> okie
20:05 < MRCUTEO> thanks for the info krzie
20:05 < krzie> you know what that will tell you?
20:06 < krzie> np man
20:08 < MRCUTEO> nope
20:08 < MRCUTEO> what will mtutest tell me?
20:08 < krzie> what your optimal MTU is
20:08 < krzie> im thinking maybe you are fragmenting
20:08 < krzie> !mtu
20:08 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test as well
20:08 < MRCUTEO> ic
20:08 < MRCUTEO> hold on
20:09 < krzie> you can use the old fashioned way if you prefer, but --mtutest will do it for you
20:10 < MRCUTEO> i must have 2.1 to do mtutest/
20:10 < MRCUTEO> i must have 2.1 to do mtutest?
20:11 < MRCUTEO> im currently using 2.0.9
20:11 < krzie> lets see
20:11 < krzie> !man
20:11 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1
20:12 < krzie> nope, looks like it is in 2.0 as well
20:12 < krzie> i thought it was 2.1 only, i was wrong
20:13 < MRCUTEO> [root@cp openvpn]# openvpn --mtutest
20:13 < MRCUTEO> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: mtutest (2.1_rc8)
20:13 < MRCUTEO> Use --help for more information.
20:18 < MRCUTEO> C:\Documents and Settings\mRCUTEO>ping www.yahoo.com -f -l 1492
20:18 < MRCUTEO> Pinging www.yahoo-ht3.akadns.net [209.131.36.158] with 1492 bytes of data:
20:18 < MRCUTEO> Packet needs to be fragmented but DF set.
20:18 < MRCUTEO> Packet needs to be fragmented but DF set.
20:18 < MRCUTEO> Packet needs to be fragmented but DF set.
20:18 < MRCUTEO> Packet needs to be fragmented but DF set.
20:18 < MRCUTEO> Ping statistics for 209.131.36.158:
20:18 < MRCUTEO> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
20:24 < krzie> so go smaller
20:24 < krzie> btw that was mtu-test
20:24 < krzie> and for usage you read the manpage
20:24 < MRCUTEO> ic
20:25 < krzie> but it goes in existing configs, without the --
20:25 < MRCUTEO> do i have to set this on the server or on my client? i bet this is for my client(windows) right?
20:25 < MRCUTEO> krzie how can i set the mtu in the openvpn server.conf?
20:25 < krzie> -mtu-test
20:25 < krzie> To empirically measure MTU on connection startup, add the --mtu-test option to your configuration. OpenVPN will send ping packets of various sizes to the remote peer and measure the largest packets which were successfully received. The --mtu-test process normally takes about 3 minutes to complete.
20:25 < krzie> you just add mtu-test
20:25 < MRCUTEO> okay
20:25 < krzie> likely just in server config
20:26 < MRCUTEO> thanks krzie
20:26 < krzie> and since your ping did not work, go lower
20:26 < MRCUTEO> okay
20:26 < MRCUTEO> both client and server?
20:26 < krzie> and im thinking that MTU is in fact your problem
20:26 < MRCUTEO> yes
20:26 < MRCUTEO> true
20:26 < krzie> likely just in server config
20:26 < krzie> but honestly i dont know
20:27 < krzie> should not be hard to find out
20:27 < MRCUTEO> mtu-test 1400 will do?
20:27 < MRCUTEO> okay
20:27 < krzie> i just pasted you the man page entry
20:27 < krzie> you dont use a number
20:27 < krzie> you just add mtu-test
20:29 < MRCUTEO> okay
20:31 * MRCUTEO restarting openvpn
20:39 -!- MRCUTEO [n=info@64.235.47.76] has quit [Nick collision from services.]
20:40 -!- mRCUTEO [n=info@118.100.168.5] has joined ##openvpn
20:40 < mRCUTEO> hi krzie
20:40 < krzie> hi
20:40 < mRCUTEO> Sat Nov 15 18:31:25 2008 TUN/TAP device tap0 opened
20:40 < mRCUTEO> Sat Nov 15 18:31:25 2008 TUN/TAP TX queue length set to 100
20:40 < mRCUTEO> Sat Nov 15 18:31:25 2008 /sbin/ip link set dev tap0 up mtu 1500
20:40 < mRCUTEO> Sat Nov 15 18:31:25 2008 /sbin/ip addr add dev tap0 10.8.0.1/24 broadcast 10.8.0.255
20:40 < mRCUTEO> i get these
20:41 < mRCUTEO> i run this in the command line: openvpn --mtu-test --dev tap0 config --server.conf
20:44 < krzie> you confuse me
20:44 < mRCUTEO> oh..
20:45 < mRCUTEO> what i do is i put mtu-test in my server.conf and the above command , is that correct?
20:46 < krzie> you dont need --dev on CLI either
20:46 < krzie> just put it in the config
20:47 < krzie> and you would use --config server.conf
20:47 < mRCUTEO> okie
20:47 < mRCUTEO> okie
20:47 < mRCUTEO> okay i restarted the server
20:48 < mRCUTEO> so what should i do to see the mtu-test ?
20:48 < mRCUTEO> Sat Nov 15 18:40:56 2008 Initialization Sequence Completed
20:49 < krzie> no idea, ive never used it
20:49 < mRCUTEO> oh
20:49 < krzie> if it does nothing, try adding it to the client too
20:50 < krzie> likely just in server config
20:50 < krzie> but honestly i dont know
20:50 < krzie> should not be hard to find out
20:50 < mRCUTEO> okay krzie thanks for the info :) maybe this is what im looking for
20:50 < mRCUTEO> yeah anyway thank u so much
20:50 < krzie> since you already started doing it manually it should be easy to find it that way
20:50 < mRCUTEO> Sat Nov 15 18:40:56 2008 Initialization Sequence Completed
20:50 < mRCUTEO> okay
20:50 < krzie> but if i needed to do it, ild be using the built in openvpn way
20:51 < mRCUTEO> okie
21:01 -!- mRCUTEO [n=info@118.100.168.5] has quit []
21:31 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
21:41 < jeev> jesus
21:41 < jeev> i'm so bored
21:41 < ropetin> Wanna do my work for me? :)
21:41 < jeev> what is it
21:41 < jeev> i have work i need to do
21:41 < jeev> well
21:41 < ropetin> :D
21:41 < jeev> i want to make something but i'm lazy
21:41 < jeev> ropetin, wanna do mine ?
21:41 < ropetin> Sure, what ya got?
21:41 < jeev> ok so i want to be able to email my server
21:41 < jeev> tell it something
21:42 < jeev> it stores it in sql
21:42 < jeev> and nice output on website
21:42 < jeev> and i can check off
21:42 < jeev> and delete
21:42 < jeev> and leave notes
21:42 < jeev> ?
21:42 < ropetin> Erm, I'll pass on that, thanks though!
21:44 < jeev> i dunno what to do!
21:44 < jeev> i can do one with bash
21:44 < jeev> but making it look nice? i dunno man
21:45 < ropetin> As long as it works, does it have to be pretty?
21:48 < jeev> yea
21:48 < jeev> i want it to be nice
21:48 < jeev> the php at least
21:50 < ropetin> In which case you don't want my help with it. I write code that makes real programmers weep
21:56 < jeev> lol
21:56 < jeev> you suck that much
21:57 < ropetin> Yup!
22:08 < jeev> heh
22:08 < jeev> awesome
22:08 < jeev> what do you code
22:08 < jeev> what lang
22:16 < ropetin> I've done a little PHP, a little scripting, I've been trying to learn Python
22:17 < ropetin> I use a Windows automation language called AutoIT, which is pretty neat
22:21 < jeev> ah
22:26 < ropetin> Yeah, not real programming!
22:30 < jeev> brfb
22:30 < jeev> brb
22:30 < ropetin> KK
22:59 < jeev> heh
22:59 < jeev> transvestite on COPS
23:02 -!- justdave [n=dave@unaffiliated/justdave] has quit ["rebooting"]
23:15 < krzie> jeev, i know that code exists for that already
23:15 < krzie> dunno what its called
23:16 < jeev> really
23:16 < jeev> shit
23:16 < jeev> find itttttttttttttt
23:16 < krzie> ya, for blogging
23:16 < jeev> come on krzie
23:16 < krzie> !google blog email
23:16 < vpnHelper> krzie: http://codex.wordpress.org/Blog_by_Email - Post to your blog using email << WordPress Codex
23:16 < jeev> krzie, how can i add shit to sql
23:16 < krzie> ild expect many blogs to not be static html but rather sql
23:17 < krzie> go google
23:17 < krzie> bbl
23:17 < jeev> damn
23:17 < jeev> you sux0r
23:31 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
23:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:58 < krzee> jeev, find anything yet?
--- Day changed Sun Nov 16 2008
00:09 < krzee> if not, http://codex.wordpress.org/Blog_by_Email#.qmail_Activation
00:09 < vpnHelper> Title: Post to your blog using email « WordPress Codex (at codex.wordpress.org)
00:10 < krzee> err, http://codex.wordpress.org/Blog_by_Email
00:10 < vpnHelper> Title: Post to your blog using email « WordPress Codex (at codex.wordpress.org)
00:10 < krzee> sorry im a qmail user so i went right to that
00:10 < krzee> hah
00:23 < krzee> !iptables
00:23 < vpnHelper> krzee: Error: "iptables" is not a valid command.
00:24 < krzee> !learn iptables as to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT
00:24 < vpnHelper> krzee: The operation succeeded.
00:27 < jeev> no
00:27 < jeev> haven't found
00:28 < jeev> but i dont want to have it go to a blogging system
00:28 < krzee> why not? it uses sql backend
00:29 < krzee> btw you know you could just steal the part you want tho
00:29 < krzee> it is a lil heavy for your needs
00:29 < jeev> yea
00:29 < jeev> shit man
00:29 < jeev> you should make one
00:29 < jeev> ;D
00:29 < krzee> hah
00:29 < krzee> but i dont care
00:29 < jeev> oh yea
00:29 < jeev> you can't do it
00:30 < jeev> i forgot
00:30 < krzee> how much you paying?
00:30 < jeev> 10 bux cash
00:31 < krzee> then ya, i cant do it
00:31 < jeev> thought so! you can't code.. i forgot!
00:31 < krzee> thats true actually
00:31 < krzee> hell im in chapter 2 of my book on C
00:31 < krzee> i make really good scripts, but im no coder
00:32 < jeev> lol
00:32 < jeev> you can't write anything in shell scripts anyway
00:32 < krzee> i could write your project in shell scripts
00:34 < krzee> i automated my old webhosting company in shell
00:34 < krzee> ive solved quite a few businesses' problems in shell
00:34 < krzee> so ild say you can do a lot in it
00:35 < krzee> ive also solved things in shell that would have been much better in C
00:35 < krzee> which is why im teaching myself C
00:42 < jeev> hmm
00:42 < jeev> ok lets see if you could do it
00:50 < krzee> do your own learning
00:50 < krzee> :p
00:52 < jeev> oh
00:52 < jeev> so you cant handle it
00:52 < jeev> its ok
00:53 < krzee> k
00:53 < krzee> ill bbl, reading
00:54 < jeev> ok cool
00:54 < jeev> it's ok
00:54 < jeev> that you dont know bash scripting
00:54 < jeev> nobody is judging you
00:54 < jeev> !
00:56 < krzee> stop trolling
00:56 < jeev> lol
00:56 < jeev> how is that trolling
00:57 < krzee> you're still trolling
00:57 < jeev> ???
01:01 < jeev> i'm too tired
01:01 < jeev> night
01:02 < krzee> nite
03:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:28 -!- ikevin [n=kevin@ANancy-256-1-93-46.w90-26.abo.wanadoo.fr] has joined ##openvpn
03:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
03:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:09 -!- subdolus [n=subdolus@subby.afraid.org] has joined ##openvpn
04:09 < subdolus> http://pastebin.com/m3544cbc
04:09 < subdolus> any ideas?
04:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
04:22 < reiffert> Cannot load certificate file /kee/client.crt
04:23 < reiffert> No such file or directory
04:27 -!- subdolus [n=subdolus@subby.afraid.org] has left ##openvpn []
08:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
10:44 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn
10:44 < Dougy> heyo
11:16 < jeev> hi
11:41 < Dougy> hi jeev
11:41 < Dougy> your vps is on echo right
11:41 < Dougy> ?
11:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:48 < jeev> yea
11:48 < jeev> my friend wanted to take me to the victoria secret fashion show
11:48 < jeev> i didn't go
11:48 < jeev> last night they were hanging out at pdiddy's house after the party
11:48 < jeev> hehe
11:48 < jeev> then again
11:48 < jeev> i always meet people
11:50 < Dougy> nice
11:50 < Dougy> jeev: http://www.webhostingtalk.com/showthread.php?t=736734
11:50 < vpnHelper> Title: Creative VPS :: Creative(!) Business Idea - Web Hosting Talk - The largest, most influential web hosting community on the Internet (at www.webhostingtalk.com)
12:01 < jeev> ok let me read
12:01 < jeev> my friend is big time
12:01 < jeev> he's black too
12:01 < jeev> i've gone everywhere, i'm kind of glad i didn't go to miami though
12:02 < jeev> people are always using him for $
12:02 < jeev> the less i cost to him, the better i feel
12:04 < jeev> should i write Dougy ?
12:04 < jeev> i should write that i saw my dhparam or something at 4096 get killed, get an email saying that i've been using high ass cpu ALL day when i had just started 2 hours ago... and it was night time already
12:11 < Dougy> ohi
12:11 < Dougy> op
12:11 < Dougy> o.o
12:11 < Dougy> lol jeev
12:11 < Dougy> if you want to
12:12 < jeev> what do you think
12:12 < Dougy> i wouldnt go against the host
12:12 < Dougy> dh2048 took like 10 sec for me
12:12 < jeev> i dunno
12:12 < Dougy> then again it was only one cert
12:12 < Dougy> :<
12:12 < jeev> mine was too
12:13 < Dougy> this was after he said he fixed the load
12:13 < Dougy> the 10 sec
12:13 < jeev> let me see
12:13 < jeev> it just happened to me
12:14 < jeev> at least 5 seconds
12:14 < jeev> for /etc
12:14 < Dougy> odd
12:14 < Dougy> instant for me
12:14 < jeev> i keep forgetting to time ls /etc
12:14 < jeev> then when i do it with time
12:14 < jeev> it works
12:14 < jeev> lol
12:15 < jeev> god i love rsync over ssh
12:15 < Dougy> huh?
12:15 < jeev> what
12:16 < jeev> dood
12:16 < jeev> crucialwebhost has been awesome
12:16 < jeev> apparently my 1 year ran out
12:16 < jeev> without a single email
12:16 < jeev> they suspended me.
12:16 < Dougy> lol
12:16 < Dougy> my customers love me
12:17 < Dougy> i'm the most flexible person
12:17 < jeev> gaywebhost.com ?
12:17 < Dougy> noe
12:17 < jeev> so i shouldn't post ?
12:17 < Dougy> nah
12:18 < Dougy> if youre gonna be negative dont
12:18 < Dougy> joe says nat is fine on other vps's
12:18 < Dougy> :<
12:18 < jeev> well
12:18 < jeev> not on ours.
12:18 < jeev> tell him to iptables -t nat -L
12:18 < jeev> and paste.
12:20 < Dougy> he knows
12:20 < Dougy> http://radiotime.com/station/s_28671/WFAN_660.aspx
12:20 < vpnHelper> Title: WFAN - The Fan 660 AM New York, NY - Listen Online (at radiotime.com)
12:20 < Dougy> yesssssss
12:20 < Dougy> giants game
12:20 < Dougy> =d
12:21 < jeev> gay
12:21 < jeev> giants are lame
12:21 < Dougy> giants win
12:31 < Dougy> YES
12:31 < Dougy> giants blocked a FG
13:03 -!- lyxan [n=zer0pyth@24-116-157-169.cpe.cableone.net] has quit [Read error: 60 (Operation timed out)]
13:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:46 -!- lchiessi [n=zorra@189.60.78.196] has joined ##openvpn
14:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
14:08 < jeev> Dougy
14:08 < jeev> there's a problem with this server man
14:08 < jeev> the poster is right
14:08 < jeev> we shouldn't have issues when others
14:09 < jeev> pass their limits
14:33 < troy-> jeev, douglas gets passed around at the office a lot ;)
14:34 < Dougy> o.o
14:34 < Dougy> hey troy-
14:34 < Dougy> what brings you here?
14:34 < Dougy> jeev, o.O
14:34 < Dougy> i dont have any problems
14:34 < troy-> jeev helps me with iptables
14:35 < Dougy> lol
14:35 < Dougy> jeev
14:35 < Dougy> helping someone
14:35 < Dougy> that's funny
14:37 < jeev> Dougy
14:37 < jeev> i feel like for the community
14:37 < jeev> i should post
14:45 < Dougy> doooooo ittt
14:45 < Dougy> Record Uptime: 4w 13h 11m 17s set on Thu Oct 09 16:17:38 2008
14:45 < Dougy> Uptime: 1 days 23 hours 20 minutes 51 seconds
14:49 < troy-> 14:49:17 up 409 days, 13:32, 2 users, load average: 0.00, 0.04, 0.07
14:49 < jeev> gay
14:51 < Dougy> nice troy
14:52 < troy-> its missing a kernel patch of three
14:52 < troy-> err or
14:57 < Dougy> lol
15:00 < jeev> Dougy
15:08 < Dougy> ?
15:08 < jeev> you suck
15:08 < Dougy> ?
15:09 < Dougy> if you're going to make false claims, back them up
15:09 < jeev> i'm not
15:09 < jeev> about you sucking?
15:09 < jeev> ;D
15:09 < Dougy> only for one person
15:09 < jeev> what you mena
15:09 < Dougy> hmm
15:09 < jeev> mean
15:09 < Dougy> you could definitely take that the wrong wa
15:09 < Dougy> y
15:09 < jeev> dood, i need something to eat
15:10 < Dougy> so go get food you retard
15:10 < jeev> from where
15:11 < Dougy> a takout ple
15:11 < Dougy> ..
15:11 < Dougy> takeout place
15:12 < jeev> eh
15:12 < jeev> i want subway
15:13 < Dougy> i want some kind of food
15:13 < Dougy> all i had was a piece of jake's pizza that i stole
15:13 < Dougy> before
15:13 < Dougy> at like 10
15:14 < jeev> heh
15:14 < jeev> how'd you steal it
15:14 < jeev> lol
15:16 -!- lchiessi [n=zorra@189.60.78.196] has quit ["was using ×|ZorraScript 2006|x, which can be copied from www.zorrascript.c"]
15:22 < Dougy> he went into the DC
15:22 < Dougy> i ran over, grabbed slice, and bolted
15:32 < jeev> LOL
15:33 < jeev> shut up
15:33 < jeev> oh
15:33 < jeev> who's jake
15:33 < jeev> jake the plumber?
15:34 < Dougy> nope
15:34 < Dougy> IS tech
15:34 < jeev> oh
15:34 < jeev> did he know it was midssing
15:34 < Dougy> no idea
15:34 < Dougy> they hired some new nigger who knew 0 about unix
15:34 < Dougy> he asked me how to start a cpanel install the other day
15:35 < Dougy> and then another day "i dont have root password to log in, how do i reboot the server?"
15:35 < Dougy> and we had to show him how to do a centos cd install
15:35 < jeev> lol
15:35 < Dougy> i'm like "dude wtf i bet interserver pays better, they should hire me"
15:35 < jeev> how much they pay
15:35 < Dougy> no idea
15:35 * Dougy gets $9.25/hr
15:35 < Dougy> man
15:35 < Dougy> i love how the $ looks in mIRC
15:36 < jeev> loll
15:37 < Dougy> man
15:37 < Dougy> women
15:37 * Dougy was laying on the couch with his gf last night
15:37 < jeev> o0o0o
15:37 < Dougy> the bitch nearly killed me
15:37 < jeev> kiki
15:37 < jeev> lol
15:37 < Dougy> she sat up
15:37 < Dougy> and
15:37 < Dougy> her weight
15:37 < Dougy> -->
15:37 < Dougy> my balls
15:37 < jeev> how do you call your girlfriend a bitch
15:37 < jeev> thats why americna's are fucked up
15:37 < Dougy> dude
15:37 < Dougy> when you go to her house and eat dinner
15:37 < Dougy> her parents go
15:38 < Dougy> "hey whore, pass the milk'
15:38 < jeev> are you serious
15:38 < Dougy> yes
15:38 < jeev> i'll never say that
15:38 < jeev> to my girlfriend
15:38 < jeev> once again
15:38 < Dougy> and her brother's are "cocksucking faggots"
15:38 < Dougy> brothers*
15:38 < jeev> that's why american's have 50 % divorce rate
15:38 < Dougy> lol
15:38 * Dougy shrugs
15:38 < Dougy> i would never call my gf a bitch unless she inflicts physical pain like that
15:38 < jeev> i dont care
15:38 < Dougy> im still huring
15:38 < jeev> the worst i'l go is
15:38 < jeev> dork
15:38 < Dougy> s/huring/hurting/
15:38 < Dougy> lol
15:38 < Dougy> i get called that about every 2 minutes
15:38 < Dougy> ~
15:39 < jeev> i need to use that VPS
15:39 < jeev> or i'm paying for nothing
15:39 < Dougy> make it a dns server
15:39 < Dougy> i have nagios, cacti, bind, and soon openvpn on there
15:40 < jeev> i wouldn't trust him with dns
15:40 < jeev> anything tha tlinks me to my business or name
15:40 < jeev> i wont
15:40 * Dougy shrugs
15:41 -!- es-web [n=esben@90.185.248.123] has joined ##openvpn
15:41 < Dougy> i have my rdns hosted on there
15:41 < jeev> duno
15:41 < Dougy> rdns, cacti, nagios, openvpn?
15:41 < jeev> i'll just host some shit on it i guess
15:41 < jeev> some files
15:41 < jeev> 400 gigs transfer
15:41 < jeev> is cool
15:42 < es-web> Hi, im not sure that this is the right place, but I using ubuntu to connect to an openvpn server. Is there a GUI for Gnome to manage openvpn connections?
15:44 < Dougy> es-web: i hvent really checked, but i'm fairly sure networkmanager supports it
15:44 < Dougy> es-web: http://blogs.ubuntu-nl.org/dennis/2007/03/11/easy-openvpn-with-network-manager-in-feisty/
15:44 < vpnHelper> Title: Steady as a rock » Blog Archive » Easy openvpn with network-manager in feisty (at blogs.ubuntu-nl.org)
15:45 < es-web> Dougy, the problem is that i only got an p12 file and not CA, Certificate, Key from the server
15:46 < Dougy> i can't help you then
16:51 < jeev> sup
16:51 < jeev> i went shopping
16:51 < jeev> i spent 140 bux
16:51 < jeev> and didn't end up getting anything i could immediately eat
16:51 < jeev> other than junk
16:59 < Dougy> im out
16:59 < Dougy> cya
16:59 < jeev> bye
17:33 -!- xororand [n=flatFev7@unaffiliated/xororand] has joined ##openvpn
18:14 -!- es-web [n=esben@90.185.248.123] has quit [Read error: 145 (Connection timed out)]
18:15 < xororand> helpful topic. solved my problem ;)
18:20 < krzie> heheheheh
18:20 < krzie> nice
18:20 < krzie> what was it?>
18:20 < xororand> my client firewall
18:20 < krzie> ahh, very common
18:21 < xororand> it was missing a rule to allow incoming packets related to outgoing connections
18:32 -!- xororand [n=flatFev7@unaffiliated/xororand] has quit ["WeeChat 0.2.7-dev"]
18:32 -!- xororand [n=flatFev7@unaffiliated/xororand] has joined ##openvpn
18:33 -!- xororand [n=flatFev7@unaffiliated/xororand] has quit [Client Quit]
19:18 < jeev> heh
19:18 < jeev> i'm rdpd from linux
19:18 < jeev> i should use my suse enterprise dekstop more often
19:19 -!- Plazma [n=Plazma@about/apple/TiBook/Plazma] has joined ##openvpn
19:22 -!- Plazma [n=Plazma@about/apple/TiBook/Plazma] has left ##openvpn ["Boogity Boogity moo?"]
19:32 < cranky-> hah
19:32 < cranky-> I think I figured out why udp was flaking out
19:32 < cranky-> my notebook was connected also
19:32 < krzie> whys that
19:33 < cranky-> two clients battling it out to restore the connection
19:33 < cranky-> I noticed it by accident
19:33 < cranky-> I went to reboot the notebook and the ovpn client popped up
19:33 < cranky-> I was like holy shit
19:34 < cranky-> I really didn't want to switch to udp because I have one pita user that is already set up
19:35 < cranky-> restored the connection
19:35 < cranky-> lets see if it restarts
19:36 < cranky-> looks like I fixed a bunch of little problems I hadn't noticed
19:36 < krzie> oh you had 2 using same cert?
19:36 < cranky-> yeah, no idea why that other computer was connected
19:36 < cranky-> must have been connected for days
19:36 < krzie> ahh
19:36 < cranky-> the funny thing about the udp connection is that since it's kind of stateless, when I switched it to tcp and back and forth that connection just kept reconnecting itself
19:37 < cranky-> and it was stealing the pings from this clinet
19:37 < cranky-> if I rememberred the password for the other user profile to that remote site it wouldnt' have happened
19:37 < cranky-> hrmmm looks like that was the problem
19:38 < cranky-> so far I'm like 3 minutes in and no reconnect
19:38 < cranky-> I was getting reconnected at the ping-restart interval plus or minus 15-20 seconds
19:38 < cranky-> which is what was throwing me off but I kept changing the server config to see if the restarts changed frequency, and they did, just not on the second
19:40 < cranky-> hrmm
19:40 < cranky-> 6 minutes and no restart
19:40 < cranky-> I'm fairly confident that was the source of the headache
19:40 < cranky-> which is good, now I don't have to deal with PITAUFH
19:49 < cranky-> yeah, that was the problem, 23 minutes no disco
19:49 < cranky-> before I couldn't get 3 minutes without reconnecting
19:49 < cranky-> yay
19:56 < jeev> Dougy
19:56 < jeev> i got annoyed at the harassment of that guy on th epost
19:56 < jeev> so i just posted
19:56 < jeev> and i said i dont care if i get removed
20:15 < troy-> which forum?
20:22 < jeev> webhostingtalk
20:45 < jeev> Dougy
20:45 < jeev> i feel bade
20:45 < jeev> bad
20:45 < jeev> but i havfe to say it yo uknow
20:45 < jeev> i feel bad for both people
20:45 < jeev> i said it, now it's done
20:45 < jeev> i dont like seeing bullying
20:53 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Nick collision from services.]
20:53 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
20:55 -!- Luria [n=Abulafia@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Client Quit]
21:13 < troy-> jeev, ah ya gotta love wht
21:14 < jeev> heh
21:15 * krzie never been there\
21:15 < jeev> i wouldn't even LET YOU THERE!
21:16 < krzie> oh noes
21:17 < jeev> krzie, you sound like the gay guy from family guy
21:17 < krzie> i dont really watch tv
21:17 < krzie> i like family guy but never seen a gay guy on there
21:17 < krzie> i guess it makes sense youd remember him tho
21:19 < jeev> heh
21:19 < jeev> cause his voice is hilarious
21:19 < jeev> he goes
21:19 < jeev> oh nooooo
21:35 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
22:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:58 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)]
23:59 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has joined ##openvpn
--- Day changed Mon Nov 17 2008
00:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:18 -!- jeffspeff [i=jeff@c-98-240-113-191.hsd1.ky.comcast.net] has joined ##openvpn
01:19 < jeffspeff> in 2.1rc14 does the one IP per computer feature work on windows systems?
01:19 < jeffspeff> topology subnet feature, allowing intuitive tun-based VPN subnets having 1 IP address per clien
01:27 < reiffert> The manpage knows more about that topic.
01:30 < jeffspeff> reiffert, are you referring to a *nix manpage?
01:31 < reiffert> jeffspeff: right.
01:31 < jeffspeff> windows systems don't have that
01:31 < reiffert> jeffspeff: you can find it in html format right on openvpn.net
01:31 < jeffspeff> reiffert, ok, thanks
01:33 < reiffert> Oh, and check out the changelog file.
01:42 -!- es-web [n=esben@90.185.248.123] has joined ##openvpn
01:49 < reiffert> jeffspeff: did you find it?
01:59 -!- Luria [n=trashed@pool-162-84-196-231.ny5030.east.verizon.net] has quit [Read error: 110 (Connection timed out)]
02:23 -!- rycar [n=rycar@adsl-75-54-140-160.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
02:38 -!- rycar [n=rycar@adsl-75-54-140-160.dsl.bkfd14.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
02:53 < krzee> !man
02:53 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1
02:53 < krzee> !betaman for you
02:53 < vpnHelper> krzee: Error: "betaman" is not a valid command.
02:53 < krzee> err
02:53 < krzee> !betaman
02:53 < vpnHelper> krzee: "betaman" is http://www.openvpn.net/man-beta.html
02:53 < krzee> and yes, topology subnet works for windows
02:54 < krzee> otherwise it would be = to topology p2p
03:12 < krzee> http://www.switched.com/2008/11/14/why-you-should-never-try-to-steal-a-law-students-laptop/?rss
03:12 < vpnHelper> Title: Why You Should Never Try to Steal a Law Student's Laptop - Switched (at www.switched.com)
03:51 -!- jeffspeff [i=jeff@c-98-240-113-191.hsd1.ky.comcast.net] has quit [Read error: 60 (Operation timed out)]
03:52 < krzee> * Fixed some ifconfig-pool issues that precluded it from being combined
03:52 < krzee> with --server directive.
03:52 < krzee> Now, for example, we can configure thusly:
03:52 < krzee> server 10.8.0.0 255.255.255.0 nopool
03:52 < krzee> ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
03:52 < krzee> to have ifconfig-pool manage only a subset
03:52 < krzee> of the VPN subnet.
04:58 -!- lyxan [n=zer0pyth@24-116-157-169.cpe.cableone.net] has joined ##openvpn
05:06 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:47 -!- stephenh [i=stephen@69.30.200.88] has joined ##openvpn
05:50 -!- Federico2 [n=Fede@193.200.193.239] has joined ##openvpn
05:51 < Federico2> hi there
06:02 -!- brutopia [n=user@backport.ri.fi] has joined ##openvpn
06:02 < brutopia> hello
06:02 < reiffert> krzee: but the manpage says:
06:03 < brutopia> can I have three linux boxes A, B and C where there are connections only between A -> B and B -> C and create private subnet so that A could connect directly to C?
06:03 < brutopia> with openvpn
06:03 < reiffert> krzee: however, he was asking "one IP per computer feature"
06:04 < reiffert> brutopia: use routes to have A send packets to B, which knows how to send them to C.
06:05 < reiffert> Given that A ->B and B->C is fixed, that is one possible solution.
06:05 < reiffert> Another might be connecting A->C, but however.
06:05 < brutopia> is there any solution for cases where the links are not fixed
06:06 < reiffert> more input required.
06:06 < brutopia> reiffert --help
06:09 < reiffert> :~$ reiffert --help
06:09 < reiffert> -bash: reiffert: command not found
06:09 < Federico2> anyone here had any experience on running routing protocols on top of meshed openvn networks?
06:10 < brutopia> +1
06:13 < Federico2> ?
06:14 < reiffert> !
06:14 < Federico2> *
06:14 < reiffert> invalid character.
06:25 < Federico2> ^H
06:27 < ecrist>
06:28 < ecrist> Federico2: why would there be a problem?
07:12 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
07:42 < ecrist> morning pa
08:06 -!- sledgeas [n=sledge@unibz.it] has joined ##openvpn
08:06 < sledgeas> hello
08:07 < sledgeas> I have instructions how to connect to my workplace VPN through windows network connections (asks for company namy->ip->user/pass). how do i connect to it through my gentoo? i edit /etc/openvpn/default.conf but i dont know group_id etc..
08:09 < ecrist> sledgeas: that vpn is PPTP, look for PPTP linux in the goog and see what it says.
08:09 < ecrist> that's not an openvpn connection
08:10 -!- sledgeas [n=sledge@unibz.it] has quit [Connection reset by peer]
08:11 -!- sledgeas [n=sledge@unibz.it] has joined ##openvpn
08:12 < sledgeas> soz i got disconnected. were there any comments on my vpn work-win->gentoo question?
08:28 -!- sledgeas [n=sledge@unibz.it] has quit [Read error: 145 (Connection timed out)]
08:44 -!- sledgeas [n=sledge@unibz.it] has joined ##openvpn
09:04 -!- ikevin_ [n=kevin@ANancy-256-1-52-42.w90-26.abo.wanadoo.fr] has joined ##openvpn
09:05 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:05 < onats> hey all
09:11 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn
09:22 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)]
09:23 -!- ikevin [n=kevin@ANancy-256-1-93-46.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
09:28 < lyxan> is it possible for openvpn to maintain connection between two points if the connection between the two points change?
09:28 < lyxan> (ie: MPLS goes down, swap to backup internet?)
09:31 -!- sledgeas [n=sledge@unibz.it] has quit ["Leaving."]
10:13 < ecrist> lyxan: sure, openvpn, by default, doesn't care how it gets from one point to another.
10:13 < ecrist> sledgeas: that vpn is PPTP, look for PPTP linux in the goog and see what it says.
10:13 < jeev> hi ecrist
10:14 < lyxan> ecrist, is the configuration I need to do that in the docs some where?
10:16 < lyxan> I'm sure it is
10:16 * lyxan goes off to look
10:16 < jeev> ecrist, i noted openvpn vpn connection in suse
10:16 < jeev> i'm so excited!
10:16 * jeev is excite!
10:17 < ecrist> lyxan: no configuration needed, just retry infinite, when it's able to connect, it will
10:17 < lyxan> guess I just do server 10.10.21.31, and server 68.x.x.x?
10:17 < lyxan> for "failover" configuration
10:18 < lyxan> cool
10:19 < lyxan> this should make things even easier then
10:19 < lyxan> was thinking I was gonna need to write a script when infact all I really need to do is setup openvpn, and walk away :D
10:29 -!- ebil|work [n=andy@216.64.93.22] has joined ##openvpn
10:29 < ebil|work> Hi again.
10:30 < ebil|work> So, I've managed to narrow down my problem (maybe)
10:30 < ebil|work> I've had a bunch of iptables people look at my firewall settings, and the only thing my firewall is doing right now is NAT translation
10:32 < ebil|work> I still have the following problem though: machines from the client side network can all access machines on the server side network, however, machines on the server side network cannot access machines on the client side network. I am using the ccd, route, and iroute directives, but still no luck. after doing a bunch of network testing, I've discovered that if I ping the client from the server (on the internal 192.168.x.x address) the packets never even
10:32 < ebil|work> reach the client
10:33 < ebil|work> I'm at a loss as I've been futzing with this for a couple weeks now
10:34 < ebil|work> Hmmm... actually. I think it may be a routing issue on the router. not a firewall issue...
10:36 < ebil|work> bah
10:37 < reiffert> allright, let me login, let"s share a screen session and fix the thing.
10:40 < ebil|work> I would, but I'm at work :\ I'll try to hop on when I get home
10:40 < reiffert> When will that be?
10:40 < ebil|work> 7pm EST most likely :\
10:41 < reiffert> Sounds like 1:20h from now.
10:41 < ebil|work> umm. that's about... 7 hours from now
10:41 < ebil|work> what timezone are you on?
10:41 < reiffert> Ah well, I should have known EST is not European Summer Time :)
10:41 < ebil|work> heh
10:41 < reiffert> I'm on GMT+01
10:42 < ebil|work> ok, -5 here
10:42 < reiffert> Ah well, I think I'm allready to bed then.
10:43 < ebil|work> yeah... I'll try to get a little more data together. I think my routing/network setup at my parents house was so horrendously f'd up, that it's breakign everything
10:44 < reiffert> It might be of help when you show up with ifconfig, client/server conf, firewall config, routing tables and openvpn server/client logfiles.
10:45 < ebil|work> I'll get that ready tonight, I'll also add some tcpdump logs (I found that tcpdump DOES show packets even if they are dropped by iptables, since they hit tcpdump first)
10:46 < reiffert> That depends, but however.
10:48 < jeev> hey guys
10:48 < jeev> i dunno if this be normal
10:48 < jeev> i copied my config from /windows/C :)
10:48 < jeev> when i traceroute soething that has a route
10:48 < jeev> it shows the first hop
10:49 < jeev> every hop until the end shows *
10:49 < jeev> and it shows the hostname/ip of the target in the traceroute
10:49 < jeev> ultimately, it's going through the tunnel, but why are the routes not working
10:49 < jeev> or showing
10:51 -!- ebil|work [n=andy@216.64.93.22] has quit ["Leaving"]
11:04 -!- plaerzen [n=cam@vip2.tundraeng.com] has joined ##openvpn
11:26 < ecrist> hey plaerzen
11:26 < ecrist> jeev: NAT
11:26 < plaerzen> hey ecrist
11:31 < krzee> [08:03] krzee: however, he was asking "one IP per computer feature"
11:31 < krzee> reiffert, ya, topology subnet was good, what i pasted from changelog was unrelated
11:31 < krzee> but it was cool and from newest changelog, so i decided to paste it
11:32 < krzee> cause it was from today
11:32 < reiffert> krzee: yeah :)
11:32 < reiffert> !help
11:32 < vpnHelper> reiffert: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
11:33 < reiffert> krzee: should we add something like e.g. "paste client/server conf, ifconfig, route, firewall settings and whatever to someplace"?
11:35 < ecrist> reiffert: could set it as entry msg
11:36 < reiffert> I hate entry messages ... but when the majority is vorting for it ...
11:36 < reiffert> s,vorting,voting,
11:37 < krzee> !config
11:37 < vpnHelper> krzee: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
11:37 < krzee> !conf
11:37 < vpnHelper> krzee: Error: "conf" is not a valid command.
11:37 < krzee> wtf
11:37 < krzee> !configs
11:37 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
11:37 < krzee> there it is
11:37 < krzee> etc etc
11:37 < reiffert> etc?
11:37 < krzee> !factoids search *
11:37 < vpnHelper> krzee: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'routes', 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', (2 more messages)
11:37 < krzee> !more
11:37 < vpnHelper> krzee: 'download', '', 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'mitm', 'hmac', 'winipforward', 'help', 'topology', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', (1 more message)
11:37 < krzee> !more
11:37 < vpnHelper> krzee: 'dhcp', 'chooseip', 'irclogs', 'noenc', and 'iptables'
11:37 < reiffert> grep -vE '#'
11:37 < reiffert> sorry.
11:38 < reiffert> grep -vE '^#'
11:39 < reiffert> configs is please pastebin your client and server configs (with comments removed, that is grep -vE '^#' client.conf), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles.
11:39 < krzee> we dont usually want all that info
11:39 < krzee> !all
11:39 < vpnHelper> krzee: Error: "all" is not a valid command.
11:40 < krzee> !learn all as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
11:40 < vpnHelper> krzee: The operation succeeded.
11:40 < krzee> there you go
11:40 < reiffert> krzee: well .. I do. People try to explain stuff they dont know and omit the intresting parts, so I have to ask and ask and ask...
11:41 < reiffert> krzee: you're my man, thanks!
11:41 < krzee> np =]
11:42 -!- Dryanta [i=dryanta@66.252.23.192] has joined ##openvpn
11:42 < krzee> !chooseip
11:42 < vpnHelper> krzee: "chooseip" is OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). 2 -- Use --client-config-dir file for static IP (next choice). 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice).
11:42 < Dryanta> ok
11:42 < Dryanta> my openvpn setup just crapped out
11:42 < krzee> hey Dryanta
11:42 < Dryanta> halp plz
11:42 < Dryanta> hola
11:42 < krzee> whats the problem?
11:42 < Dryanta> Options error: --client-to-client requires --mode server
11:42 < Dryanta> i changed the config naught
11:43 < krzee> !configs
11:43 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
11:43 < krzee> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn.
11:43 < vpnHelper> krzee: The operation succeeded.
11:44 < krzee> !forget configs 1
11:44 < vpnHelper> krzee: The operation succeeded.
11:50 -!- tarvid [n=tarvid@dpc6935139037.direcpc.com] has joined ##openvpn
11:55 < krzee> Dryanta, gunna paste your configs?
11:56 < jeev> krzie
11:57 < jeev> ecrist
11:57 < jeev> NAT is on
11:57 < Dryanta> krzee: ya
11:57 < krzee> holy shit jeev is on topic
11:57 < Dryanta> i had some craziness a minute ago
11:57 < krzee> ahh i gotchya Dryanta
11:57 < Dryanta> theres this really hott girl in our office, and she had an issue
11:57 < Dryanta> so i had to see whats up you know :)
11:58 < krzee> hahahah
11:58 < jeev> when i traceroute
11:58 < krzee> werd
11:58 < jeev> the first hop is my ip
11:58 < jeev> is the gw
11:58 < jeev> every hop after that is *
11:58 < jeev> then last hop, if icmp is enabled, will show
11:58 < jeev> but it goes through the tunnel
11:58 < jeev> wtf is that about
12:00 < Dryanta> http://pastebin.ca/1259467
12:00 < Dryanta> configs have not changed since i first set it up in june
12:00 < Dryanta> working like a dream until this morning
12:00 < Dryanta> cor still has openvpn running and tun up
12:01 < Dryanta> sacto even after reboot still dies with that error i pasted earlier
12:03 < krzee> umm
12:03 < reiffert> I'd say get a recent openvpn, but maybe thats just me.
12:03 < krzee> this looks like a single p2p connection
12:03 < jeev> wack
12:03 < krzee> not a client/server setup
12:03 < ecrist> jeev: you're missing a route somewhere
12:04 < krzee> ecrist, did you catch he said the last hop shows up in his traceroute?
12:04 < ecrist> oh, no
12:04 < ecrist> that imply I read the whole thing
12:04 < krzee> hehehe
12:04 < krzee> Dryanta, there more than 2 machines on this vpn?
12:04 < Dryanta> no
12:05 < krzee> just remove client-to-client from both
12:05 < krzee> it is for a diff type of setup
12:05 < Dryanta> wai did it work before? heh
12:05 < krzee> its for server/client, you are using p2p
12:05 < krzee> cause you didnt have those options
12:05 < krzee> and someone changed the config since
12:05 < krzee> but it was still running so you didnt know
12:06 < Dryanta> Options error: Parameter priv_key_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
12:06 < krzee> if you wanted to you could beef it up tho
12:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:07 < jeev> i'm not missing a route
12:07 < Dryanta> wth
12:07 < jeev> what is wth
12:07 < Dryanta> i did a open vpn key so i didnt have to do that bullshit
12:07 < Dryanta> what the hell
12:07 < krzee> Dryanta, you willing to re-do your setup? if you leave the p2p behind you could have more security
12:07 < krzee> and i could help you better too, ive never even though of using a p2p setup
12:08 < krzee> i know you from #freebsd so ild recommend ssl-admin for making the certs and whatnot
12:08 < krzee> made by ecrist
12:08 < krzee> !ssl-admin
12:08 < vpnHelper> krzee: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
12:08 < krzee> its even in ports iirc
12:08 < krzee> !sample
12:08 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
12:09 < ecrist> yes, in ports, but outdated.
12:09 < Dryanta> krzee: i need no more security hah
12:09 < ecrist> one of these days Ill update the port.
12:09 < Dryanta> i tried ssl admin it didnt work
12:09 < krzee> you have no HMAC verification
12:09 < Dryanta> its a 256bit key
12:09 < Dryanta> or 1-24 or 2048 or something
12:10 < Dryanta> and my site is straight up down
12:10 < Dryanta> i used openvpn for that p2p setup because ipsec is not working right on that box
12:10 < Dryanta> i dont need any more complexity, i need more simplicity
12:11 < Dryanta> im tearing vpn out of the network entirely in a month or 2
12:11 < ecrist> go straight IPsec, then.
12:11 < jeev> ecrist
12:11 < Dryanta> ecrist: no, ipsec is broke on that box
12:11 < Dryanta> something about the ipsec vpn is not right and i could not figure out why
12:11 < krzee> well with ptp you dont use key
12:11 < krzee> with ptp you use secret
12:11 < Dryanta> krzee: uhm, it is a secret
12:11 < krzee> your configs must have been dramaticly changed
12:12 < Dryanta> i did something off the openvpn site
12:12 < Dryanta> no this is the same config that has been working since jun 16
12:12 < krzee> key /usr/local/etc/openvpn/key
12:12 < krzee> secret /usr/local/etc/openvpn/key
12:12 < krzee> see the diff?
12:12 < Dryanta> where?
12:13 < krzee> you are NOT connecting any lans behind the boxes, right?
12:14 < krzee> because a ptp setup cant do that
12:14 < Dryanta> it is
12:14 < ecrist> krzee: why couldn't it
12:14 < ecrist> ?
12:14 < Dryanta> yes it can
12:15 < Dryanta> if you route
12:15 < Dryanta> again
12:15 < jeev> ecrist, any idea why routes are'nt showing until the last hop ?
12:15 < Dryanta> THIS HAS WORKED FINE FOR MONTHS
12:15 * ecrist sets mode +dufus krzee
12:15 < jeev> maybe it's the firewall
12:15 < jeev> hmm
12:15 < ecrist> Dryanta: no need to yell.
12:15 < Dryanta> its just that you guys dont believe me, it has worked
12:15 < Dryanta> no configs have changed
12:15 < Dryanta> ls -l proves that
12:16 < ecrist> Dryanta: *something* changed.
12:16 < Dryanta> so arguments openvpn took before its not taking now
12:16 < Dryanta> which makes no sense to me
12:16 < ecrist> things don't just stop working
12:16 < krzee> oh ok, i guess its only iroute you cant use
12:16 < krzee> ive never used ptp setup, and its unlikely i ever will
12:16 < jeev> not the firewall
12:17 < krzee> Dryanta, your configs must have changed cause those configs would have never worked
12:17 < Dryanta> krzee: then explain to me why openvpn is running on cor
12:17 < Dryanta> with taht config :P
12:17 < krzee> there was never a time client-to-client worked with --server
12:17 < krzee> err without
12:17 < Dryanta> [root@cor /var/log]# ps -ax |grep open
12:17 < Dryanta> 66971 p1 R+ 0:00.00 grep open
12:17 < Dryanta> 68172 p5- S 3:11.77 openvpn --remote 75.25.xx.xx --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --secret key
12:17 < krzee> and there will never be one either, cause it would not make sense
12:18 < krzee> see!
12:18 < krzee> --secret key
12:18 < krzee> your configs have key key
12:18 < krzee> it should be secret, like i told you
12:18 < jeev> my question has been left unanswered, this is weird
12:18 < krzee> maybe thats why, it must have been running from commandline and not using the configs
12:19 < krzee> someone got it up at CLI and prolly stopped working on the configs and never fixed them
12:19 < krzee> notice it is running without using a config file...
12:23 < krzee> so switch --key to --secret and remove --client-to-client from configs
12:23 < krzee> you should be up and running
12:23 < krzee> btw its time to upgrade ;)
12:24 < krzee> jeev, somewhere a route is blocking the ICMP type that corresponds to traceroute
12:24 < krzee> i forget which that is
12:24 < krzee> 8 sounds right, but its been yrs
12:26 < krzee> nope thats echo, i guess its 30 (RFC1393)
12:28 < jeev> where is somewhere
12:28 < jeev> hm
12:28 < jeev> you know what, i'm tired of not routing everything
12:28 < jeev> i want to pull/push everything
12:28 < jeev> and the one that i dont want to pull/push gateway
12:29 < jeev> dood, my screen keeps getting bright and dim
12:29 < jeev> wtf POS laptop
12:29 < krzee> [14:28] i want to pull/push everything
12:29 < krzee> [14:28] and the one that i dont want to pull/push gateway
12:29 < krzee> huh?
12:33 < jeev> hold up
12:47 < jeev> ok now the traceroutes work
12:47 < jeev> i just made it push/pull
12:47 < jeev> so the gateway is default now
12:47 < jeev> instead of selective routes
12:55 -!- Mark17 [n=mark@vnc.tt.streamservice.nl] has joined ##openvpn
13:04 < Mark17> hello, is the following possible and if yes should i use dev tun or dev tap? i want on 2 locations an server with openvpn and have all ips from 1 location to be available at the other location (so i can use the ips at the other location) and a new subnet will be created so both locations can also connect to each other using internal ips (10.x.x.x range)
13:05 < Mark17> i cannot find this in the online manual/howto
13:07 < ecrist> I don't understand what you're trying to describe.
13:07 < ecrist> if you want both locations to share one single subnet, use tap 13:08 < ecrist> if you want each location to have separate subnets, but be routable to eachother, use tun 13:08 < Mark17> both locations now have different subnets, in the future i want it to have all subnets to be available at both locations 13:08 < ecrist> Mark17: that's done through routing. 13:09 < Mark17> ecrist: well the gateway for subnet 1 is only available at location 1 and the gateway for subnet 2 is only available at location 2 and in the future they should share 1 internal subnet 13:10 < ecrist> then use tap 13:11 < krzee> !route 13:11 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:11 < krzee> that is an example of how to link multiple lans so they are routable to eachother 13:12 < krzee> if you actually need them on same subnet, tap 13:12 * ecrist thinks Mark17 doesn't fully understand that which he is asking. 13:12 < krzee> but you likely want !route 13:12 * krzee agrees 13:12 -!- tarvid [n=tarvid@dpc6935139037.direcpc.com] has quit ["Leaving"] 13:15 < Mark17> i will make an image to explain what i want 13:21 -!- mRCUTEO [n=info@124.82.101.159] has joined ##openvpn 13:21 < mRCUTEO> ls 13:21 < Mark17> http://www.streamservice.nl/openvpn.jpg 13:21 < Mark17> it should be possible i think 13:21 < Mark17> all ips should be available at all locations 13:29 < krzee> did you read !route 13:29 < krzee> !route 13:29 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:29 < krzee> see picture at bottom 13:30 < krzee> time for me to go 13:30 < krzee> adios 13:30 < krzee> bbl 13:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 13:52 -!- mRCUTEO [n=info@124.82.101.159] has quit [Read error: 110 (Connection timed out)] 14:40 -!- dlewis [i=c7340d68@about/security/staff/dlewis] has joined ##openvpn 14:49 -!- Cugel [n=Cugel@unaffiliated/cugel] has joined ##openvpn 14:49 -!- cpm 
[n=Chip@pdpc/supporter/active/cpm] has quit [] 14:50 < Cugel> Hello people. Anyone who can help me fix something? 14:51 < ecrist> sure 14:51 < ecrist> be fast 14:51 < Cugel> Oh I'll ask later, I'll return. Seems I need to fix some other stuff first. 14:51 < ecrist> kk 14:51 * ecrist goes home. 14:52 -!- Cugel [n=Cugel@unaffiliated/cugel] has left ##openvpn [] 15:29 < plaerzen> ugh, tired. 15:29 * plaerzen needs a java. 16:25 < Dryanta> ok 16:33 -!- nofxx [n=nofxx@unaffiliated/nofxx] has joined ##openvpn 16:37 < nofxx> I got a machine in my openvpn server lan, that needs two way communication with a client connecting to this server. What would be the best approach, make this machine a client too, so both stay in the same tunnel, or add all the routes to make them talk? 16:37 < nofxx> Having some problems with the last one. 16:37 < nofxx> I just need to masquerade all? 16:39 < nofxx> hehe that's what I call a succinct topic =D 16:39 < nofxx> concise* 16:40 -!- dlewis [i=c7340d68@about/security/staff/dlewis] has quit ["http://www.mibbit.com ajax IRC Client"] 17:12 < ecrist> nofxx: add the necessary routes 17:12 < ecrist> read the howto, and follow the instructions near the bottom for client configs. 17:13 < ecrist> allow your 'client' to only connect to the necessary segment 17:19 < nofxx> ecrist, yea... I think the problem was my lan network was 10.x.x.x and the vpn 10.8.0.x , changing the lan to 10.1.1.x 17:45 < ecrist> just change the subnet mask. 17:46 < ecrist> though, the ip too works. 17:46 < ecrist> same effect 17:47 -!- nofxx_ [n=nofxx@unaffiliated/nofxx] has joined ##openvpn 17:53 -!- nofxx [n=nofxx@unaffiliated/nofxx] has quit [Read error: 60 (Operation timed out)] 18:17 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 18:20 < nofxx_> worked like a charm. sorry for the stupid question. thx ecrist 18:24 < nofxx_> Ah, lil question. What would be the diff between tcp or udp in openvpn? 
18:24 < ecrist> tcp is bad 18:24 < ecrist> !tcp 18:24 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 18:24 < nofxx_> great. thank you again 18:30 -!- Typone [n=nitsme@195.197.184.87] has quit ["Terminated with extreme prejudice - dircproxy 1.1.0"] 18:32 < ecrist> np 19:04 < ecrist> 19:09 < jeev> . 19:09 -!- nofxx_ [n=nofxx@unaffiliated/nofxx] has quit ["Leaving"] 19:12 * ecrist hopes he didn't break his internet connection 19:12 < ecrist> jeev, do me a favor 19:12 < ecrist> what does www.secure-computing.net resolve to for you? 19:17 < jeev> my mailserver is denying bestbuy's mx 19:17 < jeev> However, the domain response.bestbuy.com has declared using SPF that it does not send mail through mh4.response.bestbuy.com (70.87.26.166). That is why the message was rejected. 19:17 < jeev> 173.8.113.73 19:23 < krzie> ... BitchX: www.secure-computing.net is www.secure-computing.net 19:23 < krzie> (173.8.113.73) 19:23 < krzie> and that box would NOT have it cached 20:00 -!- Typone [n=itsme@195.197.184.87] has joined ##openvpn 20:09 < krzie> im bored =/ 20:10 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 20:18 -!- ElCheapo [n=elcheapo@d199-126-36-20.abhsia.telus.net] has quit [Remote closed the connection] 20:45 < cranky-> yeah it looks like the two clients with the same certificate were causing the ping restart 20:45 < cranky-> 24 hours later, only messages in the log are the key expirations 20:45 < cranky-> =] 20:45 < krzie> give all clients diff certs 20:46 < krzie> oh i guess you figured that out then 20:46 < krzie> lol 20:46 < cranky-> no, the problem was my notebook was still connected for some silly ass reason 20:46 < ecrist> or, use duplicate-cn 20:46 < cranky-> so I'm on my desktop wondering why I keep getting ping-restarts 20:46 < krzie> ecrist, ya but why do that instead of making new certs? 
20:46 < cranky-> I switched over to TCP and it was solid, only noticed it by accident 20:46 < krzie> ecrist, to me seeing a cert connect 2x is a huge sign of compromised cert 20:47 < cranky-> duplicate-cn is easier if you have 1 road warrior with multiple computers 20:47 < ecrist> krzie: there's a couple *valid* reasons, though it usually doesn't make practical sense from a security standpoint. 20:47 < cranky-> make an installer and let them run it everywhere 20:48 < krzie> true 20:48 < krzie> the security standpoint is where i base my argument for not using it 20:48 < krzie> but what you said is right on the mark 20:48 * jeev loves his opensuse 20:49 < cranky-> hah http://www.youtube.com/watch?v=xQERRbU23bU&eurl=http://www.cynical-c.com/?p=12295 20:49 < vpnHelper> Title: YouTube - Ants! (at www.youtube.com) 20:49 < cranky-> oops wrong window 20:49 < cranky-> still a cool video, massive ant colony, 528 sf, 26ft deep, they filled in the colony with concrete or something so they could excavate it out and check the underground structure 21:02 -!- cranky- [i=madman@pool-96-242-173-233.nwrknj.fios.verizon.net] has quit ["b0rk"] 21:02 < ecrist> krzie: you have a fairly high speed inet connection? 21:02 < ecrist> or jeev 21:03 < ecrist> need someone to test something for me... 21:12 < krzie> dude 21:12 < krzie> im in a 3rd world country 21:12 < krzie> i have the slowest inet ive ever seen since dialup 21:12 < ecrist> krzie - can you get to www.secure-computing.net? 21:12 < krzie> its thinband 21:12 < krzie> Defcon Presentation 21:12 < krzie> You can download the Defcon Mifare presentation in PDF form here. 21:13 < ecrist> hrm, ok 21:13 < ecrist> what kind of download speed you got? 21:14 < krzie> under a t1 21:14 < ecrist> see if downloading http://www.secure-computing.net/files/vmcore.0.bin will saturate it. 21:14 < ecrist> the .bin is so your browser won't try to open the file. 
21:14 < ecrist> it's 1.1GB 21:15 < krzie> i cant right now 21:15 < krzie> i can dl it from a 100mbit tho 21:15 < ecrist> that would do 21:15 < krzie> fetch: http://www.secure-computing.net/files/vmcore.0.bin: Forbidden 21:16 < krzie> permissions 21:16 < ecrist> I can fetch it. 21:16 < ecrist> proxy server on your end blocking it? 21:16 < krzie> fetch: http://www.secure-computing.net/files/vmcore.0.bin: Forbidden 21:16 < krzie> no proxy, im logged in via ssh 21:17 < ecrist> hrm, I can fetch it. 21:17 < krzie> even as root i cant 21:17 < krzie> so its not my end 21:17 < krzie> you on same lan? 21:17 < ecrist> ah, .htaccess 21:18 < ecrist> try again 21:19 < krzie> k 21:19 < krzie> if it doesnt max me it might not be your fault 21:19 < krzie> oh whoa this is slow 21:19 < krzie> my box would never be this slow, its you 21:19 < krzie> im getting under 100kb/s 21:19 < krzie> 82 and climbing 21:20 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Nick collision from services.] 21:20 < ecrist> iftop shows me pushing 773Kb to hemp.ircpimps.org 21:20 < krzie> vmcore.0.bin 3% of 182 MB 87 kBps 35m09s 21:20 < ecrist> see the cap B 21:20 < krzie> lemme restart it in screen so i can iftop too 21:20 < krzie> ya 88 kilobytes/s 21:21 < krzie> thats slow as shit 21:21 < krzie> vmcore.0.bin 3% of 182 MB 87 kBps 35m09s 21:21 < ecrist> my connection is supposed to be 2Mb up. 21:21 * ecrist calls business services 21:22 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 21:23 < ecrist> on phone now 21:24 < krzie> hrmmm 21:24 < krzie> which column in iftop is /second? 21:24 < ecrist> first 21:24 < ecrist> after 'rates' 21:24 < krzie> lil over 700 megabit 21:24 < krzie> err 21:24 < krzie> kilobit 21:24 < krzie> lol 21:24 < ecrist> right 21:24 < krzie> big diff, lol 21:25 < krzie> shall i kill it? 21:25 < ecrist> no 21:25 < krzie> k 21:26 < krzie> you got 30min before i need to restart 21:26 < ecrist> the tech is using it for troubleshooting. ;) 
21:26 < krzie> lemme know =] 21:26 < ecrist> heh 21:27 < krzie> 16 68.85.165.162 (68.85.165.162) 77.341 ms 77.532 ms 77.383 ms 21:27 < krzie> 17 jupiter.secure-computing.net (173.8.113.73) 207.747 ms 214.325 ms 197.972 ms 21:28 < krzie> thats a whole fucking lot of latency between you and your router 21:28 < ecrist> let's stop the test for a min. 21:29 < krzie> done 21:30 -!- DarkDrgn2k [n=DarkDrgn@CPE000f3d01971a-CM00125573082a.cpe.net.cable.rogers.com] has joined ##openvpn 21:31 < DarkDrgn2k> Ok, i have a TUN interface. the Server Side's default gateway has a route to both the TUN network (192.168.100.0/255.255.255.0) and the Client side's network (192.168.4.0/255.255.255.0) setup. 21:31 < DarkDrgn2k> The client's side default network has 100 and SERVER 2.0/255.255.255.0 setup on the default network 21:31 < DarkDrgn2k> Both machines on either side of the tunnel can see each other 21:32 < DarkDrgn2k> but the machine running openvpn CANNOT see/ping any of the devices 21:33 < krzie> by devices you mean machines on the lan behind openvpn? 21:33 < DarkDrgn2k> yes machines 21:34 < krzie> and you want the lan behind server AND lan behind client to communicate? 
21:34 < DarkDrgn2k> setup is Gateway 2.2 ---- OVPNSERVER (100.0)-------OVPNCLIENT(100.10)-----GATEWAY 4.2 21:34 < DarkDrgn2k> all 2.x machines see the 4.x 21:34 < DarkDrgn2k> and 4.x see 2.x 21:35 < DarkDrgn2k> but the SERVER itself does not see any 2.x machines 21:38 < krzie> ok 21:38 < krzie> you need an iroute 21:38 < krzie> !route 21:38 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:38 < krzie> i made this writeup EXACTLY for people doing what you are doing =] 21:39 < krzie> its an extremely common thing to have trouble with 21:39 < krzie> (which is why i made a detailed writeup) 21:39 < krzie> so read that whole thing, see picture at bottom 21:39 < krzie> and lemme know how that helps 21:40 < DarkDrgn2k> 10-4 21:40 < DarkDrgn2k> LINK NOT WORKING 21:41 < krzie> doh 21:41 < krzie> ecrist is working on the server right now 21:41 < krzie> weird, works for me 21:41 < DarkDrgn2k> Firefox can't find the server at www.secure-computing.net 21:41 < krzie> interesting 21:41 < DarkDrgn2k> quite 21:41 < krzie> i must have had it cached after all, have NO clue how that happened 21:42 < krzie> ohhhh wait yes i do 21:42 < krzie> well ok, heres what you need 21:42 < krzie> !man 21:42 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 21:42 < krzie> !ccd 21:42 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client 21:42 < krzie> !iroute 21:42 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 
21:42 < DarkDrgn2k> having said that.. why do you think that both sides of the network would see each other... but the server itself doesnt.. 21:42 < krzie> look in the manual for --iroute and --client-config-dir 21:43 < DarkDrgn2k> krzie: i have iroute though 21:43 < DarkDrgn2k> and ccd 21:43 < ecrist> krzie: I figured out the problem. 21:43 < ecrist> :) 21:43 < ecrist> return path was across my DSL 21:43 < krzie> oh i see that now DarkDrgn2k 21:43 < krzie> i misread 21:43 < krzie> in that case DarkDrgn2k, firewall 21:43 < ecrist> when I change the default route, I'm pushing 200KB to 580KB/sec 21:43 < DarkDrgn2k> no firewall.. 21:43 < DarkDrgn2k> its running on a windows 2k3 server. 21:43 < krzie> what OS is server? 21:43 < DarkDrgn2k> ip routing enabled with regedit 21:43 < krzie> firewall 21:44 < DarkDrgn2k> and firewall is disabled :) 21:44 < DarkDrgn2k> (i hate that bloody service!) 21:44 < krzie> !winfirewall 21:44 < vpnHelper> krzie: Error: "winfirewall" is not a valid command. 21:44 < krzie> bleh 21:44 < krzie> !factoids search win 21:44 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', and '2.1-winpass-script' 21:44 < krzie> bleh 21:44 < DarkDrgn2k> its not running 21:44 < DarkDrgn2k> service is disabled 21:44 < krzie> right but ive seen this before 21:44 < krzie> when it is disabled but still fucks with things 21:45 < krzie> i seen JJK help someone with it on mail list 21:45 < krzie> with some netsh commands 21:45 < krzie> to reset firewall stuffs 21:45 < krzie> i have it on my laptop mail.app 21:45 < krzie> but im not with my laptop right now =/ 21:46 < DarkDrgn2k> i just checked..... the firewall was turned off before the service was disabled 21:46 < DarkDrgn2k> could u check my routes. make sure they are not foo bared http://pastebin.ca/1259988 21:47 < krzie> if its only openvpn changing your routes i'd rather see configs 21:47 < krzie> is that the case? 21:48 < DarkDrgn2k> should be.. 
21:48 < DarkDrgn2k> 1 sec 21:48 < krzie> !configs 21:48 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 21:48 < DarkDrgn2k> doesnt help.. windows :) 21:48 < krzie> heheh 21:48 < DarkDrgn2k> http://pastebin.ca/1259989 21:49 < DarkDrgn2k> tempkey file simply contains iroute 192.168.4.0 255.255.255.0 21:49 < krzie> and tempkey is the clients common-name 21:49 < DarkDrgn2k> yes 21:50 < krzie> 4.0 is client lan 21:50 < krzie> 2.0 is server lan 21:50 < DarkDrgn2k> yes 21:50 < DarkDrgn2k> 100.0 is vpn 21:50 < krzie> 100.0 is vpn 21:50 < DarkDrgn2k> client- > http://pastebin.ca/1259993 21:50 < krzie> right 21:50 < krzie> !tcp 21:50 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 21:50 < krzie> that is not your problem 21:51 < krzie> but helpful for you to know 21:51 < krzie> you prolly want udp 21:51 < DarkDrgn2k> i was running udp but had problems :) 21:51 < krzie> only way you dont want udp is firewalls that you cant control not allowing it 21:51 < DarkDrgn2k> i found when i had a DSL connection with high packet loss 21:51 < DarkDrgn2k> the connection wouldnt drop properly... 21:51 < krzie> for why, see the link 21:52 < DarkDrgn2k> i switched to TCP to make sure that when the connection died.. it died... 21:52 < DarkDrgn2k> i know.. udp keepalive 21:52 < krzie> did you test mtu to see if that was the source of the issues? 21:52 < krzie> ya i see you have keepalive 21:52 < ecrist> DarkDrgn2k: is the website back up? 21:53 < DarkDrgn2k> ecrist: dns wont resolve 21:53 < ecrist> hrm, use 173.8.113.73 21:53 < DarkDrgn2k> krzie: i just dont get how the 4.0 and 2.0 nets see each other but the SERVER doesnt 21:53 < DarkDrgn2k> 173.8.113.73 works... 
21:54 < DarkDrgn2k> just dns is fried 21:54 < ecrist> DNS should have propagated last night. 21:54 < ecrist> :\ 21:54 < DarkDrgn2k> yep 21:54 < DarkDrgn2k> tried a few dns servers.. 21:54 < DarkDrgn2k> none of them 21:54 < krzie> ill bbiab 21:54 < ecrist> tx for the info - looking into it 21:55 < DarkDrgn2k> ? 21:55 < krzie> DarkDrgn2k i know it doesnt seem like it, but im 90% sure nothing besides firewall could stop it 21:55 < krzie> since both lans can communicate 21:55 < krzie> maybe you could enable/disable it 21:55 < krzie> or reboot 21:56 < krzie> or reboot 10x (hey, it IS windows) ;] 21:56 < krzie> ill be back in a bit 21:56 < DarkDrgn2k> kk 21:57 < ecrist> DarkDrgn2k: now? 21:57 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Nick collision from services.] 21:58 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 22:06 < DarkDrgn2k> ecrist: there we go 22:06 < DarkDrgn2k> ecrist: ...working... 22:09 < jeev> sup 23:47 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Nick collision from services.] 23:47 -!- metatron [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 23:53 -!- metatron is now known as Luria --- Day changed Tue Nov 18 2008 00:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:18 -!- paruchuri [n=paruchur@61.16.248.247] has quit [Read error: 60 (Operation timed out)] 00:45 -!- DarkDrgn2k [n=DarkDrgn@CPE000f3d01971a-CM00125573082a.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 03:01 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 03:38 -!- mnemoc [n=amery@shell.opensde.net] has joined ##openvpn 03:40 < mnemoc> hi, can one have an "N-way" vpn? I mean, the VPN is created by N routers all connected to each other without a master and the result being a single network 
03:42 < mnemoc> I'm probably using the wrong terms so any keyword is highly welcomed 03:46 < mnemoc> I'll have a set of servers distributed on different locations, with some vservers inside each, and I want those vservers to freely talk to the vservers on every other server like they were "local" 03:47 < mnemoc> any suggestion is also highly appreciated :) 04:07 < Federico2> mnemoc, in switch mode you mean? 04:08 < Federico2> look on the website 04:09 < mnemoc> Federico2: they will be on different DCs 04:09 < mnemoc> like a poor-man cloud 04:09 < Federico2> of course 04:11 < mnemoc> "bridging" ? 04:12 < mnemoc> ic 04:14 < Federico2> yep 04:14 < Federico2> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 04:14 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 04:17 < Federico2> yeah 04:17 < Federico2> have fun 04:18 < mnemoc> Federico2: thanks :) 04:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:54 < stephenh> mnemoc: unless you need to use unroutable traffic i would stick to a routed VPN and run multiple configurations on each host to create your mesh network. 04:55 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 145 (Connection timed out)] 04:58 < mnemoc> stephenh: yes? more reliable? 04:59 < stephenh> you would only really use it if you needed network broadcasts or non ip traffic 04:59 < mnemoc> stephenh: one of my goals is to be able to vpn to one "node" and have access to all of them 04:59 < stephenh> only time we used a bridge was for vpn users who needed to access notes. 05:00 < mnemoc> no broadcasts, no non-ip traffic 05:00 < mnemoc> just boring ldap, sql, ssh, ... 
05:00 < mnemoc> uhm 05:01 < stephenh> you made it sound like you want all your sites to connect to each other so there is no master/slave scenario 05:02 < mnemoc> right, it will be multi-master 05:02 < mnemoc> synchronizing each other using vpn 05:03 < mnemoc> but "joining" that meshed network from admin's computer is a desired feature 05:05 < stephenh> just run another instance and push routes to client? 05:05 < mnemoc> uh, that sounds simple :) I have still zero experience with openvpn capabilities 05:06 < mnemoc> so, i'll take the path you suggest, thanks! :) 05:07 < mnemoc> i have lots to read and learn 05:09 < stephenh> it'll take a bit of planning but it won't be hard to accomplish what you want to do. 05:10 < stephenh> http://openvpn.net/index.php/documentation/howto.html 05:10 < vpnHelper> Title: HOWTO (at openvpn.net) 05:10 < stephenh> follow that from top to bottom and you'll have one site connected to another site, then follow it again but use a different server port 05:11 < stephenh> there'll always be a server and a client, but you won't have a star type network where all traffic between subnets goes through a central point, each will have their own direct path 05:12 < mnemoc> sounds good :) 05:13 < stephenh> that's what it sounds like you are trying to do anyway, then you can host another instance on one or many hosts on port 1194 for yourself/roadusers 05:13 < stephenh> i tend to use 5001, 5002, 5003 etc for connecting sites and 1194 for client vpn 05:14 < mnemoc> default port for humans 05:14 < stephenh> yep. 
05:14 < stephenh> makes my life easier cause then i'll use like 10.10.1.1 and 10.10.1.2 for 5001, 10.10.2.1 and 10.10.2.2 for 5002, etc 05:15 < mnemoc> :D 05:21 -!- Han [n=han@unaffiliated/han] has left ##openvpn [] 05:31 -!- thefish [n=thefish@unaffiliated/thefish] has quit [Read error: 60 (Operation timed out)] 06:41 -!- lchiessi [n=postgres@201.29.212.55] has joined ##openvpn 06:45 -!- lchiessi [n=postgres@201.29.212.55] has quit ["ZorraScript 2007 curta a vida no irc de outra maneira! Pegue já: www.zorrascript.com"] 07:14 < Federico2> stephenh, when you use bridge mode all the communications are by default direct 07:14 -!- ikevin_ [n=kevin@ANancy-256-1-52-42.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 07:14 < Federico2> but I would be happy to have some of the nodes acting as a forwarder 07:14 -!- ikevin_ [n=kevin@ANancy-256-1-21-133.w90-13.abo.wanadoo.fr] has joined ##openvpn 07:14 < mnemoc> .oO 07:15 < Federico2> in case one of the point-to-point links is not reliable 07:15 < Federico2> there is no routing/fallback implemented inside openvpn 07:16 < Federico2> oh, by the way 07:16 < Federico2> in bridge mode there is no keepalive traffic, isn't it? 07:36 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn 07:40 < ecrist> rawr 07:42 < ecrist> bbiab --- Log closed Tue Nov 18 07:42:14 2008 --- Log opened Mon Nov 24 18:31:40 2008 18:31 -!- ecrist [n=ecrist@chunk.secure-computing.net] has joined ##openvpn 18:31 -!- Irssi: ##openvpn: Total of 40 nicks [0 ops, 0 halfops, 0 voices, 40 normal] 18:31 < Dougy> ecrist: ! 
18:31 < jeev> krzee 18:31 < jeev> you there 18:31 -!- Irssi: Join to ##openvpn was synced in 22 secs --- Log closed Mon Nov 24 18:31:58 2008 --- Log opened Mon Nov 24 18:32:40 2008 18:32 -!- ecrist [n=ecrist@chunk.secure-computing.net] has joined ##openvpn 18:32 -!- Irssi: ##openvpn: Total of 40 nicks [0 ops, 0 halfops, 0 voices, 40 normal] 18:32 -!- Irssi: Join to ##openvpn was synced in 22 secs 18:38 < ecrist> was someone trying to contact me? 18:38 < krzie> wassup 18:39 < krzie> ecrist i was just letting you know i was back 18:39 < krzie> we were playing ping tag 18:39 < krzie> jeev, im in and out, whats up? 18:39 < jeev> question, not pertaining to openvpn. 18:39 < jeev> msg 18:40 < ecrist> krzie: don't worry about my question re SSL earlier. I had a funky ssl cert from GoDaddy that wasn't matching up. I had them re-key it; all is well. 18:41 < krzie> oh i gotchya 18:41 < jeev> ecrist 18:41 < krzie> for the record, screw godaddy 18:41 < krzie> http://www.gambling911.com/gambling-news/go-daddy-responds-kentucky-online-gambling-domain-order-100908.html 18:41 < jeev> you guys know if the godaddy cert authenticates well ? 18:41 < jeev> like on my mailserver? 18:42 < krzie> why wouldnt it? 18:42 < ecrist> yes, it does 18:45 < jeev> cause maybe it wasn't backed properly 18:45 < jeev> i need to get one. 18:47 < krzie> my mailserver works fine with a self signed cert 18:47 < ecrist> krzie: you don't suppose the website you linked me is a bit biased, do you? 18:47 < krzie> *shrug* 18:47 < krzie> it is very biased 18:47 < krzie> but i side with them no matter what angle you look from 18:47 < ecrist> jeev: create your own CA, and import it into your keychain 18:47 < krzie> yanno what i mean? 18:47 < ecrist> krzie: I think it's a debatable subject from either side. 
18:48 < krzie> not me, godaddy should have complied with the court order and NOTHING MORE 18:48 < krzie> they lose all domains i control that they had over it 18:50 < Dougy> ecrist: phpbb pisses me off 18:50 < jeev> huh 18:50 < ecrist> Dougy: why? 18:50 < jeev> ecrist 18:50 < Dougy> ecrist: converters.. 18:50 < jeev> how will other people's mailservers approve my bullshit cert? 18:50 < ecrist> Dougy: how is that phpBB's fault? 18:50 < Dougy> ecrist: i have the old vb in /home/dougy/ovpnforum.com/vb but the converter doesnt find it 18:50 < Dougy> old 18:50 < Dougy> because i enter the proper path 18:50 < Dougy> and phpbb still does not like it 18:51 < ecrist> jeev, ssl is server-> client, not server->server 18:51 < jeev> there is server -> server too. 18:51 < krzie> ecrist, its both 18:51 < ecrist> what good is server to server ssl? 18:51 < jeev> certificate verification failed for edge1.choicepoint.net[66.241.37.242]:25: untrusted issuer /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority 18:51 < jeev> ecrist, some people like choicepoint have greylisting 18:52 < jeev> i'm not interested in continually being greylisted 18:52 < ecrist> jeev, greylisting isn't continual 18:52 < jeev> it is with choicepoint. 18:52 < ecrist> who the hell is choicepoint? 18:53 < krzie> i never hearda them either 18:53 < jeev> choicepoint is a big ass company 18:53 < jeev> how have you not heard of them 18:54 < jeev> choicepoint has more info on you than you do :) 18:54 < krzie> i highly doubt that 18:54 < jeev> you know what i mean 18:54 < krzie> :-p 18:54 < krzie> my macbook pro has 500gb hd internal now 18:54 < krzie> and i love it 18:56 < ecrist> what vintage is your MBP? 18:57 -!- NBrepresent [n=perry@bas1-toronto09-1176018504.dsl.bell.ca] has joined ##openvpn 18:57 < krzie> 1st gen 18:58 < ecrist> me too, about 4th revision, though. 
18:58 < jeev> i have one, a powerbook 18:58 < jeev> it doesn't charge 18:58 < jeev> i parted it.. i think i need a new 18:58 < jeev> i forgot the name 18:58 < jeev> but i dunno if that's the problem.. so i wont order the part. 18:59 < ecrist> inverter board, prolly 19:07 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 19:07 < onats> ecrist, are you busy? 19:07 < ecrist> kinda cleaning the office, what's up? 19:08 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 19:13 < ecrist> onats, what did you need? 19:13 < onats> well i just wondered if you have an idea... my openvpn server no longer serves up IP addresses to the clients.. 19:13 < onats> the vpn server is on the same box as the router, which serves as DHCP.. 19:13 < ecrist> how many clients? 19:14 < onats> just one 19:14 < onats> me 19:14 < onats> im trying to connect to home, but can no longer get an IP 19:14 < onats> it connects alright 19:14 < onats> what is the config that i should be putting in? 19:15 < onats> isn't it supposed to serve up IP's automatically? 19:15 < ecrist> tun or tap? 19:16 < mRCUTEO> ecrist: is it possible to run openvpn in vbox? 19:16 < onats> tap 19:17 < krzie> vbox? 19:17 < mRCUTEO> virtualbox 19:18 < mRCUTEO> *virtualbox guest 19:18 < krzie> should be fine as long as the kernel has tuntap in it 19:18 < krzie> which is nothing you control as a guest 19:18 < mRCUTEO> okay thanks 19:18 < ecrist> onats: sounds like you're missing a bridge statement or something. 19:19 < ecrist> perhaps krzie can help ya, I gotta get this office clean. Kid's got conferences in 20 mins, too. 19:20 < aegis> any of you guys know how to fix network-manager-openvpn ??? 19:21 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit [] 19:21 -!- mRCUTEO [n=irclunat@64.235.47.233] has joined ##openvpn 19:21 < krzie> yes 19:21 < onats> i shouldn't have switched to another device.. gave my fully working router/vpn to my dad 
19:21 < krzie> but not using it 19:21 < krzie> !ubuntu 19:21 < vpnHelper> krzie: "ubuntu" is dont use network manager! 19:22 < mRCUTEO> phew its working 19:22 < mRCUTEO> flawless 19:22 < mRCUTEO> openvpn tested in VirtualBox Guest - its flawless, working great :) 19:23 < krzie> i havnt setup bridging in a long long time 19:23 < krzie> but if you wanna post your configs, ill take a look 19:23 < krzie> (@ onats ) 19:23 < krzie> !configs 19:23 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 19:30 < onats> what was that? 19:31 < onats> ahh.. my configs? 19:31 < onats> wait 19:37 < aegis> krzie: How did you get it to work? I get it to connect to the VPN, but it doesn't allow me any access outside the VPN... 19:38 < krzie> by outside the vpn, do you mean the LAN behind the vpn, or to access the inet? 19:38 < krzie> and tun or tap? 19:39 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has quit [] 19:43 < onats> http://pastebin.ca/1266299 19:45 < krzie> WOW 19:45 < krzie> ecrist is good 19:45 < krzie> you need server-bridge 19:45 < krzie> !man 19:45 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 19:45 < krzie> btw, time for my usual line of questioning 19:45 < krzie> why do you want a tap bridge? 19:55 -!- mRCUTEO [n=irclunat@64.235.47.233] has quit [] 19:55 < onats> to be honest with you, i just transferred the config from my old router 19:55 < onats> it was the first openvpn config i setup.. 19:56 < onats> i'm just going to redo my config and setup a tun routed... 19:56 < onats> that right? 19:56 < aegis> krzie: I am using tap... I have a bridge set up... it works fine via command line, however when I use network-manager-vpn it messes up the routing table. 
19:56 < onats> wait, are you talking to me krzie? 19:56 < krzie> onats yes i was talkin to you 19:57 < krzie> tun is better unless you have a reason to want tap 19:57 < krzie> less overhead, easier to setup (imo) 19:57 < onats> ill do it over the weekend 19:57 < krzie> !sample 19:57 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:57 < krzie> !route 19:57 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:57 < onats> i setup that 3 site routed config and it works flawlessly today 19:58 < krzie> between those and the manual, you should be able to set one up rather quick 19:58 < krzie> ahh cool 19:58 < krzie> used my walkthrough? 19:58 < krzie> aegis, 19:58 < krzie> !ubuntu 19:58 < vpnHelper> krzie: "ubuntu" is dont use network manager! 19:58 < onats> i dont know.. cant remember 19:58 < onats> it was a mashup of all the help/wikis/forums that i researched on 19:58 < onats> which one is your walkthrough 19:58 < krzie> !route 19:58 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:59 < krzie> that 19:59 < onats> only problem i encountered before was that i turned on logging, and turns out it filled up the flash drive/space 19:59 < onats> wow.. this is a quick walkthrough! 19:59 < krzie> ahh one of those hacked up routers 19:59 < onats> bookmarking 19:59 < onats> krzie, yup 19:59 < krzie> ya you must have routing for troubleshooting, but cant keep it 19:59 < onats> krzie, what hardware are you running your vpns on? 20:00 < krzie> which is why i dont use them 20:00 < onats> routing you mean logging 20:00 < krzie> just normal single proc fvsd 20:00 < onats> fvsd? 20:00 < krzie> err 20:00 < krzie> fbsd 20:00 < onats> i see 20:01 < krzie> and dual core mac laptop 20:01 < onats> thats for the client? 
20:01 < krzie> done it on windows and linux too 20:01 < krzie> ya my mac laptop is a client 20:01 < krzie> my servers are both clients and servers 20:01 < krzie> all freebsd 20:01 < krzie> only problem i encountered before was that i turned on logging, and 20:01 < krzie> turns out it filled up the flash drive/space 20:02 < krzie> thats why i dont like those 20:02 < krzie> when you get owned you wont even have logs of it 20:02 < krzie> linux - logging = bad 20:04 < krzie> any of you guys know how to fix network-manager-openvpn ??? 20:04 < krzie> !ubuntu 20:04 < krzie> krzie: "ubuntu" is dont use network manager! 20:04 < krzie> krzie: I am using tap... I have a bridge set up... it works fine via 20:04 < krzie> command line, however when I use network-manager-vpn it messes up 20:04 < krzie> the routing table. 20:04 < krzie> aegis 20:05 < krzie> your answer is do not use network-manager 20:05 < krzie> people always have problems with it screwing up their vpns 20:05 < krzie> which is why we already had !ubuntu 20:05 < aegis> oh 20:06 < aegis> i won't be able to get my girlfriend to use command line 20:06 < aegis> so I guess I will just hope they fix the plugin for network-manager 20:07 < krzie> dude 20:07 < krzie> make a .command 20:07 < krzie> shell script for the win 20:07 < onats> what's the alternative for network-manager? 20:07 < krzie> just starting the vpn 20:07 < krzie> its not like its so complex you need a gui 20:07 < krzie> its a single command 20:07 -!- randra [n=sleepkno@189.31.103.105] has joined ##openvpn 20:07 < krzie> make it executable and double click the sucker 20:08 < krzie> its pretty simple... 20:08 < aegis> and a password/login/password 20:08 < krzie> it prompts 20:08 < krzie> double clicking a single line shell script is like typing the command into the shell 20:08 < aegis> right, i have no problem with it... there are people who won't bother if they have to do all that... 20:09 < krzie> those people are using linux 20:09 < krzie> ? 
20:09 < aegis> yeah 20:09 < krzie> they should be using something they understand 20:09 < aegis> ubuntu 20:09 < aegis> they understand "just works" ;) 20:09 < krzie> well thats not linux 20:09 < krzie> lol 20:10 < onats> on a routed setup, assuming i'm connecting using a mac, how does the mac get an IP from the internal lan of the VPN server again? 20:10 < krzie> it doesnt 20:10 < krzie> it gets an ip from the internal vpn block 20:10 < krzie> and routes to the servers lan 20:11 < onats> so that's ok? 20:11 < krzie> ok? 20:11 < onats> i mean, doesn't it look nicer if you have an IP from the LAN? 20:11 < krzie> it doesnt work that way 20:12 < onats> i also remember having an issue with push route not being accepted on osx... 20:12 < onats> i had to add the route manually 20:12 < krzie> its accepted just fine 20:12 < onats> hmmm 20:12 < krzie> as long as client has client or pull 20:12 < krzie> (same as any other os) 20:14 < onats> how do you test clients assuming you dont have any other machine outside LAN that you can control? 20:17 < krzie> ive never had that situation 20:17 < onats> hehe 20:17 < krzie> but really, you can connect in same lan 20:17 < krzie> !wifi 20:17 < vpnHelper> krzie: Error: "wifi" is not a valid command. 20:18 < krzie> !local 20:18 < vpnHelper> krzie: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. 
20:18 < krzie> if you arent using redirect-gateway, it should just work 20:18 < krzie> but dont spend too long troubleshooting on that 20:18 < krzie> just see if they connect or not 20:23 -!- randra [n=sleepkno@189.31.103.105] has quit [] 20:42 < Dougy> ohi 20:50 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)] 20:50 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 20:59 -!- NBrepresent [n=perry@bas1-toronto09-1176018504.dsl.bell.ca] has quit ["Leaving."] 20:59 < Dougy> gah 20:59 < Dougy> cardiomyocytes 20:59 < Dougy> kill me 21:31 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 21:32 < jeev> cool 21:32 < jeev> connected my 56" 21:32 < jeev> to my computer lool 21:46 < troy-> kinda big 21:51 < jeev> movies are so clean 21:52 < jeev> dvi to HDMI 22:04 < ecrist> DVI, in most regards *is* HDMI 22:04 < ecrist> HDMI includes some copy protection and audio. 22:05 < jeev> yea 22:05 < jeev> i dunno 22:05 < jeev> i just hit my face (2cm) from my eye on a sharp corner 22:05 < jeev> i'm so lucky. 22:19 -!- Dougy [n=doug@174.34.138.158] has quit ["Ex-Chat"] 22:49 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 22:49 < mRCUTEO> hi is thre a way run 2 client of openvpn connecting to one server in the same PC for wondows? 22:56 < krzie> sure, diff configs 22:56 < krzie> gotta go. bbl 22:58 < mRCUTEO> did a diff config but aint working here 23:05 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit [] 23:19 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)] 23:35 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn --- Day changed Tue Nov 25 2008 00:10 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 00:10 < mRCUTEO> hi how to create new tap for openvpn in Windows XP? 00:26 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit [Nick collision from services.] 
00:26 -!- mRCUTEO-Smoke-W3 [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 00:26 < mRCUTEO-Smoke-W3> hi 00:27 < mRCUTEO-Smoke-W3> what happen if i bridge tap0 and eth0 in my openvpn client ? 00:33 -!- mRCUTEO-Smoke-W3 [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit [] 02:14 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has joined ##openvpn 02:39 -!- niekie [i=niek@bergnetworks.com] has joined ##openvpn 02:48 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has quit [Read error: 110 (Connection timed out)] 03:02 < tompaw> unbelievable. the basic setup worked for me without any guis ;) 03:06 < reiffert> unbelievable. 03:12 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 03:26 -!- zenoswyn [n=w0tan@75.15.219.43] has joined ##openvpn 03:28 -!- zenoswyn [n=w0tan@75.15.219.43] has quit [Client Quit] 05:18 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: lyxan, thefish 05:19 -!- Netsplit over, joins: thefish, lyxan 05:24 -!- P4k3 [i=P4k3@c-0c34e255.014-33-6b6c7810.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)] 05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:28 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Connection timed out] 06:30 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 06:30 -!- Luria [n=trashed@pool-151-202-77-13.ny325.east.verizon.net] has joined ##openvpn 07:31 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn 07:32 < error404notfound> I am trying to create a certificate and I get: http://pastebin.com/mce9dce7 07:35 < reiffert> remove the ticks. 07:35 < reiffert> forget that. 07:36 < reiffert> did you source the vars file? 07:36 < reiffert> that is ". ./vars" 07:41 < error404notfound> there are any ticks, those are single quotes 08:02 < ecrist> !easyrsa 08:02 < vpnHelper> ecrist: Error: "easyrsa" is not a valid command. 
08:02 < ecrist> !easy-rsa 08:02 < vpnHelper> ecrist: Error: "easy-rsa" is not a valid command. 08:03 < ecrist> error404notfound: easy-rsa sucks balls, for the record. 08:03 < error404notfound> ecrist: what do you suggest then? manual? 08:03 < ecrist> I wrote a perl script 08:03 < ecrist> !ssl-admin 08:03 < vpnHelper> ecrist: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 08:16 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has quit ["Leaving."] 08:16 -!- mRCUTEO [n=info@124.13.95.12] has joined ##openvpn 08:16 < mRCUTEO> hi 08:17 < mRCUTEO> can 2 client run simultanously from one PC connecting to 1 server? 08:22 < ecrist> mRCUTEO: that question was answered last night 08:22 < ecrist> 22:49 < mRCUTEO> hi is thre a way run 2 client of openvpn connecting to one server in the same PC for wondows? 08:22 < ecrist> 22:56 < krzie> sure, diff configs 08:38 -!- gleblanc [n=chatzill@216.30.212.117] has joined ##openvpn 08:39 -!- mRCUTEO [n=info@124.13.95.12] has quit [Read error: 110 (Connection timed out)] 09:11 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [] 09:59 -!- whaletales [n=Paul@5ad5a082.bb.sky.com] has joined ##openvpn 09:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:59 < krzee> !route 09:59 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 10:01 < krzee> !bridge 10:01 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 10:01 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 
10:06 < gleblanc> Bridging is probably the wrong solution to your problem 10:06 < krzee> right 10:06 < krzee> i was using those links to tell someone on the mail list that =] 10:09 < gleblanc> ah 10:37 -!- LinuxWhore [n=muchtall@70-99-118-66.apigroupinc.com] has joined ##openvpn 10:37 * ecrist points to krzee 10:37 < LinuxWhore> heh 10:38 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn 10:38 < LinuxWhore> krzee: ecrist recommended I ask you this... 10:38 < ChUbB> hi people, anyone know of any proformance differances between tcp and udp set ups ? 10:38 < ecrist> !tcp 10:38 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 10:39 < ecrist> ChUbB: see ^^^^ 10:39 < ChUbB> so am i right think tcp is slower ? 10:39 < LinuxWhore> I have an OpenVPN server on a Comcast business line. When I turn up more than 10-15 connections, random tunnels start dropping and reconnecting. 10:39 < ecrist> yes 10:39 < ecrist> LinuxWhore: what sort of keep-alive do you have? 10:39 < LinuxWhore> keepalive 5 10 10:40 < LinuxWhore> If I drop it down to 1-3, they stay up fine 10:40 < LinuxWhore> Have you heard of this? 10:40 < ChUbB> ecrist: kk cheers guys 10:41 < ecrist> have you tried extending them, like 30 120? 10:41 < ecrist> or 10 120? 10:42 < ecrist> I think that's what I'm using, hang on 10:42 < LinuxWhore> ecrist: I'll check 10:42 < ecrist> yeah, 10 120 is what we're using. 10:51 < plaerzen> hello ovpn 10:56 < LinuxWhore> ecrist: Ok. That seems solid. Wonder why that works fine on our T1 connections but not on Comcast. 10:57 < gleblanc> Any of you folks routing whole networks through a Windows based OpenVPN server? 
I'm having trouble making routing work on mine 10:57 < LinuxWhore> I think we cranked it up to check so frequently, with such a low tolerance for failure so that we'd make sure the connection came back up quickly in case of faiure. 11:35 < ecrist> LinuxWhore: glad I could help. 11:39 < ecrist> gleblanc: no, but I do other funky routing stuff with windows. 11:39 < ecrist> what problems are you running in to? 11:40 < gleblanc> ecrist: So far, I can't successfully communicate between two networks. Let me elaborate a bit 11:41 < gleblanc> I have a main office LAN, with an OpenVPN server on the lan. There is a firewall between the office lan and the internet, and I have a UDP port forwarded to the OpenVPN server 11:42 < gleblanc> the firewall also acts as the default gateway for the office lan 11:43 < gleblanc> There is also a remote office, which I am attempting to connect via OpenVPN. 11:43 < gleblanc> The remote office has bog-simple routing. Default gateway is also the OpenVPN client. 11:43 < gleblanc> On the firewall box at the main office, I've added a static route that sends traffic destined for the remote office to the OpenVPN box 11:45 < gleblanc> I can't seem to connect from PCs on the main office to PCs at the remote office 11:45 < gleblanc> I suspect that the OpenVPN server isn't routing packets through 11:46 < gleblanc> Now, from my recent readings of the sample config files, I see that they mention that the remote network needs to know how to route back to the OpenVPN server 11:47 < gleblanc> but since the OpenVPN client is the default gateway, that part should be OK 11:47 < ecrist> gleblanc: take a look at !route 11:47 < gleblanc> !route 11:47 < vpnHelper> gleblanc: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 11:47 < gleblanc> okey, will do 12:02 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 12:09 < krzee> [12:39] keepalive 5 10 12:09 < krzee> that is soooo small 12:10 < krzee> --keepalive n m 12:10 < 
krzee> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations. 12:10 < krzee> For example, --keepalive 10 60 expands as follows: 12:10 < krzee> 12:10 < krzee> if mode server: 12:10 < krzee> ping 10 12:10 < krzee> ping-restart 120 12:10 < krzee> push "ping 10" 12:10 < krzee> push "ping-restart 60" 12:10 < krzee> else 12:11 < krzee> ping 10 12:11 < krzee> ping-restart 60 12:12 * jeev is sad. 12:12 < jeev> i ran out of space at one wilshire, ptp will only meet me there. 12:12 < krzee> that meant send a ping every 5 seconds, quit if one isnt recieved within 10 seconds 12:12 < krzee> which is far too often / too little time 12:44 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 13:55 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn 13:56 < unixSnob> What format is the auth-user-pass file supposed to be expressed in? 14:12 < stephenh> is the only way to reset a password to revoke the key, delete it, and recreate it with build-key-pass? 14:29 -!- unixSnob [n=jj@starfury.spearlink.com] has quit [Read error: 110 (Connection timed out)] 14:40 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [Read error: 60 (Operation timed out)] 14:40 < gleblanc> ecrist: thanks, I think this is gonna do it 14:40 -!- Dougy [n=doug@174.34.138.158] has joined ##openvpn 14:40 < Dougy> blahhhhhhhhhhh 14:46 < jeev> . 14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:54 < ChUbB> when i play games over openvpn i got my openvpn server in london and i am playing a peer 2 peer game does the data go through the server in lodon or between the vpn clients direct 14:55 < stephenh> how else would it get to the vpn clients? 14:56 < ChUbB> kk.... 
i am new just trying to see if openvpn can out proform hamachi in speed 14:57 < Dougy> jeev 14:58 < Dougy> someone i know killed themself with a train yesterday 14:58 < stephenh> i think better way would be to ping between hamachi IPs and ping between openvpn clients? 14:58 < Dougy> ChUbB: in every respect it should 14:58 < stephenh> is the only way to reset a password to revoke the key, delete it, and recreate it with build-key-pass? 15:00 < jeev> damn 15:00 < jeev> sucks 15:08 < stephenh> ChUbB: doing some reading, openvpn seems to be considerably faster 15:10 -!- thefish [n=thefish@unaffiliated/thefish] has quit [Remote closed the connection] 15:15 < ChUbB> stephenh: kk cheers and Dougy 15:16 -!- Dougy [n=doug@174.34.138.158] has quit [Read error: 54 (Connection reset by peer)] 15:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:07 -!- LinuxWhore [n=muchtall@70-99-118-66.apigroupinc.com] has quit [Read error: 104 (Connection reset by peer)] 16:52 < krzie> <- back 16:52 < krzie> ChUbB: in every respect it should 16:52 < krzie> false 16:53 < krzie> openvpn would outperform for security 16:53 < krzie> not for speed between 2 clients 16:53 < krzie> cause that other app allows peer to peer direct connections 16:53 < krzie> openvpn requires all traffic to pass through the server 17:12 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["IceChat - Its what Cool People use"] 17:15 -!- Cyllene [i=UNtQZrND@unaffiliated/cyllene] has joined ##openvpn 17:15 < Cyllene> Hi. 17:15 < krzie> wey 17:15 < krzie> hey 17:16 < Cyllene> I have eth0 and its alias, eth0:0. 17:16 < Cyllene> Both have public, external IPs 17:17 < Cyllene> Is it possible for me to bridge tap0 and eth0 such that I can use eth0:0's IP "locally" on this machine? 17:17 < Cyllene> The problem is that I connect to openvpn from eth0. 17:17 < Cyllene> So if I try to mess with it, it will cut the connection. 
17:18 < Cyllene> s/from/on 17:18 < krzie> why do you want to bridge? 17:18 < krzie> as opposed to routed 17:19 < Cyllene> Because I don't know how to route it properly. :) 17:20 < krzie> well 17:20 < krzie> !sample 17:20 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 17:20 < krzie> !nat 17:20 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 17:20 < krzie> you just use that ip when you setup your NAT 17:21 < krzie> do you want either side to allow its LAN to communicate through the VPN? 17:22 < Cyllene> Well 17:22 < Cyllene> There is no LAN on the one side. 17:22 < Cyllene> There is only a LAN locally here at this house. 17:22 < krzie> will it access the vpn? 17:23 < krzie> (through the local machine) 17:23 < Cyllene> No. 17:23 < Cyllene> The only thing accessing the VPN tunnel is the machine running the OpenVPN client. 17:23 < krzie> k 17:23 < krzie> then thats all 17:24 < krzie> oh and this: 17:24 < krzie> !def1 17:24 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:24 < Cyllene> hmm 17:24 < Cyllene> Interesting... so def1 will create a route such that you can still communicate with the VPN, but all other connections get routed through tap0. 17:24 < krzie> first of all 17:24 < krzie> you want tun not tap 17:25 < Cyllene> I see. 
17:25 < krzie> well windows uses tap even with routed 17:25 < krzie> so if you use windows, right 17:25 < Cyllene> It's Windows/Debian 17:25 < krzie> secondly... 17:25 < krzie> if you dont want to route * through the vpn, just leave out redirect-gateway all together 17:26 < krzie> but if you do want that, use redirect-gateway def1 17:26 < krzie> so you overwrite the default route in a friendly way that doesnt destroy the existing default route 17:52 -!- NBrepresent [n=perry@bas1-toronto09-1279335439.dsl.bell.ca] has joined ##openvpn 17:52 < NBrepresent> hi, could anyone here help me troubleshoot connecting to my employer's vpn from network-manager-openvpn? 18:00 < krzie> !ubuntu 18:00 < vpnHelper> krzie: "ubuntu" is dont use network manager! 18:02 < NBrepresent> ok, i also installed the openvpn package, and i could try it from the command line instead. 18:02 < NBrepresent> out of curiosity, why not use it? 18:03 < krzie> yes on the commandline 18:03 < krzie> you can even make a shelkl script 18:03 < krzie> shell script 18:03 < krzie> to start it 18:03 < krzie> and you can make that clickable from desktop 18:04 < krzie> why not use it = everyone has problems with it 18:04 < krzie> it sucks 18:04 < NBrepresent> ah, ok 18:04 < krzie> working configs wont work on it quite often 18:04 < NBrepresent> well i have my .crt, .key and ca.crt as well as my username and pass ... and openvpn installed... what next? 18:04 < NBrepresent> the quick start seems to be mostly about setting up a server 18:08 < krzie> read the howto 18:08 < krzie> ~!howto 18:09 < krzie> if you had a specific question ild answer it 18:09 < krzie> !howto 18:09 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 18:09 < krzie> but with a question like "what do i do?" 
you really need to read the openvpn howto 18:17 -!- gleblanc [n=chatzill@216.30.212.117] has quit [Read error: 131 (Connection reset by peer)] 18:19 < NBrepresent> yes, i'm following it now, i'll let you know how i do 18:23 < NBrepresent> would you like to see a paste of my errors? http://paste2.org/p/107059 18:42 < krzie> if you're using 2.1, why 2.1 rc7? 18:42 < krzie> we're on rc15... 18:43 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn 18:47 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 18:47 < kexman> hello 18:47 < kexman> how can i check if openvpn is running or not ? 18:47 < kexman> i need it in a bash if syntax 18:47 < krzie> same way you check if anyhthing is running on your OS 18:47 < kexman> krzie: well i need to know if im connected to a specific vpn 18:47 < krzie> ping it 18:48 < kexman> krzie: right ! what a great idea :) 18:48 < krzie> so without looking for the formatting 18:48 < kexman> but i can ping it when im not running in the vpn :P 18:48 < krzie> if [ping 10.8.0.1] 18:48 < krzie> umm, no 18:48 < kexman> krzie: not good since when im on the lan i have a similiar ip 18:48 < krzie> ping the internal VPN ip 18:48 < kexman> bridged 18:48 < krzie> oh, i hate bridged setups 18:48 < kexman> hehehe :) 18:49 < kexman> well 18:49 < kexman> i needed for some reasons 18:49 < krzie> still, shouldnt the vpn have a diff known ip that you cant ping unless connected...? 18:49 < krzie> (yes, it should) 18:49 < krzie> heheh 18:49 < kexman> the ip of the vpn client ? 18:49 < kexman> the tap ? 18:49 < krzie> depends where the script runs 18:50 < kexman> hehe ? 18:50 < kexman> heh ? 18:50 < kexman> what do you mean ? 18:50 < krzie> if script runs on client, ping the internal ip of the server 18:50 < kexman> ifconfig | grep -i wlan0 -A1 | grep -i "inet addr:192.168.5." 
18:50 < kexman> something like this 18:50 < krzie> thats pretty ugly 18:50 < kexman> hehehe 18:50 < kexman> yeah 18:51 < kexman> but i found out how i can do it :) 18:51 < kexman> thanx 18:51 < krzie> to test if connected ild use ping personally 18:51 < kexman> okay 18:51 < krzie> ok col 18:51 < krzie> cool 18:51 < kexman> thanx 18:51 < krzie> np man 18:51 < krzie> whats the script for id you dont mind my askin 18:51 < kexman> gentoo emerges :) 18:51 < kexman> emerge --sync 18:52 < kexman> should sync from local lan server if can be pinged but only if vpn is not active ... 18:52 < kexman> hey ffs :) i should check for the vpn first :P 18:52 < kexman> duhh 18:52 < kexman> same shit anyway :) 18:52 < kexman> i have this server 18:52 < kexman> ill ping it if it responds then = true :) 18:52 < kexman> if vpn = active i can ping the router :) 18:52 < kexman> since touer = vpn server :) 18:52 < kexman> yeah 18:52 < kexman> as you said :) 18:53 < kexman> ping the internal ip of the server :) 18:55 < krzie> right 18:55 < kexman> aaa 18:55 < kexman> and not ! :) 18:56 < kexman> but ! 18:56 < kexman> i can ping hosts :) 18:56 < Cyllene> hmm 18:56 < Cyllene> krzie: Ok, I have a little problem. 18:56 < kexman> and this host will be active only if i am not outside :) 18:57 < Cyllene> krzie: I am using def1, and when openvpn inserts the routes it overrides the route that I am using to communicate with the openvpn server. 18:57 < krzie> Cyllene, ? 18:57 < kexman> ping is not a good choice for vpn status check :( 18:57 < krzie> kexman ive tested it before for someone 18:57 < kexman> krzie: with this bridged setup its not ! 18:57 < krzie> ping respnds great to being put in an if 18:57 < kexman> krzie: so thus ifconfig | grep -i blahblah :P 18:57 < Cyllene> krzie: So the openvpn client loses connectivity all on its own. 18:57 < krzie> you have your lan setup to BEVER hand out the ip right? 18:57 < krzie> err 18:57 < krzie> NEVER 18:58 < kexman> why not ? 
18:58 < kexman> krzie: what ? never hand out an ip ? 18:58 < krzie> and the vpn server is the only thing that will ever hand it out... 18:58 < kexman> okay 18:58 < kexman> soo ? 18:58 < krzie> the normal dhcp server never should 18:58 < krzie> only the vpn server 18:58 < kexman> okay 18:58 < kexman> so what do you suggest ? 18:58 < kexman> what is the point ? 18:58 < krzie> so there will NEVER be machines on the network that you gave to server-bridge 18:58 < kexman> ping the client ip ? 18:58 < krzie> unless connected via vpn 18:59 < kexman> what should i ping ? 18:59 < krzie> where does the script run? 18:59 < krzie> server or client? 18:59 < kexman> krzie: client 18:59 < kexman> ping the vpn-client-ip ? 18:59 < kexman> its static 18:59 < kexman> i think :P 18:59 < kexman> 111 being the end of it 18:59 < krzie> if it runs on client 18:59 < krzie> then ping the server internal ip 19:00 < kexman> krzie: no good !!!! 19:00 < krzie> why not? 19:00 < kexman> since i dont need to be in the vpn i could be in the real lan (since its bridged) and i can still ping the server 19:00 < kexman> and that is not good 19:00 < krzie> first check if openvpn is running 19:00 < kexman> uff 19:00 < kexman> how ? 19:01 < kexman> ps aux | grep -i openvpn ? 19:01 < kexman> still using grep :) 19:01 < krzie> ps auxw|grep openvpn 19:01 < kexman> ill ping the client-vpn ip! 19:01 < krzie> whats wrong with grep? 19:01 < kexman> isnt that good ? 19:01 < kexman> i will get that ip only when connected to the vpn 19:01 < kexman> right ? 19:01 < krzie> ya 19:01 < krzie> good point 19:01 < kexman> krzie: i dont know ... i recommended it before combined with ifconfig :) 19:01 < kexman> and you didnt really seemed to like it :) 19:01 < krzie> that should work fine, although it could have the ip while not actually connected i think 19:02 < krzie> if it was connected and is retrying 19:02 < kexman> how is that ? 19:02 < kexman> aha 19:02 < Cyllene> krzie: Any idea on what may be wrong? 
19:02 < krzie> i doubt it drops the ip while retrying 19:02 < kexman> uhumm 19:02 < kexman> okay 19:02 < kexman> so you say check if openvpn is running then check if server is pingable :) 19:02 < kexman> right ? 19:02 < krzie> and if im right about that, then the ifconfig thing you said would have the same problem 19:02 < krzie> yes 19:02 < krzie> exactly 19:05 < Cyllene> hmm 19:05 < Cyllene> krzie: What do you think is wrong? 19:05 < kexman> need to add a [] to the grep 19:05 < kexman> ps aux | grep -i [o]penvpn 19:06 < kexman> since otherwise it will find the grep :P 19:06 < krzie> oh i nvr knew that trick 19:06 < krzie> i always grep -v grep 19:06 < kexman> well i just remembered it :) 19:06 < kexman> i saw it somewhere else 19:06 < kexman> but damn 19:07 < kexman> it was loooong time ago :) 19:07 < kexman> im happy that i remembered it 19:07 < krzie> Cyllene, sorry... whats wrong? 19:07 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"] 19:09 < Cyllene> krzie: I am doing the def1 thing, but after the connection is established the routes are configured badly, which causes the connection to be dropped to the ovpn server. 19:09 < krzie> !logs 19:09 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 19:09 < Cyllene> So it goes into an endless loop. 19:09 < Cyllene> krzie: Do you want logs from the server, client, or both? 19:09 < krzie> it says both 19:11 < kexman> krzie: [o] regexp :) 19:11 < NBrepresent> krzie: re: using 2.1_rc7, i guess it's just what was in the ubuntu repo? i just used synaptic to install openvpn and that's what i got. 19:11 < kexman> [o]penvpn becomes openvpn ... i mean you search for that ... 
but ps aux would show your grep as [o]penvpn 19:11 < kexman> coool 19:11 < krzie> ahhhhhhh 19:11 < krzie> makes sense 19:11 < krzie> nice tip 19:13 < kexman> krzie: better ;) 19:13 < kexman> pgrep openvpn :P 19:13 < NBrepresent> krzie: here's a newer paste of what's going on - http://paste2.org/p/107073 19:14 < krzie> !logs 19:14 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 19:14 < krzie> i said BOTH with verb set to 6 19:14 < krzie> you gave me client with verb set to give me no info 19:15 < krzie> i cant help you unless you give what i said i needed 19:15 < NBrepresent> sorry, i must have missed that (i've been on and off the comp) . i will set verb to 6 but i have no access to the server logs 19:15 < krzie> how so? 19:16 < krzie> you dont run the server? 19:16 < NBrepresent> i mean my workplace runs the server, and i'm a client... isn't that how it works? 19:16 < krzie> so they setup openvpn and left you to figure out your end on your own? 19:16 < NBrepresent> no, i'd like to connect to my company's vpn from home . i have the crt, key and ca file, as well as password 19:16 < NBrepresent> well, they only provide windows support 19:17 < krzie> if its tun its the EXACT same thing with like 2 differences 19:17 < NBrepresent> exact same as what? 19:18 < krzie> as a windows config 19:18 < krzie> but ok, do this 19:18 < krzie> !configs 19:18 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 
19:18 < krzie> !logs 19:18 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 19:18 < krzie> ill take just client 19:19 < NBrepresent> k 19:19 < krzie> and we'll hope everything i need is there 19:20 < NBrepresent> client config: http://paste2.org/p/107078 19:22 < Cyllene> hmm 19:22 < Cyllene> krzie: Well the problem somehow magically fixed itself, but I can not contact the "outside" world. 19:22 < Cyllene> I have added the correct iptables rule for NAT. 19:23 < krzie> Cyllene, you need NAT 19:23 < Cyllene> ^ 19:23 < krzie> well your NAT isnt right 19:23 < Cyllene> MASQUERADE 0 -- 7.3.0.0/24 anywhere 19:23 < krzie> cause if you can reach the vpn server but not the inet through it when using redirect-gateway, problem is NAT 19:23 < krzie> 7.3.0.0??? 19:23 < Cyllene> yup 19:23 < krzie> thats not even a 1918 ip 19:24 < krzie> that is inet routable 19:24 < krzie> !1918 19:24 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 19:24 < NBrepresent> krzie: " openvpn --verb 6 /usr/share/doc/openvpn/examples/sample-config-files/client.conf" gives "Options error: You must define TUN/TAP device (--dev)" 19:24 < Cyllene> :| 19:24 < Cyllene> ok 19:24 < ecrist> evening, folks 19:25 < krzie> NBrepresent, your client config file in in /usr/share/doc/openvpn/examples/sample-config-files/ ??? 19:25 < krzie> looks like you're trying to run a sample file to me... 19:25 < Cyllene> MASQUERADE 0 -- 10.3.0.0/24 anywhere 19:25 < Cyllene> I am sure that looks better. 19:26 < NBrepresent> krzie: that's right, the quick start suggested starting with those files 19:26 < krzie> hey ecrist 19:26 < krzie> well heres a tip for the future 19:26 < krzie> never overwrite the sample files of ANY app 19:26 < krzie> copy them somewhere else and edit the copy 19:26 < krzie> and what quickstart? 
19:26 < NBrepresent> the howto, quickstart thing 19:26 < krzie> in !howto? 19:26 < NBrepresent> yes 19:27 < krzie> ok 19:27 < NBrepresent> http://openvpn.net/index.php/documentation/howto.html#config 19:27 < krzie> just change the verb in that file 19:27 < vpnHelper> Title: HOWTO (at openvpn.net) 19:27 < krzie> instead of using it on cmd 19:27 < NBrepresent> k, changed there 19:27 < krzie> and to specify config 19:27 < krzie> you need --config 19:28 < NBrepresent> ok 19:28 < krzie> so openvpn --config /path/to/config 19:28 < Cyllene> ok 19:28 < krzie> and i was wrong earlier, i had asked Cyllene for !logs, not you 19:28 < Cyllene> krzie: I changed it to 10.3.0.0/24 and I have the same issue. 19:28 < krzie> got confused, sorry bout that ;] 19:29 < krzie> Cyllene 19:29 < krzie> !configs 19:29 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 19:29 < krzie> !logs 19:29 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 19:29 < krzie> both of those 19:30 < krzie> NBrepresent, inform your company that they should be using udp instead of tcp 19:30 < krzie> give them this document 19:30 < krzie> !tcp 19:30 < NBrepresent> krzie: connection timed out : http://paste2.org/p/107079 19:30 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 19:30 < krzie> NBrepresent, tell them the link to that is in the openvpn manual 19:30 < NBrepresent> they could actually be using udp... 19:30 -!- Luria [n=trashed@pool-151-202-77-13.ny325.east.verizon.net] has quit [Read error: 110 (Connection timed out)] 19:30 < krzie> didnt they give you the config file??? 
19:30 < NBrepresent> the .crt, yes 19:30 < krzie> thats the cert, not the config 19:30 < NBrepresent> is it in there whether to use tcp or udp 19:31 < krzie> if they run the server and didnt give you the config, you're screwed 19:31 < krzie> you cant just guess what they are using... 19:31 < krzie> theres all sorts of shit they could have changed from default 19:31 < NBrepresent> i see 19:32 < NBrepresent> what is in this config? i mean what specifically do i still need to ask for in order for this to work? 19:32 < krzie> and your error just shows you cant connect, which is cause you dunno what to connect to 19:32 < krzie> ip, port, tcp or udp, if they changed ciphers, etc etc 19:32 < krzie> get a win config, it'll be same 19:33 < krzie> you said they support windows setups 19:33 < krzie> if you can get a windows config, you literally change like 1 thing 19:34 < krzie> (the paths) 19:34 < krzie> and possibly a couple things that are windows specific to fix windows lameness 19:34 < Cyllene> krzie: Is it OK if I PM you the URL to the logs and config files? 19:34 < krzie> but if you show me the win config i can tell you in like 10sec anything you gotta change 19:34 < krzie> thats fine Cyllene 19:34 < krzie> and thanx for asking 19:34 < Cyllene> Yup 19:36 < krzie> any reason you wanna use tcp Cyllene ? 19:36 < krzie> for example, nazi work firewall that wont allow udp? 19:36 < krzie> (which is really like the only reason to use tcp) 19:36 < krzie> here is why not to: 19:36 < krzie> !tcp 19:36 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 19:37 < krzie> Cyllene, you likely want mode server and proto udp 19:37 < Cyllene> Ok 19:37 < Cyllene> Isn't mode server implied? 19:37 < krzie> implied by what? 19:37 < Cyllene> tls-server 19:38 < krzie> where do you see tls-server in your server config? 
19:38 < NBrepresent> krzie: thanks for your help, i just emailed the tech support at my work 19:38 < krzie> but you're right, it should be implied by --server 10.3.0.0 19:38 < NBrepresent> maybe i'll catch you on here again when i've got the config 19:38 < krzie> NBrepresent no problem 19:38 < Cyllene> Whoops 19:38 < Cyllene> You are right 19:38 < krzie> ya im here a lot 19:38 < NBrepresent> later! 19:39 -!- NBrepresent [n=perry@bas1-toronto09-1279335439.dsl.bell.ca] has left ##openvpn [] 19:39 < Cyllene> I have tls-client in the other config file. 19:39 < Cyllene> So I incorrectly assumed I put that in there too. 19:39 < krzie> !sample 19:39 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:39 < Cyllene> Ok 19:39 < Cyllene> proto tcp-server 19:39 < Cyllene> That's what I was thinking of. 19:40 < krzie> 1sec 19:40 < krzie> !man 19:40 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 19:40 < krzie> also, if you wanna use 2.1 you should prolly compile from source and use rc15 19:40 < krzie> instead of the outdated ubuntu version 19:40 < Cyllene> I am using 2.0.9 19:40 < krzie> oh my bad 19:40 < krzie> thats fine then 19:41 < krzie> got confused again, that was nb 19:41 < Cyllene> Actually... 19:41 < Cyllene> 2.0.9 on the windows box 19:41 < Cyllene> 2.0.9 on the server 19:41 < Cyllene> bah 19:41 < krzie> cool 19:41 < Cyllene> OpenVPN 2.1_rc7 on the server 19:41 < krzie> nothin wrong with that 19:41 < krzie> oh 19:41 < Cyllene> Sorry, tired. 19:41 < krzie> then i wasnt mistaken 19:41 < krzie> if staying with 2.1 goto rc15 19:41 < Cyllene> ok 19:42 < kexman> OpenVPN 2.0.9 mipsel-linux [SSL] [LZO] built on Jul 22 2008 19:42 < krzie> or go down to 2.0.9 there too 19:42 < kexman> is this outdated ?
19:42 < krzie> nah 2.0.9 is fine 19:42 < krzie> 2.1 is still beta (although its fine too) 19:42 < kexman> will wait till it goes stable 19:42 < Cyllene> krzie: I will be upgrading both now. 19:42 < kexman> i use that on the server 19:43 < kexman> and have 2.0.7 on my client :P 19:43 < krzie> cool, 2.0.9 is perfect unless you need a feature from 2.1 19:43 < krzie> ouch, upgrade much? 19:43 < krzie> lol 19:43 < krzie> thats like 2006 19:43 < kexman> what 2.0.7 ? :) 19:44 < kexman> 2.0.7-r2 19:44 < kexman> gentoo 19:44 < ecrist> krzie: website been any faster for you? 19:44 < krzie> lemme check 19:44 < krzie> !route 19:44 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:45 < Cyllene> Building now. 19:46 < Cyllene> krzie: In the meantime, is there anything else you see that would be an issue? I have changed the configuration to include mode and proto udp. 19:48 < krzie> ecrist, hard to tell from my slow ass 3rd world inet, wanna gimme that link and ill fetch from 100mbit server? 19:49 < krzie> you dont need tls-client on the client config 19:49 < krzie> cause it knows based on tls-auth getting 1 19:50 < krzie> you dont need pull cause it is implied by mode client 19:50 < Cyllene> ok 19:50 < krzie> lemme look at my configs real quick 19:50 < krzie> !sample 19:50 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:50 < Cyllene> Both machines have rc15. 19:51 < krzie> ok i was wrong, neither needs mode 19:51 < krzie> the server statement handles it for the server 19:51 < krzie> in the client, just put the word client on its own line 19:51 < krzie> you can remove pull cause client implies it 19:51 < krzie> tls-client goes 19:52 < krzie> otherwise it looks good 19:52 < Cyllene> ok 19:52 < krzie> dont forget to put client to udp as well 19:52 < Cyllene> Should I reboot after upgrading to rc15?
19:52 < krzie> then try again, and gimme new logs 19:52 < krzie> no 19:52 < Cyllene> (Windows) 19:52 < Cyllene> ok 19:52 < krzie> err maybe 19:52 < Cyllene> heh, ok 19:52 < krzie> windows needs a reboot after creating a new text file 19:52 < Cyllene> haha 19:52 < krzie> so who knows ;] 19:52 < Cyllene> Ok, I shall return 19:52 < ecrist> sure, let me find that link again. 19:52 < krzie> i havnt used win in awhile so im not 100% 19:53 < krzie> cool, ill be here 19:53 < ecrist> http://www.secure-computing.net/files/vmcore.0.bin 19:53 < ecrist> krzie: I forgot, I've not switched the default route yet, let me do that now 19:54 < krzie> ok, say when 19:54 < ecrist> ok, route switched 19:54 < Cyllene> ok 19:55 < krzie> 350kB/s and climbing 19:55 < krzie> err, not climbing i guess 19:56 < krzie> around 350 steady 19:56 < krzie> 300 steady now 19:56 < ecrist> 1.92Mb/s according to iftop on my firewall. 19:56 < ecrist> that's while I'm doing a 1.44GB download from adobe. ;) 19:56 < krzie> that sounds about right 19:56 < krzie> 1.5 is about 190-200 19:57 < krzie> so 1.9 should be around that 19:57 < ecrist> sweet 19:57 < ecrist> ok, I'm satisfied. 19:57 < krzie> thats much faster than before 19:57 < ecrist> I just moved my mail server over. 19:57 < krzie> and plenty fast for web files 19:57 < krzie> especially cross country 19:57 < krzie> that was san diego 19:57 < Cyllene> krzie: On the client I need tls-client and pull 19:57 < ecrist> oh yeah. I also added gzip compression to the webserver, which I missed, apparently, when I built it about 5 months ago 19:58 < krzie> Cyllene why do you say that? 19:58 < Cyllene> krzie: openvpn will error-out if I don't have tls-client (with "ca") and it also errors out when I don't have ifconfig 19:58 < krzie> Cyllene you need client, remove pull and tls-client 19:58 < Cyllene> Oh, ok 19:58 < krzie> tls-auth key 1 tells it it is tls-client 19:59 < ecrist> krzie: I'm ready for you to send that server down any time, btw.
oh, and I've got IPv6 support, via a tunnel from HE. 19:59 < krzie> and client tells it is going to pull 19:59 < ecrist> since comcrap isn't doing it yet. 19:59 < krzie> ahh nice 19:59 < krzie> ya im ready too 19:59 < krzie> im checking who i know in orlando 19:59 < krzie> to go confiscate my servers 19:59 < ecrist> I've been doing 6 for over a year now. 19:59 < Cyllene> krzie: Client config is done. Anything on the server config? 19:59 < ecrist> and godaddy finally supports v6 name servers for whois, so I'm building that now. 20:00 < krzie> cause the useless guy who has them is too lazy to send them 20:00 < krzie> he said they were sent a month ago 20:00 < ecrist> lol 20:00 < krzie> ya, hes lucky im not going out there myself 20:00 < krzie> he always jerks me around 20:00 < krzie> Cyllene, only what i told you earlier 20:01 < Cyllene> ok 20:01 < Cyllene> Generating logs now 20:02 < krzie> cool 20:02 < krzie> same link will work fine 20:02 < krzie> might as well update the config files too 20:04 < Cyllene> krzie: Refresh 20:04 < krzie> haha nice name for the client ;] 20:04 < Cyllene> haha, yeah ;) 20:05 < krzie> ahh ya mode server is optional after all 20:06 < krzie> cause its implied by --server network netmask 20:06 < krzie> but that doesnt hurt anything 20:06 < krzie> only gunna have 1 client? 20:06 < Cyllene> For now, yes. 20:07 < Cyllene> But I want to be able to scale it eventually. 20:07 < krzie> then use 255.255.255.0 in srver statement 20:07 < krzie> server statement that is 20:07 < Cyllene> ok 20:07 < Cyllene> But is that why it is not working? 20:08 < krzie> im getting to logs now 20:08 < krzie> and doing other stuff while im talkin to ya too ;] 20:08 < krzie> brb gunna look after bathroom 20:11 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Connection timed out] 20:18 < krzie> Cyllene, is there still a problem?
20:18 < krzie> looks like its working 20:18 < krzie> i see it add the routes, everything looks nice 20:19 < krzie> then it looks like you kill it 20:19 < krzie> and it removes the routes good too 20:19 < krzie> looks perfect to me... 20:19 < krzie> am i missing something? 20:21 < krzie> another thing you may want 20:21 < krzie> !mitm 20:21 < vpnHelper> krzie: "mitm" is stop Man-in-the-Middle attacks by signing the server cert specially. http://openvpn.net/index.php/documentation/howto.html#mitm 20:22 < krzie> of course that requires remaking the server cert 20:44 < krzie> cyllene, still alive? 21:00 < Cyllene> yup 21:00 < Cyllene> Still not working :( 21:00 < krzie> it looks like it is 21:00 < krzie> the windows client, windows firewall is disabled? 21:01 < krzie> at least for the tap adapter... 21:03 < ecrist> I'm off to bed. l8r all 21:03 < krzie> wow thats early for you eric 21:03 < krzie> gnite 21:03 < krzie> tell mrs crist we said hi ;] 21:03 < ecrist> krzie: not *actually* going to bed, just getting off the damn 'puter 21:04 < krzie> haha gotchya 21:04 < ecrist> need some poon and more jaeger/red bull. 21:04 < ecrist> ;) 21:04 < krzie> one of those gives you wings 21:04 < ecrist> most of Dougy's ovpn stuff is converted, gotta fix an error in phpbb3 tomorrow. 21:04 < krzie> and since shes preg im going with the redbull 21:05 < krzie> oh cool, i didnt know that you guys figured that out 21:05 < ecrist> hehe. tell you what, nothing's hotter than the woman carrying your baby. 21:05 < krzie> last i knew he was trying to find a decent converter 21:05 < krzie> ecrist, i wouldnt know yet but i can imagine thats very true 21:05 < krzie> i was making a pretty weak redwings joke 21:05 < ecrist> krzie: I contributed some small code fixes and such to phpbb code base a couple years ago, they sent me a free teddy bear wearing a hoodie with the phpbb logo on it. 21:06 < ecrist> yeah, I figured.
21:06 < krzie> hahahah a phpbbear 21:06 < ecrist> don't think I even got a by-line for the code I submitted, but I really don't care. glad to take part 21:07 < ecrist> I've been using phpBB for about 8 years, off and on 21:07 < ecrist> well, going to pay the wife some attention. see you tomorrow. 21:07 < krzie> they have had so many bugs and fixes giving all a byline would prolly double the real code 21:07 < krzie> later 21:13 < krzie> Cyllene 21:13 < krzie> can server ping 10.3.0.6? 21:13 < krzie> can client ping 10.3.0.1? 21:41 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 21:46 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 21:47 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 21:52 -!- Bejgli [i=bejgli@CubeClub.hu] has joined ##openvpn 21:52 < Bejgli> hi 21:52 < Bejgli> could someone help me set the default route in openvpn? 21:52 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 21:53 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 21:58 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 21:58 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:00 < Bejgli> never mind, found it 22:00 < Bejgli> bye 22:00 -!- Bejgli [i=bejgli@CubeClub.hu] has left ##openvpn [] 22:04 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 22:04 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:10 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 54 (Connection reset by peer)] 22:10 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:16 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 22:16 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:17 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 22:22 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 54 (Connection reset by peer)] 22:22 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:23 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit [] 22:26 -!- tjz [n=jz@bb116-14-181-56.singnet.com.sg] has joined ##openvpn 22:26 < tjz> hey guys!! 22:26 < tjz> New guy here 22:26 < tjz> %_% 22:27 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 54 (Connection reset by peer)] 22:28 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:33 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 54 (Connection reset by peer)] 22:33 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:39 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Connection reset by peer] 22:39 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:45 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 22:45 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:51 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 22:51 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 22:57 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 22:57 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 23:02 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Connection reset by peer] 23:03 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 23:08 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 23:08 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 23:14 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 23:14 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 23:20 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 23:20 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 23:22 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn 23:22 < error404notfound> ecrist: I would need to do just CA to create a new certificate for client using your script, right? 23:26 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 23:26 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 23:31 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 23:32 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 23:37 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 23:38 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 23:40 < krzee> ya 23:44 < krzee> although i would use the ca you made there, and make the server cert separate 23:45 < krzee> because it needs to be signed as a server 23:45 < krzee> i need to ask ecrist if it does that, forgot to mention that to him 23:45 < krzee> cause it seems theres no special make server item in his menu 23:45 < krzee> just do this 23:45 < krzee> openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf 23:45 < krzee> openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf 23:45 < krzee> chmod 0600 server.key 23:47 < krzee> !learn servercert as openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key 23:47 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 23:47 < krzee> !learn servercert as openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key 23:47 < vpnHelper> krzee: Joo got it.
23:48 < krzee> !learn servercert as this will help with !mtim 23:48 < vpnHelper> krzee: Joo got it. 23:48 < krzee> !servercert 23:48 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mtim 23:49 < krzee> !mitm 23:49 < vpnHelper> krzee: "mitm" is stop Man-in-the-Middle attacks by signing the server cert specially. http://openvpn.net/index.php/documentation/howto.html#mitm 23:52 < krzee> !learn mitm as use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 23:52 < vpnHelper> krzee: Joo got it. 23:52 < krzee> !mitm 23:52 < vpnHelper> krzee: "mitm" is (#1) stop Man-in-the-Middle attacks by signing the server cert specially. http://openvpn.net/index.php/documentation/howto.html#mitm, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 23:53 < krzee> damn, some clients will include that ',' now 23:53 < krzee> !forget mitm * 23:53 < vpnHelper> krzee: Joo got it. 23:54 < krzee> !learn mitm as http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially 23:54 < vpnHelper> krzee: Joo got it. 23:54 < krzee> !learn mitm as use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 23:54 < vpnHelper> krzee: Joo got it. 
23:54 < krzee> sorry for all that noise --- Day changed Wed Nov 26 2008 00:02 < krzee> !winroute 00:02 < vpnHelper> krzee: "winroute" is in windows if the route cannot be added, try route-method exe in your config file 00:06 < krzee> !learn winroute as many users also report it helps to add --route-delay to give the interface extra time to get up 00:06 < vpnHelper> krzee: Joo got it. 00:06 < krzee> !forget winroute 2 00:06 < vpnHelper> krzee: Joo got it. 00:07 < krzee> !learn winroute as many users also report it helps to add route-delay to give the interface extra time to get up 00:07 < vpnHelper> krzee: Joo got it. 00:07 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Connection timed out] 00:13 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 00:27 < tjz> hmm 00:27 < tjz> krzee, can you try out my vpn 00:27 < tjz> see whether you can connect to it 00:28 < krzee> you dont have another computer? 00:28 < tjz> don't have... 00:29 < tjz> i have the .ca,.opvn file 00:29 < krzee> im willing to look over the configs and logs and help you with them 00:29 < tjz> ok 00:30 < tjz> this is the log: 00:30 < tjz> on my computer 00:30 < tjz> ............................................................................... 00:30 < krzee> pastebin 00:30 < krzee> please 00:30 < tjz> Wed Nov 26 14:30:01 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006 00:30 < tjz> Wed Nov 26 14:30:01 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. 
00:30 < tjz> Wed Nov 26 14:30:01 2008 LZO compression initialized 00:30 < tjz> Wed Nov 26 14:30:01 2008 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] 00:30 < krzee> !logs 00:30 < tjz> Wed Nov 26 14:30:01 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] 00:30 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:30 < krzee> !configs 00:30 < tjz> Wed Nov 26 14:30:01 2008 Local Options hash (VER=V4): '41690919' 00:30 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 00:30 < tjz> Wed Nov 26 14:30:01 2008 Expected Remote Options hash (VER=V4): '530fdded' 00:30 < tjz> Wed Nov 26 14:30:01 2008 UDPv4 link local (bound): [undef]:1194 00:30 < tjz> Wed Nov 26 14:30:01 2008 UDPv4 link remote: 64.27.56.14:1194 00:30 < krzee> stop! 00:30 < krzee> hehe 00:30 < tjz> what are u doing 00:30 < krzee> !logs 00:30 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:30 < tjz> that's it 00:30 < krzee> !pastebin 00:31 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 00:31 < krzee> thats it cause you have verb set to 3 00:31 < tjz> what should i set to... 00:31 < tjz> in my .opvn 00:32 < krzee> verb 6 00:32 < tjz> ok 00:32 < tjz> let me try 00:32 < krzee> then use pastebin.ca to show me 00:32 < tjz> what should i type? 00:32 < tjz> !pastebin 00:32 < vpnHelper> tjz: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 00:33 < tjz> ok 00:34 < tjz> http://www.pastebin.ca/1267326 00:34 < tjz> still at 'waiting' 00:36 < tjz> does it look good? 00:37 < krzee> windows firewall on?
00:37 < tjz> no 00:37 < tjz> i use sygate personal firewall 00:37 < krzee> turn it off for testing 00:38 < krzee> if thats it, find a way to just turn it off for your tap adapter 00:38 < tjz> ok 00:38 < tjz> i have shut down my firewall 00:39 < krzee> now stop it 00:39 < krzee> and restart openvpn 00:39 < tjz> ok 00:40 < tjz> same thing.. 00:40 < tjz> do you want to access my vps 00:40 < tjz> or 00:40 < krzee> and you're sure the windows firewall was turned off too? 00:40 < tjz> yes.. 00:41 < krzee> show me the logs from the vps 00:41 < krzee> and the config 00:41 < krzee> both in pastebin 00:41 < tjz> ok, give me a sec 00:41 < tjz> server log: 00:41 < tjz> http://www.pastebin.ca/1267327 00:42 < krzee> how come verb isnt 6? 00:43 < tjz> let me set the server vpn to verb 6 00:43 < tjz> still the same 00:44 < tjz> getting this on my computer openvpn: Wed Nov 26 14:43:51 2008 us=293815 UDPv4 WRITE [14] to 64.27.56.14:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0 00:44 < krzee> verb 6 changes logging verbosity 00:44 < krzee> i only want to see logs at verb 6 00:44 < krzee> pastebin the whole thing 00:44 < tjz> on server log: Tue Nov 25 22:44:24 2008 us=251024 116.14.181.56:1194 UDPv4 WRITE [14] to 116.14.181.56:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0 00:44 < krzee> like i said way back when i said 00:44 < krzee> !logs 00:44 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:45 < tjz> ok 00:48 < tjz> Server log: http://www.pastebin.ca/1267336 ; Client log: http://www.pastebin.ca/1267338 00:50 < tjz> this is server config (server.conf) : http://64.27.56.14/server.conf 00:50 -!- mRCUTEO [n=irclunat@64.235.47.232] has joined ##openvpn 00:50 < mRCUTEO> hiya all 00:50 < tjz> yooooooooo 00:50 < mRCUTEO> whats up :) 00:50 < mRCUTEO> y0 tjz 00:51 < tjz> i am new here :) 00:51 < tjz> ^_^ 00:51 < mRCUTEO> anyone know any budget dedicated server that allows Openvpn to be hosted ? 00:51 < tjz> of course with a problem 00:51 < mRCUTEO> welcome to the club tjz 00:51 < mRCUTEO> "_ 00:51 < tjz> what is your budget? 00:51 < mRCUTEO> $50-$80 00:51 < tjz> plain centos 5 server? 00:51 < tjz> low-end server? 00:51 < mRCUTEO> yerp u should do 00:51 < mRCUTEO> yes 00:52 < mRCUTEO> 1-5 mbps bandwidth 00:52 < tjz> let me see.. 00:52 < mRCUTEO> good peering to west USA 00:52 < mRCUTEO> okie dokie :) 00:52 < krzee> tjz 00:52 * mRCUTEO location Nevada, texas 00:53 < krzee> i want your config with no comments 00:53 < krzee> !configs 00:53 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 00:53 < mRCUTEO> compared to 2.0.9 openVPN 2.1 version is outstanding :D 00:54 < mRCUTEO> speed tremendously increased with this new version :) 00:54 < krzee> its a vps, just use grep -vE '^#' server.conf 00:54 < krzee> mRCUTEO, nice to hear 00:54 < krzee> got any numbers for that? 00:54 < tjz> cool 00:54 < tjz> wtf ? 2.1 is out??? 00:54 < mRCUTEO> yes 00:54 < tjz> omg 00:54 < mRCUTEO> its on the website 00:54 < krzee> like what it tested at in 2.0.9 and 2.1, as compared to xfers between same boxes with no vpn 00:55 < krzee> 2.1 is beta branch 00:55 < krzee> but its known to be stable 00:55 < tjz> jeff, server conf without comment: http://www.pastebin.ca/1267345 00:55 * mRCUTEO testing with VMWARE / VIRTUALBOX / OPENVZ / XEN 00:55 < tjz> ya.. i go with stable 00:55 * mRCUTEO ALL LAWLES 00:55 * mRCUTEO ALL FLAWLESS 00:55 < krzee> ya 00:55 < mRCUTEO> superb 00:55 < mRCUTEO> with no problem at all 00:55 < mRCUTEO> :) 00:55 < krzee> ive used 2.1 on fbsd and osx 00:55 < krzee> and gentoo 00:56 < krzee> worked nice 00:56 < mRCUTEO> openvpn has proved it can be run both in a virtual kernel or a real kernel :D 00:56 < mRCUTEO> gotta try bsd someday :() 00:56 < mRCUTEO> :D 00:56 < mRCUTEO> compared to pptp (poptop and windows VPN), flexibility is an advantage for openvpn 00:57 < mRCUTEO> you can config almost anything to make it fit your network needs 00:57 < mRCUTEO> bridge, nat etc :D 00:57 * mRCUTEO fall in love with openVPN 00:57 < mRCUTEO> haha 00:58 < tjz> u got it 00:59 < krzee> hehe 00:59 < tjz> i like openvpn too 00:59 < krzee> ya me too mRCUTEO 00:59 < tjz> ^_^ 00:59 * tjz kiss openvpn 00:59 < tjz> lol 01:00 < mRCUTEO> krzee: what is the meaing of bypass dhcp here? __> push "redirect-gateway def1 bypass-dhcp" 01:00 < mRCUTEO> *meaning 01:01 < mRCUTEO> previous 2.0.9 only option available is redirect-gateway def1 01:01 < mRCUTEO> whats the meaning of bypass-dhcp? 01:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Nick collision from services.] 01:03 < tjz> rip.. 01:04 < mRCUTEO> lol.. 01:04 < tjz> lolz 01:04 < mRCUTEO> i wonder whats the meaning of bypass-dhcp .. 01:04 < mRCUTEO> hmm 01:04 < ropetin> mRCUTEO: Guess would be 'don't get DHCP address'? 01:04 < mRCUTEO> oh 01:04 < ropetin> Use static instead? 01:04 < mRCUTEO> ic 01:04 < mRCUTEO> understood 01:04 < mRCUTEO> :) 01:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:06 < mRCUTEO> is it possible to connect 2 clients concurrently at the same machine to 1 openvpn server? 01:06 < ropetin> Yes, with two different config files 01:06 < mRCUTEO> and 2 taps? 01:06 < ropetin> But the question would be, why? 01:06 < tjz> wb, jeff!
01:06 < ropetin> Yup 01:07 < mRCUTEO> okiedokie 01:07 < krzee> thx 01:07 < mRCUTEO> now the question is which one the packets will use to send and receive if we have 2 clients connected at the same time? 01:07 < krzee> [03:00] krzee: what is the meaing of bypass dhcp here? __> push "redirect-gateway def1 bypass-dhcp" 01:07 < krzee> !man 01:07 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 01:07 < ropetin> Is there a specific reason you'd need to have multiple connections to the same server? 01:08 < krzee> you should be asking the manual under --redirect-gateway 01:08 < krzee> mRCUTEO, you mean 2 clients on 2 diff machines? 01:08 < mRCUTEO> ropetin im thinking of assigning 2 different ip (through port forwarding) from the openvpn to my server 01:08 < tjz> jeff, server conf without comment: http://www.pastebin.ca/1267345 01:08 < tjz> ^_^ 01:08 < mRCUTEO> ropetin im thinking of assigning 2 different ip (through port forwarding) from the openvpn to my *client 01:09 < ropetin> I'm new at this VPN thing, so please forgive my confusion, but what problem is that trying to solve? 01:09 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Connection timed out] 01:09 < mRCUTEO> for example i will use ip 218.208.11.2 (for http forwarding to my client) and ip 218.208.11.3 (for ftp port forwarding) any idea? 01:10 < ropetin> Different IPs for different services? Weird :) 01:11 < mRCUTEO> ya through port forwarding 01:11 < mRCUTEO> i use my openvpn static ip to port forward to my PC at home so i can create my own http server 01:11 < mRCUTEO> my pc at home is dynamic .. 01:12 < mRCUTEO> so by default openvpn will only allow 1 connection to an IP.. so is there a way i can get 2 or more IPs to my client :P 01:12 < krzee> route 192.168.40.128 255.255.255.248 01:12 < ropetin> So you use a static IP on another system, openVPN it through to your home PC on whatever IP it currently has? 01:12 < krzee> tjz, why do you have that there? 01:13 < mRCUTEO> yes 01:13 < ropetin> I'd still argue that there is no need to have two IPs for two services. That's what ports are for 01:13 < mRCUTEO> correct ropetin 01:13 < ropetin> mRCUTEO: And it still hurts my brain to think that's even needed or a good idea 01:13 < tjz> jeff, what do you mean? 01:13 < ropetin> Are you using IP or a domain name for the static IP 01:13 < ropetin> ? 01:14 < krzee> route 192.168.40.128 255.255.255.248 01:14 < mRCUTEO> im using IP ropetin 01:14 < tjz> hmm 01:14 < tjz> i followed a guide 01:14 < tjz> hehe 01:14 < krzee> you are telling your routing table to send the exact network from the sample config through the vpn 01:14 < krzee> !route 01:14 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:14 < tjz> roger that 01:14 < krzee> that will help you understand route, iroute, ccd 01:15 < krzee> you probably dont have the right entry for route 192.168.40.128 255.255.255.248 01:15 < mRCUTEO> im sure you can do a lot of things if you can really have more than 1 IP assigned to your OPENVPN, from there you can create another http server on a different address...something we call virtual openvpn lol :P 01:15 < krzee> that was an example in the openvpn sample config 01:15 < ropetin> mRCUTEO: I'll stop laboring this point in a second, but why? :) It would be easier to use some kind of dynamic DNS service to set a static domain name to the dynamic IP. Worst case you'll have downtime for a few minutes when the IP changes 01:15 < tjz> jeff, you are right.. 01:15 < tjz> let me check again 01:16 < mRCUTEO> ropetin: but im running email and IRC servers too..
01:16 < mRCUTEO> :) 01:16 < mRCUTEO> i prefer static IP :) 01:16 < ropetin> Good point mRCUTEO, that's a valid reason 01:16 < krzee> yes you can have 1 machine connect 2x 01:16 < krzee> and a valid reason would be this: 01:16 < krzee> 1 with traffic shaping for backups 01:16 < krzee> 1 with higher qos for lan usage 01:17 < ropetin> Fair enough :) 01:17 < krzee> but you need to have each use its own network 01:17 < mRCUTEO> yerp :D 01:17 * ropetin goes back to sleep again 01:17 < krzee> internally 01:17 < krzee> and only 1 can share the lan behind it 01:17 < krzee> (via iroute) 01:17 < tjz> if i comment the line "route 192.168.40.128 255.255.255.248" ... will it help? 01:17 < krzee> nite ropetin 01:17 < krzee> no tjz 01:18 < krzee> your problem seems to be a firewall 01:18 < tjz> hmm 01:19 < tjz> i have tested with my computer's firewall turned off.. 01:19 < krzee> did you send me the complete logs? 01:19 < tjz> i am not sure if "192.168.40.128" is the correct IP i should put in server.conf 01:19 < krzee> or did you cut some off the bottom? 01:20 < tjz> yup..the complete log 01:20 < tjz> Server log: http://www.pastebin.ca/1267336 ; Client log: http://www.pastebin.ca/1267338 01:20 < krzee> tjz, did you already read !route? 01:20 < krzee> ya i have those up 01:20 < krzee> thats why im saying looks firewall related to me 01:20 < krzee> its windows right? 01:20 < tjz> ya..i am using winxp pc 01:21 < krzee> [03:19] i am not sure if "192.168.40.128" is the correct IP i should put in server.conf 01:21 < krzee> you havnt read my writeup at !route yet then 01:21 < tjz> ^_^ 01:21 < krzee> it explains what those are 01:22 < tjz> ok 01:24 < krzee> and i dont think you gave the client enough time 01:24 < krzee> when you pasted those logs 01:24 < krzee> it never even said it could not connect 01:28 < tjz> it ends there with the same line repeating..
01:28 < tjz> http://www.pastebin.ca/1267376 01:28 < tjz> Wed Nov 26 15:27:28 2008 us=997437 UDPv4 WRITE [14] to 64.27.56.14:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0 01:29 < krzee> goto control panel 01:29 < krzee> security center 01:29 < krzee> firewall 01:29 < krzee> does it say windows firewall is off? 01:31 < tjz> it says: ON. sygate firewall is currently ON 01:31 < krzee> ahh 01:31 < krzee> windows doesnt play nice with many of them 01:31 < krzee> well on != off 01:31 < krzee> i already said 01:31 < krzee> for testing turn it off 01:32 < krzee> get vpn working, then toss firewalls and stuff back on 01:32 < tjz> ya 01:32 < tjz> i clicked "windows firewall" 01:32 < tjz> it is set as "off" 01:32 < krzee> and sygate is off? 01:33 < tjz> hold on 01:33 < tjz> let me shut down sygate 01:33 < krzee> turn off EVERYTHING that filters traffic 01:33 < tjz> ok. sygate firewall is off 01:33 * mRCUTEO reboot 01:33 -!- mRCUTEO [n=irclunat@64.235.47.232] has quit [] 01:33 < krzee> and 01:33 < krzee> !iptables 01:33 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept 01:35 < tjz> [root@vpn10001 openvpn-2.0.9]# service iptables stop 01:35 < tjz> Flushing firewall rules: [ OK ] 01:35 < tjz> Setting chains to policy ACCEPT: mangle filter nat [ OK ] 01:35 < tjz> this is my "service iptables status" : http://www.pastebin.ca/1267382 01:41 < tjz> :) 01:48 < tjz> :( 01:53 < krzee> dunno man 01:55 < tjz> lol 01:55 < tjz> ^_^ 01:55 < tjz> do you have a guide on how to setup openvpn on a centos server?
01:57 < krzee> basically 01:57 < krzee> !sample 01:57 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 01:57 < krzee> and if a LAN is involved on either side 01:57 < krzee> !route 01:57 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:58 < krzee> other than that, any problems that dont show up in a verb 6 logfile are outside of openvpn 02:02 < tjz> hmm 02:07 < tjz> been trying to solve this for more than 3 weeks now 02:07 < tjz> hehe 02:08 < tjz> i don't mind paying .. 02:08 < tjz> :( 02:12 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 02:13 < krzee> alright 02:13 < tjz> ^_^ 02:13 < krzee> ill log into your server and get myself connected to it with your certs for a lil fee if you want 02:14 < krzee> but i cant do it with your windows box 02:14 < krzee> im in 3rd world internet and remote desktop with my connection would be hell 02:14 < krzee> and you are too from the looks of your hostname 02:14 < tjz> hmm 02:14 < tjz> where are you from? 02:15 < krzee> from usa 02:15 < krzee> live in caribbean 02:15 < tjz> oh 02:15 < tjz> 3/4am there now? 02:15 < krzee> yup 02:16 < tjz> -_-" 02:18 < tjz> so many pple in this channel 02:18 < tjz> i guess everyone is sleeping 02:18 * ropetin is awake 02:18 < tjz> darn 02:18 < tjz> rope, r u using winxp ? 02:19 < tjz> i mean windows system for your desktop? 02:19 < ropetin> Yup, right now, although I switch between Linux and WIndows 02:19 < tjz> ok 02:19 < tjz> can you help me do a quick "connect" ..to see whether you can connect to my vpn 02:20 < tjz> i have the .ca,.opvn,.key ready 02:21 < ropetin> I'd like to help, but I know it wouldn't work (I'm behind a restrictive firewall at work) 02:21 < tjz> ohok 02:21 < tjz> are you from asia? 02:23 < tjz> <-- singapore 02:23 < tjz> :) 02:24 < ropetin> No, US 02:25 < tjz> ok 02:29 < ropetin> Sorry! 02:29 < tjz> hey 02:29 < tjz> it's ok 02:29 < tjz> are you doing night shift? 
02:29 < tjz> :P 02:30 < krzee> evidently :-p 02:30 < ropetin> Yup, sure am 02:30 < tjz> lolz 02:31 < troy-> krzee, can i move to caribbean? 02:31 < krzee> i believe so 02:31 < troy-> and crash at your place 02:31 < krzee> are you on felony probation or parole? 02:31 < krzee> cause then you cant 02:31 < krzee> haha 02:31 < troy-> nope no record 02:31 < krzee> if you can find my place you can crash here 02:32 < krzee> but like 02:32 < krzee> im not saying where 02:32 < krzee> hehe 02:32 < troy-> damn 02:32 < troy-> hows the weather there? 02:32 < krzee> nice 02:32 < troy-> i'm jealous, snow here 02:33 < krzee> its 4am and i could be comfortable outside naked 02:33 < tjz> lol 02:33 < troy-> argh, i'd freeze my ass off 02:33 < tjz> we don't have snow here 02:33 < tjz> never 02:33 < tjz> summer all the way 02:33 < troy-> ah you are in .sg 02:33 < tjz> can we switch place? 02:33 < tjz> i never see snow b4 02:33 < troy-> sure! 02:33 < tjz> ^_^ 02:34 < troy-> 24hr plane ride though 02:34 < tjz> canada is snowing? 02:34 < troy-> yep 02:34 < tjz> ok 02:34 < tjz> heard alot of good things in canada 02:34 < tjz> nice place 02:35 < tjz> ^_^ 02:35 < troy-> its 1 degree C right now 02:35 < troy-> its kinda nice in the summer 02:35 < tjz> omg! 02:35 < tjz> 1 deg.. 02:35 < tjz> -_- 02:36 < troy-> http://www.theweathernetwork.com/weather/caon0696 02:36 < vpnHelper> Title: Weather Forecast: Toronto, Ontario - The Weather Network (at www.theweathernetwork.com) 02:36 < krzee> !weather toronto 02:36 < vpnHelper> krzee: Error: HTTP Error 500: Server Error 02:36 < troy-> fail 02:36 < krzee> !weather toronto, ca 02:36 < vpnHelper> krzee: Error: HTTP Error 500: Server Error 02:36 < krzee> whats the zip? 02:37 < troy-> m4w1x7 02:37 < tjz> raining and snowing!! 02:37 < tjz> omg 02:37 < krzee> hah 02:37 < tjz> freezing! 
02:37 < krzee> thats no zip 02:37 < troy-> its called a postal code 02:37 < krzee> !weather m4w1x7 02:37 < vpnHelper> krzee: The current temperature in Danforth and Jones Ave, Toronto, Ontario is 35.1°F (3:37 AM EST on November 26, 2008). Conditions: Light Rain. Humidity: 85%. Dew Point: 30.2°F. Windchill: 35.6°F. Pressure: 29.65 in 1003.9 hPa (Falling). 02:37 < tjz> cool 02:38 < krzee> oh whoa 02:38 < krzee> never seen a canada zip then 02:38 < krzee> haha 02:38 < troy-> you havent missed much :P 02:39 < krzee> been to toronto tho 02:39 < krzee> had a great time 02:39 < troy-> yeh thats where i live 02:39 < troy-> i'd give it up for the caribbean in a heart beat 02:40 < reiffert> moin 02:40 < tjz> morning 02:41 < reiffert> funny postal codes :) 02:41 < tjz> it's like a password 02:41 < tjz> lol 02:43 < troy-> kinda i guess 03:07 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [Read error: 113 (No route to host)] 04:21 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 04:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 04:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:38 -!- slonik [i=slonik@evilcore.org] has joined ##openvpn 04:39 < slonik> hello everyone 04:39 < slonik> I've got problem starting openvpn service 04:39 < slonik> syslog says: 04:39 < slonik> kernel: audit(1227695554.737:6): avc: denied { read } for pid=4028 comm="openvpn" name="server. 04:39 < slonik> conf" dev=dm-0 ino=16254698 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file 04:40 < slonik> It seems that kernel forbids server.conf file to be read 04:40 < slonik> but when I start openvpn from command line using --config it's ok 04:40 < slonik> any ideas? 
04:57 -!- slonik [i=slonik@evilcore.org] has left ##openvpn [] 05:00 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 05:07 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn [] 05:22 < Cyllene> krzee: Yes. 05:22 < Cyllene> krzee: The server can ping 10.3.0.6 and the client can ping 10.3.0.1. 05:24 < krzee> then your vpn works fine 05:24 < krzee> so what isnt working? 05:25 -!- jfkw_ [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 05:25 -!- Netsplit over, joins: ikevin_ 05:25 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: jfkw 05:28 < Cyllene> krzee: I want to be able to connect *through* it. 05:29 < Cyllene> For example, if I navigate to whatismyip.org from my laptop (10.3.0.6), I want the site to travel through the tunnel and be fetched from the server, 10.3.0.1. 05:30 < Cyllene> I thought that was why I had that one POSTROUTING rule on the nat table. 05:40 < krzee> that is: 05:40 < krzee> !def1 05:40 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 05:40 < krzee> then you need NAT on your server 05:42 < krzee> theres 2 ways to add redirect-gateway def1 05:42 < krzee> one is in client config you just add that 05:42 < krzee> other is in server config you add push "redirect-gateway def1" 05:42 < krzee> only difference is whether or not you want all clients to have it or not 05:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:03 < Cyllene> hmm 06:03 < Cyllene> krzee: I don't want to lose connectivity to the server if something goes wrong. 06:04 < Cyllene> For example, when I use def1 on my laptop, I lose all connections to the Internet (which I am fine with). 
06:04 < krzee> !nat 06:04 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 06:04 < Cyllene> :| 06:05 < krzee> iptables -t nat -A POSTROUTING -s 10.3.0.0/24 -o eth0 -j MASQUERADE 06:05 < Cyllene> I already did that. 06:05 < Cyllene> I showed you that yesterday. 06:05 < Cyllene> What I am saying is that I don't want to run openvpn on the server and have the routing table messed up so I can't SSH in and fix it. 06:05 < krzee> ip forwarding is on? 06:05 < Cyllene> Yes 06:06 < krzee> the server doesnt change its routing table 06:06 < krzee> well not its default routes 06:06 < krzee> only adds a route to the client 06:06 < Cyllene> Ok 06:09 < Cyllene> It seems to be working now. I had to change one small thing. 06:09 < Cyllene> Thank you, krzeel 06:10 < Cyllene> krzee, rather. 06:11 < krzee> np 06:11 < krzee> what did you have to change? 06:11 < Cyllene> ip_forward 06:12 < Cyllene> Now, do you think it's possible to forward the packets from eth0:0 (an alias with a different IP)? 06:13 -!- djc [n=djc@xavamedia.nl] has left ##openvpn [] 06:14 < krzee> Cyllene, that is a matter of changing your NAT rule 06:36 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Read error: 104 (Connection reset by peer)] 07:08 -!- paruchuri [n=qvantel@61.16.248.247] has quit ["Ex-Chat"] 07:19 < ecrist> morning, folks 07:21 -!- protocols [n=protocol@p5791FD1E.dip.t-dialin.net] has joined ##openvpn 07:21 < protocols> hi all 07:21 < ecrist> howdy 07:22 < protocols> I guess I am missing something. 
but when I try to connect from client to server, the client uses a random port and not the default 1194, although specified via cl-argument 07:25 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 07:29 -!- K_luffy [n=V3N@77.31.186.120] has joined ##openvpn 07:30 < K_luffy> can someone please help me with configuring my openvpn? 07:30 < ecrist> protocols: it's going to use a random *outgoing* port, but it should connect to 1194 on the remote system. 07:30 < K_luffy> I've installed the gui package from http://openvpn.se/download.html on my windows 2003 server 07:30 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se) 07:31 < ecrist> K_luffy: what problems are you having? 07:31 < K_luffy> now all I see is proxy settings 07:31 < K_luffy> I don't know what I am supposed to do now 07:31 < K_luffy> all I want is to tunnel my university connection through my server 07:33 < ecrist> have you read any documentation? 07:33 < K_luffy> it's all code which I can't make sense of 07:33 < K_luffy> unless you have an easy to follow guide which would be really appreciated 07:36 < protocols> ecrist, yes hm ok maybe I should not explicitly set --port 07:37 < randra> i have one openvpn server configured, and have one machine with dhcp configured, how can i make my clients connect and use my dhcp to get an ip address? 07:43 < protocols> ecrist, any way I can set the outgoing port? 07:45 < ecrist> K_luffy: see !howto 07:45 < ecrist> !howto 07:45 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:46 < ecrist> randra: you need to setup bridging 07:46 < ecrist> though, unless you're using something that specifically uses ethernet protocols, like SMB, I'd recommend routed. 
07:54 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has left ##openvpn ["Leaving."] 07:54 -!- K_luffy [n=V3N@77.31.186.120] has quit [Read error: 145 (Connection timed out)] 07:55 -!- K_luffy [n=V3N@77.31.186.120] has joined ##openvpn 07:55 -!- paruchuri [n=qvantel@61.16.248.247] has quit ["Ex-Chat"] 08:04 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 08:11 < K_luffy> anyone please? I'm struggling here 08:11 < K_luffy> the network adapter has an x on it 08:13 < K_luffy> and I don't see the connect option when I right click openvpn gui in the taskbar like in a youtube guide 08:17 < ecrist> K_luffy: did you read the howto? 08:32 < ecrist> I'm guessing not 08:32 < ecrist> please come back when you have read some of the documentation 08:32 < ecrist> and, as far as I'm concerned, You Tube videos don't count as documentation. 08:59 < K_luffy> ecrist: ok I'll try to understand it although I'm not really familiar with coding and such 09:03 < ecrist> K_luffy: an openvpn config isn't coding 09:03 < ecrist> it's a config file 09:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:06 < K_luffy> I don't know, it says Change 'myremote' to be your remote host in the sample.opvn 09:07 < K_luffy> I'm not sure what to put in the one for the server 09:07 < K_luffy> I'll just modify the sample.opvn and put it in my config folder 09:08 < K_luffy> I'm gonna put my server ip in the sample.opvn for my pc 09:09 < K_luffy> but what should I replace myremote with for my server one? 09:09 < tjz> good nite 09:09 -!- tjz [n=jz@bb116-14-181-56.singnet.com.sg] has quit ["gg. X_X"] 09:11 -!- dvl [n=nnnnnndv@pdpc/supporter/professional/dvl] has joined ##openvpn 09:12 < dvl> This weekend, one of my goals is to create a VPN involving three servers out on the Internet and my home network. This is to avoid the problems associated with having a dynamic IP. 09:13 < dvl> Previously, I have only used OpenVPN to link my laptop to my home network while travelling. 
I'm thinking that adding three more remote clients to the VPN should not be complex. Except for needing to restart the session when the home IP address changes. I already have a DYN DNS solution working. 09:16 < ecrist> dvl - what's your question? 09:17 < K_luffy> ecrist: do you know any easier vpn solution? 09:18 < K_luffy> I can't get this to work 09:18 < ecrist> K_luffy: no. you really need to read the docs. 09:18 < K_luffy> I'm reading it and I can't even get through the first step 09:18 < ecrist> I'm willing to help you, but only if you're willing to actually try to get it working on your own. 09:18 < K_luffy> it says to edit the config file 09:18 < ecrist> well, perhaps VPNs are above your head, then. 09:19 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn 09:19 < K_luffy> I edited it and when I try to connect it gives me errors 09:19 < K_luffy> Y_Y 09:20 < ecrist> K_luffy: read the *whole* document before you just try to connect. are you doing static keys, or ssl certificates? 09:21 < K_luffy> I didn't try to read the whole thing, I was trying to do it step by step 09:22 < K_luffy> mmm will try to read it all and get back 09:22 < K_luffy> just to make sure, this is the how to you are referring to in my case, right? 09:22 < K_luffy> http://openvpn.net/index.php/documentation/install.html?start=1 09:22 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net) 09:23 < ChUbB> hi, do u need bridge config to use openvpn as a gateway (say i want to send all my data down the vpn so i can get past filters at my skool) 09:23 < ecrist> !howto 09:23 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:23 < ChUbB> kk sorry guys i normally do look before asking 09:23 < ecrist> yes 09:23 < K_luffy> okay 09:24 < ecrist> ChUbB: that !howto was directed at K_luffy 09:28 < dvl> ecrist: question, yes, the question. Always annoying when $WORK interrupts me.. 
:0 09:29 < ChUbB> o k 09:31 < dvl> ecrist: at present, the VPN is 'hosted' at home, on the dynamic IP address. I know how I can launch a script upon IP address change, but I'm wondering about the implications for the clients.... They can be set up to just reconnect to the VPN server at home, but I'm wondering if I'm designing this backwards. 09:31 < dvl> ecrist: for example.. 09:31 < dvl> ecrist: given the dynamic IP address at home, would it be easier/better to host the VPN on one of the three external servers, then just get $HOME to connect to it? 09:35 < ecrist> yes 09:35 < ecrist> if they've got static ips 09:35 < dvl> Yes, the external servers have static IPs 09:35 < dvl> Do it all with certificates... 09:41 < ecrist> yes 09:41 < ecrist> I'd put the server on one of those systems, and connect from home that way 09:43 < dvl> ecrist: well given I already have a working VPN solution (based at home, with a dynamic IP address), turning it around so it's hosted on a static IP address "out there" should be relatively painless. 11:00 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 11:01 < PeterFA> Is the push directive a general directive in that it will push any configuration option after it? 11:06 < ChUbB> when trying to send all data down the vpn i have push "redirect-gateway" in the client, is there any config or setup needed on the server ? 11:18 < ecrist> PeterFA: with some limits, but that's the idea 11:18 < PeterFA> ecrist, ok, thanks. 11:18 < ecrist> yes, you need to NAT traffic and have proper in and out routing 11:20 < ChUbB> ecrist: do u need bridged NICs ? 11:30 -!- kreg [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection] 11:43 < ecrist> no, you need ip forwarding, though. 
11:56 -!- protocols [n=protocol@p5791FD1E.dip.t-dialin.net] has quit ["Leaving"] 12:10 -!- ikevin_ [n=kevin@ANancy-256-1-53-233.w90-26.abo.wanadoo.fr] has quit [Read error: 54 (Connection reset by peer)] 12:12 -!- ikevin [n=kevin@ANancy-256-1-53-233.w90-26.abo.wanadoo.fr] has joined ##openvpn 12:41 < Dougy[RV|Away]> hi 12:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 12:49 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit ["aula"] 12:52 < Dougy[RV|Away]> ecrist: hihi 12:55 -!- jeev [n=email@unaffiliated/jeev] has quit [Read error: 60 (Operation timed out)] 13:00 -!- dvl [n=nnnnnndv@pdpc/supporter/professional/dvl] has left ##openvpn ["Leaving"] 13:07 < ecrist> howdy, Dougy[RV|Away] 13:08 < Dougy[RV|Away]> how goes it 13:11 < ecrist> haven't had time to look into the code yet 13:11 < Dougy[RV|Away]> i haven't had time to do the sqldump 13:12 < Dougy[RV|Away]> since i cant rsync it to my account, i suddenly got hit with a lazy spell 14:03 < ecrist> why can't you rsync it to your account? 14:19 < Dougy[RV|Away]> ecrist: wouldnt let me 14:19 < Dougy[RV|Away]> says i did not have permission or something 14:20 < ecrist> you should be able to rsync *from* my host. 14:25 -!- T_X [i=linus@gateway/tor/x-e113834882aafbdb] has joined ##openvpn 14:26 < T_X> hi! I'm having some routing problems with openvpn. I can reach the vpn-server, my friend can reach the vpn-server too, but we can't reach each other 14:26 < T_X> shall I post our routing tables on pastebin? 
14:27 < kala> and with addresses and with the vpn-server routing table 14:27 < kala> and vpn-server configuration 14:29 < krzee> --client-to-client 14:29 < krzee> in the server config 14:29 < krzee> you remove the -- when you put options in the config tho 14:30 < krzee> !factoids search client 14:30 < vpnHelper> krzee: "someclient2client" is "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 14:30 < krzee> thats for only letting SOME communicate 14:30 < krzee> for your setup, you just add client-to-client 14:31 -!- bandini [n=bandini@host50-109-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 14:43 < T_X> this is client A: http://pastebin.com/m4a34f695 and these are the second client and the server: http://pastebin.com/m384b854c 14:44 < T_X> I'll give this option a try, wait a second 14:49 < T_X> ah, thank a lot, this seems to work now, hehe 14:49 < T_X> *thanks 14:49 < T_X> hope were not already looking through all these configs etc. :) 14:54 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 15:07 < Dougy[RV|Away]> ecrist: sorry 15:07 < Dougy[RV|Away]> back now 15:07 < ecrist> no worries 15:08 < ecrist> I'm fighting with my network migration 15:08 < Dougy[RV|Away]> i was trying to rsync the .sql file 15:08 < Dougy[RV|Away]> to my home dir 15:08 < Dougy[RV|Away]> from my vps 15:08 < Dougy[RV|Away]> so incoming not out 15:08 < ecrist> and you were getting permission denied? 
15:09 < Dougy[RV|Away]> yessir 15:09 < Dougy[RV|Away]> brb going up from dc 15:09 < Dougy[RV|Away]> unfortunately i have about a 75 lb box to carry 15:09 < Dougy[RV|Away]> so im gonna be a good 5 min 15:09 < Dougy[RV|Away]> brb 15:09 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn 15:10 < ecrist> that's fine 15:14 < ecrist> Dougy[RV|Away]: I can rsync from the server without any problems. 15:15 < Dougy[RV|Away]> not from 15:15 < Dougy[RV|Away]> to 15:15 < Dougy[RV|Away]> my gnax vps into the server 15:15 < Dougy[RV|Away]> man that was a bitch 15:16 < ecrist> can you pull? I don't really want to enable remote execution on that host 15:16 < Dougy[RV|Away]> its fine 15:16 < Dougy[RV|Away]> i can fetch ti 15:16 < Dougy[RV|Away]> it 15:16 < ecrist> ok 15:16 < Dougy[RV|Away]> i just got lazy 15:17 < Dougy[RV|Away]> :p 15:17 < Dougy[RV|Away]> let me dig up logins and i'll get you that sqldump 15:17 < Dougy[RV|Away]> i have it 15:17 < Dougy[RV|Away]> hmm, is the box up at the moment or no 15:17 < ecrist> absolutely 15:18 * Dougy[RV|Away] can't ssh to it 15:18 < Dougy[RV|Away]> hrm 15:18 * Dougy[RV|Away] tries something else 15:18 < Dougy[RV|Away]> .153 right? 15:20 < Dougy[RV|Away]> ecrist: pm 15:22 < ecrist> wait one 15:22 < Dougy[RV|Away]> yessir 15:35 -!- jstrom [i=johan@core.stromnet.se] has joined ##openvpn 15:36 < jstrom> Im running openvpn 2.0.9 on OSX, I've got a few tunnels, but i just noticed that when i try to ping my own endpoint, the packet travels over the network to the other end (where it gets dropped by FW) instead of just being responded to on my local side.. any ideas why? 15:37 < jstrom> that is, on my mac i ping the IP on the local tun interface 15:37 < jstrom> on the remote end I see : block in on tun0: 192.168.125.6 > 192.168.125.6: icmp: echo request 15:38 < jstrom> where 125.6 is my OSX local IP 15:38 < jstrom> known issue or have i missed something? 
15:40 < jstrom> no fw on the mac 16:05 -!- T_X [i=linus@gateway/tor/x-e113834882aafbdb] has quit [Remote closed the connection] 16:06 -!- bandini [n=bandini@host50-109-dynamic.31-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 16:14 < ecrist> jstrom: that's normal. don't try to ping your vpn endpoint 16:16 < jstrom> okay 16:16 < jstrom> ping wasnt my main reason i wanted to do this though.. :) 16:17 < jstrom> i got a service listening on the IP, so other ppl can access it.. but it would be nice if I could too 16:17 < Dougy[RV|Away]> fuck 16:20 < ecrist> o.O 16:20 * Dougy[RV|Away] 's dad is apparently not doing very well post-op 16:21 < ecrist> tell him to start doing better, or no supper. 16:23 < Dougy[RV|Away]> yeah 16:23 < Dougy[RV|Away]> he's not going to be eating for a while either way 16:29 < krzie> i got a service listening on the IP, so other ppl can access it.. but 16:29 < krzie> it would be nice if I could too 16:29 < krzie> jstrom what do you mean? 16:29 < jstrom> krzie: on my VPN endpoint IP 16:29 < Dougy[RV|Away]> alright.. i have to go 16:30 < Dougy[RV|Away]> i'll be back whenever 16:30 < Dougy[RV|Away]> may be a week or two 16:30 < krzie> so on client1 you are trying to reach client1? 16:30 < Dougy[RV|Away]> ttyl 16:30 < krzie> later dougy 16:31 < krzie> jstrom cant you reach your own machine by 127.0.0.1? 16:31 < ecrist> Dougy[RV|Away]: your board is converted 16:31 < ecrist> I'm going to create an account, can you make me admin? 16:32 < krzie> damn i hope he didnt leave yet 16:32 < krzie> he said a week or 2 16:32 < krzie> thats mid dec 16:32 < krzie> same time it expires 16:32 < jstrom> krzie: to make it simple, lets say i run a development web server on client A, and from the server that i connect to, id like to be able to surf into this web server. this works fine, except for the fact that i cannot surf to the same IP from the client box 16:33 < ecrist> krzie: the only thing I can't do is repoint the domain. 
16:33 < jstrom> in my case i have a DNS record pointing to this IP (the vpn endpoint), and when a "remote" client uses it (ie via the server) this works fine, but i cannot use the domain myself.. since it points to my VPN ip which i dont seem to be able to acces 16:33 < jstrom> access 16:33 < ecrist> I don't *really* need him to make me an admin 16:33 < krzie> ok i get it jstrom, the problem is DNS record right? 16:33 < krzie> ok yes it is 16:33 < jstrom> it is? :) 16:33 < krzie> i can think of 2 easy solutions 16:33 < jstrom> i have one solution 16:33 < jstrom> with the host file 16:33 < krzie> 1) make an entry in the clients host file 16:33 < jstrom> which works now, but seems kind of ugly ;) 16:33 < krzie> yup 16:34 < krzie> 2) is bind views 16:34 < jstrom> yep 16:34 < krzie> 3) (dunno if it would work or not) is to make a route for your own ip routing it to 127.0.0.1 16:34 < jstrom> but that is just a workaround the "problem". there is thus no way to let my local machine access services on the same machine, using the VPN endpoint IP? 16:34 < krzie> you arent asking an openvpn problem 16:34 < krzie> you're asking a networking problem 16:34 < krzie> the solutions have been given 16:34 < jstrom> i dont know if this is an openvpn problem or if this only has got to do with the tun device 16:35 < jstrom> but yes 16:35 < krzie> sounds like you want to try #3 but i dunno if it'll work 16:35 < jstrom> nr 3 works :) 16:35 < krzie> but the best solution is #1 imho 16:35 < krzie> ok you did #3 and it worked? 
16:35 < jstrom> yep just tried 16:35 < jstrom> seems to work fine 16:36 < krzie> cool, next step is to add that to your openvpn ccd setup 16:36 < jstrom> yep 16:36 < krzie> add a push route to ccd 16:36 < krzie> maybe even give it a static ip if you're too lazy to find the right ENV var 16:36 < krzie> !static 16:36 < vpnHelper> krzie: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 16:36 < jstrom> already got static 16:36 < jstrom> but thanks :) 16:36 < krzie> ahh then its easy 16:36 < jstrom> yep 16:37 < krzie> personally i woulda gone the static way too, im lazy ;] 16:37 < jstrom> i guess this would be a nice default thing to have though, are there any side effects? 16:37 < krzie> although you already had it so likely had a diff reason than laziness 16:37 < krzie> none i can think of 16:37 < jstrom> yeah, limit who can connect to this specific server 16:37 < krzie> i think its just not been expected that you would wanna reach yourself on that ip 16:37 < krzie> maybe email the mailing list to suggest it 16:37 < krzie> the devs watch the users mail list 16:38 < krzie> especially if other users on the list second your motion 16:38 < jstrom> just might do that.. :) 16:38 < krzie> !mail 16:38 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978 16:40 * jstrom writes 16:40 < jstrom> hm do i need to be subscribed to post+ 16:40 < jstrom> ? 16:40 < jstrom> or will it just be moderated 16:40 < krzie> i think it will still post 16:40 < krzie> make a note that you are not subscribed 16:40 < jstrom> yeah 16:40 < krzie> in case people reply to list 16:40 < jstrom> :) 16:40 < jstrom> mm 16:40 < krzie> im not sure tho, as i am subscribed 16:41 -!- dlab [n=dlab@71.177.39.8] has joined ##openvpn 16:41 < jstrom> k 16:44 < ecrist> krzie - you registered on ovpnforum.com? 
16:44 < krzie> ya 16:44 < krzie> as krzee 16:44 < krzie> im a secret moderator 16:44 < krzie> i COULD be admin 16:44 < krzie> lemme see if i can add you 16:44 < krzie> i didnt think bout that 16:44 < krzie> where should i go to test? 16:45 < krzie> shit i hope i know my pass, lol 16:45 < krzie> im not at home so cant check my laptop keychain 16:47 < ecrist> krzie: I already fixed me 16:47 < ecrist> dougy.hosting.secure-computing.net 16:47 < ecrist> if you're an admin already, I won't change you 16:48 * krzie hopes thats not the perm address ;] 16:48 < ecrist> looks like some permissions settings didn't get converted with the new board. 16:48 < ecrist> I 16:49 < ecrist> I'll mark you as a 'founder' but won't change your perms. founders are sort of like hidden moderators, unless you give them special ranks and such 16:49 < krzie> ahh 16:49 < krzie> hah i dunno my pass 16:49 < krzie> it dont really matter tho 16:49 < ecrist> ok, updated 16:49 < ecrist> I can change your pass, if you'd like. 16:49 < dlab> is there a way to make openvpn accept multiple CRLs? 16:50 < ecrist> dlab: a given chain shouldn't really have multiple CRLs 16:50 < dlab> have multiple CAs with client certificates under each CA, say.. if I wanted to revoke one of the CAs 16:50 < ecrist> well, I should say, there should only be one CRL per level. 
16:50 < dlab> openssl verify -crl_check shows that it works with the .pem I generated 16:50 < dlab> but openvpn only seems to be accepting the first crl 16:51 < krzie> its only made for one 16:51 < krzie> just like its only made for one ca 16:51 < krzie> 1 ca, one crl 16:52 < dlab> doesn't help if I have a hundred or so clients organized under a few CAs 16:52 < ecrist> dlab: fix your model 16:52 < krzie> only the ones organized under the CA your server uses will work 16:53 < dlab> that's no fun :( 16:53 < krzie> hey we're not the ones making our setup wrong ;] 16:53 < krzie> only clients signed by the same CA as the server can connect 16:53 < dlab> openssl seems to like it, figured openvpn would be fine with it, too 16:53 < ecrist> krzie: looks like the import/conversion 'deactivated' all the accounts 16:53 < ecrist> I've reactivated yours, made you founder 16:54 < krzie> thx 16:54 < krzie> ill try my passes again 16:54 < krzie> maybe i tried a right one 16:54 < dlab> yeah, fed openvpn the root CA certificate, worked for a while 16:55 < krzie> then build your CA based on the root CA 16:55 < krzie> err 16:55 < krzie> your CRL 16:55 < dlab> I did 16:55 < krzie> then why do you need more than 1? 16:55 < dlab> so the CA and all of the keys signed by it are revoked 16:55 < dlab> but I also want to revoke some keys under another CA 16:55 < dlab> that's signed by the same root 16:56 < ecrist> dlab, fix your model. You can't do what you're trying to do. 16:56 < krzie> agreed 16:56 < ecrist> your setup is over complicated 16:58 < dlab> so I'm going to have to move everything under one CA .. resign all of the clients' keys? o_o 16:58 < dlab> seemed like a more organized approach when I was testing the model with openssl verify 16:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:00 < ecrist> dlab: too many chiefs, not enough indians 17:00 < ecrist> what *good* reason do you have for so many CAs? 
17:01 < dlab> root VPN CA, separate CA for contractors/admins/employees/etc.. 17:02 < dlab> trying to revoke the CA for the contractors as it's not needed anymore 17:02 < ecrist> ok, so, the VPN should be using the root CA 17:02 < dlab> nod 17:02 < ecrist> if you revoke the contractor CA (with the root) does the CRL now indicate all sub certs are revoked? 17:02 < dlab> yeah, that works fine 17:03 < dlab> but now certs that I had revoked under the employees CRL aren't read 17:03 < dlab> and work again 17:03 < ecrist> ok, iirc, the root ca should be able to revoke sub certs 17:03 < ecrist> thus, keeping one CRL 17:03 < krzie> should be able to revoke employees in the same crl 17:03 < krzie> exactly 17:03 < krzie> thats what i was thinking earlier 17:04 < krzie> but ive never wanted a convoluted CA setup 17:04 < krzie> so i havnt tested 17:04 < dlab> crl is just a list of serial numbers and an issuer 17:04 < dlab> so I thought you'd just concatenate the crls 17:04 < ecrist> ah, but you're missing the subtlety. it's a *signed* list of serial numbers and the issuer 17:04 < ecrist> concatenating them breaks the sig 17:05 < dlab> nah 17:05 < dlab> as I said, it works with openssl verify -crl_check 17:05 < dlab> crls are generated with openssl ca -name whatever -gencrl -out crl.txt 17:05 < ecrist> I would call that a bug in openssl verify 17:05 < ecrist> your method is flawed 17:05 < dlab> howso? 17:08 < ecrist> think of the model you're using 17:08 < ecrist> the way CAs were designed, they're each a separate entity, within a tree. 17:09 < ecrist> a higher 'branch' can revoke sub trees 17:09 < krzie> they're that way because trusted CAs like verisign need to be able to sign your CA 17:09 < ecrist> you can't just mash the two CRLs together and expect them to work. 
17:09 < krzie> but verisign shouldnt be able to revoke a client on your CA
17:09 < krzie> and they SHOULD be able to revoke your CA al together
17:09 < krzie> all
17:09 < dlab> yeah, that's not what I'm trying to do
17:10 < dlab> I'm trying to make openvpn read the CRLs for the root and sub CAs
17:10 < ecrist> we understand what you're trying to do, dlab
17:10 < krzie> think of CA's from that perspective and you'll see why its not working
17:10 < ecrist> we're being nice about telling you that it won't work
17:10 < krzie> and why it SHOULDNT work
17:10 < krzie> its not an openvpn thing
17:10 < krzie> its about design of ca's
17:11 < ecrist> why not run a separate VPN instance for each component, all within the same /16?
17:11 < ecrist> proper subnetting should fix things for you
17:11 < krzie> and in the case of something like contractors
17:11 < ecrist> that would also allow you to firewall more effectively
17:11 < dlab> that's just avoiding the current issue
17:11 < krzie> when you know its limited time
17:11 < krzie> i would give them their own vpn
17:11 < krzie> instead of their own CA
17:12 < ecrist> dlab - your model isn't going to work. whether you think it should or not
17:12 < krzie> and its not going to work because of the design of CAs in ssl, not because of openvpn
17:12 < reiffert> moin
17:12 < krzie> moin
17:12 < reiffert> how is everybody?
17:12 < krzie> (i miss kraut's nightly 'moin')
17:13 < reiffert> People from the northern coast always say "moin moin", kind of strange when you are going to visit that region the first time
17:14 < dlab> yeah, it sounds like you think I'm trying to revoke certs from sub-CAs in the root CRL
17:15 < krzie> you are
17:15 < krzie> cause you can only have 1 CRL
17:15 < krzie> and you cant concat
17:15 < reiffert> one CRL per sub-ca?
17:15 < dlab> nod
17:16 < dlab> each issuer has its own CRL, I'm just trying to see if there's a way to make openvpn read the root's crl and all of the sub-CA crls
17:16 < krzie> no
17:16 < krzie> as youve been told
17:16 < krzie> you have your complete answer
17:17 < krzie> you can rephrase it as many times as you want
17:17 < reiffert> people from #debian.de do think: CRL per sub-ca is possible.
17:17 < krzie> answer stays the same
17:17 < krzie> reiffert and get openvpn to read multiple crls?
17:17 < reiffert> what was your answer again please?
17:17 < dlab> reiffert: yeah, I verified it works
17:17 < krzie> (no)
17:17 < dlab> just.. not with openvpn
17:17 < krzie> openvpn reads 1 crl
17:17 < dlab> yeah
17:17 < reiffert> krzie: ah, make openvpn to read multiple crls? well no.
17:18 < krzie> right, his question is related to openvpn
17:18 < krzie> thats why hes asking it here ;]
17:18 < krzie> although we get offtopic enough it makes sense to not take that for granted
17:18 < krzie> lol
17:18 < krzie> <-- as guilty of that as most anyone else
17:18 < krzie> haha
17:19 < reiffert> Alright, so ... how about to tell openvpn to check multiple crl's against multiple privates?
17:20 < ecrist> krzie: btw, I've got an email in to the folks with OpenVPN about linking and pushing the IRC chan, wiki, and forum.
17:20 < krzie> nice man
17:21 < krzie> they used to have all these things themselves but stopped taking care of them and let them break
17:21 < krzie> would make sense for them to use ours
17:21 < ecrist> I only post links to porn once in a while. O,O
17:22 < ecrist> I've even submitted having the push subdomains to me for the wiki and the forum and I'll host them and we'll manage them.
17:22 < reiffert> Does James Yonan himself spend time on irc?
17:22 < ecrist> at least until we're all burned out. ;)
17:22 < ecrist> not seen him here.
17:23 < ecrist> the person I emailed is the owner of the domain(s)
17:23 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
17:23 < reiffert> and whenever a new openvpn rc gets done .. is james yonan the only person who submits patches and the only guy who's doing the development?
17:23 < krzie> reiffert, i never seen him on here
17:24 < krzie> reiffert, others have submitted patches, but i believe they submit them to him
17:25 < ecrist> where is their repo these days?
17:25 < ecrist> they still using svn, or did they migrate to git?
17:25 < krzie> good question
17:25 < krzie> all ive seen is patches given over mail list
17:25 < krzie> but i cant see dev mail list
17:25 < krzie> its invite only
17:25 < Cyllene> krzie: Hey
17:25 -!- dlab [n=dlab@71.177.39.8] has left ##openvpn []
17:26 < Cyllene> When trying to connect multiple clients to the VPN server, all clients have the same IP.
17:26 < Cyllene> They aren't being assigned different IPs. Do you know what is wrong?
17:26 < krzie> each client has its own certs with unique common names?
17:26 < Cyllene> hmm
17:26 < Cyllene> They have the same common names.
17:27 < krzie> bad Cyllene
17:27 < krzie> go make them again
17:27 < Cyllene> Bad, but fatal?
17:27 < krzie> unique common names
17:27 < krzie> go make them again
17:27 < Cyllene> haha, ok
17:27 < reiffert> krzie: openvpn-devel is invite only??
17:28 < krzie> yes
17:28 < ecrist> o.O port-share feature to allow OpenVPN and an HTTPS server to share TCP port 443.
17:28 < reiffert> well then I wonder who ever invited me to that.
17:28 < ecrist> that's interesting
17:28 < ecrist> reiffert: it might not have always been that way
17:29 < reiffert> How do I send you an invitation?
17:31 < reiffert> It is not invite only. Just requested a new subscription.
17:31 < reiffert> are we talking about the same thing, do we?
17:32 -!- mRCUTEO [i=irclunat@r0x.dave.ksh2008-sarawak.com] has quit []
17:36 -!- dvl [n=nnnnnndv@pdpc/supporter/professional/dvl] has joined ##openvpn
17:36 < dvl> FWIW, PHP errors on the website: http://openvpn.net/archive/openvpn-users/2006-08/msg00184.html
17:36 < vpnHelper> Title: [Openvpn-users] TLS Error: Unroutable control packet received from (at openvpn.net)
17:43 < krzie> reiffert i tried to sign up for openvpn-devel and it said it was closed and i had to be added by mod
17:43 < krzie> reiffert, haven't you submitted code?
17:48 < reiffert> I was posting some shell stuff some years ago ...
17:48 < reiffert> ah right, for having a ppp style wtmp/login
17:49 < reiffert> http://openvpn.net/archive/openvpn-users/2007-01/msg00229.html
17:49 < vpnHelper> Title: [Openvpn-users] utmp wtmp style login information (at openvpn.net)
17:51 < reiffert> I should do a proper rewrite, but as there haven't been any responses ...
17:51 < reiffert> It has been done quick n dirty.
17:57 < krzie> hey thats cool
17:58 < krzie> does the PAM script add anything to wtmp?
17:58 < krzie> cause if not it damn well should use your code
18:02 < reiffert> the wtmp entries have to be done as superuser, thats why it is using sudo.
18:03 < krzie> right
18:04 < krzie> i caught how it works, i like it
18:05 < krzie> then for added measure you could have openvpn group be all that can execute the script
18:09 -!- K_luffy [n=V3N@77.31.186.120] has quit [Read error: 60 (Operation timed out)]
18:28 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 104 (Connection reset by peer)]
18:43 -!- jfkw_ [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection]
18:46 -!- MissNeBuN [n=missnebu@pool-96-250-40-227.nycmny.fios.verizon.net] has joined ##openvpn
18:53 -!- MissNeBuN [n=missnebu@pool-96-250-40-227.nycmny.fios.verizon.net] has quit ["Leaving"]
19:02 -!- dvl [n=nnnnnndv@pdpc/supporter/professional/dvl] has left ##openvpn ["Leaving"]
19:12 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
19:16 < onats> anyone up?
19:33 < krzie> wassup
19:33 < ecrist> ctyup
19:35 < onats> if you guys aren't busy.. can someone take a look at my server config?
19:36 < krzie> !configs
19:36 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn.
19:37 < onats> http://pastebin.ca/1268102
19:37 < onats> woops
19:37 < krzie> anything specific you want us to look for or just see if it could be improved?
19:37 < onats> wait, will remove comments
19:39 < onats> wait, please ignore that config first.. i will recheck my config
19:40 < krzie> cool, will wait for next link
19:44 -!- s2r [n=dada@190.2.0.105] has joined ##openvpn
19:46 -!- dvl [n=nnnnnndv@pdpc/supporter/professional/dvl] has joined ##openvpn
19:56 < onats> is the "daemon" setting important?
19:59 < dvl> important to what?
20:02 < s2r> Im trying to run an openvpn server on a windows 2003 sbs. And configured everything, the client connects and it gets an ip address. When I ping the server I see the icmp packet denied by an interface that's not tap.
20:02 < s2r> I think that the firewall, 8signs, might be messing with the packets.
20:14 < krzie> onats, is having openvpn running in the background important to you?
20:24 < onats> krzie, i just put it in anyway.
20:24 < onats> my routed connection is working now, and i get an ip address from the private vpn network
20:25 < onats> posting server config file now, and i'd like to request for inputs to optimize/improve, if any...
20:26 < onats> http://pastebin.ca/1268131
20:29 < onats> krzie?
20:31 -!- s2r [n=dada@190.2.0.105] has quit [Remote closed the connection]
21:10 < krzie> brb
21:11 < krzie> ill look at it in 1min
21:37 < krzie> ok im looking now
21:37 < krzie> sorry was busy
21:38 < krzie> 10.0.1.0/24 is the LAN the server is on?
21:42 < onats> krzie, yup
21:42 < onats> that's the LAN on my server
21:45 < krzie> cool
21:45 < krzie> why do you have duplicate-cn enabled?
21:46 < onats> will take it out.. no need for it..
21:46 < krzie> k
21:46 < krzie> and 1 other thing
21:46 < krzie> lemme find it
21:46 < krzie> !sample
21:46 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:47 < krzie> is your server on a linksys hacked up firmware setup?
21:47 < onats> krzie, yes. but its a buffalo with dd-wrt on it
21:48 < krzie> ok cool
21:48 < krzie> then its ok you have logging off
21:48 < krzie> so you dont fill the FS
21:48 < krzie> on the client you want something like this:
21:48 < krzie> tls-auth /home/krzee/vpn/keys/server-ca/ta.key 0
21:48 < krzie> and change the 0 to 1 on clients
21:48 < onats> what is that for?
21:48 < onats> i have to generate the ta.key right?
21:48 < krzie> HMAC auth for each packet
21:48 < krzie> correct
21:48 < krzie> !hmac
21:48 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing.
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
21:48 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
21:49 < onats> HMAC=hardwaremac?
21:49 < onats> ok... will read up on that.
21:49 < krzie> after that, you can lose tls-server from server and tls-client from clients
21:49 < onats> what else did you see?
21:49 < krzie> generating ta.key is separate from making certs
21:50 < krzie> openvpn --genkey --secret ta.key
21:50 < krzie> thats all there is to it
21:50 < krzie> the main reading up on it is in !hmac
21:50 < krzie> tells you all you need to know
21:51 < krzie> thats all i see, looks like a good config
21:51 < krzie> in the clients do you have: ns-cert-type server ??
21:51 < onats> thanks for your inputs
21:51 < onats> yes
21:51 < krzie> cool
21:51 < onats> that's right?
21:51 < krzie> do the changes i said and consider your setup nice
21:51 < krzie> yes
21:51 < krzie> !mitm
21:51 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
21:52 < krzie> thats what ns-cert-type server is for
21:52 < onats> i see...
21:52 < krzie> but dude
21:52 < krzie> you sure you want the certs in /tmp?
21:53 < krzie> there must be a better location for them
21:53 < krzie> or is that all you can write to?
21:53 < krzie> certs are small, can fit somewhere else if you can write to somewhere else
21:53 < onats> krzie, well, the way i put the certs is that i save them on the web gui of dd-wrt. it saves it on temp directory by default
21:54 < onats> so that should be fine... restarting the device, it regenerates the keys there..
21:54 < krzie> if it was mine i'd move them and update my config
21:54 < krzie> keys cant be regenerated on restart
21:54 < onats> i mean "saves" them there
21:54 < krzie> they need to stay the same dude
21:54 < krzie> they only get generated once
21:54 < onats> yup
21:54 < krzie> so you can safely move them
21:54 < krzie> i would, but thats up to you
21:54 < onats> ok will keep that in mind then.
21:55 < krzie> config looks good once the changes i said are made
21:55 < onats> will explore the device on where i can put it..
21:55 < krzie> good
21:55 < onats> it only has 4mb of space
21:55 < krzie> the configs should be under 100kb
21:55 < krzie> prolly more like 20kb
21:55 < krzie> or less
21:55 < onats> ok noted
21:55 < krzie> maybe like 5-10kb
21:56 < krzie> especially cause on a 4mb drive blocksize should be small as shit
21:59 < krzie> out of curiosity, why do you have tun-mtu 1500?
21:59 < krzie> 1500 is default
21:59 < krzie> so its a useless config option to set it to default
22:01 < krzie> also, if you are unsure about your mtu, see !mtu
22:37 < onats> !mtu
22:37 < vpnHelper> onats: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test as well
23:09 < onats> krzie, what other fancy stuff can we do with openvpn?
23:14 < troy-> sup krzie
23:22 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn
23:23 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
23:29 < oc80z> great topic, now memorize it.
23:30 * oc80z waitin for the new release :D
23:30 < mRCUTEO> :D
23:32 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has quit []
--- Day changed Thu Nov 27 2008
00:11 < onats> krzie, are you still there?
00:14 < onats> ecrist?
00:18 < onats> !iroute
00:18 < vpnHelper> onats: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
00:18 < onats> !route
00:18 < vpnHelper> onats: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
00:18 < onats> !ccd
00:18 < vpnHelper> onats: "ccd" is entries that are basically included into server.conf, but only for the specified client
00:24 -!- Gigantic [n=12345@unaffiliated/gigantic] has joined ##openvpn
00:27 -!- Gigantic [n=12345@unaffiliated/gigantic] has left ##openvpn ["Boom!!"]
01:02 < reiffert> moin
01:04 -!- paruchuri [n=qvantel@61.16.248.247] has quit ["Ex-Chat"]
01:05 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn
02:28 -!- Rabenklaue [n=Rabe@f051097154.adsl.alicedsl.de] has joined ##openvpn
02:29 -!- aje [n=aj@itersys.dk] has joined ##openvpn
02:29 < aje> hi there
02:30 < aje> i have a running openvpn installation on a linux-based firewall (SME) which is getting a bit too old.
02:31 < aje> so i am looking for a viable alternative. i know that openvpn is able to 'speak' with a radius server (internal NT installation), so i am looking for a firewall distribution of some sort which integrates openvpn nicely.
02:31 < aje> could you guys recommend something? there is a gazillion of firewalls out there.
02:38 -!- Rabenklaue [n=Rabe@f051097154.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
02:47 -!- c0l2e [n=rnartos@202.128.61.152] has joined ##openvpn
02:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
03:13 -!- c0l2e [n=rnartos@202.128.61.152] has left ##openvpn []
03:13 -!- c0l2e [n=rnartos@202.128.61.152] has joined ##openvpn
03:22 -!- c0l2e [n=rnartos@202.128.61.152] has quit [Read error: 54 (Connection reset by peer)]
03:38 -!- c0l2e [n=rnartos@202.128.61.152] has joined ##openvpn
03:38 < c0l2e> how can I assign each client with its own permanent ip??
04:08 -!- c0l2e [n=rnartos@202.128.61.152] has quit [Read error: 113 (No route to host)]
04:49 -!- protocols [n=protocol@p5791FDF0.dip.t-dialin.net] has joined ##openvpn
04:50 < protocols> is it possible, as client to define the net-if to use to connect with the server?
04:51 < reiffert> yes.
04:52 < protocols> that would be? I was thinking of bind, but was unsure as I am sitting behind a NAT
04:53 < reiffert> --local
04:55 < protocols> ah yes right, I used that for the server, too - was just not sure if this is meant for clients, too.. thanks
04:55 < reiffert> else you could have your routing table do the right job.
04:56 -!- mRCUTEO [n=info@118.100.169.143] has joined ##openvpn
04:56 < mRCUTEO> this left feels right
04:57 < protocols> hmm I get an error (expected that) that it does not go well with "nobind"
04:57 < protocols> I hope nobind is not mandatory for clients
04:58 < reiffert> Then have your routing table do the right thing.
04:59 < protocols> yupp, ok it works.. thanks..
04:59 < reiffert> And whats your solution?
05:00 < protocols> like you said, via local I explicitly bind openvpn to an interface, and I removed "nobind"
05:01 < reiffert> route add -host server dev yourinterface
05:02 < reiffert> depends on your OS.
05:02 -!- mRCUTEO [n=info@118.100.169.143] has quit []
05:03 < protocols> why do I need to do that?
05:03 < protocols> I used redirect-gateway to take over my routings automatically
05:04 < protocols> I had above only a problem that it should use a different gateway on localside for communicating outside to the openvpn-server, as my server is connected to multiple uplinks
05:05 < reiffert> You dont need to do that, it is just an alternative approach of getting done what you did by specifying --local
05:18 < protocols> but local does not generate any routing tables or?
05:20 < reiffert> right, it does not.
05:20 < reiffert> totally different approaches.
05:22 < reiffert> --local tells the application to bind to the right address when binding the socket.
05:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
06:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
06:24 -!- aje [n=aj@itersys.dk] has left ##openvpn []
06:32 -!- onats_ [n=julian@unaffiliated/onats] has joined ##openvpn
06:34 -!- mRCUTEO [n=info@64.235.47.77] has joined ##openvpn
06:34 -!- s2r [n=s2r@190.2.0.105] has joined ##openvpn
06:35 < mRCUTEO> hi i have 2 openvpn clients connected concurrently. Which traffic do openvpn use actually? the first client connected or the 2nd client?
06:45 -!- s2r [n=s2r@190.2.0.105] has quit [Remote closed the connection]
06:45 < Cyllene> hmm
06:45 < Cyllene> krzie: You can combine static key encryption and TLS, right?
06:50 < Cyllene> Actually, scratch that.
06:51 < Cyllene> I was confused by the fact that both tls-auth and secret use a --genkey file.
06:54 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.]
06:54 -!- onats_ is now known as onats
06:57 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:01 -!- mRCUTEO [n=info@64.235.47.77] has quit [Read error: 104 (Connection reset by peer)]
07:17 -!- s2r [n=s2r@190.2.0.105] has joined ##openvpn
07:45 -!- mRCUTEO [n=info@64.235.47.77] has joined ##openvpn
07:45 < mRCUTEO> hello anyone knows whats the iptables rules for me to port forward port 80 to client ?
07:54 -!- s2r [n=s2r@190.2.0.105] has left ##openvpn []
08:02 -!- mRCUTEO [n=info@64.235.47.77] has quit [Read error: 131 (Connection reset by peer)]
08:14 -!- mRCUTEO [n=info@118.100.169.143] has joined ##openvpn
08:20 < mRCUTEO> hi
08:20 < mRCUTEO> anyone knows how to port forward http port 80 to my openvpn client?
08:23 -!- mRCUTEO [n=info@118.100.169.143] has quit [Read error: 54 (Connection reset by peer)]
08:23 < brutopia> how do I disable authentication completely with configuration files?
08:27 -!- onats [n=julian@unaffiliated/onats] has quit [Nick collision from services.]
08:27 -!- onats_ [n=julian@unaffiliated/onats] has joined ##openvpn
08:40 < ecrist> brutopia what do you mean by 'completely'?
08:56 < brutopia> so that I don't have to specify any tls stuff
08:56 < brutopia> I just want to connect without any encryption or authentication
09:01 < brutopia> I have already put auth none and cipher none but when I start with my configuration file it requires me to give a CA file
09:10 -!- K_luffy [n=V3N@77.31.162.183] has joined ##openvpn
09:31 -!- MedicXO [i=4ff5493c@gateway/web/ajax/mibbit.com/x-4da6ff36c514c2c8] has joined ##openvpn
09:48 -!- MRCUTEO [n=info@118.100.169.143] has joined ##openvpn
09:48 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
09:51 -!- MRCUTEO [n=info@118.100.169.143] has quit [Nick collision from services.]
09:51 -!- mRCUTEO [n=info@124.82.101.241] has joined ##openvpn
09:51 < mRCUTEO> hi
09:51 < mRCUTEO> krzie
09:51 < mRCUTEO> u there?
09:52 < mRCUTEO> can i use UDP on bridge mode?
09:52 < dvl> AFAIK, yes
09:53 < mRCUTEO> okie
09:53 < mRCUTEO> server-bridge 69.235.47.77 255.255.255.0 69.235.47.232 69.235.47.237
09:54 < mRCUTEO> is this the right way to set server-bridge?
09:57 < mRCUTEO> Sat Nov 22 07:45:22 2008 OpenVPN ROUTE: failed to parse/resolve route for host/network: 69.235.47.1
09:57 < mRCUTEO> what does that mean?
10:01 < mRCUTEO> anyone has experience setting up openvpn in bridge mode?
10:06 < Cyllene> mRCUTEO: I do.
10:06 < mRCUTEO> Cyllene
10:06 < mRCUTEO> can you guide me
10:07 < mRCUTEO> try to configure bridge few times with ccd no luck
10:07 < mRCUTEO> Cyllene
10:07 < mRCUTEO> server-bridge 69.235.47.77 255.255.255.0 69.235.47.232 69.235.47.237
10:07 < mRCUTEO> is this correct?
10:08 < mRCUTEO> and i set enable ccd
10:08 < Cyllene> mRCUTEO: I don't know what your network topology is.
10:08 < mRCUTEO> my IP: 69.235.47.77 (br0)
10:08 < Cyllene> http://openvpn.net/bridge.html
10:08 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
10:08 < mRCUTEO> just follow the steps there?
10:10 < mRCUTEO> ouch my server hang..
10:10 < dvl> time for a better OS. :)
10:10 < mRCUTEO> lucky it was just a virtual server
10:10 < mRCUTEO> phew
10:12 < mRCUTEO> i forgot to edit the bridge-start script argh
10:12 < mRCUTEO> where should i put the bridge-start script in?
10:12 < mRCUTEO> in which folder?
10:17 -!- ChUbB [n=IceChat7@62.31.213.230] has joined ##openvpn
10:29 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
10:29 < pumkinhed_> hello #openvpn, i have about 20 clients that connect to our network via openvpn
10:29 < pumkinhed_> now that i have it deployed, i'd like to run a post connect script to gpupdate, is there any way to do this from the server, or do i have to add an up script to each client?
10:31 -!- whaletales [n=Paul@5ad5a082.bb.sky.com] has quit [Read error: 54 (Connection reset by peer)]
10:33 < plaerzen> Pretty sure you can't do it from the server at all. Ask ecrist. He's the king.
10:35 < pumkinhed_> ecrist: please tell me there is a way :)
10:37 -!- whaletales [n=Paul@5ad9e64c.bb.sky.com] has joined ##openvpn
10:37 < mRCUTEO> hi
10:37 < mRCUTEO> when i started openvpn my tap wont come up in ifconfig :(
10:37 < mRCUTEO> anyone knows how to solve this :(
10:37 < ecrist> brb
10:43 -!- MedicXO [i=4ff5493c@gateway/web/ajax/mibbit.com/x-4da6ff36c514c2c8] has quit ["http://www.mibbit.com ajax IRC Client"]
10:44 -!- mRCUTEO [n=info@124.82.101.241] has quit []
10:45 < pumkinhed_> k
10:49 -!- protocols [n=protocol@p5791FDF0.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
10:50 < Cyllene> hmm
10:50 < Cyllene> Anyone know why my clients can't see each other?
10:50 < Cyllene> I am using tun, both machines are windows xp
10:50 < Cyllene> The server is debian
10:51 < Cyllene> Pinging 10.3.0.1 works on both ends.
10:51 < Cyllene> The two connected clients are 10.3.0.6 and 10.3.0.7
10:52 < Cyllene> I can see the reads and writes on the management console.
10:53 < Cyllene> I do not have "client-to-client" enabled.
10:53 < Cyllene> Is that necessary?
10:58 < Cyllene> I want clients to be able to talk to each other, but I don't want openvpn to act like a hub and dumbly forward all traffic to all clients.
10:58 -!- PatrickDK [n=guest@dyn-170-244-162.myactv.net] has joined ##openvpn
10:58 < Cyllene> (Causing a mess)
11:02 < ecrist> pumkinhed_: you've gotta do that on the client, sorry.
11:03 < ecrist> there is a way you can do such things, but it would be very kludgy
11:04 < ecrist> there are scripts that can be run upon client connect.
You could use that to fire a script, but that would run on the server, so you'd have to use ssh or some other means to fire off the update
11:05 < PatrickDK> hmm, I've been looking around, probably blind
11:05 -!- K_luffy [n=V3N@77.31.162.183] has quit [Read error: 60 (Operation timed out)]
11:06 < PatrickDK> but I can't find a command so openvpn will preserve a route for itself, to the openvpn server
11:06 < PatrickDK> so the routes openvpn installs don't kill itself
11:09 -!- ChUbB [n=IceChat7@62.31.213.230] has quit [Read error: 110 (Connection timed out)]
11:10 < pumkinhed_> PatrickDK: the OS does the routing, once the route is no longer valid, the os probably kills it
11:11 < PatrickDK> no
11:11 < PatrickDK> the os does the routing
11:11 < PatrickDK> and openvpn brings up the connection
11:12 < PatrickDK> openvpn installs new route
11:12 < PatrickDK> and it's more specific than the old default route
11:12 < PatrickDK> so it can't find the openvpn server anymore and drops
11:12 < PatrickDK> it's a classic case, surprised I can't find any info on google
11:12 < PatrickDK> probably just searching the wrong terms
11:12 < PatrickDK> most people have this issue when installing a new default route
11:14 < Cyllene> pumkinhed_: Hi. Are you available for assistance?
11:15 < pumkinhed_> PatrickDK: so you are trying to replace the default route?
11:15 < PatrickDK> no
11:15 < PatrickDK> but most commonly the people that have this issue are
11:16 < pumkinhed_> ah
11:16 < PatrickDK> without their default gateway, they can't locate the openvpn server on the internet anymore
11:16 < PatrickDK> same issue I am having
11:16 < PatrickDK> but somehow I just am not googling the right thing
11:16 < pumkinhed_> PatrickDK: i have had this issue on other machines, i believe i had to set the route-method to exe
11:16 < pumkinhed_> PatrickDK: the environment was server 2k3, but i dont remember the particulars
11:17 < pumkinhed_> Cyllene: don't ask to ask
11:17 < Cyllene> ok
11:18 < Cyllene> As said above, I have two clients connected to the VPN which can't see each other.
11:18 < Cyllene> As of now it is 10.3.0.6 and 10.3.0.10
11:18 < Cyllene> I have "client-to-client" enabled in the config.
11:18 < Cyllene> Both clients and the server are using 2.1 rc15.
11:19 -!- zamba [i=marius@sveigde.hih.no] has left ##openvpn []
11:19 < PatrickDK> hmm, route-method isn't it, that is just how openvpn installs the routes into the kernel
11:22 < Cyllene> I am using tun as well.
11:22 * ecrist shoots his router
11:22 < Cyllene> The reason for using tun is so that I can connect through the server and use NAT
11:24 < PatrickDK> hmm, it's redirect-gateway
11:24 < PatrickDK> but I only want it to do step 1, not 2 and 3
11:30 < PatrickDK> ah, think I found my answer testing it now, route remote_host 255.255.255.255 net_gateway
11:30 < PatrickDK> that is the best I can do :(
11:44 -!- MRCUTEO [n=info@124.82.101.241] has joined ##openvpn
11:44 < MRCUTEO> hi
11:44 < MRCUTEO> everyone knows what is this error ? br0: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature
11:45 < MRCUTEO> trying to install bridge-start wont work
11:46 < MRCUTEO> cant get openvpn to work in bridge mode :(
11:52 < pumkinhed_> Cyllene: perhaps its a firewall issue on the openvpn server, what os?
11:53 -!- MRCUTEO is now known as mRCUTEO
11:53 -!- mRCUTEO [n=info@124.82.101.241] has quit []
11:53 -!- pumkinhed_ is now known as pUmkInhEd
12:01 < Cyllene> pUmkInhEd: Debian
12:02 < pUmkInhEd> you use iptables?
12:02 < pUmkInhEd> for firewall?
12:28 -!- MRCUTEO [n=info@124.82.101.241] has joined ##openvpn
12:28 < MRCUTEO> anyone can help ? i can get connected with bridge mode but cannot access internet in the openvpn.. anyone?
12:28 < Cyllene> pUmkInhEd: Yes
12:29 < MRCUTEO> i have added eth0 and tap0 to br0
12:29 < MRCUTEO> but still not working
12:29 < MRCUTEO> dns has also been setup
12:31 < pUmkInhEd> Cyllene: i don't use iptables, but i think it is probably a routing/nat issue
12:32 < pUmkInhEd> Cyllene: maybe #debian can help you with that...
12:32 < pUmkInhEd> or someone else here ...
12:33 < Cyllene> hmm
12:34 < Cyllene> I'll leave that one on the backburner for now.
12:34 < Cyllene> I don't understand why my replay-persist file isn't being written to.
12:42 < MRCUTEO> argh
12:42 < MRCUTEO> Cyllene
12:42 < MRCUTEO> how do you add tap0 to your bridge?
12:43 < MRCUTEO> i manage to add tap0 to the bridge but still no internet connection on the client..
12:43 -!- PatrickDK [n=guest@dyn-170-244-162.myactv.net] has quit [Read error: 110 (Connection timed out)]
12:45 < pUmkInhEd> MRCUTEO: have you defined your bridge in /etc/network/interfaces?
12:45 < MRCUTEO> yes
12:45 < MRCUTEO> im using centos
12:45 < MRCUTEO> i defined in /etc/sysconfig/network-scripts/ifcfg-eth0
12:46 < pUmkInhEd> can you ping across the bridge?
12:46 < Cyllene> MRCUTEO: Linux or BSD?
12:46 < MRCUTEO> yes
12:46 < MRCUTEO> Linux
12:46 < MRCUTEO> Centos
12:46 < Cyllene> :|
12:46 < Cyllene> You need to use br0
12:46 < MRCUTEO> yes already configured br0
12:46 < pUmkInhEd> MRCUTEO: so whats the problem?
12:46 < MRCUTEO> and link br0 with tap0 and eth0
12:47 < Cyllene> err
12:47 < Cyllene> brctl*
12:47 < MRCUTEO> yeah
12:47 < MRCUTEO> when connecting using client , i cannot browse website..
12:47 < MRCUTEO> error
12:47 < MRCUTEO> br0: dropping NET+IF
12:47 < pUmkInhEd> can you tracert or traceroute and see whether its a networking issue
12:48 < MRCUTEO> br0: dropping NET_IF_UFO
12:48 < MRCUTEO> something wrong..
12:49 < pUmkInhEd> apparently that error message is a red herring
12:50 < MRCUTEO> what is a red herring?
12:50 < pUmkInhEd> its just saying to you that checksum offloading is not supported by the virtual interface
12:50 < pUmkInhEd> but its not indicating failure, just the status
12:50 < MRCUTEO> oh..
12:50 < MRCUTEO> when i start openvpn tap0 wont show in ifconfig
12:51 < MRCUTEO> thats the weirdest
12:51 < Cyllene> pUmkInhEd: Should the replay-persist file ever have anything in it?
12:51 < pUmkInhEd> Cyllene: not sure, i dont use that feature
12:52 < Cyllene> ok
12:52 < pUmkInhEd> try modprobe ethertap
12:52 < pUmkInhEd> should load the tap driver
12:52 < MRCUTEO> okay
12:52 < MRCUTEO> i try now
12:53 * MRCUTEO computer disconnect need another remote reboot (reboot number 29)
12:54 -!- MRCUTEO is now known as mRCUTEO
12:55 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn
12:59 < mRCUTEO> pUmkInhEd
12:59 < pUmkInhEd> hi...
12:59 < mRCUTEO> what should i set in my server.conf : dev tap or dev tap0?
13:01 < mRCUTEO> FATAL: Module ethertap not found.
13:01 < mRCUTEO> FATAL: Module tap not found.
13:01 < pUmkInhEd> hrm...
13:01 < mRCUTEO> oh goodness
13:03 < pUmkInhEd> tap0, you should spec the actual iface
13:03 < mRCUTEO> okay
13:03 < mRCUTEO> FATAL: Module tap0 not found.
13:03 < mRCUTEO> same also :(
13:04 < mRCUTEO> but modprobe tun works..
13:04 < mRCUTEO> do i need to use tun then?
13:04 < pUmkInhEd> well, does tun suit your needs
13:04 < pUmkInhEd> are you trying to bridge two networks or not?
13:04 < unixSnob> anyone notice that openvpn front ends don't support tls authentication?
13:04 < mRCUTEO> yes 13:05 < mRCUTEO> bridging 2 networks 13:05 < unixSnob> dd-wrt and the n800 both force users to resort to the CLI 13:06 < unixSnob> anyone manage to get the maemo front-end to work with tls authentication? 13:06 < pUmkInhEd> mRCUTEO: how about lsmod 13:06 < pUmkInhEd> mRCUTEO: see any tap in there? like tap.o 13:06 < mRCUTEO> ok 13:07 < mRCUTEO> nope 13:07 < mRCUTEO> no tap 13:07 < mRCUTEO> only tun 13:10 < pUmkInhEd> dang, centos is a beastie, so many repositories 13:10 < pUmkInhEd> depending on where you got the package you may have to load another tuntap package 13:11 < pUmkInhEd> http://letmegooglethatforyou.com/?q=centos+tuntap 13:11 < vpnHelper> Title: Let me google that for you (at letmegooglethatforyou.com) 13:11 < mRCUTEO> i successfully connect but i dunno why i cant browse the internet.. 13:12 < pUmkInhEd> because your default gateway is at the other side of the bridge, most likely 13:14 < mRCUTEO> oh 13:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:15 < mRCUTEO> let me check my config again 13:15 < pUmkInhEd> you can ping across the bridge, maybe try pinging the default gateway 13:15 < mRCUTEO> okay 13:16 -!- yokyok [n=david@ppp-2.WLAN.FTG.panline.net] has joined ##openvpn 13:18 < yokyok> hello 13:18 < yokyok> I can't find a way to get rid of Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9) 13:18 < krzee> heheh 13:19 < krzee> you using topology subnet? 13:19 < unixSnob> how do I find out the DNS server for a VPN provider? 13:19 < yokyok> the option is push "redirect-gateway def1" 13:20 < yokyok> but i tried some other way 13:20 < krzee> yokyok, 13:20 < krzee> !configs 13:20 < vpnHelper> krzee: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 13:20 < yokyok> thanks 13:26 < mRCUTEO> anyone knows how to port forward all ports to openvpn client ? 
13:26 < mRCUTEO> anyone knows how to port forward all ports to openvpn client ? 13:27 < jeev> krzee 13:34 < yokyok> so... :) 13:34 < yokyok> http://pastebin.com/d14b08793 13:39 < yokyok> I uncommented the line push "redirect-gateway def1 bypass-dhcp" that was in the sample config, as it seemed to be what I wanted to do 13:39 < yokyok> but somehow the client isn't accepting that 13:52 -!- mRCUTEO [n=info@124.82.101.241] has quit [Read error: 110 (Connection timed out)] 14:06 < dvl> Well, I got my VPN running. I was able to run cvsup over it, very nicely. :) 14:07 < dvl> I wrote up how to create the CA and certificates. The README is good, but some points need to be emphasized. http://www.freebsddiary.org/openvpn-easy-rsa.php 14:07 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org) 14:08 < dvl> Next step: document the setup of a simple VPN. 14:11 < brutopia> hey, how can I disable TLS, authentication and encryption? I have following configuration file http://pastebin.com/m545c32d5 14:11 < brutopia> I don't understand why it requires CA certificate even if I haven't specified any authentication 14:13 < dvl> perhaps the server requires it? 14:14 < brutopia> I can put any address to the remote variable and it requires it 14:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 14:14 < dvl> cool 14:20 < brutopia> if I put a secret then it complains about too many authentication mechanism 14:38 < unixSnob> brutopia: you have to match the server config i believe 14:51 < brutopia> even if I specify a remote server with non-routable address it displays the same error 14:51 < brutopia> it can't even get to the connecting phase 14:52 < dvl> brutopia: tried /dev/null ? 15:01 -!- yokyok [n=david@ppp-2.WLAN.FTG.panline.net] has quit [Read error: 110 (Connection timed out)] 15:02 < brutopia> as a remote address? 15:22 < dvl> No, for the cert. 15:22 < dvl> FreeBSD FTW! 
15:22 < dvl> # This script supports running multiple instances of openvpn. 15:22 < dvl> My hero! 15:27 < unixSnob> can openvpn be used to bond two uplinks together? 15:42 < krzie> no i dont see how it would be 15:49 < unixSnob> eg. someone has DSL and Cable internet. They want the combined speed of both, and the reliability of a backup. 15:49 < krzie> no such thing as combined speed 15:50 < krzie> its possible to have each's speed going separate 15:50 < unixSnob> oh it exists.. but perhaps not openvpn supported 15:50 < krzie> but not a single xfer of combined speed 15:50 < unixSnob> analog modem users do it.. using "shotgun" uplinks 15:50 < unixSnob> no, it's combined 15:50 < krzie> but no, thats not an openvpn thing 15:51 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn 15:51 < krzie> openvpn is for vpn 15:51 < krzie> jeev, here? 15:52 < krzie> i got your msg but had to go 15:52 < krzie> on thanksgiving i always telecommute to the family 15:52 < krzie> so couldnt irc 15:53 -!- PatrickDK [n=guest@dyn-170-244-162.myactv.net] has joined ##openvpn 15:55 < pumkinhed_> get er going PatrickDK 15:55 < PatrickDK> heh 15:55 < PatrickDK> sorry, I was attempting to fix my auto-login script, freenode changed their string, and I wasn't detecting it 15:55 < PatrickDK> but got it working ok 15:55 < krzie> and unixSnob, if you get a single xfer of combined speed, im extremely interested to know how you did it 15:56 < pumkinhed_> good to hear, what was the problem? 
15:56 < krzie> getting around the routing issues and whatnot 15:56 < PatrickDK> route remote_host 255.255.255.255 net_gateway 15:56 < PatrickDK> that gives me ALMOST what I wanted 15:57 < PatrickDK> so the vpn remote host will use the default gateway 15:57 < PatrickDK> if a client doesn't use the default gateway to get to it, they will still be screwed 15:57 < PatrickDK> but good enough for most cases 15:58 < unixSnob> krzie: this page explains how to do it => http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php 15:58 < vpnHelper> Title: Linux Ethernet Bonding Driver HOWTO (at www.cyberciti.biz) 15:58 -!- pUmkInhEd [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)] 15:58 < PatrickDK> I had to make several more interesting changes to make bgp notice when openvpn was up and down though 15:59 < unixSnob> krzie: i was hoping openvpn would handle this effort though, because then I would get the capability automatically without having to be in control of the vpn server 15:59 < PatrickDK> unixsnob, openvpn can't do that 15:59 < PatrickDK> it caches ip's and routes internally 16:00 < PatrickDK> so multiple connections to the same openvpn server causes openvpn to go nuts 16:00 < PatrickDK> I did it, didn't work, stopped it, and used multiple openvpn clients and servers to do it 16:00 < unixSnob> PatrickDK: bummer! so even if I control the vpn server, it wouldn't work? 
16:00 < PatrickDK> then all the routing is on the os, and you let the os pick what openvpn tunnel to use 16:01 < PatrickDK> nope, not without setting up x copies of openvpn servers and clients 16:01 < PatrickDK> each link needs its own openvpn server and client 16:01 < PatrickDK> and you have to let the os do all the routing 16:01 < PatrickDK> basically just setup the bonding, or multipath 16:02 < PatrickDK> but you must keep each openvpn from seeing the different clients with the same ip addresses 16:02 < krzie> just dont share the lan behind any clients to both instances 16:02 < krzie> cause the internal iroute stuff will say "WTF!?" 16:03 < unixSnob> well, sounds possible then.. but more effort than i want to get into 16:03 < PatrickDK> I'm redesigning my whole openvpn structure now 16:03 < PatrickDK> one openvpn server for clients 16:03 < krzie> well ya, but the bonding would be 100% outside of openvpn 16:03 < krzie> openvpn is only for making a vpn 16:03 < PatrickDK> then an openvpn server per connection to remote lans 16:03 < PatrickDK> and bgp over those 16:03 < krzie> what you're talkin bout is something the OS needs to do 16:03 < PatrickDK> no internal openvpn routing going on 16:04 < krzie> (that was directed towards unixSnob ) 16:04 < PatrickDK> I know :) 16:04 < krzie> cool =] 16:05 < PatrickDK> openvpn is just one flexible software, most of the time I use it without routing 16:05 < PatrickDK> it's fun to bind network adaptors together on different remote machines 16:05 < PatrickDK> especially with how many os's I have virtualized now 16:07 < krzie> how many ya got? 
16:08 < krzie> now that my macbookpro has a 500gb HD im gunna start virtualizing a few to 16:08 < krzie> i figure ill toss on a windows for the hell of it, backtrack, maybe fbsd and gentoo as well 16:08 < krzie> for no good reason other than i have the space now 16:23 < dvl> How I got my VPN running: http://www.freebsddiary.org/openvpn.php 16:23 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - getting it running (at www.freebsddiary.org) 16:23 < dvl> Tomorrow, I'll work on multiple instances. 16:24 < krzie> nice dvl, thank you for writing about it and sharing with us 16:25 < krzie> !learn fbsdbridge as http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd 16:25 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 16:26 < dvl> krzie: thanks. 16:26 < krzie> !learn fbsdbridge as http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd 16:26 < vpnHelper> krzie: Joo got it. 
16:26 < dvl> krzie: there is a similar article for CA 16:26 < krzie> !ssl-admin 16:26 < vpnHelper> krzie: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 16:26 < dvl> http://www.freebsddiary.org/openvpn-easy-rsa.php 16:26 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org) 16:26 < krzie> thats a nice fbsd app for managing certs 16:27 < dvl> krzie: I think it comes with OpenVPN 16:27 < krzie> feedback ive seen is that ssl-admin > easy-rsa 16:27 < krzie> ya easy-rsa does 16:27 < krzie> ssl-admin does not, but is in ports (although more recent copy is in the link) 16:27 < krzie> ecrist coded ssl-admin 16:28 < dvl> OMG, http://www.secure-computing.net/wiki/index.php/OpenVPN_Server is FreeBSD specific 16:28 < vpnHelper> Title: FreeBSD OpenVPN Server HowTo - Secure Computing Wiki (at www.secure-computing.net) 16:28 < dvl> \o/ 16:30 < krzie> hehe ya 16:30 < krzie> although ssl-admin shouldnt be 16:31 < krzie> !learn easy-rsa-unix as http://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd, only the dir changes for linux 16:31 < vpnHelper> krzie: Joo got it. 16:32 < dvl> I've added links to that article from mine. 16:32 < krzie> !learn certs as use !easy-rsa-unix for easy-rsa 16:32 < vpnHelper> krzie: Joo got it. 16:32 -!- yokyok [n=david@ppp-2.WLAN.FTG.panline.net] has joined ##openvpn 16:33 < krzie> !learn certs as use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs 16:33 < vpnHelper> krzie: Joo got it. 16:33 < krzie> right on dvl =] 16:33 < krzie> nice ammo for the bot =] 16:33 < krzie> i love that bot, i can often help people who are willing to read with nothing but bot commands 16:34 < yokyok> !learn Options error 16:34 < vpnHelper> yokyok: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. 
The 'whoami' command can tell you if you're identified. 16:34 < yokyok> you never know :) 16:35 < krzie> hehe 16:35 < krzie> yokyok, i told you your problem 16:35 < krzie> you are using bypass-dhcp on 2.0 16:35 < krzie> but that is only a 2.1 option 16:35 < yokyok> I tried without the bypass-dhcp 16:35 < yokyok> but then I have to downgrade? 16:35 < krzie> post your config for me pls 16:36 < krzie> downgrade!? 16:36 < yokyok> http://pastebin.com/d6d560a5f 16:36 < krzie> you are using 2.0, right? 16:36 < yokyok> I took the line from the config sample 16:36 < yokyok> yes 16:36 < krzie> then you can only use 2.0 options 16:36 < krzie> or upgrade to 2.1 16:37 < yokyok> no sorry 16:37 < yokyok> openvpn 2.1~rc11-1 16:37 < krzie> but what about client? 16:37 < yokyok> on the other side, it's the openwrt port 16:37 < krzie> btw 2.1 is on rc15 16:37 < krzie> "openwrt port" means nothing 16:37 < krzie> what version 16:38 < dvl> I've just setup an OpenVPN server at home, where I have a dynamic IP address. Then I setup an OpenVPN client on one of my colo boxes. This VPN will help me do backups, pull website content from my repository at home, etc. The next step is to add another OpenVPN client from another colo box (different data center). I am not sure how the ifconfig fits in when you have multiple clients... clues? 16:38 < yokyok> OpenVPN 2.0.9 16:38 < krzie> multiple clients with lans behind them?? 16:38 < krzie> yokyok, then you can only use 2.0 stuff 16:38 < krzie> 2.1 will work with 2.0 16:39 < dvl> krzie: multiple clients without LANs behind them. 16:39 < krzie> but you must pretend both are 2.0 16:39 < krzie> dvl, pls see my writeup on that at: 16:39 < krzie> !route 16:39 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 16:39 < krzie> dvl, feedback appreciated 16:39 < yokyok> how to do that? 
16:39 < krzie> yokyok, by only using config options that work in 2.0 16:39 < krzie> in other words 16:39 < krzie> !man 16:39 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 16:39 < krzie> only use #1 16:39 < krzie> NOT #2 16:40 < yokyok> ok, thanks 16:40 < krzie> np 16:40 < krzie> now yokyok, show me your logs 16:40 < krzie> !logs 16:40 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:40 < krzie> cause your configs look fine as you posted 16:40 < krzie> also yokyok, any ccd rules? if so they werent pasted 16:41 < dvl> krzie: Hmmm, that link involves clients with LANs behind them. In my case, the clients are stand-alone boxes, no LAN behind them. That link still apply? 16:41 < krzie> yokyok, does it connect and you can ping 10.8.0.1 from client? 16:41 < yokyok> i can ping 10.8.0.1 16:41 < krzie> yokyok, cause it looks like it should connect, but not route to inet 16:42 < yokyok> i can ssh at that address 16:42 < krzie> yokyok, ok so your problem is you cant route from client to inet after connecting to vpn, right? 
16:42 < yokyok> routes are probably bad, I was all after that "push" that wasn't understood by the client 16:42 < krzie> yokyok, if so, dont post your logs 16:43 < krzie> ok go ahead and post the logs 16:43 < krzie> hehe 16:43 < krzie> WITH VERB 6 16:43 < krzie> aka: 16:43 < krzie> !logs 16:43 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:43 < krzie> dvl, most people setup their server on the dedicated box and their home network as client 16:44 < krzie> so they dont hafta worry bout dyndns and whatnot 16:44 < krzie> but either way works 16:44 < krzie> oh dvl, i read your answer to me too fast 16:44 < krzie> i thought you said WITH lans behind them 16:45 < krzie> dvl, i no longer understand your question then 16:45 < krzie> you just make the clients certs and they connect 16:45 < dvl> krzie: OK, I am probably thinking too much. 16:45 < krzie> if you wanna post your configs without comments i can look over it for ya 16:45 < krzie> and tell ya if anything can be fixed/changed to improve anything 16:45 < dvl> krzie: this might explain what I'm doing and why: http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/ 16:45 < vpnHelper> Title: » Avoiding dynamic IP address woes with a VPN - Dan Langilles Other Diary (at dan.langille.org) 16:46 < krzie> i usually do routing but ill look at your bridged 16:46 < dvl> krzie: I have not yet tried multiple clients. I'm just thinking ahead. Perhaps tomorrow. I've spent all day on those articles. 16:46 < dvl> krzie: well, perhaps bridged is not what I need for this situation. 
16:47 < krzie> prolly not 16:47 < krzie> !bridge 16:47 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 16:47 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses. 16:47 < krzie> see #3 and #4 16:49 < krzie> dvl, here is another option to solve that problem 16:49 < krzie> use routed 16:49 < krzie> use your dedicated server as the openvpn server 16:49 < krzie> then you can always connect by logging into that server and using the internal vpn ip 16:50 < krzie> and if you want to access the lan behind the openvpn client, see !route 16:50 < krzie> in fact i think ill comment on that page telling him that 16:51 < reiffert> And if you want to use windows protocols or OSX and feel all the comfort of doing that, use either broadcast relay and multicast relay or bridge the whole thing. 16:51 < reiffert> Although remembering IP addresses is quite comfortable as well. 16:52 < reiffert> And as no whatsoever libc supports per domain nameserver settings (watch out, the apple crew hacked that into the OS X libc, yeah yeah yeah!), writing down IP addresses makes you happy from time to time. 16:52 < krzie> tru, although at that point you may as well bridge 16:52 < reiffert> Hopefully no lan dhcp server plays tricks on you. 16:53 < dvl> krzie: well, if I put the OpenVPN server on one of my dedicated servers, then the other servers have to VPN into that. If the other servers need something from home, the traffic will go from NYC to Austin to Philadelphia. 
16:53 < krzie> ahh i see 16:53 < dvl> krzie: whereas if $HOME is the VPN server, the dedicated servers suck directly from $HOME 16:53 < krzie> well you could still have those connect to home cause of dyndns, and do the rest of what i said 16:54 -!- yokyok [n=david@ppp-2.WLAN.FTG.panline.net] has quit [Read error: 104 (Connection reset by peer)] 16:54 < krzie> ya valid point 16:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:54 < dvl> krzie: what you just said was: use $HOME as the OpenVPN server? 16:54 < dvl> krzie: and then look at routed 16:55 < krzie> yup 16:55 < krzie> and to bypass per ip rules 16:55 < krzie> just connect over the vpn 16:55 < reiffert> dvl: can you give me an update of what you are planning to do please, you've got three networks, A,B and C and you have hosts in those networks, let's call them ann, bar and charlie, whats their purpose? 16:55 < krzie> ive done that 16:55 < krzie> i wouldnt open ssh at home 16:55 < krzie> but i would make outbound connection to a server 16:55 < krzie> and then connect home over that server 16:56 < reiffert> problem sounds solved. 16:56 < krzie> he wants to have firewall rules so only a certain ip can access services 16:56 < dvl> reiffert: Well, I don't have three networks. I have one. At $HOME. I have three servers, at different data centers. Those servers need access to stuff on my $HOME network. 16:56 < krzie> but since ips change, he needs a nice way to do it 16:56 < krzie> the vpn creates that nice way 16:57 < dvl> krzie: Yes, that was my thought... the clients would just reconnect, and we're up and running again. 
16:57 -!- unixSnob [n=jj@starfury.spearlink.com] has quit ["leaving"] 16:57 < krzie> * /etc/pf.conf - update the IP address of my home gateway 16:57 < krzie> * /etc/hosts - update the IP address 16:57 < krzie> * /usr/local/etc/nrpe.conf - allow hosts to connect from the outside 16:57 < krzie> * restart stunnel - ensure the stunnel over which cvs updates is restarted 16:57 < krzie> and none of that is needed 16:57 < reiffert> dvl: network center's are connected fast and connection to $home is slow? 16:57 < dvl> krzie: \o/ 16:57 -!- YokYok [n=david@ppp-2.WLAN.FTG.panline.net] has joined ##openvpn 16:57 < krzie> cause the machines make outbound connection to HOME 16:58 < krzie> then everything goes over that 16:58 < dvl> reiffert: fast being a relative term. $HOME is 15Mb/15Mb 16:58 < reiffert> Sounds like a sane solution to me then. 16:58 < dvl> good!~ 16:58 < reiffert> Btw, in bridging mode you could still have a firewall handle who's doing what. On linux it's ebtables and it's working great. 16:59 < reiffert> Not sure about BSD. 16:59 < dvl> In general, the data centers pull data from $HOME. But then, $HOME also runs backups of the data centers. So in those cases it pulls from the VPN, no worries. 16:59 < krzie> dvl, using SMB at all? 17:00 < krzie> or any protocol which uses MAC and not IP? 17:00 < dvl> krzie: Not for what I'm doing over the VPN, no. 17:00 < krzie> k, you want routed for sure then 17:00 < krzie> otherwise you're wasting overhead 17:00 < krzie> encapsulating ethernet frames over ip 17:00 < dvl> krzie: This will all be UDP AFAIK. 17:01 < krzie> good 17:01 < krzie> udp is better 17:01 < krzie> !tcp 17:01 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 17:01 < dvl> krzie: Any SMB stuff will be from my laptop... when i'm not at home and VPN'd home. 
17:01 < krzie> dvl, you can still use smb by ip, just not by NETBIOS 17:02 -!- whaletales [n=Paul@5ad9e64c.bb.sky.com] has quit [Read error: 110 (Connection timed out)] 17:05 < krzie> !learn bridge-fw as in bridging mode you could still have a firewall handle who's doing what. On linux it's ebtables and reiffert says it's working great. 17:05 < vpnHelper> krzie: Joo got it. 17:05 < krzie> nice tip reiffert 17:06 < krzie> dvl, but also if you required bridging only for 1 client you could create 2 servers, 1 for bridge 1 for tun 17:06 < krzie> in case its important you use netbios 17:13 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:13 * Dougy is back ahead of schedule 17:13 < Dougy> %*$!^%& mother 17:13 < krzie> wasssup dougy 17:13 < Dougy> my mom nearly gave me a heart attack last night 17:13 < krzie> ecrist got the forum working 17:13 < Dougy> for a not a big deal 17:13 < krzie> you have the address? 17:14 < Dougy> yessir 17:14 < krzie> cool 17:14 < Dougy> ecrist: i would release that updated patching ya'll did 17:14 < Dougy> now i need to update its dns 17:14 < krzie> im sure he will, he has released code for phpBB before 17:14 < Dougy> ecrist: point A record to 173.8.113.98? 17:15 < krzie> i think he needs to activate accounts and stuff 17:15 < Dougy> krzie: i'm looking for a *nix based distro for my desktop 17:15 < Dougy> new tower i built 17:15 < krzie> he was trying to catch ya last night when ya left 17:15 < Dougy> dont say freebsd 17:15 < krzie> umm 17:15 < krzie> pcbsd? 17:15 < Dougy> no bsd 17:15 < krzie> heh 17:15 < Dougy> krzie: my mom called me, and i finished up the os load i was doing 17:15 < Dougy> and just ran out 17:15 < Dougy> i didnt even finish what my boss told me to do 17:15 < krzie> you could use noobuntu ;] 17:15 < Dougy> wha? 
17:15 * Dougy was thinking the dreaded Fedora 17:15 < krzie> ubuntu 17:15 < krzie> oh hell no 17:15 * Dougy is on ubuntu right now 17:16 * Dougy has freebsd installed on the tower now 17:16 < Dougy> i was playing with freebsd for a bit 17:16 < krzie> i had a class on unix and they had us use redhat 17:16 < Dougy> im going to get it on more of my servers when i get them again 17:16 < krzie> i wanted to strangle the teacher 17:16 < Dougy> Red hat is nice 17:16 < krzie> "this isnt unix!!! 17:16 < krzie> " 17:16 < Dougy> CentOS is very nice for a minimal desktop 17:16 < Dougy> believe it or not 17:16 < Dougy> fedora was kinda yuck last time when i used it 17:17 < Dougy> circa release 8 17:17 < Dougy> 7* 17:17 < krzie> you're asking the wrong guy 17:17 < Dougy> https://fedoraproject.org/wiki/Image:Tours_Fedora10_019.png 17:17 < vpnHelper> Title: Image:Tours Fedora10 019.png - FedoraProject (at fedoraproject.org) 17:17 < krzie> only linux ild use by choice is gentoo 17:17 < Dougy> that doesn't look real bad 17:17 < krzie> with possibility of debian 17:17 < Dougy> i would use gentoo 17:17 < Dougy> but 17:17 < Dougy> this tower cant handle that much compiling 17:17 < krzie> lol 17:18 < Dougy> Copyright (c) 1992-2008 The FreeBSD Project. 17:18 < Dougy> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 17:18 < Dougy> The Regents of the University of California. All rights reserved. 17:18 < Dougy> FreeBSD is a registered trademark of The FreeBSD Foundation. 
17:18 < Dougy> FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 17:18 < krzie> any tower can handle compiling 17:18 < Dougy> root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC 17:18 < Dougy> Timecounter "i8254" frequency 1193182 Hz quality 0 17:18 < Dougy> CPU: Intel(R) Pentium(R) 4 CPU 2.40GHz (2394.02-MHz 686-class CPU) 17:18 < Dougy> Origin = "GenuineIntel" Id = 0xf29 Stepping = 9 17:18 < krzie> its just you who cant maybe :-p 17:18 < Dougy> Features=0xbfebfbff 17:18 < Dougy> Features2=0x4400 17:18 < krzie> dude 17:18 < Dougy> real memory = 2080309248 (1983 MB) 17:18 < Dougy> avail memory = 2025947136 (1932 MB) 17:18 < krzie> PASTEBIN 17:18 < Dougy> It has one fan in it 17:18 < Dougy> and its meant for a 17:18 < Dougy> 1U rackmount not a tower 17:18 < Dougy> nah mang 17:18 < Dougy> pastebin is for quitters 17:18 < Dougy> or people who dont want tog et banned 17:18 < Dougy> to get* 17:18 * Dougy is kind of indifferent tonight 17:20 < krzie> lol 17:20 < Dougy> rofl krzie 17:20 < Dougy> www.fedora.org 17:23 < dvl> go FreeBSD go 17:24 < Dougy> haha 17:24 < Dougy> FreeBSD is good for servers imho 17:24 < Dougy> not for desktops 17:25 < Dougy> brb 17:25 < Dougy> getting on wifi 17:25 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Ex-Chat"] 17:26 -!- YokYok [n=david@ppp-2.WLAN.FTG.panline.net] has quit [Read error: 104 (Connection reset by peer)] 17:26 < reiffert> krzie: how to firewall bridged connections in BSD? 17:27 < krzie> its been a long time but i think i did it in ipfw 17:27 < krzie> by specifying layer 17:27 < reiffert> ah, allright. 17:27 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)] 17:27 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:27 < Dougy> ohai kidz 17:27 < Dougy> meh bsd was nice 17:28 * Dougy likes it for server stuff.. 
but it must go 17:29 < Dougy> this tower has 4 NIC's 17:29 < Dougy> :o 17:34 < krzie> my lan media center is fbsd 17:34 < krzie> it controls video for my 400disc dvd changer 17:34 < krzie> and my TV-in 17:34 < Dougy> nice 17:34 < krzie> outputs to my stereo system for audio 17:34 < Dougy> this is weird 17:34 < krzie> and has 4x500gb hd's in ZFS 17:35 < Dougy> er 3 nics my b 17:35 < Dougy> this tower has all 3 17:35 < Dougy> but 17:35 < Dougy> it detects the one built into the motherboard as eth2 and the 2 PCI ones as eth0 + 1 17:35 < krzie> does that somehow matter? 17:35 < Dougy> doesnt 17:35 < Dougy> i just find that weird 17:36 < Dougy> its the only distro out of 5 ive tried thats done that 17:37 < reiffert> wtf, 400disc dvd changer? What does that look like? 17:37 < krzie> it can be changed but i forget where 17:37 < krzie> 1sec reif 17:37 < reiffert> just for private purposes? 17:38 < krzie> ya its just a big dvd changer 17:38 < krzie> i like movies ;] 17:38 < krzie> its full btw 17:38 < krzie> and my nfs is 1/2 full of divx movies that arent in the changer 17:38 < reiffert> last time I was thinking about cd changer systems was back in 95 but then soon the hard disc prices looked way more attractive. 17:39 < krzie> my boy worked at sony 17:39 < krzie> so i got a nice discount 17:39 < krzie> http://www.amazon.com/Sony-DVPCX995V-400-Disc-Changer-Player/dp/B000A3XRSO 17:39 < reiffert> woot. 17:39 < krzie> that hooks to my svideo in on my bsd box 17:39 < krzie> and audio in so it stays in sync 17:40 < reiffert> And the price even has one digit less than I was expecting it to have. 
17:40 < krzie> ya 17:40 < krzie> my roommate was the guy who worked at sony 17:40 < krzie> i had racks of dvds all over the house 17:40 < krzie> one day he pulled that up on the web and said i should get it 17:41 < krzie> i said "bring that home tomorrow, heres the $" 17:41 < krzie> haha 17:41 -!- randra [n=sleepkno@189.75.20.171] has joined ##openvpn 17:41 < reiffert> It really really looks like a wannatohave. How about a (P/S)ATA connector? 17:42 < krzie> that would be gangster 17:42 < krzie> to run a HD on it 17:42 < krzie> but no 17:42 < reiffert> or to connect the dvddrive to the PC by whatever, esata. 17:42 < dvl> OK, when my second client connects, the first loses connectivity. I think I understand why. openvpn.conf for each client has "ifconfig 192.168.100.2 255.255.255.0". 17:43 < krzie> oh right that too 17:43 < reiffert> damn, I dont understand hardware developers, they always seem to miss important things. 17:43 < krzie> dvl, you using routed? 17:43 < dvl> krzie: no, I was going to try this first. 17:43 < krzie> then either use server-bridge to assign auto 17:43 < krzie> or change the ifconfig in each's ccd entries 17:43 < reiffert> however, long stories about so called multimedia hardware and in the end it's just modern shit in platic. 17:43 < krzie> giving each their own 17:43 < krzie> !static 17:44 < vpnHelper> krzie: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 17:44 < krzie> like that 17:44 < reiffert> plastic 17:44 < dvl> reading 17:44 < krzie> or if you do it in client config just change the ifconfig in each 17:44 < krzie> the place to read on those in man page 17:44 < krzie> !man 17:44 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 17:45 < reiffert> e.g. hdd video recorders without NIC. or vice versa and so on. 
17:46 < krzie> gotchya 17:52 < Dougy> damn man 17:52 < Dougy> little mustache scissors fuckin hurt when you miss what you went to trim 17:52 * Dougy just took off a nice piece of his upper lip 17:52 < Dougy> oops 17:53 < reiffert> try the other lip to ease the pain. 17:53 < krzie> mustache scissors!?!? 17:54 < krzie> arent you 15? 17:56 < Dougy> 16 and a bit 17:56 < Dougy> foo 17:56 < Dougy> :p 17:56 * Dougy doesn't like shaving 17:57 < krzie> shiet 17:57 < Dougy> since i'm blond, those little scissors keep it good enough i dont need to shave 17:57 < krzie> try being my 17:57 < krzie> err me 17:57 < krzie> im like teen-wolf 17:57 < Dougy> ahahaha 17:57 < Dougy> i just have little stuff 17:57 < Dougy> but 17:57 < Dougy> my gf pisses and moans because it tickles her 17:57 < Dougy> pita 17:57 < krzie> tickles... 17:57 < krzie> mine straight up hurts them 17:58 < krzie> if i dont shave for a day 17:58 < krzie> <-- italian and greek 17:58 < krzie> aka furry 17:58 < Dougy> ouch.. 17:58 < Dougy> lol 17:58 < Dougy> <- english, german, and transylvanian 17:59 < reiffert> teen-wolf? wtf? 18:00 < krzie> lol 18:00 < krzie> ever seen that movie? 18:00 < krzie> michael j fox is a teenager/ warewolf... 18:00 < reiffert> well .. are there any naked tits? 18:00 < krzie> not sure, it was from the 80's or 90's 18:00 < krzie> its been a long time 18:01 < reiffert> yeah 18:01 < reiffert> you know 'heavy metal'? 18:02 < krzie> vaguely 18:05 < reiffert> I love movies which come up with plenty of music playing in the back and foreground, Heavy Metal is one of the earliest I think. 18:06 < reiffert> Another one that was sounding pretty much different than all the other movies was: the crow, part I 18:06 < Dougy> DID SOMEONE SAY TIST? 18:06 < Dougy> TITS* 18:07 -!- K_luffy [n=V3N@77.31.162.183] has joined ##openvpn 18:07 < Dougy> woo 18:07 < Dougy> i found my arrest paperwork 18:07 < Dougy> lame 18:08 < krzie> arrest!? 
18:08 < krzie> damn you're starting early 18:08 < Dougy> simple assault 18:08 < Dougy> bull shit 18:08 < Dougy> i fucking kicked a kid 18:08 < Dougy> ONE TIEM 18:08 < Dougy> TIME 18:08 < Dougy> and i got arrested for simple assault 18:08 < krzie> well i hope you learned your lesson 18:08 < reiffert> Dougy is so excited he cant even spell tits. 18:08 < Dougy> krzie: yes 18:08 < krzie> if you're gunna kick or punch, WHOOP SOME ASS 18:08 < Dougy> i learned that if i hit someone 18:09 < Dougy> im going to fuck them up 18:09 < Dougy> not just one shot 18:09 < Dougy> im going to really rip them up 18:09 < krzie> exactly 18:09 < Dougy> god admn 18:09 < Dougy> damn 18:09 < reiffert> you say 'tits' and you can watch the trousers bloat. 18:09 < reiffert> 16 and a little, hahaha 18:10 < krzie> hahaha 18:10 < Dougy> nah not so much with me 18:10 < Dougy> my gf sufficees 18:10 < Dougy> suffices 18:10 < krzie> bah you're a man 18:10 < Dougy> krzie 18:10 < Dougy> this happened when i was 14 18:10 < Dougy> rofl 18:10 < krzie> by nature we need more than that 18:10 < krzie> speaking of which, got one of my girls interested in a 3some with her friend last night 18:11 < Dougy> niceeee 18:11 < Dougy> hit it 18:11 < krzie> took awhile of letting her know its ok and whatnot 18:11 < Dougy> make a video 18:11 < krzie> yup and yup 18:11 < krzie> but the vid will never hit the inet 18:11 < krzie> i make a few vids ;] 18:11 < Dougy> tmi 18:11 < Dougy> fuck 18:11 < krzie> i have a nice sony NTSC qual cam 18:11 < reiffert> :) 18:11 < Dougy> my gf really is rubbing off on me 18:11 < dvl> OK, I have --server-bridge configured and pushing an IP address to the client. What I'm missing is a way to push a route to the client. 18:11 < Dougy> dvl: way to ruin the moment 18:11 < reiffert> krzie: ntsc pal conversion should not be the problem :p 18:12 < krzie> dvl, with bridge you dont push routes 18:12 < dvl> Dougy: that's called frottage... ;) 18:12 < Dougy> dvl: say what?
18:12 < dvl> krzie: then I'm missing something. 18:12 < dvl> Frottage - 1 definition - The act of rubbing ones genitals on inanimate objects to induce ejaculation and/or achieve pleasurable sensations. 18:12 < krzie> you use the same /24 in the server-bridge 18:12 < krzie> but you tell the lan dhcp server to not assign the block you give to server-bridge 18:12 < dvl> "rubbing off"... too fast for me 18:13 < krzie> they are on the same lan 18:13 < dvl> krzie: reading that. 18:13 < krzie> my gf really is rubbing off on me 18:13 < Dougy> ohhh 18:13 < krzie> s/off/one off/ 18:13 < Dougy> haha 18:14 < Dougy> krzie: i am gonna upload something in 5 mins to show you 18:14 < Dougy> hah 18:14 < krzie> ok 18:14 < krzie> your girls titties? 18:14 < ecrist> Dougy: did you get my messages the other day? 18:14 < krzie> cause thats illegal 18:14 < Dougy> ecrist: no 18:14 < Dougy> family issue 18:14 < krzie> i dont need no child porn cases 18:14 < reiffert> allright, back to the important things then .. how to share all the pron. 18:14 < Dougy> i got up and ran as fast as i could to get hmoe 18:14 < Dougy> s/hmoe/home/ 18:14 < Dougy> krzie: no 18:14 < Dougy> no titties for you 18:14 < Dougy> that's illegal 18:14 < krzie> good 18:14 < ecrist> well, I got the board converted. 18:14 < Dougy> she's 16 18:15 < Dougy> ecrist: i saw 18:15 < krzie> exactly 18:15 < Dougy> ecrist: what do i set ovpnforum.com's A rec to 18:15 < reiffert> 16 and doesnt know what she's doing? damn hell, never again. 18:15 < dvl> krzie: I think I'm confused... if the VPN and the LAN share the same netblock, doesn't my VPN server wind up with two IP addresses in the same netblock? If so, that's rather interesting. 18:15 < ecrist> the ip juno.secure-computing.net is at: 173.8.113.98 18:15 < reiffert> (16 and a little) 18:15 < krzie> dvl, how so? 18:16 < krzie> it takes one from server-bridge, wheres the other one come from dvl? 18:16 < krzie> ohhhh 18:16 < dvl> krzie: from the NIC on the LAN.
18:16 < krzie> it starts with one 18:16 < dvl> from the NIC 18:16 < krzie> no cause its bridged 18:16 < krzie> same ip 18:16 < ecrist> Dougy: give it an A and AAAA record 18:17 < ecrist> AAAA should be 2001:470:1f11:463::98 18:17 < dvl> OH. krzie let me upload my config, perhaps I'm fuggered up. 18:17 < Dougy> [tech@console ~]$ host ovpnforum.com 18:17 < Dougy> ovpnforum.com has address 173.8.113.98 18:17 < Dougy> [tech@console ~]$ 18:17 < krzie> dvl, im not 100% on where it gets its local ip cause i havnt done bridging in so long 18:17 < Dougy> krzie: is 3 lines ok for not pastebinning 18:17 < krzie> i have no reason to use bridging 18:17 < krzie> sure dougy 18:17 < reiffert> dvl: btw, if you ever want one NIC to have multiple IP Addresses just from the same netblock, there is no whatsoever reason to not do it. 18:17 < krzie> 5 or more requires PB 18:17 < Dougy> ecrist: not sure my dc even supports ipv6 18:17 < ecrist> you don't need to, I'm sure the DNS daemon does, that's all that matters. 18:18 < Dougy> alright 18:18 < dvl> http://www.langille.org/tmp/openvpn.conf 18:18 < Dougy> i havent set up an AAAA record before 18:18 * Dougy forgets what one looks like 18:18 < Dougy> just 18:18 < Dougy> ovpnforum.com. 600 IN AAAA ip 18:18 < Dougy> ? 18:18 < dvl> reiffert: DOH, I forgot about that, yes, that is feasible. 18:18 < ecrist> yep 18:18 < ecrist> no different than an A, aside from IP version 18:18 < dvl> reiffert: and I have servers with IP aliases on them... so there. 18:20 < reiffert> yep 18:20 < Dougy> added, ecrist 18:20 < ecrist> ovpnforum.com has address 173.8.113.98 18:20 < ecrist> ovpnforum.com has IPv6 address 2001:470:1f11:463::98 18:20 < ecrist> ovpnforum.com mail is handled by 10 mail.ovpnforum.com. 18:20 < Dougy> !forum 18:20 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 18:20 < Dougy> @ everyone 18:20 < Dougy> dvl: join! :P 18:20 < Dougy> reiffert: you too 18:20 < Dougy> krzie: 106!
18:21 < ecrist> Dougy: I marked myself as a founder, hope you don't mind. 18:21 < Dougy> ecrist: not at all 18:21 < ecrist> also, you need to do some work on that board so it doesn't look so, 'just installed' 18:21 < Dougy> not sure quite what that means 18:21 < Dougy> ecrist: i have to go mod hunting and skin hunting one of these days 18:21 < Dougy> unless you have one you recommend 18:21 < ecrist> founder = admin without the 'admin' flags (but perms) 18:21 < Dougy> works for me 18:22 < ecrist> nothing in mind. 18:22 < ecrist> I would recommend something minimalist, but functional. 18:22 < Dougy> nod 18:22 < ecrist> i.e. don't make it look like myspace. 18:22 < ecrist> ;) 18:22 < Dougy> well if anyone wants to suggest 18:22 < Dougy> im open 18:22 < reiffert> Dougy: me too what? 18:23 < Dougy> reiffert: join 18:23 < reiffert> where what and why? 18:23 < ecrist> I would recommend the following links in the header for the board: wiki, openvpn.net, mailing list archives, and a mention of IRC chan here. 18:24 < Dougy> ecrist: ok 18:24 < Dougy> you can add them if ya wish 18:24 < Dougy> reiffert: 18:24 < Dougy> !forum 18:24 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 18:24 < ecrist> Dougy: naw, your project. I've got enough going on. ;) 18:24 < ecrist> I'll support, but not develop. 18:24 < Dougy> K 18:24 < Dougy> krzie: http://www.upload3r.com/serve/271108/1227831859.jpg 18:24 < ecrist> I *already* fixed the php code for the converter for you... 18:24 < reiffert> Dougy: look, when I use google I have to add -forum -board on every odd search because of the insane big number of bullshit out on the net. I dont take part on such a thing. 18:24 < Dougy> ecrist: did i say thanks? 18:25 < Dougy> reiffert: alright, valid reason for not joining 18:25 < Dougy> unlike everyone else and their "i dont feel like it" bullshit 18:26 < reiffert> One of the guys who cant send emails without a webbrowser, eh? 
18:26 < Dougy> me or him? 18:27 < reiffert> "everyone else". 18:27 < Dougy> oh 18:27 < Dougy> nod 18:27 * Dougy is sluggish this evening 18:29 < dvl> OK, getting confused as to why this does not work yet... http://www.langille.org/tmp/openvpn.conf 18:30 < dvl> The client gets an IP address. 10.55.0.170. But cannot ping 10.55.0.2 18:31 < reiffert> Hm, who would ever need a video showing the openvpn installation on debian? 18:31 < dvl> netstat -nr looks good... has 10.55.0.0/24 link#6 UC 0 0 tap0 18:31 < dvl> reiffert: yeah, nobody uses Debian any more. ;) 18:31 < reiffert> dvl: god thank for that one, now debian doesnt have to support all the forum and board people. 18:32 < Dougy> krzie 18:32 < Dougy> does your login for the forum work 18:32 < Dougy> i think all the pw's need a hard reset o.o 18:33 < Dougy> forced reset w/e 18:34 < reiffert> omg, the debian video does so many things in the wrong 18:34 < reiffert> well, just pretty wrong. however. 18:35 < Dougy> hmm ecrist 18:35 < Dougy> my phpmyadmin login doesnot work 18:35 < dvl> I'm seeing the pings out from the client and into the server, but from there, the replies are going out on the local LAN, not back on the VPN 18:35 < dvl> This is a routing issue. :) 18:36 < dvl> relatively easy to fix. 18:36 < reiffert> dvl: you are using bridged setup? 18:36 < krzie> its not routing in a bridge 18:36 < krzie> well, maybe it is 18:36 < reiffert> :) 18:36 < dvl> reiffert: I think so: http://www.langille.org/tmp/openvpn.conf 18:36 < krzie> i dunno bridged setups confuse me 18:36 < dvl> reiffert: you tell me... ^^ 18:36 < reiffert> dvl: paste: brctl show 18:36 < krzie> server-bridge 10.55.0.2 255.255.255.0 10.55.0.170 10.55.0.180 18:36 < krzie> it is bridged 18:36 * Dougy stabs krzie 18:36 < dvl> 00:36:45.742088 arp who-has 10.55.0.2 tell 10.55.0.1 18:37 < dvl> OK, then why can't it find that IP?
18:37 < reiffert> dvl: paste: brctl show 18:37 < reiffert> on the server 18:37 < dvl> reiffert: don't know that I have brctl 18:37 < reiffert> what kind of OS are you on? 18:37 < krzie> bsd 18:37 < dvl> FreeBSd 18:38 < reiffert> ah, sorry, just prove that tap and ethernet device are bridged. 18:38 < reiffert> then .. 18:38 < dvl> short paste 18:38 < krzie> once upon a time i knew how to check for that in fbsd 18:38 < Dougy> ahh phpmyadmin works 18:38 < dvl> tap0: flags=8943 mtu 1500 18:38 < dvl> inet6 fe80::2bd:a4ff:fe65:0%tap0 prefixlen 64 scopeid 0x8 18:38 < dvl> inet 10.55.0.2 netmask 0xffffff00 broadcast 10.55.0.255 18:38 < krzie> anyways dvl, you dont even want a bridged setup 18:38 < dvl> krzie: now you tell me. ;) 18:38 < krzie> i told you long ago 18:38 < PatrickDK> bridge setup in freebsd is annoying, atleast last I did it, it's a sysctl 18:38 < krzie> want me to scroll to it? 18:38 < reiffert> dvl: well, you failed to show. 18:38 < dvl> krzie: I was hoping to hand out IP addresses easily 18:39 < PatrickDK> and if you do more than one bridge, it gets complex fast 18:39 < dvl> reiffert: dunno how to show, but let's talk to krzie more. 18:39 < krzie> PatrickDK its a sysctl in 6 18:39 < reiffert> krzie: more. 18:39 < dvl> krzie: Yes, you probably did. 18:39 < krzie> in 7 its something else, ecrist mentioned it the other day 18:39 < PatrickDK> ya, I only have 5 and 6 currently in production 18:39 < dvl> krzie: But last thing I heard from you was the server-bridge option, so I went with that. 18:40 < krzie> cause you said you wanted to keep bridging anyways for now 18:40 < krzie> but in reality, once you get bridged working you want to kill it and start over 18:40 < reiffert> :) 18:41 < dvl> krzie: OK. what do you recommend? 18:41 < reiffert> dvl: fix the bridge setup on the serverside. 18:42 < krzie> dvl, you using routed? 18:42 < krzie> krzie: no, I was going to try this first.
18:42 < krzie> then either use server-bridge to assign auto 18:42 < krzie> i recommend going to a routed setup 18:42 < reiffert> that is *bridge* tap and ethernet to a new device, the bridge device and assign it the same IP address the former ethernet device has had. 18:42 < krzie> !sample 18:42 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 18:42 < dvl> krzie: I see now... 18:42 < krzie> heres some sample configs to start you out 18:42 < reiffert> krzie: but he's just one step away.. 18:43 < krzie> and hes gunna be wasting overhead of xfering ethernet frames over ip when he doesnt want to use anything that needs bridge 18:43 < dvl> reiffert: I read what you said.... but I'm thinking my brain is too fried tonight to be of value. 18:43 < krzie> ild be telling him to switch to routed if he was finished and had bridging working 18:44 < reiffert> :) 18:44 < PatrickDK> heh 18:44 < krzie> but by all means 18:44 < krzie> if he wants bridging anyways, go for it 18:44 < krzie> thats just my advice 18:44 < PatrickDK> always use routed, unless you need ipx, arp, dhcp, ... 18:44 < krzie> but im not his mom or anything ;] 18:45 < krzie> PatrickDK exactly 18:45 < PatrickDK> I actually can't think of why you need arp 18:45 < dvl> krzie: ahhh! I thought you were my mommy! 18:45 < PatrickDK> but some do, I guess if you physically split a single lan over two locations 18:45 < krzie> maybe for vpn enabled CARP? 18:45 < Dougy> krzie: http://ovpnforum.com/viewtopic.php?f=6&t=12&p=36 :( 18:45 < vpnHelper> Title: OpenVPN Forum View topic - OpenVPN server IP address blocked by ISP (at ovpnforum.com) 18:45 * Dougy made an oops 18:45 < dvl> Dougy: condom broke?
18:45 < PatrickDK> krzie, ya, but still doesn't sound like the *correct* why to do it 18:46 < krzie> dougy, i dunno my pass on the forum right now 18:46 < Dougy> krzie: ill reset it if you want 18:46 < krzie> dougy, i gotta check my keychain on my laptop at home 18:46 < Dougy> i had to reset mine 18:46 < Dougy> it didnt work 18:46 < krzie> ok but i cant access my email from here either 18:46 < dvl> PatrickDK: well, FYI, here's the background to my VPN solution: http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/ 18:46 < vpnHelper> Title: » Avoiding dynamic IP address woes with a VPN - Dan Langilles Other Diary (at dan.langille.org) 18:47 < krzie> dvl, i explained why you dont need bridge for that whatsoever 18:48 < dvl> krzie: I understand (I think). I just posted it for PatrickDK 's benefit, not to justify bridging. 18:49 < krzie> oh gotchya 18:49 < PatrickDK> heh, dynamic ip :( 18:49 < dvl> krzie: the sample that you prompted from vpnHelper , is that a general solution with which I'd apply routed? 18:50 < dvl> PatrickDK: yes, lovely. 18:50 < krzie> its a basic working routed setup 18:50 < reiffert> good night guys, may the routed setup be with you. 18:51 < reiffert> Dougy: naked shaken tits. big tits. white. 18:51 < PatrickDK> ya, what you need is simple 18:51 < Dougy> reiffert: mmmmmmmmm 18:51 < dvl> krzie: OK. thanks 18:51 < reiffert> :D 18:51 < Dougy> reiffert: perky>? 18:51 < PatrickDK> make a point to point vpn and use static ips for the vpn 18:51 < PatrickDK> done 18:51 < krzie> to which you apply anything specific to your setup 18:51 < krzie> PatrickDK, 3 clients 18:51 < krzie> dvl, no problem 18:52 < PatrickDK> krzie, no that would be hard 18:52 < PatrickDK> cause his home would be the server 18:52 < PatrickDK> I would just do 3 separate vpn's from his house 18:52 < krzie> dvl, then sharing any lans behind any of the peers, see !route 18:52 < krzie> PatrickDK, why? 18:52 < dvl> PatrickDK: running three instances of OpenVPN?
18:52 < PatrickDK> yep 18:52 < krzie> that would NOT be hard, it would be a normal setup 18:52 < PatrickDK> or you would still have the dynamic ip problem if you make your home a openvpn server 18:53 < krzie> his solution is not 3 ptp setups, unless he is using openvpn 1.x 18:53 < dvl> 2.x here 18:53 < krzie> no he wouldnt 18:53 < PatrickDK> maybe there is something I dunno about 2.x then :) 18:53 < krzie> he just accesses home stuff based on vpn ip 18:53 < krzie> instead of inet ip 18:53 < PatrickDK> I thought the issue was accessing inet stuff from home 18:53 < krzie> and reaches it by dyndns 18:53 < dvl> PatrickDK: If my ip address changes, connection is broken, DYN DNS is updated, clients reconnect. Done. Does that make sense? 18:54 < PatrickDK> oh ya, he does the whole dynamic dns thing 18:54 < krzie> well from home he still uses vpn ips to access 18:54 < krzie> then he can use !static if he wants 18:54 < PatrickDK> heh, I have mixed feelings about that 18:54 < krzie> !static 18:54 < vpnHelper> krzie: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 18:54 < Dougy> blah 18:54 < Dougy> i had boston market for dinner 18:54 < PatrickDK> dvl, I have had too many bad dns servers 18:54 < Dougy> my stomach isnt likin 18:54 < PatrickDK> that set a min cache time 18:54 < dvl> PatrickDK: well, FWIW, it seems fine for me (DYNDNS). 18:55 < dvl> krzie: you're suggesting that static for me? 18:55 < PatrickDK> if it works, it works :) 18:55 < krzie> for the clients, assuming you want to reach services on the clients getting around firewall rules 18:55 < dvl> PatrickDK: we'll find out soon enough. 18:55 < Dougy> krzie: need your advice 18:56 < Dougy> my school... when you hardwire in 18:56 < Dougy> you have to set firefox to 10.1.0.11 port 8078 to be able to surf the net or do anything at all 18:56 < Dougy> you cant even ping without that proxy server 18:56 < Dougy> is there any way to get around that?
18:56 < krzie> PatrickDK, the only advantage of 3 tunels with p2p is the static ip, but thats doable easily in client/server 18:56 < krzie> dougy, openvpn supports proxy 18:57 < krzie> you can vpn over the proxy, then use redirect-gateway 18:57 < Dougy> hmm 18:57 < Dougy> i can try that 18:57 < Dougy> pretty sure it wont work 18:57 < krzie> *shrug* 18:57 < krzie> it should 18:57 < Dougy> if you cant even do icmp without going through the school's proxy setup 18:57 < krzie> the vpn would go over the proxy 18:57 < Dougy> if they have it that limited, im pretty sure 18:57 < krzie> everything else would go over the vpn 18:57 < Dougy> that a vpn wont work 18:58 < krzie> so * would be going over the proxy 18:58 < Dougy> where is info on openvpn's proxy 18:58 < Dougy> info 18:58 < Dougy> blah i cant talk 18:58 < krzie> in the man page 18:58 < Dougy> !man 18:58 < vpnHelper> Dougy: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 18:58 < krzie> look for "proxy" 18:59 < Dougy> i woulda looked at this in school but 18:59 < Dougy> you cant even google the word proxy let alone have it in a webpage you're surfign 18:59 < Dougy> surfing 18:59 < krzie> you MAY need to run your vpn on tcp 443 18:59 < Dougy> im assuming its a socks proxy? 18:59 < Dougy> the one school has 18:59 < krzie> if you cant get it working otherwise 19:00 < krzie> you should know what kind of proxy, dont you have to tell firefox that...? 19:00 < Dougy> nope 19:00 < Dougy> i put it in all proxy settings 19:00 < Dougy> and it works 19:00 < Dougy> oh 19:00 < Dougy> socks5 19:00 < Dougy> --socks-proxy server [port] 19:00 < Dougy> what is the config directive for that 19:02 < Dougy> socks-proxy 10.1.0.11 8078 ? 19:04 < krzie> dunno dude 19:04 < krzie> play with it, you'll figure it out 19:05 < krzie> dougy, which forum do you want me to look in?
19:05 < krzie> if i answer in the old one it will be erased 19:05 < Dougy> new one 19:05 < Dougy> i posted a reply there 19:05 < krzie> k 19:05 < Dougy> http://www.ovpnforum.com/viewtopic.php?f=6&p=36&sid=bdcd367fa3f853591607fa43839e42e6#p36 19:05 < vpnHelper> Title: OpenVPN Forum View topic - OpenVPN server IP address blocked by ISP (at www.ovpnforum.com) 19:11 < krzie> dougy, im going to ignore that cause i dont understand wtf hes talkin bout 19:12 < Dougy> lmfao 19:12 < Dougy> i didnt even read it to be completely honest 19:12 < Dougy> i guess i should 19:14 < Dougy> uhh 19:14 < Dougy> wtf 19:14 < Dougy> lol 19:15 < krzie> im a junior member, lol 19:19 < krzie> !man 19:19 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 19:20 < krzie> !factoids search * 19:20 < vpnHelper> krzie: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'man', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 19:20 < vpnHelper> krzie: 'forum', 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'topology', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 19:20 < vpnHelper> krzie: 'irclogs', 'noenc', 'iptables', 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', and 'bridge-fw' 19:21 < dvl> it seems the website is fuggered up: 
http://openvpn.net/archive/openvpn-users/2008-02/msg00014.html Warning: require_once(../../../archive_common.php) [ 19:21 < krzie> wow that bot knows a lot of shit 19:21 < vpnHelper> Title: [Openvpn-users] routed vpn and fqdn? (at openvpn.net) 19:21 < krzie> ya dvl 19:21 < krzie> we wish we had access to fix that 19:21 < krzie> they broke their forum 19:21 < krzie> they didnt have a wiki 19:21 < krzie> and they neglected their irc channel 19:22 < krzie> so ecrist setup a wiki, dougy setup a forum, and we took over the irc channel 19:22 < krzie> but we cant fix their website =/ 19:22 < Dougy> lmfao 19:22 < krzie> but hey, at least the app rules 19:22 < krzie> heheh 19:23 < krzie> ill take a good app with neglected email archives over the opposite 19:23 < krzie> =u 19:23 < krzie> -u 19:23 < dvl> krzie: :they? OK, the openvpn project is not organized as I expected. 19:24 < krzie> the code is 19:24 < krzie> but ya 19:25 < krzie> thats the cool thing bout a nice opensource app tho 19:25 < krzie> people like us will try to fill the gap 19:25 < krzie> i dont have the C skill to contrib to the code, but i can help people 19:26 < krzie> others as well 19:26 < krzie> then theres reiffert who does both on occasion =] 19:26 * krzie pokes thomas 19:29 < Dougy> lets make a fork of openvpn then 19:29 < Dougy> o.o 19:29 < Dougy> well, by lets, i mean the people here 19:29 < Dougy> not me 19:29 * Dougy is a failure 19:36 < krzie> dougy, openvpn itself kicks ass 19:36 < krzie> a fork would be if the code needed to be improved 19:37 < Dougy> ring 19:37 < dvl> Options error: --server directive network/netmask combination is invalid 19:37 < Dougy> ah 19:37 < dvl> What goes in there? --help doesn't have it. 19:37 < dvl> krzie: that's your option, not sure what you've put in there.
19:37 < krzie> man page 19:37 < dvl> krzie: you had Options error: --server directive network/netmask combination is invalid 19:37 < krzie> !man 19:37 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1 19:38 < krzie> dvl, that config works for me, what did you change? 19:38 < krzie> or just pastebin your configs after you changed them 19:38 < dvl> krzie: no, I understand now. 19:38 < krzie> and ill take a look 19:38 < krzie> oh ok 19:38 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit ["Leaving"] 19:41 < dvl> krzie: OK, server started. 19:43 < Dougy> krzie: http://cdn-1.11piecesofflare.com/d1/stickers/5883/7111/back_seat_accidents_thumb.gif 19:47 < dvl> krzie: got client going. testing now. 19:49 < krzie> lol dougy 19:50 < Dougy> :p 19:50 < Dougy> wow 19:50 < Dougy> my girlfriend just sent me one of those bumperstickers on facebook 19:50 < Dougy> "butterflies never felt so good :]" 19:50 < Dougy> rofl 19:54 < dvl> krzie: I get the impression I'm missing something on tap0: http://pastebin.ca/1269093 19:54 < dvl> That's the server. 19:54 * Dougy runs 19:55 < krzie> you shouldnt have tap 19:55 < krzie> routed is tun 19:55 < dvl> krzie: well, I'm good then, without a tap assigned. 19:55 < krzie> except on windows where both are tap 19:56 < krzie> your tun looks right 19:56 < Dougy> windows fails 19:56 < Dougy> what? 19:56 < krzie> can your client ping 10.8.1.1? 19:56 < dvl> krzie: yes 19:56 < krzie> then your vpn works 19:57 < dvl> krzie: Oh.... 19:57 < krzie> do clients need to access the lan behind your server?
19:57 < dvl> krzie: yes 19:57 < krzie> then you need a push route 19:57 < krzie> as explained in !route 19:57 < krzie> !route 19:57 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:57 < krzie> that explains a lot more than that 19:57 < krzie> but it explains that as well 19:58 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 19:58 < mRCUTEO> hi i manage to create bridge-netweork but when connecting from client i cannot access the internet.. anyone can help? 19:59 < dvl> heh, heh,,,, I think my gateway is messed up. I can't browse to google.com 19:59 < dvl> or to krzie 's url 19:59 < krzie> dvl, you trying to direct inet access over the vpn? 19:59 < dvl> krzie: I hope not.... not on purpose. I've stopped the VPN on the server. 19:59 < mRCUTEO> hi krzie : do you know where can i get a good guide on setting up openvpn bridge-mode in Fedora/Centos OS? 19:59 < krzie> dvl, post configs? 20:00 < dvl> krzie: working on that. 20:00 < krzie> mRCUTEO no i dont like bridge mode and dont know it well enough to help 20:00 < krzie> mRCUTEO why do you need bridge? 20:00 < mRCUTEO> i want my client PC to be a web server with a static ip 20:01 < krzie> but why bridge mode? 20:01 < mRCUTEO> is there a right way to do port forwarding instead ? 20:01 < krzie> bridging is only for when you need a protocol that communicates using MAC address to work over the VPN 20:01 < mRCUTEO> ic 20:01 < mRCUTEO> i tried some iptables rules but not working for port forwarding 20:02 < dvl> krzie: http://www.langille.org/tmp/openvpn.conf 20:02 -!- randra [n=sleepkno@189.75.20.171] has quit [Read error: 113 (No route to host)] 20:02 < mRCUTEO> krzie do you know a valid iptables rules to port forward port 80 to my client?
20:02 < krzie> dvl, that shouldnt break your inet, its prolly your bridge that is breaking it 20:02 < krzie> from your old setup 20:03 < krzie> dvl, a reboot should fix it if you didnt make perm changes 20:03 < krzie> no mRCUTEO i dont 20:03 < krzie> but it should be just like a normal NAT setup's port forwarding 20:03 < dvl> krzie: that bridge should be long gone by now... stopping OpenVPN got http working 20:03 < krzie> or very very similar 20:03 < krzie> dvl, anything in ccd entries? 20:04 < krzie> cause those configs wont overwrite your default route 20:04 < mRCUTEO> okie 20:04 < krzie> dvl, and to share the server lan over vpn, you will use a push route 20:04 < dvl> krzie: Yes, looking at the push now. FYI, restarted server and client. can browse web fine. 20:04 < mRCUTEO> krzie if i wanted to use a public IP as my openvpn what configuration should i change>? 20:05 < krzie> ahh good 20:05 < krzie> mRCUTEO you would need a couple free ips 20:05 < krzie> you would need to waste 2 20:06 < mRCUTEO> oh 20:06 < krzie> then you would allocate a small block of routable ips in your server statement 20:06 < krzie> its usually NOT the way to go 20:06 < mRCUTEO> do you have any URL for guide? 20:06 < krzie> and you would REALLY want topology subnet from 2.1 20:06 < krzie> as to not waste 4 ips per client 20:06 < krzie> no mRCUTEO 20:06 < mRCUTEO> ic 20:06 < krzie> but its been talked about on the mail list 20:07 < krzie> so you would need 2 ips to waste 20:07 < krzie> then 1 ip per client 20:07 < dvl> krzie: beauty. 20:07 < mRCUTEO> ic 20:07 < krzie> and you cant allocate a 3 ip block, so minimum 4 ips to be used 20:08 < dvl> krzie: trying to add a new client 20:10 < ecrist> sup, bitches? 20:11 < krzie> sup eric 20:11 < krzie> happy thxgivin 20:11 < ecrist> ditto! eat some good turkey? 20:11 < krzie> dude 20:11 < krzie> the best i ever had 20:11 < mRCUTEO> hi ecrist do you have a guide on how to port forward http port 80 to openvpn client?
20:12 < krzie> (in linux) 20:12 < Dougy> yo ecrist 20:12 < ecrist> krzie: http://bacontoday.com/turbaconducken-turducken-wrapped-in-bacon/ 20:12 < vpnHelper> Title: Turbaconducken (Turducken Wrapped in Bacon) | Bacon Today (at bacontoday.com) 20:12 < krzie> oh hell ya 20:13 < krzie> you has a turducken!? 20:13 < krzie> with bacon 20:13 < krzie> thats awesomeness 20:13 < ecrist> wanted it. 20:13 < Dougy> jesus christ 20:13 < ecrist> wife vetoed. next year, though 20:13 < ecrist> mRCUTEO: it's going to vary on what hardware you're using on the gateway 20:14 < mRCUTEO> ic 20:14 < mRCUTEO> it has to go through the gateway? 20:14 < ecrist> of course 20:14 < ecrist> sorry, back to the movie 20:14 < krzie> a pregnant woman veto'ed a turducken in bacon!? 20:15 < ecrist> krzie: she's in her 'sick' phase 20:15 < krzie> oh 20:15 < ecrist> couple more weeks and it'll be in craving phase 20:15 < krzie> ecrist he wants port 80 on his server to forward to his client machine 20:15 < ecrist> s/it/she/ 20:15 < krzie> its a normal NAT port forward in his iptables 20:15 < ecrist> krzie: real easy with freebsd and pf. ;) 20:15 < krzie> agreed 20:15 < krzie> im not an iptables guy 20:16 < ecrist> back to movie 20:16 < mRCUTEO> oh okie :) 20:16 < krzie> nor will i learn it for someone elses setup ;] 20:16 < krzie> what movie? 20:16 < mRCUTEO> so it just using normal nat krzie? 20:16 < krzie> well not a normal NAT 20:16 < krzie> a normal port forward you would use in a NAT 20:16 < mRCUTEO> okay 20:16 < krzie> like if your home router was linux, and you wanted to port forward 20:17 < krzie> its the same thing, just so happens that the lan machine is really a vpn client 20:17 < Cyllene> krzie: How easy do you think it would be to link openvpn servers together in a decentralized p2p network? 20:18 < krzie> decentralized? 
20:18 < Cyllene> yeah 20:18 < krzie> openvpn uses centralized scheme 20:18 < krzie> so im not sure what you mean 20:18 < Cyllene> Well 20:18 < Rienzilla> you could make some effort to make a fully connected network :) 20:18 < krzie> i have setup servers linking to servers tho 20:18 < krzie> and routing through 20:18 < Rienzilla> every node trying to connect to every server it knows 20:19 < krzie> (by adding clients and complex iroutes 20:19 < Cyllene> Like, having each openvpn server be a "router" 20:19 < Cyllene> On your own little private "internet" 20:19 < krzie> how easy? not very 20:20 < Dougy> a darknet! 20:20 < krzie> doable? yes. easy? no 20:21 < krzie> gunna need to get familiar with debugging on your own tho 20:21 < Cyllene> yeah, I am definitely not going to do that. 20:21 < Cyllene> It's just a cool thing to think about. 20:21 < krzie> when i setup my openvpn chaining i had to read iroute code in source to figure out how to do it 20:21 < krzie> and a ton of tcpdumping 20:21 < krzie> haha 20:22 < Cyllene> heh 20:23 < krzie> i had it like this 20:23 < krzie> a client connects to a server, that server has another client 20:23 < krzie> the other client has another openvpn instance connected to a diff server 20:23 < krzie> who had another client 20:23 < krzie> the other client has another openvpn instance connected to a diff server 20:23 < krzie> etc 20:23 < krzie> and routed all the way through 20:23 < krzie> then i setup a vpn to go over that vpn 20:23 < krzie> from endpoint to far endpoint 20:24 < krzie> so nothing inside was trusted 20:24 < krzie> super paranoid route hider 20:24 < krzie> lol 20:24 < krzie> with 4096 encryption everywhere 20:26 < Dougy> damn 20:26 < dvl> Hmmm, first client works OK. second client cannot get TLS going.
20:26 < krzie> dvl, change verb to 6 on server and non working client 20:26 < krzie> then look at logs 20:26 < krzie> if you dunno whats wrong in logs pastebin them 20:27 < krzie> dvl, you using a diff cert for the second client? 20:27 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has quit [] 20:28 < Cyllene> hey krzie, do you know of any reason why TCP_NODELAY wouldn't work? 20:29 < Cyllene> On debian I get a failure when trying to set it. 20:29 < dvl> krzie: yes, different cert for the second client. 20:29 < krzie> i dont even know what TCP_NODELAY is 20:29 < Cyllene> tcp-nodelay 20:29 < krzie> dvl, ok then do what i said above 20:30 < dvl> well, for starters, lots of these on client... posting full logs next. P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #20 ] [ ] pid=0 DATA len=0 20:31 < krzie> ya that means nothing without full logs 20:31 < krzie> Cyllene i dunno dude 20:33 < Cyllene> ok 20:35 < krzie> i dont even know what you're talkin bout to be honest 20:38 < Cyllene> http://openvpn.net/index.php/documentation/manuals/openvpn-21.html#lbAH 20:38 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net) 20:38 < Cyllene> --tcp-nodelay 20:39 < krzie> you're using tcp? 20:39 < krzie> and you're using 2.1 on client and server? 20:39 < Cyllene> I was before I spoke with you. 20:40 < Dougy> blah 20:40 < Dougy> i took 8 hours to fix this customer's server 20:40 < krzie> well if you're using udp (which is by far recommended) why would a tcp flag work? 
20:40 < Dougy> he was like "what the fucking hell took so long" 20:40 * Dougy ignores him 20:40 < Cyllene> No no, this was before I spoke with you 20:41 < krzie> Cyllene, ok well now i know what you're talking about 20:41 < krzie> unfortunatly i still have no idea 20:41 < krzie> =/ 20:41 < Dougy> ouch 20:41 < Dougy> lol 20:41 < Dougy> krzie: i've never heard you say that 20:41 < krzie> it happens, lol 20:41 < krzie> ive never needed tcp 20:42 < krzie> so iv never played with tcp optimization 20:42 < dvl> krzie: http://www.langille.org/tmp/openvpn.client.txt 20:42 < krzie> any job i would take where ild be in a network, ild have access to allow myself outbound udp ;] 20:42 < dvl> krzie: and http://www.langille.org/tmp/openvpn.server.txt 20:43 < krzie> whoawhoawhoa 20:43 < krzie> Nov 28 02:31:10 nyi openvpn[98545]: OpenVPN 2.0.6 i386-portbld-freebsd6.3 [SSL] [LZO] built on Nov 26 2008 20:43 < krzie> outdated much!? 20:43 < dvl> That's the latest ported to FreeBSd 20:43 < Dougy> ew 20:43 < Dougy> someone hit the freebsd ports maintainer 20:44 < krzie> seriously 20:44 < dvl> 27 Apr 2006 20:44 < dvl> wow 20:44 < krzie> he hasnt had free time in the last couple yrs? 20:44 < krzie> haha 20:44 < krzie> dvl, it compiles from src perfectly 20:44 < krzie> on both 6 and 7 i can vouch for that 20:45 < dvl> I just emailed him. 20:48 < dvl> 2.0.9 is the latest? 20:48 < dvl> I see 2.1 beta and rc but no release 20:49 < dvl> # DO NOT BOTHER TO SEND NOTICES ABOUT OPENVPN 2.0.9 20:49 < dvl> # AS IT FIXES WINDOWS-ONLY BUGS THAT DON'T AFFECT *BSD 20:49 < dvl> # AND THUS DOES NOT WARRANT A PORT UPGRADE! 20:49 < dvl> # UPGRADE REQUESTS WILL BE DROPPED UNLESS BSD-RELATED. 20:49 < dvl> heh, that's in the port makefile 20:50 < dvl> so really, it's on the latest release 20:51 < krzie> lol 20:51 < dvl> I could grab openvpn-devel 2.1.r15 20:51 < krzie> gotchya 20:51 < dvl> ? 
20:51 < krzie> well im sure he looked into it more than me 20:51 < krzie> so if he says that in the makefile, im sure you're fine 20:51 < dvl> Now, about those logs? Anything obvious? 20:51 < krzie> lemme get back to them 20:51 < krzie> got caught worfking for a minute 20:52 < dvl> bugger. ;) 20:52 < dvl> I appreciate it 20:53 < krzie> ya np man 20:54 < krzie> always easier to help people who take the time to read 20:54 < krzie> (which its obvious you have) 20:58 -!- tjz [n=tjz@bb116-14-181-56.singnet.com.sg] has joined ##openvpn 20:58 < Dougy> bed 20:58 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Ex-Chat"] 21:01 < krzie> dvl, looks like it could be some kind of firewall issue, could that be the case? 21:02 < dvl> krzie: possible 21:02 < krzie> cool, look into that 21:02 < krzie> tcpdump will be your friend here too 21:04 < krzie> who is 72.94.100.80? 21:05 < krzie> oh wait 21:05 < krzie> dude 21:05 < krzie> those are the exact same logs 21:05 < krzie> lol 21:05 < krzie> that was confusing me 21:05 < dvl> on both? 21:05 < krzie> ya same file 21:05 < dvl> sorry, let me fix that. 21:05 < krzie> np 21:06 < krzie> both are client 21:11 < tjz> anyone try install openvpn on a openvz vps? 21:11 < krzie> as long as tuntap is in the kernel it will work 21:11 < dvl> krzie: reload http://www.langille.org/tmp/openvpn.server.txt 21:11 < krzie> note: you have no control over that 21:11 < krzie> the people who run the vps have to have tuntap in the ken\rnel 21:11 < krzie> kernel 21:12 < tjz> how much ram do you think is enough for a vps use for openvpn 21:12 < krzie> no idea 21:12 < krzie> i dont use any VPS 21:12 < tjz> i am looking at 64mb.. 21:12 < krzie> i have my own servers 21:13 < krzie> shouldnt need much 21:13 < tjz> ya 21:14 < krzie> hrm, dvl... 
im not sure if that could be firewall, server is seeing ackets from client 21:14 < krzie> and responding 21:14 < krzie> oh wait 21:14 < krzie> yes it is 21:14 < krzie> client firewall 21:14 < krzie> it is sending but not recieving 21:14 < dvl> krzie: what clues you into that? 21:15 < krzie> server reads and writes 21:15 < krzie> client writes, writes, writes 21:15 < krzie> no read 21:15 < dvl> OK. Will check. 21:15 < dvl> Now, why would that happen, client allows all out. Will verify. 21:15 < krzie> dunno, but tcpdump should verify what i said 21:16 < tjz> a 32bit system can hold 4gb ram or 3gb ram? 21:16 < krzie> 4gb 21:16 < krzie> as long as bios isnt old and weak 21:16 < tjz> ok.. 21:16 < dvl> looks better now 21:16 < krzie> i386 has 4gb limit 21:16 < krzie> dvl, changed a FW rule? 21:17 < PatrickDK> technically it's somewhere around a 3.5gig limit 21:17 < dvl> krzie: yes. 21:17 < PatrickDK> due to pci memory mapping 21:17 < krzie> nice =] 21:17 < dvl> krzie: now getting a tun0 21:17 < krzie> PatrickDK no kidding? that explains my home NFS, i thought it was my bios 21:18 < krzie> can the client ping 10.8.1.1? 21:18 < PatrickDK> krzie, worst I have seen is 3.2gigs usable 21:18 < PatrickDK> some get as high as 3.7gigs though 21:19 < krzie> iirc mines about 3.5 it can handle 21:19 < krzie> it wont boot with 4x1gig 21:19 < krzie> but 3x1gb and 1x512 works 21:20 < krzie> and all the 1gb sticks are identical 21:20 < krzie> and it wasnt the stick cause i can use any 3 21:20 < PatrickDK> hmm, that is strange 21:20 < PatrickDK> normally, it's just you put in 4gigs 21:20 < krzie> its a old weak bios too tho 21:20 < PatrickDK> and only 3.xgigs show up in the count 21:20 < krzie> i really should goto amd64 cause i use zfs 21:21 < krzie> but its the frankenstein box and i dont really wanna shell out the $ to upgrade 21:29 < dvl> krzie: looking good. configuring third client now. 
21:32 < tjz> using a different config 21:32 < tjz> ^_^ 21:32 < tjz> i think 21:36 < dvl> krzie: got my third client working. :) 21:38 < tjz> cool 21:38 < krzie> nice 21:38 < tjz> is it wise to allow 3 clients to share the same IP? 21:38 < krzie> see how much easier it was with routed? 21:39 < krzie> share the same ip!? 21:39 < krzie> you mean for outbound NAT? 21:41 < tjz> errr 21:41 < tjz> public IP 21:41 < krzie> like the average person does for their house? 21:42 < tjz> hmm... 21:42 < tjz> not too sure 21:42 < tjz> ^_^ 21:43 < krzie> well im not 100% i understand the question 21:43 < krzie> but if i do its normal and not a problem 21:43 < dvl> I don't understand it either. 21:43 < dvl> tjz: What is it you are trying to do/ 21:43 < krzie> you mean you have --redirect-gateway and NAT 21:43 < krzie> and all machines use the same ip in their NAT 21:43 < krzie> ??? 21:43 < krzie> if so, that is fine 21:45 < tjz> i need to try out more on the openvpn setup 21:45 < tjz> so far, i couldn't get my openvpn to work on a vps (power on openvz) 21:46 < tjz> maybe i should go try on a xen (which used a actual kernel) 21:46 < dvl> I am watching the "Best Udder - All Breeds" competition. on PBS no less... 21:48 < tjz> hmm 21:48 < tjz> what is it about? 21:49 < dvl> Cow competitions at fairs. 21:49 < krzie> time for me to head out 21:49 < krzie> later guys 21:49 < dvl> later, thanks. 21:50 < krzie> ill be back from other client later 21:50 < krzie> np man 21:50 < krzie> you are fully working now right? 21:50 < dvl> yes, AFAIK 21:50 < krzie> you prolly have 1 thing left 21:50 < dvl> I've stopped for today. 21:50 < dvl> static? 21:50 < krzie> on server you want to push route to clients for their LAN 21:50 < krzie> oh ya that too 21:50 < dvl> I have that push now. 21:50 < krzie> push "route lan_net lan_mask" 21:50 < dvl> Well, the clients can access my $HOME LAN via the push 21:50 < krzie> oh cool 21:50 < dvl> yeah, that's in there. 
21:51 < dvl> static will be useful for me to access the clients from here. 21:51 < krzie> agreed 21:51 < krzie> but thats easy 21:51 < krzie> and you know how (!static) 21:51 < dvl> yea, so i thought 21:51 < krzie> see ya later =] 21:51 < dvl> later. 21:52 < dvl> !static 21:52 < vpnHelper> dvl: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 21:56 < dvl> about it for me too... I've been going non-stop for 12 hours or so.... 22:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:12 < PatrickDK> well, I have full mesh bgp runnong over openvpn tunnels, all up and working good 22:15 < dvl> woo 22:15 < dvl> PatrickDK: You saw... I got it running finally. Seems OK, time will tell. 22:16 < PatrickDK> heh 22:17 < PatrickDK> my server<- clients setup isn't working well for bgp 22:17 < PatrickDK> it requires iroutes :( 22:17 < PatrickDK> so switching all bgp routes to ptp 22:17 < PatrickDK> and leaving the client access on the server method 22:41 < krzee> PatrickDK, would you please make a walkthrough for that!??? 
22:41 < krzee> [00:12] well, I have full mesh bgp runnong over openvpn tunnels, all up and working good 22:41 < krzee> that would be a badass walkthrough 22:42 < krzee> <-- knows little about bgp 22:42 < krzee> the wiki is a good place to put it if you dont have your own site 22:42 < krzee> !wiki 22:42 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 22:43 < krzee> its public write-able 23:41 < krzee> !factoids search win 23:41 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', and '2.1-winpass-script' 23:42 < krzee> !win_noadmin 23:42 < vpnHelper> krzee: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows --- Day changed Fri Nov 28 2008 00:01 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 00:01 < mRCUTEO> :D 00:04 < mRCUTEO> u ther krunar 00:04 < mRCUTEO> opps 00:04 < mRCUTEO> u there krzee 00:08 < krzee> !ask 00:08 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/ 00:08 < krzee> hehe 00:08 < krzee> plenty of others here that know stuff besides me 00:08 < mRCUTEO> :) 00:08 < mRCUTEO> krzee can u take a look at my simple iptables? 00:09 < krzee> ive never used iptables 00:09 < mRCUTEO> oh my 00:09 < mRCUTEO> :\ 00:09 < krzee> you're prolly better off talking to someone who uses iptables 00:09 < mRCUTEO> okie bro ;=) 00:09 < krzee> most linux channels are crawling with them 00:11 < mRCUTEO> :) 00:34 < tjz> i understand we can run multiple openvpn instances.. 00:34 < tjz> can we assign a unique ip for each openvpn instance? 00:39 < mRCUTEO> yes 00:40 < mRCUTEO> its possible 00:40 < mRCUTEO> u can assign private and public ip to the instances 00:42 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has quit [] 00:45 < tjz> ok.. 
00:45 < tjz> rip 00:45 < tjz> :( 01:09 -!- hermetek [n=shupej@74.196.125.168] has joined ##openvpn 01:10 -!- hermetek [n=shupej@74.196.125.168] has quit [Remote closed the connection] 01:23 -!- hermetek [n=shupej@74.196.125.168] has joined ##openvpn 01:24 < hermetek> Hello room. 01:25 < hermetek> I have a bridging firewall (linux 2.6) set up that connects to various vlans as a cisco trunk. I've added OpenVPN into the mix running as a server on the firewall, and am having some strange issues. 01:27 < hermetek> The VPN client connects to the server without issue, and communication works properly between the two endpoints. However, the client cannot access networks directly connected to the server. 01:29 < hermetek> In the server log: GET INST BY VIRT: 10.120.0.91 [failed]; On the server: (interface vlan2) inet addr:10.120.0.10 Bcast:10.255.255.255 Mask:255.255.255.0 01:29 < hermetek> The firewall (that the OpenVPN server runs on) can ping 10.120.0.91 just fine. 64 bytes from 10.120.0.91: icmp_seq=1 ttl=64 time=1.19 ms 01:29 < hermetek> Any suggestions? 01:30 < hermetek> I manually changed the IP's there for privacy, sorry about mismatching broadcast and network on the ifconfig output. Assume it's correct; it is on the server. 01:30 < hermetek> *netmask 01:35 -!- paruchuri [n=qvantel@61.16.248.247] has quit [Connection timed out] 01:58 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 01:58 < c64zottel> hello, is there a OpenVPN client for windows which i can use without installation? like running from USB-drive? 
02:13 < tjz> don't think so 02:13 < tjz> check this: 02:13 < tjz> sourceforge.net/projects/ovpnp 02:14 < tjz> OpenVpn Portable 02:15 < c64zottel> tjz: will check this, ty 02:34 < tjz> np ^_^ 02:36 < c64zottel> tjz, but i have to isntall it too 02:36 < c64zottel> i meant, just an executable, without installation at all 02:36 < c64zottel> hm 02:37 < tjz> i haven't try that though 02:37 < c64zottel> tjz, ok, ty 02:37 < c64zottel> at least a try 02:37 < tjz> :) 02:51 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 03:15 -!- onats_ [n=julian@unaffiliated/onats] has quit [Remote closed the connection] 03:23 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 03:36 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 03:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 03:46 < reiffert> tjz: no, it is not possible. 03:46 < reiffert> sorry, c64zottel. 03:47 < reiffert> hermetek: did you add the tap device to the bridge? 03:47 < reiffert> hermetek: that means, when the vpn is connected, show us a brctl show 03:47 < reiffert> hermetek: and ifconfig tap[0123..] and br0 03:48 < reiffert> c64zottel: openvpn works with the help of a kernel driver, a network card. It's called tun/tap device. On Windows this needs to be installed once and after this you can run openvpn as user (no administrative priveledges required) 03:51 < c64zottel> reiffert: hm, thanks for the explanation 04:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:41 -!- tjz [n=tjz@bb116-14-181-56.singnet.com.sg] has quit [Nick collision from services.] 04:42 -!- tjz [n=tjz@119.234.1.12] has joined ##openvpn 04:42 < tjz> i have my openvpn connected to my server 04:42 < tjz> why does my ip still show my ISP's IP? 04:42 < tjz> and not the remote server iip.. 04:44 < c64zottel> tjz: because its a tunnel, if you would change your ip address, your ISP wouldn't find you anymore .) 
04:46 < c64zottel> tjz: thats why you have a tun/tap device (tun for tunnel / tap for bridging) 04:47 < c64zottel> tjz: its like (or maybe it is, not sure) a virtual lan (vlan) device 04:47 < tjz> ya 04:47 < tjz> when i go to a website 04:47 < tjz> it should show the new IP address.. 04:47 < tjz> but for my case, it still show my ISP's IP.. 04:48 < c64zottel> depends on your VPN, do you use openVPN? 04:48 < tjz> ya 04:48 < tjz> use openvpn gui to connect to the server(openvpn already setup) 04:50 < c64zottel> then i would say its normal, cause openVPN doesn't kill the existing routes, means, openVPN opens a tunnel, with a new ip adress, and add a route for the private network, but you default route directs still to the ISP gateway (internet) 04:50 -!- mRCUTEO [n=info@124.82.100.95] has joined ##openvpn 04:50 < tjz> hmm 04:50 < tjz> how do i fix this? 04:51 < c64zottel> tjz: just watch and think: route print 04:51 < c64zottel> tjz: there is nothing to fix 04:51 < c64zottel> tjz: and ipconfig 04:51 < tjz> hmm 04:51 < c64zottel> but i am not a pro on this stuff, maybe there can someone add or correct me 04:52 < tjz> ok.. 04:52 < c64zottel> tjz: why are you not satisfied? 04:52 < tjz> it is showing my ISP ip.. 04:52 < tjz> i don't think i am in the tunnel at all 04:52 < c64zottel> tjz: try: route print 04:52 < tjz> route print 04:52 < tjz> do this at where? 04:53 < c64zottel> command line 04:53 < c64zottel> it shows the routes 04:54 < tjz> ok 04:54 < mRCUTEO> anyone have a good iptables rules to port forward port 80 from openvpn server to openvpn client.. 04:56 < tjz> this is the result for "route print" 04:56 < tjz> http://pastebin.ca/1269254 04:57 < tjz> This is my "ipconfig/all" : http://pastebin.ca/1269255 04:59 < c64zottel> tjz: and as you can see, 10.8.0.0 is your vpn-network 05:01 < tjz> what should i change on my server.. 
05:01 < tjz> !route 05:01 < vpnHelper> tjz: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 05:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 05:13 < tjz> :( 05:24 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."] 05:30 -!- tjz [n=tjz@119.234.1.12] has quit [] 05:33 -!- mRCUTEO [n=info@124.82.100.95] has quit [] 06:30 < Cyllene> krzie: You here? 06:31 < Cyllene> replay-persist is not storing information properly for me. 06:31 < Cyllene> (It's not writing to the file) 06:43 -!- tjz [n=tjz@bb220-255-22-231.singnet.com.sg] has joined ##openvpn 07:24 < ecrist> morning folks 07:31 -!- MRCUTEO [n=info@118.100.171.142] has joined ##openvpn 07:31 -!- MRCUTEO is now known as mRCUTEO 07:37 < ecrist> mRCUTEO: your port forwarding question doesn't pertain to openvpn - how about you google it. It's a very common task to perform. 07:37 < mRCUTEO> okay ecrist 07:38 < mRCUTEO> i got it to work already :) 07:38 < mRCUTEO> google helps me :) 07:41 -!- YokYok [n=david@ppp-2.WLAN.FTG.panline.net] has joined ##openvpn 07:45 -!- mRCUTEO [n=info@118.100.171.142] has quit [] 07:56 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has joined ##openvpn 08:10 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:17 -!- AukeF [n=auke@x154.flex.surfnet.nl] has quit [Read error: 110 (Connection timed out)] 08:17 -!- AukeF [n=auke@dhcp-121.wind.surfnet.nl] has joined ##openvpn 08:34 -!- YokYok [n=david@ppp-2.WLAN.FTG.panline.net] has quit ["leaving"] 08:35 -!- MrMarshall [n=aa@151.56.81.203] has joined ##openvpn 08:36 < MrMarshall> hi to all 08:43 -!- MrMarshall [n=aa@151.56.81.203] has quit [] 08:46 -!- Remowylliams [n=Mare@71.16.217.178] has joined ##openvpn 08:48 < Remowylliams> hi all, do I need a special tun driver for vista x64? 08:51 < Remowylliams> everything seems to be working up till the tun device is waiting for the route. after I guess 30 checks or so it finally says it's up. 
but I don't see the route in the route table and I can only ping the tun interface's ip 08:53 < ropetin> Remowylliams: I've never used it on Vista, but from what I read online, it should work fine with the latest version 08:53 < ropetin> Which version are you using? 09:02 < Remowylliams> I'm using 2.0.9 I think 09:03 < ropetin> Apparently 2.1 has built in support for Vista 64 09:06 < Remowylliams> ropetin: I see it's at rc15 I am guessing I could try using it. 09:07 < Remowylliams> Oops no I take that back I'm using 2.1.rc15 09:08 < Remowylliams> Hmm but I built 2.0.9 on my router doh! 09:10 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:10 < ropetin> :D 09:14 < Remowylliams> blessed are the writers of configure :) 09:18 < ropetin> ? :D 09:19 < Remowylliams> ropetin: to be able to build a chunk of software on many different platforms using the gnu configure system is much better than trying to build make files for every platform 09:26 < ropetin> Well that's certainfly true 09:26 < ropetin> certainly 09:38 -!- dresdn [n=dresdn@ip72-223-108-98.ph.ph.cox.net] has joined ##openvpn 09:41 < dresdn> Anyone here happen to be using an ActionTec device as the gateway on a LAN with an OpenVPN server behind it? 09:46 -!- protocols [n=protocol@p5791FC06.dip.t-dialin.net] has joined ##openvpn 09:54 < Remowylliams> dreadfully uncooperative. 09:55 < Remowylliams> there's a good chance the way it's hooked up to the network it's jusst not going to work. 09:55 * Remowylliams hrmrms 09:56 < dresdn> Remowylliams: you referring to the actiontecs? 09:57 < Remowylliams> dresdn: no my problem with getting 2.1rc15 to work on Vista x64 09:57 < dresdn> ahhh - I'm sorry =) 10:01 < Remowylliams> I keep getting waiting for tun/tap interface to come up a bunch of times then it says it's connected but I don't actually see the route. 10:01 < dresdn> ipconfig /all show the int? 
10:03 < Remowylliams> it says unable to redirect default gateway 10:05 -!- ikevin_ [n=kevin@ANancy-256-1-53-233.w90-26.abo.wanadoo.fr] has joined ##openvpn 10:07 < Remowylliams> route gateway or ifconfig missing according to the log 10:49 -!- ikevin_ [n=kevin@ANancy-256-1-53-233.w90-26.abo.wanadoo.fr] has quit ["Quitte"] 10:51 < ecrist> morning 10:52 -!- dresdn [n=dresdn@ip72-223-108-98.ph.ph.cox.net] has quit [Remote closed the connection] 10:52 < Remowylliams> morning ecrist 10:52 < Remowylliams> now why would openvpn set my tun0 to /sbin/ifconfig tun0 192.168.5.1 192.168.5.2 mtu 1500 netmask 255.255.255.255 the netmask doesn't look like I'd expect it too 10:52 -!- tjz [n=tjz@bb220-255-22-231.singnet.com.sg] has quit [] 10:53 < Remowylliams> shouldn't it be 255.255.255.0 ? 10:55 < ecrist> no 10:55 < ecrist> I would ignore that, unless you want to get into the inner workings of subnetting and openvpn 10:56 < Remowylliams> ecrist: well I can't ping on my router the 192.168.5.1 10:57 -!- MrMarshall [n=MrMarsha@151.56.81.203] has joined ##openvpn 10:57 < MrMarshall> hi to all 10:57 < ecrist> Remowylliams: from a connected client? 10:58 < ecrist> fwiw, you're not going to be able to ping the .1 address for the server itself. 10:58 < MrMarshall> i need to route all my home lan through openvpn 10:58 < Remowylliams> ecrist: I have a freebsd outer I built openvpn 2.1rc15 on I'm ssh'ed into the router on one computer to monitor things, I bring up openvpn with a server.conf and then I connect to it with another computer via openvpn with a client.conf 10:58 < ecrist> MrMarshall: you need a default gateway that supports it, then it's a matter of proper routes 10:59 < Remowylliams> I'm trying to ping 192.168.5.1 from inside the router, If you persist in thinking I won't be able to ping it. please explain why. 
10:59 < MrMarshall> ecris the openvpn is mine 11:00 < ecrist> Remowylliams: from other systems, that IP should be pingable 11:00 < ecrist> from the openvpn server itself, no. 11:01 < MrMarshall> i have added push "redirect-gateway def1" to the end of conf 11:01 < dvl> http://www.yaplakal.com/uploads/previews/post-3-12278580528617.jpg 11:02 < MrMarshall> but when i connect to my vpn i can't reach any website 11:03 < Remowylliams> ecrist: Odd I can ping my 192.168.4.1 address just fine which is natted and I can see the tun0 interface fine. when my windows vista x64 machine connects I get a number of: route: waiting for tun/tap interface to come up. and in the end it tells me it failed to establish a default gateway. 11:03 < ecrist> MrMarshall: you need to NAT 11:04 < ecrist> Remowylliams: when you give me a better idea of what you're trying to do, and your configs, I can better help you 11:04 < ecrist> !configs 11:04 < vpnHelper> ecrist: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 11:04 < MrMarshall> ok i try now and i tell you 11:04 < Remowylliams> ecrist: with the client machine connected I can only ping the assigned IP address of the machine itself not the ip of the machine the server is running on 11:06 < Remowylliams> ecrist: What better idea do you need? I want to connect and use the vpn. 11:07 -!- PatrickDK [n=guest@dyn-170-244-162.myactv.net] has quit [Nick collision from services.] 
11:18 < ecrist> let me see your config 11:18 < ecrist> both client and server 11:20 < MrMarshall> whenn i try to set iptablerule "iptables: No chain/target/match by that name" 11:21 < ecrist> MrMarshall: sorry, I'm not an iptables user 11:22 < MrMarshall> thanks ecrist 11:22 < Remowylliams> ok ecrist 11:23 -!- protocols [n=protocol@p5791FC06.dip.t-dialin.net] has quit ["Leaving"] 11:29 -!- dresdn [n=dresdn@ip68-226-17-14.tc.ph.cox.net] has joined ##openvpn 11:30 < Remowylliams> ecrist: http://pastebin.com/m2f58cdf 11:44 < Remowylliams> ecrist: see any problems? 11:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 12:11 -!- MrMarshall [n=MrMarsha@151.56.81.203] has quit [Read error: 60 (Operation timed out)] 12:11 -!- dresdn [n=dresdn@ip68-226-17-14.tc.ph.cox.net] has quit [Read error: 54 (Connection reset by peer)] 12:14 -!- dresdn [n=dresdn@ip68-226-17-14.tc.ph.cox.net] has joined ##openvpn 12:14 < Remowylliams> ecrist: here's hoping you can find the configuration problem. have to go to lunch 12:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 12:25 -!- dresdn [n=dresdn@ip68-226-17-14.tc.ph.cox.net] has quit [Remote closed the connection] 12:39 < ecrist> will look now 12:40 < ecrist> Remowylliams: found your problem. 12:40 < ecrist> the server and client need to use the same device. 12:40 < ecrist> your server is using tun, whereas your client is using tap 12:47 < ecrist> ack, I always get nervous deleting lots of data 12:51 * ecrist waves good-bye to 2.6TB of data. 12:54 < ropetin> ecrist: as long as you are sure you didn't want it! 12:55 < ropetin> What fills that much space? 13:12 < hermetek> I have an engineering firm as a client that has multiple 12TB boxes they fill up with CAD files and backups. 13:13 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit ["asdf"] 13:14 < ecrist> ropetin: medical claims 13:15 < ecrist> that's our backups system - all disk based. 
13:15 < ecrist> I'm decom'ing it, we got a new box, all the data was already transferred over a couple weeks ago, been using it for the last two weeks 13:15 < ecrist> all is well, so I'm re-purposing the old one. 13:19 < ecrist> the new box, waaay fast, too. 13:19 < ecrist> our backups, on the old system, ran from 12am to about 2:30pm every day. 13:20 < ecrist> now, they run from 12am to 7:15am or so 13:26 < jeev> shit ecrist 13:26 < jeev> the office i want to talk to does medical billing and stuff 13:26 < jeev> where is your back up server located compared to office? 13:30 < ecrist> jeev: all our systems are colocated at our ISP 13:33 < ecrist> so, it's all across gig-e 13:34 < jeev> oh 13:34 < jeev> so you do have a gig-e connection TO it ? 13:34 < jeev> what distance and how fast are your transfers? 13:35 < hermetek> anybody ever configure openvpn as a routing server on a box that only has a bridge and several vlan interfaces? 13:36 < hermetek> Ietting the "GET INST BY VIRT [FAILED]" error even for subnets to which the server is directly connected. 13:36 < hermetek> I'm getting* 13:36 < Remowylliams> ecrist: so somehow I have to setup a tap device on freebsd? 13:38 < Remowylliams> looks like I just had to set it to use tun instead of tap on vista. 13:46 < ecrist> jeev: *Everything* is at the colo 13:46 < ecrist> so, distance, about 2 meters 13:47 < ecrist> don't know how fast the file transfers are, haven't clocked 'em 13:47 < hermetek> with gigE a good network card & switch make a ton of difference. 13:48 < ecrist> Remowylliams: the openvpn docs are a good source of information. 13:48 < ecrist> we're mostly disk-bound on those types of transfers. 13:48 < Remowylliams> ecrist: thanks, I'll check where it says use dev tun on the tap interface for windows. 13:48 < ecrist> so, the old system, as I'm transferring data now, is 100% disk utilization at about 20Mb/s 13:49 < hermetek> what kind of arrays do the machines have in them? 
13:49 < ecrist> the new system is at about 25% disk utilization 13:50 < hermetek> just curious, not trying to critique your setup or anything. 13:50 < ecrist> Remowylliams: it's not going to say that 13:50 < ecrist> didn't think that at all. just 'splining how it's configured 13:50 < jeev> ecrist 13:50 < jeev> so you have a colo at the office you mean 13:50 < jeev> ;d 13:50 < ecrist> well, no, we have an office. 13:50 < ecrist> all we do is ssh to the systems at the colo over an OpenVPN tunnel, though. 13:51 < jeev> ecrist 13:51 < jeev> i mean, what is the distance between the office and the server. 13:51 < jeev> is it at a remote datacenter 13:51 < ecrist> 10 miles 13:51 < jeev> oh ok 13:51 < jeev> you guys are connected at a gig, point to point ? 13:51 < ecrist> we used to have a T1 between them, but we dropped that for a cable connection that's faster 13:51 < jeev> oh 13:52 < jeev> ok so 13:52 < ecrist> about 120 times the latency, but more bw 13:52 < jeev> what's it worth to a company just like yours 13:52 < ecrist> jeev 13:52 < jeev> to have a point to point 13:52 < hermetek> jeev: that's a pretty common setup 13:52 < ecrist> read what I'm saying. 13:52 < ecrist> our servers, at the colo, are on a gigE switch with gigE cards and cat 6 cabling 13:53 < ecrist> no servers to back up at the office 13:53 < jeev> i understood that. 13:53 < ecrist> Remowylliams: trolls are unwelcome here 13:54 < jeev> ecrist, i just wanted to know what hooks you up to the bck up server 13:54 < jeev> and it's cable.. 13:54 < ecrist> no 13:54 < ecrist> the backup server is local to the others 13:55 < ecrist> unless you mean cat 6 cable 13:55 < Remowylliams> ecrist: I'm not trolling. 13:55 < jeev> you're making this so difficult. 13:55 < jeev> you're office is at point A 13:55 < jeev> datacenter, point B 13:56 < jeev> the connection between A and B is cable modem. 13:56 < ecrist> oh, right, that, sure. 13:56 < jeev> are costs at the datacenter expensive ? 
13:57 < hermetek> jeev: they vary depending on the metro they're in and how much space/ power/ bandwidth you need. 13:58 < ecrist> if you don't count our various PVC's, and our two frame-relays, we pay $1300/mo for two full racks and 3Mb of bandwidth 13:58 < jeev> ahh i understand 13:58 < jeev> it's cause the neighbors in my friends building do medical billing 13:58 < jeev> i think they have 4 t1's 13:58 < jeev> i want to say, gimme that 2k/month and here you go, 100mbit ptp + 20mbit to the net 13:59 < hermetek> we pay $1600 for 25mbps (5 internap, 20 cogent/l3 blend) and 2x20a power drops at our dallas dc, for comparison purposes 13:59 < ecrist> as I look at our traffic graphs, we idle around 200K with random peaks to ~2Mb 13:59 < ecrist> bw here in Minneapolis is expensive as hell 13:59 < jeev> yea 13:59 < jeev> but the thing is 13:59 < jeev> i'm taking fiber to the office building 14:00 < jeev> so they could have 20mbit for their server + network 14:00 < jeev> office network 14:00 < jeev> and they could pay a little more, get space for their back up box 14:00 < ecrist> our 3 megs is just a general connection to our ISP, who's triple-homed on l3, sprint, and qwest 14:00 < jeev> that way they get ~2-3 ms latency + off site storage 14:00 < hermetek> jeev: those loops are expensive. 14:01 < jeev> hermetek :) i'm trying to bring it here, so i want to take them on as a client 14:01 < jeev> i May get the gig PTP for $2500/month if the company doesn't try to rip me 14:01 < jeev> and then i can get bandwidth from mzima or my friend's colo in LA 14:01 < jeev> i already have free space there.. ya know ? 14:01 < hermetek> i just don't see you getting a P2P that can support a gig for $2500/mo 14:01 < jeev> but i would prefer mzima, i dont like his network admins. 
14:02 < jeev> hermetek, when the cable company needs $, they'll do anything
14:02 < jeev> they want 4k, i told them you told me 3 year commit @ 3k/month
14:02 < jeev> then they said 2500, then said that was for 100mbit.
14:02 < jeev> i said if it's not for a gigabit, i dont want it.
14:02 < jeev> i even offered a 5-10 year commit
14:02 < jeev> i want lowest $ possible
14:02 < hermetek> out here (2 hours east of dallas) a 20mbps p2p from the local cable company was quoted to us at $8k
14:02 < jeev> damn
14:02 < jeev> ask on webhostingtalk for a loop
14:03 < jeev> i will get mzima @ 17/meg
14:03 < jeev> up to 50mbit
14:03 < jeev> less for more.
14:03 < jeev> but friend said he'd give me same price with no commit
14:03 < hermetek> the bandwidth isn't where the cost is incurred, it's the loop
14:03 < jeev> he has level3, sprint, global crossing
14:03 < jeev> yea, i know
14:03 < hermetek> i can get 200mbps off bandwidth for $7/mb. but i can't afford the loop to run it on.
14:03 < jeev> yea ;)
14:03 < hermetek> *of
14:03 < jeev> so, i'll continue fighting for the loop
14:03 < jeev> but i figure, offer the guys 2k/month
14:04 < jeev> for 20mbit to the net
14:04 < jeev> 100mbit PTP
14:04 < hermetek> good luck
14:04 < jeev> i dont see why they wouldnt take it
14:04 < jeev> if they're already paying 2k/month.
14:04 < jeev> right ?
14:04 < hermetek> esp. considering a t1 still runs ~500 in a lot of areas
14:04 < jeev> yep
14:04 < jeev> itll cost me
14:04 < jeev> 100mbit will cost me 250 in ptp
14:04 < jeev> bandwidth will cost me 20 mbit
14:04 < jeev> around 250
14:04 < jeev> so i'll have 1500 to pay for the loop
14:04 < jeev> + gather more clients in the building
14:04 < jeev> a lot of people want to get the hell off of ATT
14:05 < hermetek> good luck with that
14:05 < hermetek> well, i take that back. one of our clients just signed on a ds3 for $4500/mo
14:06 < hermetek> so you -may- get 20mbps with $2k
14:06 < jeev> full ds3?
14:06 < hermetek> yeah
14:06 < jeev> even better, i'll give them 45mbit for 4000/month :D
14:07 < jeev> 540
14:07 < hermetek> they have a hefty discount because they know people in high places though
14:07 < jeev> for bandwidth
14:07 < jeev> 112.5
14:07 < jeev> that will cost me 700 bux a month
14:07 < jeev> with 100mbit to the datacenter for space for a server.
14:07 < jeev> to one wilshire
14:07 < jeev> LA
14:09 < Remowylliams> ecrist: thanks very much for the help. You were certainly instrumental in me getting this working.
14:10 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:13 < hermetek> you may also incur the cost of the equipment too. ds3 cards are not cheap.
14:14 < jeev> yea
14:14 < jeev> see? i want to do this!!!
14:14 < jeev> i also want to shoot out wimax
14:17 * ecrist wonders where jeev gets his cash, and why he's not sending him some...
14:17 < jeev> lol
14:18 < jeev> i got a good project going
14:18 < jeev> going through 100000 pages of faxes
14:18 < jeev> with social security and names
14:18 < jeev> once i get those filtered
14:18 < jeev> i can match them against the database
14:18 < jeev> to see who has a hit
14:18 < jeev> (previously done)
14:18 < jeev> my friends business
14:18 < jeev> he makes 2.5/yea
14:19 < jeev> year
14:19 < jeev> but this new thing he wants to do will make 5 mil a year heh
14:19 < jeev> i just hate converting pdf to text then having to read the social
14:19 < jeev> and name
14:19 < jeev> what's the best way to do that?
14:19 < jeev> i mean i can read ???-??-????
14:19 < jeev> but how do i know which name it is, the top or bottom
14:25 < hermetek> jeev: learn perl
14:26 < hermetek> jeev: http://search.cpan.org/~leocharre/PDF-OCR-1.09/lib/PDF/OCR/Thorough.pm
14:26 < vpnHelper> Title: PDF::OCR::Thorough - extract text fom pdf document resorting to ocr as needed - search.cpan.org (at search.cpan.org)
14:27 < ecrist> no doubt
14:27 < ecrist> perl can be your friend.
14:28 < hermetek> brb, thanksgiving leftovers!
14:29 < jeev> damn
14:29 < jeev> i already got them ocr'd
14:29 < jeev> i'm still doin it
14:30 < jeev> i need to pay someone like 20-30 bux to write the script for me
14:33 < jeev> i have 50,000 pdf's left with multiple pages in them
14:38 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn
14:39 < unixSnob> how good is the compression? I'm thinking about setting someone up with a mobile broadband service that has a 3 or 5 GB monthly cap
14:39 < unixSnob> I'm thinking that limit may be tolerable, if they use openvpn and a vpn provider to compress the connection
14:40 < jeev> i dont know exactly how good it is heh
14:40 < jeev> but i'm sure there's stuff out there that tells you
14:40 < jeev> !compression
14:40 < jeev> !lzo
14:40 < jeev> dunno
14:40 < vpnHelper> jeev: Error: "compression" is not a valid command.
14:40 < vpnHelper> jeev: Error: "lzo" is not a valid command.
14:41 < Remowylliams> ecrist: Any clue what could be causing UDPv4: No buffer space available (code=55) on my server?
14:50 < ecrist> firewall problem.
14:50 < Remowylliams> ecrist: problem with FreeBSD's pf you think?
14:51 < ecrist> shouldn't be - we use FreeBSD and pf here.
14:51 < ecrist> check out !freebsd when you have time.
14:51 < ecrist> that shows a working tun setup
14:52 < Remowylliams> !freebsd
14:52 < vpnHelper> Remowylliams: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
14:59 < Remowylliams> ecrist: About the only thing I see might be the local flag but otherwise there's really no mention of buffer issues
15:03 < dvl> ecrist: FYI, krzie added my article to the bot last night: http://www.freebsddiary.org/openvpn.php
15:03 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - getting it running (at www.freebsddiary.org)
15:03 < dvl> ecrist: next plan: write another article about using this solution: http://www.ircpimps.org/openvpn.configs
15:04 < krzee> !factoids search fbsd
15:04 < vpnHelper> krzee: "fbsdbridge" is http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd
15:05 < ecrist> nice
15:07 < ecrist> dvl: as far as freebsd goes, take a look at http://www.secure-computing.net/wiki/index.php/Special:Search?search=freebsd&go=Go
15:07 < vpnHelper> Title: Search results - Secure Computing Wiki (at www.secure-computing.net)
15:07 < ecrist> I've got a few wiki pages for some more common-obscure things
15:08 < ecrist> I've got a nearly complete OpenLDAP+FreeBSD auth in there somewhere
15:08 < hermetek> hey
15:08 < dvl> ecrist: nice.
15:08 < dvl> ecrist: work has been sponsored for adding network virtualization to FreeBSD to improve jails.
15:09 < hermetek> jeev: still there?
15:09 < ecrist> that would be nice.
15:09 < ecrist> it would be nice, actually, if jails were more compartmentalized than they currently are.
15:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
15:10 < ecrist> would be neat to be able to move a jail image from one host to another, so long as the kernel was compatible
15:10 < dvl> ecrist: announcement here: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=9283+0+current/freebsd-announce
15:10 < vpnHelper> Title: FreeBSD Mail Archives (at docs.freebsd.org)
15:11 < ecrist> that's pretty kick-ass
15:11 < dvl> ecrist: what a boost that would give jails.
15:11 < ecrist> yeah
15:12 < ecrist> well, time for beer and a movie, I think.
15:13 < ecrist> bbl folks
15:13 < dvl> good idea.
15:15 < dvl> Looking at adding static now. Considering giving each client a hostname that relates to their VPN address. They have public IP addresses already. So host nyi can also be accessed over the VPN via nyi-vpn
15:18 < dvl> Adding hostname to local DNS.
15:22 < dvl> krzie: you were right, very easy to do static. Once you know which configuration items to pick.
15:26 < dvl> starting work on the new article. You can follow the progress here by reloading: http://beta.freebsddiary.org:8080/openvpn-routed.php
15:26 < vpnHelper> Title: The FreeBSD Diary (at beta.freebsddiary.org:8080)
15:27 < dvl> when vpnHelper fetches, it supplies this in the referrer: "http://leguin.freenode.net/vpnHelper"
15:27 < dvl> That URL fails.
15:46 < dvl> server config is written.
15:47 < ecrist> dvl, I think the http:// is a misnomer
15:47 < ecrist> I think it's really saying "I'm vpnHelper logged into leguin,freenode.net
15:51 < dvl> ecrist: what happened to your movie? ;)
15:52 < ecrist> dvl - got side tracked. my amazon order for my in-desk usb hub showed up when I went out the door.
15:53 < ecrist> only thing I hate about it is the friggin' blue LED *everyone* insists on installing in everything that uses electricity these days.
15:53 < ecrist> blue LEDs = the suxorz
15:56 < dvl> URL for this in-desk USB hub?
15:58 < ecrist> looking
15:58 < ecrist> http://www.amazon.com/gp/product/B000PDQLF0
15:58 < ecrist> I think I might take it apart and either 1) replace the LED with a red one, or 2) remove it all-together
15:59 < dvl> OH very clever
15:59 < dvl> Never seen them before
16:00 < ecrist> I need to go to home depot and get a hole-saw, though.
16:01 < ecrist> I only use laptops these days. My MBP is setup with dual-monitors and I hide the laptop itself in a hide-away keyboard drawer
16:01 < ecrist> as such, USB ports are difficult to get to.
16:01 < ecrist> with that device, that won't be an issue any more.
16:02 < dvl> What is an MBP?
16:04 < ecrist> MacBook Pro
16:04 < dvl> AHH
16:04 < ecrist> I'll show you my setup here in a sec.
16:12 < ecrist> http://skitch.com/ecrist/h9aq/img00222 and http://skitch.com/ecrist/h9as/img00223
16:12 < vpnHelper> Title: Skitch.com > ecrist > My Desktop setup (MBP core) (at skitch.com)
16:19 < dvl> nice setup
16:23 < plaerzen> I'm tired
16:23 < dvl> Now writing about the static IP addresses for clients.
16:24 < plaerzen> ecrist, nice setup. I have dual monitor on linux host. one monitor permanently runs a windows xp VM on vmware server. g15 keyboard and g5 mouse
16:24 -!- MrMarshall [n=MrMarsha@151.56.81.203] has joined ##openvpn
16:25 -!- Remowylliams [n=Mare@71.16.217.178] has left ##openvpn []
16:27 < ecrist> plaerzen: nice. which distro?
16:27 < plaerzen> ubuntu 8.04
16:27 < plaerzen> although the it manager is a RHEL/FC guy. I like apt.
16:28 < plaerzen> this machine is also the imaging server. I also run a ubuntu 8.04 LTS server VM on it as well
16:28 < plaerzen> for testing
16:29 < ecrist> I was running ubuntu at work for about a year, used it in parallel with my laptop (personal) as I hate dealing with email in multiple locations.
16:29 < ecrist> finally just dropped the desktop altogether
16:30 < ecrist> now, I work from home 3/5 days a week, so no point in having a desktop at the office for the other 2
16:30 < plaerzen> I like this setup. xp on the left, linux on the right.
16:31 < plaerzen> I was running compiz for a while. I love that shit. However with all the other processes and whatnot - it bogs the comp down a bit much.
16:32 < ecrist> what I've found I dislike about all the free OSes I've used on the desktop is the amount of work needed to make them usable.
16:32 < ecrist> just too much maintenance for my taste.
16:33 < plaerzen> that's what I like about ubuntu. I would prefer gentoo - however I don't have 2 days to install it at work. Ubuntu installs and runs. Everything is plug and play.. even my ipod
16:33 < plaerzen> no hassles, no soft locks
16:34 < plaerzen> I need some cd burning software, quick!! "sudo apt-get install k3b"
16:34 < plaerzen> bickety bam
16:41 < plaerzen> is the kernel a little bloated? Hell yeah - but you can always recompile it if you want to - and it's still better than a registry.
16:47 * ecrist is Mac guy
16:47 < ecrist> I drank the kool-aid
16:51 < plaerzen> the electric kool aid ?\
16:54 < plaerzen> http://www.amazon.com/Electric-Kool-Aid-Acid-Test/dp/0553380648
16:56 < reiffert> ecrist: btw, does running openvpn on OSX work when used in bridging mode and as server?
17:04 < dvl> OK, done, published: http://www.freebsddiary.org/openvpn-routed.php
17:04 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
17:05 < dvl> Ok, that took about 90 minutes to write.
17:12 < hermetek> has anybody seen "GET INST BY VIRT...[FAILED]" on the server when the server is directly connected to the network in question?
17:14 < hermetek> the server has a bridge with an IP, and then on that bridge a bunch of vlan interfaces.
17:32 -!- reiffert [n=thomas@mail.webersheim.de] has quit ["Changing server"]
17:35 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
17:38 < dvl> OK, changing over my Nagios checks to use the VPN...
17:43 -!- ikevin_ [n=kevin@ANancy-256-1-134-200.w90-33.abo.wanadoo.fr] has joined ##openvpn
17:52 < ecrist> reiffert: no idea - only running it (as of late) on FreeBSD as a server with tun
17:52 -!- ikevin [n=kevin@ANancy-256-1-53-233.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
18:06 < ecrist> yay, all installed
18:06 < ecrist> http://skitch.com/ecrist/h979/img00224
18:06 < vpnHelper> Title: Skitch.com > ecrist > belkin in-desk USB hub (at skitch.com)
18:10 < ecrist> lol @ Zimbra: http://skitch.com/ecrist/iwmf/so-google-maps-api-or-yahoo-wires-crossed-i-think
18:10 < vpnHelper> Title: Skitch.com > ecrist > So, google maps API or Yahoo? Wires crossed, I think. (at skitch.com)
18:13 -!- MrMarshall [n=MrMarsha@151.56.81.203] has quit []
18:14 < hermetek> hah
18:19 -!- K_luffy [n=V3N@77.31.162.183] has quit [Read error: 110 (Connection timed out)]
18:33 < jeev> hermetek
18:33 < jeev> i'm here
18:34 < jeev> ecrist, so do you think the service that i want to offer is good ?
18:35 < hermetek> jeev: don't remember what i was going to say
18:35 < jeev> :)
18:36 < jeev> did it have to do with the script i was talkin about
18:43 < hermetek> i think so
18:43 < hermetek> i was going to ask what exactly you wanted it to do?
18:53 -!- unixSnob [n=jj@starfury.spearlink.com] has quit ["leaving"]
19:05 -!- mRCUTEO [n=info@124.13.93.172] has joined ##openvpn
19:31 -!- mRCUTEO [n=info@124.13.93.172] has quit [Read error: 110 (Connection timed out)]
19:37 < ecrist> jeev: what service? for a local loop?
19:37 < ecrist> as long as it's competitive
19:38 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has quit ["leaving"]
19:40 < jeev> offer them 100mbit ptp for their back up
19:40 < jeev> and 20 mbit to the net
19:40 < jeev> for 2k/month
19:40 < jeev> the ptp would be, i'd charge them for space and power, limit em to 100mbit
19:40 < jeev> for their back up..
19:40 < jeev> therefore acting as off site back up and server..
19:41 < jeev> and 20mbit would be provided for their server and office network since they'd have PTP
19:44 -!- hermetek is now known as shupej
19:45 -!- shupej [n=shupej@74.196.125.168] has quit [Remote closed the connection]
20:13 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"]
20:14 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
20:34 -!- shupej [n=shupej@74.196.125.168] has joined ##openvpn
21:25 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn
21:26 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit []
21:28 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn
21:32 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:37 < tjz> hello..
21:40 < Dougy> hi
21:44 * jeev stares at Dougy
21:45 < Dougy> jeev?
21:45 * jeev stares at Dougy in disappointment.
21:45 < Dougy> what did i do
21:45 < Dougy> or didn't i do
21:45 < jeev> lol :)
21:45 < jeev> i haven't logged into my VPS for a while
21:45 < jeev> what a waste lol
21:45 < Dougy> nice
21:45 < jeev> crap man!
21:45 < jeev> i have to install
21:46 < jeev> Horde
21:46 < Dougy> ewwwwwwwwwww
21:46 < jeev> what do you use ?
21:46 < Dougy> zimbra hahaha
21:46 < jeev> uh
21:46 < Dougy> but if i have to use one like that, Roundcube
21:46 < jeev> first off, i use postfix.
21:46 < jeev> second, roundcube is annoying
21:51 < tjz> why
22:06 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit []
22:10 -!- ikevin_ [n=kevin@ANancy-256-1-134-200.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
22:10 -!- ikevin_ [n=kevin@ANancy-256-1-76-106.w90-26.abo.wanadoo.fr] has joined ##openvpn
22:20 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn
22:20 < tjz> !iroute
22:20 < vpnHelper> tjz: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
22:20 < tjz> !route
22:20 < vpnHelper> tjz: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
22:28 < tjz> does this sound correct?
22:28 < tjz> iroute 192.168.100.0/24 255.255.255.0
22:39 -!- shupej [n=shupej@74.196.125.168] has quit [Read error: 110 (Connection timed out)]
22:46 < Dougy> bed
22:46 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Ex-Chat"]
22:50 < tjz> ...
23:16 -!- Luria [n=trashed@cpe-74-66-17-216.nyc.res.rr.com] has joined ##openvpn
23:33 < dvl> One thing I'd like to have is a passphrase for the OpenVPN on my laptop... almost like the passphrase you supply with ssh via ssh-agent.
23:33 < dvl> That way, should the certificate be unknowingly compromised, it is useless without the passphrase.
23:34 < dvl> Mind you, I could just do authpf and be done with it. :)
23:34 < jeev> huh
23:34 < jeev> so build the passphrase into the cert :)
23:34 < jeev> oh
23:34 < jeev> to use your laptop? :D
--- Day changed Sat Nov 29 2008
00:00 < dvl> jeev: yes, passphrase into the cert
00:01 < dvl> and for my laptop.
00:01 < dvl> now... how would I type that password when starting OpenVPN?
00:12 < ecrist> dvl: you can do that.
00:12 < ecrist> the openssl library will ask for it.
00:13 < ecrist> g'night all
00:17 -!- mRCUTEO [n=info@124.13.93.86] has joined ##openvpn
00:22 -!- mRCUTEO [n=info@124.13.93.86] has quit []
00:39 < tjz> i really give up
00:39 < tjz> i can't get my openvpn to work correctly on my centos5 server
00:39 < ropetin> tjz: I'm late to the party, so I'll ask the dumb question, what's up with it?
00:39 < jeev> what's the problem
00:39 < jeev> anyone happen to have any Staples coupons on them? :D
00:40 * ropetin checks his pockets
00:42 < jeev> this dood i'm buying from
00:42 < jeev> i think he's generating the codes
00:43 < jeev> i've gotta make 3k more in purchases, that's 30 separate transactions, manually type in info
00:43 < jeev> cause first 5 digits can only be used once on an account :/
00:49 -!- mRCUTEO [n=info@64.235.47.77] has joined ##openvpn
00:49 < mRCUTEO> hi
00:50 < mRCUTEO> just tested openvpn as virtual IP in the server
00:50 < mRCUTEO> it works perfect
00:50 < mRCUTEO> multiple clients with different IP and port forwarding
00:50 < mRCUTEO> all IRC clients can connect using different Vhost which connected to multiple openvpn server :D
00:50 < mRCUTEO> awesome
00:56 -!- mRCUTEO [n=info@64.235.47.77] has quit [Read error: 104 (Connection reset by peer)]
00:56 < ropetin> Awesome indeed! You should write up some documentation on that :)
00:56 < ropetin> Or not :D
00:58 < tjz> anyone confident of setting openvpn server on a centos 5 server?
00:58 < tjz> will pay
00:58 < tjz> pm me ..
01:03 < tjz> :(
01:06 -!- uskill [n=uskill@h176.167.89.75.dynamic.ip.windstream.net] has joined ##openvpn
01:25 -!- Luria [n=trashed@cpe-74-66-17-216.nyc.res.rr.com] has quit ["Leaving"]
01:29 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Nick collision from services.]
01:29 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn
01:34 < tjz> how come jeev can set a topic while i can't?
01:34 < jeev> i used to be an op
01:34 < jeev> lol
01:34 < tjz> where are the op now?
01:34 < tjz> hmm
01:34 < tjz> maybe gone for thanksgiving
01:35 < tjz> jeff, r u around??
01:35 < tjz> jefffffffffffffffffffff!!!
01:35 * tjz slaps krzie around a bit with a large trout
01:43 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
01:51 -!- acidchild [i=ash@208.92.232.20] has joined ##openvpn
01:51 < acidchild> how do i allow traffic to go over the 'server' part of openvpn's host...
01:51 < acidchild> acting as a router? maybe a bridge...
01:51 < ropetin> !route
01:51 < vpnHelper> ropetin: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
01:52 < ropetin> Maybe check that out acidchild?
01:52 < jeev> ropetin
01:52 < jeev> know of a fix for iptables: Unknown error 4294967295 ?
01:52 < jeev> on VPS's
01:52 < acidchild> ropetin: thanks :-)
01:52 < jeev> dougy had to have the guy rebuild his
01:52 < ropetin> Who is the VPS provider again?
01:53 < tjz> me..
01:53 < tjz> :P
01:58 < ropetin> Scary!
01:58 < ropetin> jeev: did you try and flush all the rules and start again from scratch?
01:59 < tjz> lol
02:02 < jeev> yea
02:02 < ropetin> When is the error generated?
02:02 < acidchild> ropetin: both my clients are on the same /24
02:03 < acidchild> the example you posted above has them on different ones.. i can ping .1 from both of them
02:03 < acidchild> but .6 can't ping .10
02:03 < acidchild> via .1
02:03 < ropetin> So you need two clients to be able to contact each other?
02:03 < acidchild> yeah
02:04 < acidchild> i have arp.proxy on.
02:04 < acidchild> from tcpdump i can't see the packets going over the interface
02:04 < acidchild> oh maybe i have FORWARD set to DROP
02:04 < acidchild> Your problem is probably your firewall. <-- hehe
02:05 < acidchild> :FORWARD ACCEPT [0:0]
02:05 < acidchild> nope :-(
02:05 < acidchild> it's on interface of tun0 on the 'gateway' how do you control each 'client' ? firewalling routing wise..
02:06 < acidchild> !bridge
02:06 < vpnHelper> acidchild: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
02:06 < vpnHelper> acidchild: where the protocol uses MAC addresses instead of IP addresses.
02:06 < acidchild> okey
02:06 < ropetin> Did you push out the route?
02:07 < acidchild> push "route 10.100.100.0 255.255.255.0"
02:07 < acidchild> just that one.
02:07 < acidchild> that should cover .6 -> .1 -> .10
02:10 < ropetin> True, it should :)
02:11 < acidchild> ooh ropetin it started working O.o
02:11 < acidchild> what on earth did i do err..mmm
02:12 < acidchild> 03:10:50.594193 IP lo 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 45386 unreachable, length 80
02:12 < ropetin> :D
02:12 < acidchild> i do not understand why i see that on my tcpdump
02:12 < acidchild> oh well! :X
02:12 < acidchild> ropetin: i didn't think my networking was that bad :-(
02:13 < ropetin> !
02:13 < ropetin> As long as it's working
02:22 -!- gallatin [n=gallatin@dslb-092-072-094-204.pools.arcor-ip.net] has joined ##OpenVPN
02:25 < tjz> -_-
02:32 < acidchild> :P
02:34 < tjz> have you tried setting up openvpn server on a centos 5 server?
02:34 < acidchild> isn't it the same as any other distro?
02:35 -!- uskill [n=uskill@h176.167.89.75.dynamic.ip.windstream.net] has quit [Read error: 110 (Connection timed out)]
02:35 < tjz> ya
02:35 < tjz> mine is a centos 5
02:36 < tjz> did you manage to setup and get it working correctly?
02:37 < acidchild> on slackware sure
02:47 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Nick collision from services.]
02:47 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn
02:49 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)]
02:49 -!- acidchild [i=ash@208.92.232.20] has quit [" "]
02:51 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Nick collision from services.]
02:51 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn
03:10 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:11 < tjz> welcome, jeff~~~
03:12 < tjz> krzee, r u around
03:15 < krzee> sup
03:15 < krzee> im not gunna be on too long
03:15 < krzee> just dropped off the girls
03:15 < tjz> yoooo
03:15 < tjz> oh man..
03:15 < krzee> gunna roll a blunt and hit the bed soon
03:15 < tjz> nice
03:15 < krzee> its 5:15am
03:15 < tjz> oh
03:15 < tjz> 5:15pm here
03:15 < tjz> :P
03:16 < ropetin> It's 4:20 somewhere!
03:16 < tjz> hahaha
03:16 < tjz> rope: 4:20 morning?
03:16 < tjz> i just tickle jeev in WoW
03:16 < tjz> ^_^
03:17 < krzee> hey thats true
03:17 < krzee> its about 4:20am EDT
03:17 < ropetin> Yup, that's where I am :D
03:17 < krzee> hahah
03:17 < krzee> werd
03:17 < tjz> hmm
03:17 < tjz> texas?
03:17 < krzee> texas isnt Eastern time
03:18 < krzee> its mountain and central times
03:18 < krzee> depending where
03:18 * ropetin is in Florida
03:18 < tjz> i hope i can figure out these correctly next time
03:18 < tjz> P
03:18 < tjz> :P
03:18 < ropetin> Despite what geolocating my IP might say... :P
03:19 < krzee> lol
03:19 < krzee> same
03:19 < tjz> lol
03:19 < krzee> mine would put me in california
03:19 < krzee> or mexico
03:19 * tjz slaps jeev around a bit with a large trout
03:19 < krzee> but i think its cali now
03:20 < tjz> jeev still killing monster
03:20 < tjz> krzee, why my openvpn doesn't work on a dedicated server..
03:20 < tjz> :(
03:22 < krzee> cause you arent doing it right
03:23 < tjz> i guess so
03:23 < tjz> ^_^
03:25 < jeev> krzee
03:25 < jeev> does he need any flags
03:25 < jeev> like
03:25 < jeev> forward flags in linux
03:25 < krzee> jeev, i have no clue whats wrong for him, all the info i got was this: [05:20] krzee, why my openvpn doesn't work on a dedicated server..
03:26 < jeev> lol
03:26 < jeev> ok
03:26 < krzee> so i gave him an equally vague answer that was still true
03:26 < ropetin> tjz: if you can give me shell access to your server and client I can take a look :)
03:26 < tjz> lol
03:27 < tjz> ropetin: jeev is looking at my problem now
03:27 < ropetin> OK
03:27 * tjz hug ropetin
03:28 < tjz> ropetin, are you using a windows xp system now?
03:28 < krzee> jeev, oh forwarding on windows?
03:28 < jeev> no
03:28 < krzee> its a reg hack
03:29 < jeev> centos
03:29 < krzee> o ok
03:29 < krzee> that would be the same as any other lin box
03:29 < jeev> i'm in a WoW game right now
03:29 < jeev> i dont feel like
03:29 < jeev> putting a config and trying it
03:29 < jeev> but i should
03:29 < krzee> !factoids search forward
03:29 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
03:36 < tjz> setup openvpn server on a centos 5 server shouldn't be that hard......
03:36 < tjz> -_-"
03:37 < tjz> my config is almost the same as openvpn.net/howto..
03:40 * tjz prepare his white flag
03:40 < tjz> :P
03:40 < krzee> !sample
03:40 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
03:40 < krzee> thats a good starting point
03:42 < jeev> it's his nat
03:42 < jeev> not working
03:42 < jeev> i'm still in WoW
03:42 < tjz> this is my server.conf
03:42 < tjz> http://pastebin.ca/1270101
03:43 < tjz> NAT isn't working on the server?
03:43 < jeev> i mean
03:43 < jeev> the iptables
03:43 < jeev> gimme a few sec
03:43 < tjz> it is a dedicated server
03:43 < jeev> we're gonna try something funny as hell in the game
03:43 < jeev> then i'll hearth and
03:43 < jeev> i'll check it out
03:43 < tjz> hmm
03:44 < tjz> jeev, i think we stop here for now
03:44 < tjz> not wise to play game while fixing my issue
03:44 < jeev> lol
03:44 < jeev> it's nat
03:44 < jeev> i'm trying to tell him i wanna sleep
03:44 < jeev> give me a few min, seriously
03:45 < tjz> hmm
03:45 < tjz> nevermind...
03:45 < tjz> we will look at the problem another time
03:46 < jeev> no!!!
03:46 < jeev> just give me a few
03:46 < tjz> are you on the right server?
03:47 < jeev> yes
03:47 < jeev> snow
03:47 < krzee> lol
03:47 < tjz> cause i see you away for 1 hour on the server
03:47 < tjz> :P
03:47 < tjz> but back to active now
03:50 < krzee> !route
03:50 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:50 < tjz> yup
03:50 < tjz> i have also tried iroute ..
03:51 < jeev> going to turn in quests.
03:51 < tjz> it must be a problem with my computer
03:51 < tjz> i have also tried creating a ccd directory with a file called 'client1'
03:51 < tjz> > with this content where 192.168.1.101 is my client lan IP..:
03:52 < tjz> iroute 192.168.1.101 255.255.255.0
03:52 < jeev> there
03:52 < jeev> logged out
03:52 < tjz> lvl 73 now?
03:52 < tjz> can't be
03:52 < tjz> it is not so easy to level..
03:53 < jeev> i'm tired man
03:53 < jeev> there's a big ass spider here
03:53 < jeev> i want to catch it and piss on it
03:53 < jeev> heh
03:53 < tjz> spider in your room?
03:54 < tjz> qls /tmp
03:54 < jeev> on the wall
03:54 < jeev> ?
03:54 < tjz> ops
03:54 < tjz> hmm
03:54 < tjz> well...
03:54 * tjz gonna surrender
03:55 < krzee> tjz, i was grabbing that url for a response on the mail list
03:55 < krzee> Aaron,
03:55 < krzee> Please take a look at this as well:
03:55 < krzee> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:55 < krzee> If after reading that you find that you have the right setup, make sure your OS has IP forwarding enabled (saying that makes me think i should add that to my routing writeup) and check the client's firewall.
03:55 < krzee> -krzee
03:55 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
03:55 < tjz> i think something wrong with my computer
03:55 < tjz> i have echo "1" to /proc/sys/net/ipv4/ip_forward
03:55 < krzee> check the thing that interfaces to the keyboard
03:56 < jeev> dont surrender!
03:56 < tjz> -_-
03:56 < jeev> well, nat is in place
03:56 < tjz> not even night time for me yet
03:56 < jeev> ip_forward too
03:56 < jeev> net.ipv4.ip_forward = 1
03:56 < tjz> ya..
03:57 < tjz> server seem to be fine, i think
03:57 < tjz> can't be so difficult to setup & connect to openvpn server
03:57 < jeev> DOOD
03:57 < jeev> you're eth1
03:57 < tjz> -_-
03:57 < jeev> you DORK
03:57 < jeev> !
03:57 < tjz> oh
03:57 < tjz> i forgot to mention it is eth1
03:57 * jeev stabs tjz
03:57 < jeev> try now
03:57 < tjz> lol
03:57 < krzee> !learn linipforward as echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
03:57 < vpnHelper> krzee: Joo got it.
03:57 < tjz> ok
03:57 < jeev> wow
03:57 < jeev> i'm gonna kill this guy
03:57 < jeev> lol
03:58 < jeev> i'm like
03:58 < jeev> wtf man
03:58 < tjz> no dice
03:58 < tjz> couldn't surf page
03:58 < tjz> ya
03:59 < tjz> i am really clueless with setup
03:59 < tjz> i am really suspecting it is my computer's problem
03:59 < jeev> wtf
03:59 < jeev> traceroute again
03:59 < jeev> it's not
03:59 < jeev> traceroute -d 4.2.2.2
03:59 < jeev> or
03:59 < jeev> traceroute 4.2.2.2 -d
03:59 < jeev> whatever it is
03:59 < jeev> dood, should i kill this spider?
03:59 < jeev> i always feel bad.
04:00 < tjz> request timed out
04:00 < jeev> where
04:00 < jeev> pastebin
04:01 < tjz> http://pastebin.ca/1270097
04:01 < krzee> tjz
04:01 < tjz> yup..
04:01 < krzee> Hi Andrew,
04:01 < krzee> yes, i have also tried created a ccd directory with a file called 'client1' with this content where 192.168.1.101 is my client lan IP..:
04:01 < krzee> iroute 192.168.1.101 255.255.255.0
04:01 < krzee> I am still getting bad source address error...
04:01 < krzee> Setting up openvpn server can't be that difficult ,right?
04:01 < krzee> I wonder why i keep hitting into these brickwalls while others able to ride through easily..
04:01 < krzee> that still your problem?
04:01 < jeev> he gets that
04:01 < tjz> ya..
04:01 < jeev> but
04:01 < tjz> :(
04:01 < krzee> (the mail shows info from the thread
04:02 < jeev> isn't iroute only for LAN shit ?
04:02 < krzee> jeev
04:02 < krzee> let me paste from routing for ya
04:02 < krzee> !route
04:02 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:02 < tjz> do you guys have a windows pc?
04:02 < jeev> krzee
04:02 < tjz> maybe you can try use openvpn gui to connect..
04:02 < jeev> i thought the iroute was for freaking lan shit 04:02 < krzee> Iroute does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. The iroute entry tells the openvpn server which client is responsible for the network. 04:03 < krzee> the thing is 04:03 < jeev> the iroute thing isn't his problem 04:03 < krzee> is his client 192.168.1.101 on its lan? 04:03 < jeev> i always get multi errors cause i dont care for that 04:03 < jeev> i could still leave the network 04:03 < jeev> he can't. 04:03 < tjz> yup 04:03 < tjz> "route print" result - http://pastebin.ca/1270089 04:04 < jeev> grr 04:04 < jeev> i wish my other laptop was here 04:04 < jeev> i'd connect 04:04 < krzee> and the server is not also on a LAN is it? 04:04 < jeev> server aint on lan 04:05 < krzee> its a dedicated server so i figure its a direct connection to net 04:05 < krzee> k 04:05 < krzee> lemme see configs 04:05 < jeev> tjz 04:05 < jeev> can i flush ALL your iptables shit 04:05 < krzee> jeev 04:05 < krzee> you're prolly right 04:05 < jeev> but i'd break your shit 04:05 < tjz> hmm 04:05 < jeev> you got too much in iptables 04:05 < jeev> tjz 04:05 < tjz> okay.. 04:06 < tjz> you can do it.. 04:06 -!- gallatin [n=gallatin@dslb-092-072-094-204.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 04:06 < jeev> no 04:06 < jeev> sec 04:06 < krzee> dont forget to default allow 04:06 < krzee> haha 04:06 < tjz> this is a production server.. 04:06 -!- gallatin [n=gallatin@dslb-092-073-120-200.pools.arcor-ip.net] has joined ##OpenVPN 04:06 < tjz> i have a number of working sites.. 
04:06 < tjz> :( 04:07 -!- acidchild [i=ash@dubstep.7a69.co.uk] has joined ##openvpn 04:07 < krzee> 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 1 04:07 < krzee> 0.0.0.0 128.0.0.0 192.168.50.5 192.168.50.6 1 04:08 < krzee> just need a basic nat 04:08 < krzee> for some reason you were natting to the server 04:08 < krzee> err 04:08 < krzee> to the client 04:08 < jeev> huhh 04:08 < krzee> but you only wanna nat from the client 04:09 < krzee> thats why it was sending with src 192.168 04:09 < krzee> when its on the 192.168.50.x network already and should send with that 04:09 < krzee> the big firewall you're going to flush was natting the wrong way 04:17 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:18 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Nick collision from services.] 04:19 -!- tjz [n=tjz@67.215.233.114] has joined ##openvpn 04:19 < tjz> sorry 04:19 < tjz> d/c 04:19 < jeev> did you traceroute 04:19 < tjz> i miss the last sentence you wrote 04:22 < jeev> fuck 04:22 < jeev> the fucking spider 04:22 < jeev> went up the high ceiling 04:22 < jeev> near my bed 04:22 < jeev> it's gonna fuckin repell down onto me while i'm sleeping 04:22 < tjz> lol 04:22 < jeev> i should'v killed it 04:22 < tjz> fark the spider 04:22 < tjz> :P 04:23 < krzee> spray a fireball up there 04:23 < jeev> i hate spiders 04:23 < jeev> should've taken it to the toilet and pissed on it 04:23 < jeev> krzee 04:23 < jeev> you run postfix ? 
04:23 < krzee> qmail 04:23 < jeev> ahh 04:23 < jeev> i dont like qmail anymore :/ 04:23 < krzee> werd 04:24 < krzee> ive never tried postfix 04:24 < krzee> qmail has always done what i wanted, never got around to it 04:24 -!- mRCUTEO [n=info@118.101.179.135] has joined ##openvpn 04:24 < jeev> dood 04:24 < jeev> postfix is AWESOME 04:24 < krzee> werd 04:24 < jeev> it blocks soooooooo much more spam with the config stguff 04:24 < krzee> bbiab 04:24 < jeev> sooooooooo much 04:24 < jeev> i used to live and die with qmail 04:24 < krzee> spamd catches my spam 04:24 < krzee> actually 04:25 < krzee> it blocks it in transit 04:25 < jeev> mine too 04:25 < jeev> i'd have that set up 04:25 < jeev> but postfix > * 04:25 < jeev> uses spamassassin also 04:25 < krzee> so if a sender were to somehow get a false positive, they get immediate notification 04:25 < krzee> cause SMTP is never accepted, with reason telling it was detected as spam 04:25 -!- tjz [n=tjz@67.215.233.114] has quit [Nick collision from services.] 04:25 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 04:26 < tjz> back 04:26 < jeev> postfix/smtpd[7810]: NOQUEUE: reject: RCPT from unknown[88.228.216.50]: 450 4.5.2 : Helo command rejected: need fully-qualified hostname; from= to 04:26 < jeev> .. 04:26 < jeev> fuckin awesome! 
04:26 < krzee> but i actually stop a ton with a 30 second wait on SMTP 04:26 < jeev> really 04:26 < jeev> i want to impliment greylisting 04:26 < krzee> where if anything is sent before the delayed greeting 04:26 < jeev> but it's god already 04:26 < jeev> good 04:26 < jeev> but i still wanna do it 04:26 < krzee> its dropped 04:26 < mRCUTEO> sendmail :_) 04:26 < jeev> lol 04:26 < krzee> cause only spammers shove the message down the throats 04:26 < jeev> at sendmail 04:27 < krzee> ALL legit clients wait for the greeting banner to send data 04:27 < jeev> i've gotta read up on that 04:27 < krzee> greetdelay 04:27 < krzee> anyways 04:27 < krzee> gunna watch a national geographic i downloaded while i passout 04:27 < krzee> nite 04:28 < jeev> night 04:28 -!- Anon472 [n=Anon472@92.96.212.125] has joined ##openvpn 04:29 < Anon472> hi guys, what is openvpn-admin for? 04:29 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Nick collision from services.] 04:29 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 04:29 < krzee> does that even work? 04:29 < Anon472> krzee: talking to me? 04:30 < krzee> i was but now the unrar is done 04:33 < acidchild> http://www.youtube.com/watch?v=yFBcjII3QAE 04:33 < vpnHelper> Title: YouTube - Aileen Wuornos gone insane (at www.youtube.com) 04:33 < Anon472> porting openvpn yay :) will use interactive authentication 04:34 < mRCUTEO> krzee: do you know how to make openvpn client to show real public ip instead of 10.8.0.* 04:34 < mRCUTEO> i configured using the ccd but cant push-ifconfig using public ip 04:34 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Nick collision from services.] 04:35 -!- tjz [n=tjz@snow.xtardns.com] has joined ##openvpn 04:35 < tjz> it is working now!! 04:35 < jeev> yea 04:35 < jeev> it was your firewall 04:35 < tjz> darn it.. 04:36 * tjz trash the firewall 04:36 < reiffert> Moin 04:36 < mRCUTEO> tjz you're from sg ? 04:36 < jeev> dont trash it 04:36 < jeev> tjz 04:36 < tjz> ya.. 
04:36 < tjz> how u know 04:36 < jeev> start the firewall 04:36 < mRCUTEO> oh 04:36 < jeev> kill your openvpn 04:36 < jeev> just start it 04:36 < jeev> hurry 04:36 < jeev> i need to sleep 04:36 < tjz> ok 04:36 < jeev> start it, iw anna look at something 04:36 < reiffert> go go go 04:36 < reiffert> faster 04:36 < jeev> dont disconnect vpn though 04:36 < reiffert> :) 04:36 < jeev> just start the firewall 04:38 -!- tjz [n=tjz@snow.xtardns.com] has quit [Nick collision from services.] 04:38 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 04:39 < jeev> you guys good at iptables? 04:39 * tjz noob 04:39 < jeev> i gotta sleep 04:40 < jeev> good night guys 04:40 < tjz> nite 04:40 < Anon472> any authentication script for openvpn to deal with text files? 04:41 < reiffert> Anon472: such as? 04:41 < Anon472> reiffert: a text file that has users separated by new lines, uname:pword format. similart to Squid text file pword format 04:42 < reiffert> There is a pam authentication module ... maybe you can do something there 04:42 < Anon472> reiffert: I already have a users text file database in this format being used by squid, and i'd like to use the same for openvpn. 04:42 < Anon472> so basically username:hispassw0rd anotheruser:h!sPw0rd.. and so on.. 04:43 < reiffert> openvpn-auth-pam 04:43 < reiffert> SYNOPSIS 04:43 < reiffert> The openvpn-auth-pam module implements username/password 04:43 < reiffert> authentication via PAM, and essentially allows any authentication 04:43 < reiffert> method supported by PAM (such as LDAP, RADIUS, or Linux Shadow 04:43 < reiffert> passwords) to be used with OpenVPN. 04:44 < reiffert> There is a pam module which implements user:pass files, sounds like it can be done. 04:44 < Anon472> so no need to reinvent the wheel.. will see how it goes. 
04:50 < reiffert> it should be pam_userdb.so 04:57 -!- mRCUTEO [n=info@118.101.179.135] has quit [Read error: 110 (Connection timed out)] 05:26 < Anon472> hmm 05:50 -!- MrMarshall [n=aa@151.56.6.39] has joined ##openvpn 06:01 -!- gallatin [n=gallatin@dslb-092-073-120-200.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 06:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 06:52 -!- Cyllene [i=UNtQZrND@unaffiliated/cyllene] has quit [Read error: 104 (Connection reset by peer)] 06:56 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 07:08 -!- MrMarshall [n=aa@151.56.6.39] has quit [] 07:44 -!- Anon472 [n=Anon472@92.96.212.125] has quit ["leaving"] 07:54 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 08:11 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has joined ##openvpn 08:38 -!- bandini [n=bandini@host50-109-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 08:55 < ecrist> jeev: I used sendmail for over a decade and liked it (still do) 08:56 < ecrist> I only went to postfix because it has better support for virtual users and such 09:36 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 09:57 < tjz> . 10:09 -!- mRCUTEO [n=info@124.82.99.239] has joined ##openvpn 10:10 -!- snejk [n=snejk@c213-89-24-35.bredband.comhem.se] has joined ##openvpn 10:11 < mRCUTEO> evening everyone 10:11 < snejk> krzie, there? 10:19 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 110 (Connection timed out)] 10:21 < snejk> anyone know the correct syntax for client config static ip when using topology subnet? 
http://openvpn.net/archive/openvpn-users/2007-03/msg00204.html 10:21 < vpnHelper> Title: [Openvpn-devel] BUG: ifconfig-push in client config when using topology = subnet (at openvpn.net) 10:24 < mRCUTEO> ifconfig-push 10.16.0.13 255.255.255.0 10:25 < ecrist> !betaman 10:25 < vpnHelper> ecrist: "betaman" is http://www.openvpn.net/man-beta.html 10:25 < mRCUTEO> or if you want your subnet bigger than : 10.16.0.13 255.255.0.0 10:25 < snejk> thx 10:25 < mRCUTEO> :) 10:25 < snejk> testing 10:25 < snejk> brb 10:25 < mRCUTEO> hiya ecrist 10:25 < ecrist> hi mRCUTEO 10:25 < ecrist> time to work on the snowblower 10:25 < ecrist> bbl 10:25 -!- snejk [n=snejk@c213-89-24-35.bredband.comhem.se] has quit ["brb"] 10:25 < mRCUTEO> if i have multiple connections for open vpnclient which traffic should it route to 10:48 -!- mRCUTEO [n=info@124.82.99.239] has quit [Nick collision from services.] 10:49 -!- MRCUTEO [i=IRCLUNAT@64.235.47.233] has joined ##openvpn 10:50 -!- MRCUTEO is now known as mRCUTEO 11:39 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has quit [] 11:39 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has joined ##openvpn 11:41 < dvl> I am confused by the man page for "--ifconfig-push local remote-netmask"... When used, the client says: WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn) 11:41 < dvl> Let me check the man page again. 11:42 < dvl> Man page doesn't mention this at all. 12:02 < dvl> also seeing some of this: MULTI: bad source address from client [10.8.1.40], packet dropped 12:04 < mRCUTEO> ifconfig-push 10.8.1.40 10.8.1.41 12:05 < dvl> mRCUTEO: Hmmm, it'd be nice not to hardcode the second IP. I guess I could just add it to DNS. 12:07 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has quit [] 12:09 < dvl> oops, I had two clients with the same IP. naughty. 12:11 < jeev> :/ 12:17 < dvl> yes.... 
12:17 < dvl> typo in DNS zone file 12:28 < Dougy[RV|Away]> hi kids 12:29 < dvl> Hi daddy 12:29 < jeev> lol 12:29 < jeev> dougy is 9 12:30 < dvl> jeev: with at 16 yo gf no less. 12:30 < tjz> lol 12:31 < jeev> uh huh 12:32 < dvl> I have converted over my Nagios monitoring to use the VPN connection to the remote hosts instead of going over the Internet. 12:32 < tjz> why the long way? 12:32 < dvl> tjz: Dynamic IP address at home. 12:32 < dvl> tjz: which is where Nagios sits. 12:32 < tjz> oh 12:32 < jeev> http://x.jeev.net/diag.jpg 12:33 < jeev> that's my asterisk router 12:33 < jeev> i mean 12:33 < jeev> system 12:33 < jeev> at an office 12:34 < jeev> alpha2/jupiter2 192.168.23.37 5060 OK (23 ms) 12:34 < jeev> alpha/jupiter 192.168.33.37 5060 UNREACHABLE 12:34 < jeev> :) 12:34 < jeev> and right now the cable modem is down 12:34 < jeev> isn't that awesome ? 12:34 < dvl> ecrist: just hear this: http://www.evilcoder.org/2008/11/29/bjoern-commits-multi-address-capable-jails/ 12:34 < vpnHelper> Title: Bjoern commits multi-address capable jails » Evilcoder.org (at www.evilcoder.org) 12:34 < Dougy[RV|Away]> nice 12:35 < dvl> very nice. 12:35 < Dougy[RV|Away]> freebsd gets better and better 12:35 < Dougy[RV|Away]> dude 12:35 < Dougy[RV|Away]> jeev 12:35 < Dougy[RV|Away]> i just got a really nice interserver LED flashlgiht 12:35 < Dougy[RV|Away]> flashlight 12:35 < dvl> Which reminds, me, I should adjust the original openvpn article to recommend the second. 12:35 < dvl> Dougy[RV|Away]: fleshlights come with leds now? 12:35 < Dougy[RV|Away]> huh/; 12:37 < jeev> send it 12:37 < Dougy[RV|Away]> jeev: eh? 12:38 < ecrist> dvl, and a speculum. ;) 12:38 < jeev> ? 12:39 < Dougy[RV|Away]> jeev: http://www.upload3r.com/serve/291108/1227983913.jpg 12:40 < ecrist> dvl, jails gets better and better. This is separate from your mention yesterday of a separate tcp/ip stack, though, if I'm not mistaken. 12:41 < dvl> ecrist: Yes, I think so.... I didn't realize that. 
12:41 < ecrist> that is just multiple IPs per jail and IPv6 support within jails. 12:41 < jeev> cool 12:41 < jeev> i had a crazy expensive flashlight 12:41 < jeev> lost it. 12:42 < ecrist> re flashlights, I've got a stinger LED. plenty 'spensive for me. 12:42 < jeev> mine was 12:42 < jeev> one of those 12:42 < ecrist> http://galls.com/style.html?assort=general_catalog&style=FL653 12:42 < vpnHelper> Title: Streamlight Stinger DS LED w/ Fast Charge - FL653 : Galls (at galls.com) 12:42 < Dougy[RV|Away]> jeev: this is 12 bulb 12:42 < Dougy[RV|Away]> i looked at it in the eye 12:43 < Dougy[RV|Away]> im blind now 12:43 < dvl> Last LED lights I bought was for my mountain bike. 12:43 < ecrist> Dougy[RV|Away]: the stingers are only one LED 12:43 < jeev> i'm trying to find mine 12:43 < dvl> http://store.dinottelighting.com/shared/StoreFront/default.asp?CS=dinotte&StoreType=BtoC&Count1=487209498&Count2=404349923&ProductID=4&Target=products.asp 12:43 < vpnHelper> Title: DiNotte Lighting USA Shopping Cart (at store.dinottelighting.com) 12:44 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Nick collision from services.] 12:44 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 12:46 < jeev> http://fenixgear.com/store/viewItem.asp?idProduct=5 12:46 < jeev> that's what i had 12:46 < jeev> ;( 12:46 < Dougy[RV|Away]> nice 12:47 < jeev> my flashlight could've beat up all your guy's flashlights/1 12:47 < jeev> ! 12:47 < ecrist> lol 12:47 < jeev> seriously though 12:47 < jeev> i wonder where this badboy is 12:48 * ecrist goes away. 12:48 < jeev> i think i left it in my car when i traded it in 12:48 < dvl> $50? 12:48 < dvl> wow 12:48 < ecrist> mine was $125 12:48 < jeev> i thought i was coming up, giving them a messed up cd changer without them seeing it 12:48 < jeev> but i lost mine 12:48 < jeev> so? 12:48 < jeev> it's not how expensive it is, it's how good it is! 12:48 < dvl> Do the newer maglites have LED? I still like maglite. 
12:48 < jeev> maglite is a ripo 12:48 < jeev> rip off 12:48 < ecrist> jeev: 80 lumens for 6.75 hours 12:48 < jeev> i should just make the flashlights out of wood 12:49 < jeev> ecrist, 40000 lumens for 4 days. 12:49 < Dougy[RV|Away]> maglites are great 12:49 < Dougy[RV|Away]> good weapons 12:50 < tjz> . 12:50 < Dougy[RV|Away]> could totally blow someones knee out with one good shot with a decent size magliet 12:51 < Dougy[RV|Away]> s/magliet/maglite/ 12:53 < dvl> First three articles here deal with OpenVPN, I just added my routed solution: http://www.freebsddiary.org/ 12:53 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org) 12:53 < dvl> Dougy[RV|Away]: I do like the small maglite for travel and the big one for in the care. 12:53 < dvl> -e 12:53 < Dougy[RV|Away]> dvl: yup 12:53 < Dougy[RV|Away]> my dad has one big one right next to his driver's seat in case of some ass with road rage 12:53 < Dougy[RV|Away]> and small onse around the house 12:53 < Dougy[RV|Away]> ones 12:53 < Dougy[RV|Away]> incase of power failure 12:54 < jeev> yea 12:54 < jeev> i'm a flashlight freak 12:54 < jeev> i have flashlights everywhere 12:54 < Dougy[RV|Away]> this flashlight is great 12:54 < jeev> dood, i shot the spider with CLR last night 12:54 < jeev> i think it died 12:54 < Dougy[RV|Away]> im gonna carry it in my laptop bag 12:54 < Dougy[RV|Away]> lmfao 12:54 < Dougy[RV|Away]> hahaha 12:54 < jeev> it fell on an elevated position of my room and i'm not tall enough even when is tand on my bed 12:54 < jeev> stupid 6'1 12:54 * Dougy[RV|Away] wishes he was at his girlfriend's house 12:54 < jeev> heh 12:54 < Dougy[RV|Away]> 2 more weks 12:54 < Dougy[RV|Away]> weeks 12:54 < Dougy[RV|Away]> -.- 12:55 < jeev> for what 12:55 < Dougy[RV|Away]> till i see her again 12:55 < dvl> why so long? 12:55 < Dougy[RV|Away]> because she lives 40 miles west of here 12:56 < Dougy[RV|Away]> and i can't drive and neither can she 12:56 < dvl> Let me see, it'll be about 15 s before I see mine again. 
12:56 < Dougy[RV|Away]> so 12:56 < dvl> She's in the kitchen, making oatmeal. 12:56 < Dougy[RV|Away]> i have to either take a 3 hour train during the week (there's no train service on weekends out there) 12:56 < dvl> here it is 12:56 < Dougy[RV|Away]> or i have to get a ride from my folks 12:56 < jeev> dvl, how fat is she 12:56 < Dougy[RV|Away]> lmfao 12:56 < Dougy[RV|Away]> jeev - thinner than you 12:56 < dvl> jeev: about 120 lbs I think 12:57 < dvl> maybe 130. 12:57 < Dougy[RV|Away]> my gf is much bigger than me 12:57 < Dougy[RV|Away]> ..> 12:57 < Dougy[RV|Away]> >.> 12:57 < jeev> heh 12:58 < dvl> I'm about 240, 6ft 12:58 * Dougy[RV|Away] is probably 20-50 pounds lighter than his gf 12:59 < Dougy[RV|Away]> < 6'1 ~137 13:01 < Dougy[RV|Away]> i'm little 13:02 < jeev> lol 13:02 < jeev> i should be fatter than i am 13:02 < jeev> right now i'm a little fat 13:02 < jeev> i just made, peanut butter and jelly 13:02 < jeev> and put butter on top 13:06 < tjz> . 13:09 < jeev> dougy 13:09 < jeev> you're centos 13:09 < jeev> you should help tjz 13:10 < dvl> for verbose, could the server be pushing that to the client? I'm setting it to 2 and still getting lots of stuff. 13:10 < Dougy[RV|Away]> oh 13:10 < Dougy[RV|Away]> wait 13:10 < Dougy[RV|Away]> what about centos 13:12 < jeev> yesterday his firewall was the problem 13:12 < jeev> but now he's cleared it 13:12 < jeev> the nat line is in there 13:13 < jeev> but he can't get past first hop i thin 13:13 < jeev> k 13:14 < Dougy[RV|Away]> tjz: what are you trying to do 13:14 < Dougy[RV|Away]> route all traffic thru vpn? 13:14 < tjz> tracert -d 4.2.2.2 result: http://pastebin.ca/1270446 13:15 < Dougy[RV|Away]> route all traffic thru vpn? 13:15 < Dougy[RV|Away]> is that what you want the end result to be? 13:15 < tjz> ya 13:15 < Dougy[RV|Away]> cat /proc/sys/net/ipv4/ip_forward 13:15 < Dougy[RV|Away]> 0 or 1 13:15 < Dougy[RV|Away]> ? 
13:15 < Dougy[RV|Away]> on the server 13:16 < tjz> 0 13:16 < tjz> :( 13:16 < tjz> why is it 0 13:16 < tjz> -_-" 13:16 < Dougy[RV|Away]> because its not enabled in sysctl.conf 13:16 < Dougy[RV|Away]> so 13:16 < Dougy[RV|Away]> echo 1 > /proc/sys/net/ipv4/ip_forward 13:16 < Dougy[RV|Away]> that will be a good beginning 13:17 < tjz> let me try again.. 13:17 < Dougy[RV|Away]> there might be more 13:17 < jeev> ahh 13:17 < jeev> that must've been it 13:17 < Dougy[RV|Away]> jeev ? 13:18 < jeev> sup 13:18 < Dougy[RV|Away]> that is probably not all 13:18 < jeev> yea it is 13:18 < jeev> nat is in place 13:18 < jeev> has to be that 13:18 < Dougy[RV|Away]> not necessarily 13:18 < jeev> all he did was reboot it 13:18 < tjz> ok 13:18 < tjz> got it working.. 13:18 < tjz> on this server 13:18 < Dougy[RV|Away]> tjz: that fixed it? 13:18 < tjz> ya 13:18 < jeev> tjz 13:18 < jeev> add echo 1 > /proc/sys/net/ipv4/ip_forward 13:18 < jeev> to rc.local i think it is 13:18 < jeev> on the bottom 13:18 < jeev> /etc/rc.local 13:18 < Dougy[RV|Away]> no 13:18 < Dougy[RV|Away]> dont 13:18 < jeev> /sbin/iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth1 -j MASQUERADE 13:18 < jeev> maybe 13:18 < Dougy[RV|Away]> tjz: is this a vps or a dedicated server 13:18 < jeev> i dunno, i dont use linux much 13:18 < jeev> dedi 13:18 < jeev> his vps was giving same error we were getting. 13:19 < jeev> dood i have a headache again 13:19 < Dougy[RV|Away]> tjz: Xen VPS or? 13:20 < jeev> bb in 20 13:23 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Nick collision from services.] 13:23 < Dougy[RV|Away]> blah what good ish he 13:23 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 13:23 < Dougy[RV|Away]> tjz: is this a vps or a dedicated server 13:23 < tjz> the vps is openvz 13:23 < tjz> i guess it doesn't work well on that 13:23 < Dougy[RV|Away]> okay, so modifying sysctl.conf wont make a difference 13:23 < tjz> should look into xen vps.. 
13:24 < Dougy[RV|Away]> yes 13:24 < Dougy[RV|Away]> xen will be much easier 13:24 < Dougy[RV|Away]> i have a vpn running on virtuozzo, pain in my ass 13:24 < tjz> did you manage to get it running? 13:24 < tjz> it is super duper pain in my a$$ 13:24 < tjz> lol 13:24 < Dougy[RV|Away]> sure i did 13:24 < tjz> wow 13:24 < Dougy[RV|Away]> it wasnt that hard once they enabled masquerading 13:24 < Dougy[RV|Away]> ive done it before, so i know what to do and where to look when it fails 13:24 < tjz> hmm 13:25 < tjz> how to enable masquerading on the hardware node? 13:25 < tjz> the command, do you know? 13:25 < Dougy[RV|Away]> modprobe ipt_masquerade 13:25 < Dougy[RV|Away]> and then theres some kind of VE config that needs to be done as well 13:25 < Dougy[RV|Away]> http://wiki.openvz.org/Using_NAT_for_container_with_private_IPs 13:25 < vpnHelper> Title: Using NAT for container with private IPs - OpenVZ Wiki (at wiki.openvz.org) 13:26 < tjz> ok 13:26 < tjz> will check it out 13:26 < Dougy[RV|Away]> !google Openvpn masquerading 13:26 < vpnHelper> Dougy[RV|Away]: OpenVPN - Masquerade Iptable Issues | Uno-Code: ; openvpn & Masquerading/Nat troubles: ; [Openvpn-users] Masquerading: 13:26 < Dougy[RV|Away]> !google enable masquerading on openvpn 13:26 < vpnHelper> Dougy[RV|Away]: Openvpn through an ISA server on linux - Foomagic: ; openvpn & Masquerading/Nat troubles: ; 1xHOWTO: 13:26 < Dougy[RV|Away]> blah 13:26 < Dougy[RV|Away]> !google enable masquerading +oepnvz 13:26 < vpnHelper> Dougy[RV|Away]: No matches found. 13:26 < Dougy[RV|Away]> !google enable masquerading +openvz 13:27 < vpnHelper> Dougy[RV|Away]: OpenVZ Forum: Support => *SOLVED* NAT/MASQUERADING inside VZ: ; OpenVZ Forum: Support => Networking/IPTables, cannot ping domains ...: ; Common Networking HOWTOs - OpenVZ Wiki: 13:27 < Dougy[RV|Away]> there 13:27 < tjz> wow. 
nice robot 13:27 < tjz> :P 13:27 < Dougy[RV|Away]> it is a nice bot 13:28 < tjz> i gonna try the ccd solution to fix "MULTI: bad source addr" problem 13:30 < tjz> ok 13:30 < tjz> i got the ccd solution working 13:30 < tjz> finally -_-" 13:31 < Dougy[RV|Away]> nice 13:32 < Dougy[RV|Away]> i only have ever setup 1 person vpn's 13:32 < Dougy[RV|Away]> so i dunno anything about that 13:32 < tjz> what if someone hijack your .ca,.crt and .opvn file 13:32 < tjz> like your laptop got stolen.. 13:32 < Dougy[RV|Away]> then they get access to my vpn 13:32 < tjz> ya.. 13:33 < Dougy[RV|Away]> theres nothing critical on it 13:33 < Dougy[RV|Away]> so 13:33 < tjz> possible to get the server to reject.. 13:33 * Dougy[RV|Away] doesnt care 13:33 < tjz> like not letting anyone access the vpn 13:33 < dvl> If that happens, just turn off your vpn at home, and create a new CA 13:34 < Dougy[RV|Away]> Uptime: 2w 22h 10m 22s 13:34 < Dougy[RV|Away]> that explains why its locking up 13:35 < tjz> hmm 13:35 < tjz> dvl, can we do something on the openvpn server instead ? 13:36 < tjz> to stop them from using the stolen vpn.. 13:37 < dvl> tjz: revoke the certificate? 13:37 < tjz> oh 13:37 < tjz> ^_^ 13:37 < dvl> I see no mention of it on the man page 13:38 < tjz> i am learning fast ^_^ 13:38 < tjz> after a super intensive training with jeev.. 13:38 < tjz> lol 13:39 < Dougy[RV|Away]> lmao 13:39 < Dougy[RV|Away]> jeev is a scrub 13:39 < tjz> not to mention..jeev still stuck at lvl 72/3 on WoW 13:39 < tjz> oh..and a spider in his room 13:39 < dvl> tjz: other thing: insist upon passworded certificates: 13:39 < dvl> --askpass [file] 13:39 < dvl> Get certificate password from console or file before we daemonize. 13:40 < dvl> see also: 13:40 < dvl> --crl-verify crl 13:40 < dvl> Check peer certificate against the file crl in PEM format. 13:42 < tjz> ok 13:42 < tjz> i will read that up 13:42 < tjz> 3.42am morning here 13:44 < tjz> . 
13:44 < tjz> gonna catch some sleep 13:45 < tjz> will be back in 5-6 hours time 13:46 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn 13:46 < reiffert> :) 13:47 < kraut> moin reiffert! 13:47 < reiffert> moin kraut! 13:47 < kraut> arrrrrhoi 13:47 < jeev> heh 13:47 < jeev> i dont know much about the crl and stuff 13:47 < tjz> jeeeeeeeeeeeeeeeeev 13:47 < tjz> my turn to beg for some sleep 13:47 < reiffert> krzie: moin moin 13:47 < tjz> lol 13:47 < jeev> lol 13:48 < tjz> 3.48am 13:48 < tjz> -_- 13:48 < jeev> you know my friend got 1.1 million xp for me last night on my account 13:48 < jeev> after i sent to sleep? 13:48 < jeev> i'm almost 74 13:48 < tjz> wow! 13:48 < tjz> ok 13:49 < tjz> can't talk anymore 13:49 < tjz> be back in 5-6 hours time 13:49 < tjz> lol 13:49 -!- tjz is now known as tjz|sleep 13:50 < jeev> ok 13:51 < jeev> i've gotta learn the revocation thing 13:51 < Dougy[RV|Away]> krzie: hi 13:51 < Dougy[RV|Away]> ecrist: poke 13:52 < Dougy[RV|Away]> jeev: http://demo.phpbb3styles.net/Avalon+Cyan 13:52 < vpnHelper> Title: Avalon Cyan phpBB3 Styles Demo - phpBB3styles.net (at demo.phpbb3styles.net) 13:52 < Dougy[RV|Away]> for ovpn forum 13:53 < ecrist> Dougy[RV|Away]: what? 13:53 < ecrist> sure 13:53 < jeev> dougy is crazy 13:53 < Dougy[RV|Away]> too simple? 
13:53 < Dougy[RV|Away]> or is that what you meant ecrist 13:55 < Dougy[RV|Away]> or like http://demo.phpbb3styles.net/eTech+DarkGreen 13:55 < vpnHelper> Title: eTech DarkGreen phpBB3 Styles Demo - phpBB3styles.net (at demo.phpbb3styles.net) 13:56 < Dougy[RV|Away]> http://demo.phpbb3styles.net/Revival 13:56 < vpnHelper> Title: Revival phpBB3 Styles Demo - phpBB3styles.net (at demo.phpbb3styles.net) 13:57 < Dougy[RV|Away]> http://demo.phpbb3styles.net/Infinity 13:57 < vpnHelper> Title: Infinity phpBB3 Styles Demo - phpBB3styles.net (at demo.phpbb3styles.net) 13:57 < Dougy[RV|Away]> one of those four 13:59 -!- ikevin [n=kevin@ANancy-256-1-118-159.w90-33.abo.wanadoo.fr] has joined ##openvpn 14:04 < Dougy[RV|Away]> reminder to all 14:04 < Dougy[RV|Away]> !forum 14:04 < vpnHelper> Dougy[RV|Away]: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 14:08 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 14:08 -!- ikevin_ [n=kevin@ANancy-256-1-76-106.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 14:12 < Dougy[RV|Away]> plaxico burress got shot in the leg 14:12 < Dougy[RV|Away]> hah 14:12 < jeev> lol 14:12 < jeev> really ? 14:12 < jeev> shot himself 14:12 < jeev> lol 14:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:15 < Dougy[RV|Away]> nope 14:15 < Dougy[RV|Away]> krzee: hey 14:23 < krzee> werd 14:23 < Dougy[RV|Away]> krzee: http://demo.phpbb3styles.net/Infinity 14:23 < Dougy[RV|Away]> yes or no 14:23 < ecrist> Dougy[RV|Away]: your project. 14:23 < vpnHelper> Title: Infinity phpBB3 Styles Demo - phpBB3styles.net (at demo.phpbb3styles.net) 14:24 < Dougy[RV|Away]> ecrist: ok but i still want your input 14:24 < krzee> looks nice 14:24 < Dougy[RV|Away]> alright, that one it is 14:24 * Dougy[RV|Away] needs a nap 14:25 < ecrist> Dougy[RV|Away]: my recommendation is to make it look original. get a logo from somewhere - steal the OpenVPN one and tweak it or something. 
14:25 < krzee> good call
14:25 < Dougy[RV|Away]> alright
14:26 < Dougy[RV|Away]> eerrr
14:26 < Dougy[RV|Away]> ecrist
14:26 < Dougy[RV|Away]> ftp on dougy.hosting.secure-computing.net only lets me into /pub
14:26 < Dougy[RV|Away]> where your ssl admin is
14:26 < ecrist> Dougy[RV|Away]: ftp access is not available for web hosts on my network
14:26 < Dougy[RV|Away]> oh
14:27 < Dougy[RV|Away]> this will work then
14:27 < ecrist> ?
14:28 < ecrist> what will work
14:29 < ecrist> Dougy[RV|Away]: keep in mind you're not on a VPS or anything. you've simply got a vhost on my apache instance
14:29 < ecrist> also, you're not paying anything for it.
14:32 < ecrist> Dougy[RV|Away]: I'm getting mail bounces for you now
14:34 < Dougy[RV|Away]> i was just going to say that
14:34 < Dougy[RV|Away]> the forum mail is prob bouncing
14:34 < Dougy[RV|Away]> ecrist: i'll pay for it if you want
14:35 < krzee> mail bounces, you changed the MX entry too?
14:35 < Dougy[RV|Away]> no i didnt
14:35 < krzee> umm
14:35 < Dougy[RV|Away]> oh
14:35 < Dougy[RV|Away]> no i didnt
14:36 < Dougy[RV|Away]> -bash-3.2# cat ovpnforum.com.db | grep mail
14:36 < Dougy[RV|Away]> mail 500 IN A 69.73.151.185
14:36 < Dougy[RV|Away]> ovpnforum.com. 500 IN MX 10 mail
14:36 < ecrist> Dougy[RV|Away]: whoever runs bergenhosting needs to start running postfix.
14:36 < krzee> lol
14:36 < krzee> then yes you did
14:36 < Dougy[RV|Away]> ecrist: it's my directadmin server
14:36 < ecrist> the mail delivery failure exim gives out blows
14:36 < krzee> err nm
14:36 < ecrist> it just says, hey, it failed.
14:36 < Dougy[RV|Away]> indeed
14:36 < krzee> exim is ghey
14:37 < ecrist> postfix/sendmail are my MTAs of choice
14:37 < Dougy[RV|Away]> exim is a pita
14:37 < Dougy[RV|Away]> i was trying to reset the passwd for the admin user
14:37 * Dougy[RV|Away] lost it again
14:37 < ecrist> not as big a pita as qmail, though
14:38 < ecrist> their motto is, 'you need a plugin for that'
14:38 < Dougy[RV|Away]> exim+dovecot
14:38 < Dougy[RV|Away]> is DA
14:38 < reiffert> krzee: look ....
14:38 < reiffert> kraut: say it!
14:39 < ecrist> ...
14:39 < krzee> hey its kraut!
14:39 < krzee> wassup man
14:39 < krzee> http://www.doeshosting.com/code/queuedig
14:39 < krzee> if you're admin'ing exim theres a script i wrote for digging through the queue
14:40 < krzee> (i accepted $ to admin an exim server for some guy awhile back)
14:40 < ecrist> Dougy[RV|Away]: I'll set it to the same password as what's on the douglas account
14:40 < ecrist> wait a min
14:41 < ecrist> can I drop the _vb db?
14:41 < Dougy[RV|Away]> i got it ecrist
14:42 < Dougy[RV|Away]> the pw that is
14:42 < ecrist> oh, then I won't change it on ya
14:42 < Dougy[RV|Away]> if the conversion doesnt need _vb
14:42 < Dougy[RV|Away]> then sure, tossi t
14:42 < Dougy[RV|Away]> im not using it
14:42 < Dougy[RV|Away]> http://www.ovpnforum.com @ all
14:42 < vpnHelper> Title: OpenVPN Forum Index page (at www.ovpnforum.com)
14:42 < jeev> i believe, the world, is coming to an end
14:43 < ecrist> Dougy[RV|Away]: _vb db was dropped
14:43 < ecrist> Database `xxxx_vb` has been dropped. (Query took 0.0639 sec)
14:44 < Dougy[RV|Away]> k
14:44 < Dougy[RV|Away]> now i need to fix the email thing
14:44 < Dougy[RV|Away]> and the forum is set
14:48 < ecrist> Dougy[RV|Away]: I can host email if you want, up to you.
14:49 < ecrist> lol, I just realized I haven't been pruning my mysql backups
14:49 < ecrist> I had 5 years worth of daily mysql dumps.
14:49 < ecrist> hello 40G worth of free space
14:52 < jeev> heh
14:52 < ecrist> tells you how long it's been since I've had to do a restore.
14:56 < Dougy[RV|Away]> nice ecrist
14:56 < Dougy[RV|Away]> lol
14:57 < jeev> my mailserver owns
14:57 < jeev> i swear
14:57 < jeev> my box at the stupid digital realty trust is it ?
14:57 < jeev> 111 8th i think
14:57 < jeev> is going down either tomorrow or monday
14:57 < jeev> forlike 12 hours
14:57 < jeev> :(
14:57 < Dougy[RV|Away]> nice
14:59 < ecrist> Dougy[RV|Away]: need anything else from me before I go play WoW for a bit?
14:59 < jeev> ecrist
14:59 < jeev> what server
14:59 < ecrist> Thunderlord
15:00 < jeev> oh
15:00 < jeev> move to skywall
15:00 < jeev> what level are you
15:00 < ecrist> highest is 67, I'm very much a casual player
15:00 < ecrist> my whole fam is on tl, so I can't move
15:01 < jeev> i dont play much
15:01 < jeev> my friend plays for me, i'm at 73, almost 74
15:01 < jeev> i like occaisionally playing, hadn't played for 6 months
15:03 < ecrist> yeah, we turn our accounts off from Feb to about the end of Sept
15:03 < ecrist> too much other stuff to do when it's nice outside
15:04 < jeev> my friend pays for it
15:04 < jeev> crap, i'm looking at my quarantine and i see an email to my friend taht's been quarantined
15:05 < ecrist> l8r guys
15:17 < dvl> here I was, for a moment, thinking you kids were 65+ yo....
15:28 < acidchild> packet loss confuses me ;(
15:29 < acidchild> mtr says their is packetloss of about 15% over 75% of the tops ;/
15:29 < acidchild> hops
15:45 < krzie> dvl, im in late 20's
15:45 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Read error: 61 (Connection refused)]
15:45 < krzie> and i dont play any mmrpg's
15:45 < krzie> lol
15:45 < ecrist> I'll be 30 in less than a year.
15:46 < krzie> careful
15:46 < krzie> according to the book crist only makes it to 33
15:46 < krzie>
15:58 < jeev> hmm
16:06 < Dougy[RV|Away]> hi all
16:06 < krzie> high
16:08 < jeev> hey
16:08 < jeev> ok so the crl, is that something you guys suggest?
16:08 < jeev> or should i just delete the key?
16:09 < krzie> depends
16:09 < krzie> any thought it may have been comprimised?
16:09 < krzie> are YOU the client?
16:12 < ecrist> jeev: deleting the key doesn't do anything, as long as the server sees a cert that was signed by the valid CA, it will auth the client
16:12 < ecrist> you *need* to use a CRL unless you're going to reissue certs under a new CA everytime.
16:14 < dvl> when you want to add something to the crl, it is just the .crt file for that cert?
16:15 < jeev> really ?
16:15 < jeev> i dont hand out certs
16:19 -!- dvl [n=nnnnnndv@pdpc/supporter/professional/dvl] has left ##openvpn ["Leaving"]
16:19 -!- dvl [n=nnnnnndv@pdpc/supporter/professional/dvl] has joined ##openvpn
16:19 < dvl> jeev: what do you mean you don't had out certs?
16:19 < Dougy[RV|Away]> krzie
16:19 < Dougy[RV|Away]> that bible joke was terrible
16:22 < jeev> anyone use itunes?
16:22 < jeev> i dunno dvl, we'll see.
16:25 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn
16:26 < kraut> moin reiffert! ;)
16:32 < krzie> ecrist, unless he is the client and it wasnt comprimised
16:32 < krzie> kraut, moin!
16:32 < ecrist> jeev: yes
16:32 < kraut> moin krzee
16:32 < jeev> hmm
16:32 < jeev> ecrist, what do you suggest for webmail?
16:32 < jeev> pop/imap
16:32 < krzie> jeev, i use osX, so yes on itunes
16:33 < ecrist> jeev: IMAP
16:33 < jeev> heh
16:33 < jeev> i mean what do you suggest for webmail.
16:33 < krzie> webmail can use POP?
16:33 < krzie> jeev, i liked squirrelmail
16:33 < ecrist> dvl, CRLs are basically a list of serial numbers that ahve been roked, which is signed by the CA
16:33 < ecrist> roundcube is nice
16:33 < ecrist> krzie: yes, it can.
16:34 < ecrist> jeev: IMAP would be the 'correct' protocol to use.
16:34 < jeev> hmm
16:34 < jeev> yea, webmail can use pop
16:35 < jeev> i dont know why i dont like roundcube
16:36 < krzie> roundcube was nice but i preferred squirrelmail when i was running webmail
16:36 < krzie> although i cant give a real reason
16:37 < krzie> although you'll wanna add plugins to it
16:37 < jeev> hmm, i'll probably drop squirrelmail and horde on it i gues
16:45 < dvl> well, now have roundcube installed just for fun. Let's see about getting it running.
16:48 < jeev> heh
16:48 < jeev> it's very easy
16:51 -!- oxtub [n=mike@d60-65-190-138.col.wideopenwest.com] has joined ##openvpn
16:53 < dvl> docs talk about installer, can't find it
16:56 < Dougy[RV|Away]> going home
16:56 < Dougy[RV|Away]> im outtie
16:58 -!- oxtub [n=mike@d60-65-190-138.col.wideopenwest.com] has quit ["Killed by gemini (Requested by panasync)"]
17:01 < dvl> So far, not impressed with roundcube. Installation instructions fail me.
17:02 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 60 (Operation timed out)]
17:02 < jeev> how'd it fail
17:04 < dvl> The requested URL /roundcube/installer was not found on this server.
17:04 < jeev> heh
17:06 < dvl> The biggest hurdle in winning new users is getting them going with a simple configuration that is easily acccomplished.
17:07 < dvl> It does not matter how good your code is or how great it is to use. If joe user cannot install, pack up your toys and head home.
17:07 < jeev> roundcube was easier to install than windows xp
17:09 < krzie> The requested URL /roundcube/installer was not found on this server.
17:09 < dvl> correct
17:09 < krzie> looks apache related to me
17:10 < krzie> not giving the right rootdir
17:10 < dvl> krzie: /roundcube/ gets me a roundcube login.
17:10 < krzie> interesting
17:10 < dvl> krzie: there is no installer/ directory included.
17:10 < krzie> ahh ok
17:10 < dvl> or *installer* anything.
17:12 < dvl> This may be packaging.
17:39 < ecrist> I've been using roundcube for a couple years. it's not had any real problems so far.
17:41 < dvl> ecrist: The problem I encountered seems to be the fault of the FreeBSD maintainer.
17:42 < dvl> ecrist: I have emailed him regarding the lack of an installer directory. :)
17:47 < krzie> ahh i see
18:08 -!- K_luffy [n=V3N@77.31.162.183] has joined ##openvpn
20:07 -!- tjz|sleep is now known as tjz
20:07 < krzie> good morning tjz
20:08 < tjz> ^_^
20:08 < tjz> hello
20:08 < tjz> hmm
20:08 < tjz> are you krzee ?
20:08 < tjz> -_-
20:08 < krzie> i am
20:08 < tjz> oh
20:08 < tjz> ^_^
20:08 < tjz> why is there two nick..
20:08 < krzie> i use this when im not home
20:08 < krzie> krzee is my laptop sitting at my house
20:09 < krzie> this client is on 1 of my servers, i leave it logged in all the time
20:09 < tjz> cool
20:09 < tjz> hmm, are you working?
20:10 < krzie> kinda just hangin out
20:10 < jeev> sup
20:10 -!- oxtub [n=mike@d60-65-190-138.col.wideopenwest.com] has joined ##openvpn
20:11 < jeev> ok, time for food
20:13 -!- oxtub [n=mike@d60-65-190-138.col.wideopenwest.com] has quit [Client Quit]
20:13 -!- oxtub [n=mike@d60-65-190-138.col.wideopenwest.com] has joined ##openvpn
20:15 < tjz> yooooooooooooo jeev~~~~~~~~~~~
20:16 < ecrist> dvl: here's a bit of advice from me: don't use freebsd ports for web apps.
20:17 < ecrist> some examples would be roundcube, cacti, php*admin, etc
20:17 < ecrist> you put yourself at the mercy of the maintainer
20:17 < ecrist> and in most cases, the depends are pretty simple to remedy
20:19 < krzie> good advice
20:33 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn
20:47 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"]
21:04 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has joined ##openvpn
21:05 < mRCUTEO> hiya evening all
21:06 -!- mgs` [n=mgs@mail.polyvalent.org] has joined ##openvpn
21:07 < mgs`> I've set up openvpn according to the howto and it is working flawlessly between my mac and my ubuntu server!!
21:07 < mgs`> actually, one flaw :)
21:07 < mgs`> My traffic should be redirected so all client traffic is tunneled through the vpn
21:08 < mgs`> however, i can browse normally while the vpn conenction is live and my traffic is most certainly still coming from my local ip not my server
21:08 < mgs`> i didn't even know it was possible for it to work that way!
21:08 < mgs`> haha
21:09 < mgs`> but what I really want is the traffic to tunnel because that's the whole reason for the vpn, i want to make my traffic private on public lans
21:10 < mgs`> so although my nfs etc is perfect, one last wrinkle to iron out. but i'm not even sure what's wrong because my client.conf and server.conf have matching directives for all the redirection and I've assigned a static ip to the client to allow iptables routing
21:14 -!- oxtub [n=mike@d60-65-190-138.col.wideopenwest.com] has quit ["BitchX-1.1-final -- just do it."]
21:21 < ropetin> mgs`: Did you enable redirect-gateway?
21:21 < mgs`> amazingly, after looking through conf 20 times I just discovered that I had not removed the ;
21:21 < mgs`> :(
21:21 < ropetin> And did you set up a masquerade rule for IP tables?
21:21 < ropetin> Ahhh, ok!
21:21 < mgs`> the ; comment system really messed me up
21:21 < mgs`> it's confusing how it's mixed with #
21:21 < ropetin> So you're good to go now?
21:22 < mgs`> is it possible to restart with killing the server?
21:23 < mgs`> without
21:23 < ropetin> Restart openvpn?
21:23 < ropetin> You mean you don't want to kick users off?
21:23 < mgs`> i thought i remembered reading something about the conf files updating themselves
21:23 < mgs`> right
21:24 < ropetin> I don't know, I'm the only user on my VPN, so I just restart the service when I have to
21:24 < mgs`> :)
21:24 < mgs`> is it normal for the server to show no output and the cliant to stream info
21:24 < mgs`> client
21:25 < mgs`> my server just hangs as if it were frozen
21:25 < mgs`> but it's actually up
21:25 < mgs`> while my client spews data
21:25 * ropetin is confused
21:25 < mgs`> the only way i knew the server was working was that the log files get data
21:25 < mgs`> openvpn
21:25 < mgs`> i hit enter and the line is blank and stays like that
21:26 < mgs`> on the client
21:26 < mgs`> openvpn
21:26 < mgs`> and I see all kinds of vpn communication streaming
21:26 < mgs`> output on screen
21:26 < ropetin> Oooo, I get ya
21:26 < ropetin> I running it from an init script so I never see that, but yes, sounds reasonable
21:27 < ropetin> The server should be logging into syslog
21:28 < mgs`> can it run in the background so i dont have to use a tty like this?
21:28 < mgs`> your init script must do that :)
21:28 < mgs`> i don't have one :(
21:28 < ropetin> Your server is Linux?
21:28 < mgs`> ubuntu 2.1rc15
21:28 < mgs`> i compiled from source
21:29 < ropetin> Ahhh, ok, that would explain it. Hmmm, you could theoretically use the init script that would come with the repo version of OpenVPN. I don't think anything would have changed too much
21:35 < krzie> openvpn --config openvpn.conf
21:41 < krzie> => awstats-6.8.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
21:41 < krzie> => Attempting to fetch from http://awstats.sourceforge.net/files/.
21:41 < krzie> fetch: http://awstats.sourceforge.net/files/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851
21:41 < krzie> heh
21:42 < krzie> doh
21:42 < ropetin> Hate it when that happens
21:42 < krzie> heh, now i see awstats and awstats-devel are the same file anyways
21:43 < krzie> just -devel has a size mismatch
21:43 < krzie> *shrug*
21:44 < ropetin> Weird
21:47 < krzie> yup, but unimportant =]
21:48 < mgs`> still not working
21:48 < mgs`> ropetin: i restarted the server, client logged in and cannot access internet
21:48 < krzie> i thought i remembered reading something about the conf files updating
21:48 < krzie> themselves
21:48 < krzie> that does NOT happen
21:48 < krzie> mgs, can it ping over the tunnel?
21:48 < mgs`> its the ipp file :)
21:48 < krzie> like it can ping the servers vpn ip?
21:48 < mgs`> krzie: it can ping intervpn
21:49 < krzie> check your NAT rules
21:49 < ropetin> How about setting up the routes mgs`?
21:49 < krzie> and be sure your server has ip forwarding on
21:49 < krzie> !linipforward
21:49 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
21:49 < ropetin> In my short amount of experience with OpenVPN, it's generally something to do with teh routes
21:49 < krzie> mgs`, you have NAT enabled on your server?
21:50 < ropetin> The masquerade thing I mentioned earlier?
21:50 < krzie> oh sorry i didnt scroll
21:50 < mgs`> i can show you my iptables, i think they're right i followed the howto
21:50 < ropetin> A pastebin would be interesting, yeah
21:51 < mgs`> should both sides run openvpn with sudo?
21:51 < krzie> they MUST start as root
21:51 < mgs`> i wonder if my not using an initscript is missing some flags
21:51 < krzie> you can drop privs after with --user and --group
21:51 < mgs`> ok thats what i do
21:51 < mgs`> both start as sudo and rop to nobody
21:51 < krzie> (or in windows, another way i can tell you if you need it)
22:03 < ropetin> OK, reading random peoples pastebin entries is adictive!
22:04 < krzie> hahahah
22:04 < tjz> i bet you have read mine
22:04 < tjz> i pasted alot recently
22:04 < tjz> lol
22:04 < ropetin> :D
22:05 < krzie> mgs, if you can ping the servers vpn ip, your problem is 1 of these 3 things:
22:05 < tjz> like my grandmother's bra size
22:05 < krzie> 1) you dont have redirect-gateway
22:05 < mgs`> yes :)
22:05 < tjz> lol
22:05 < krzie> 2) your NAT is broken
22:05 < mgs`> i ahve push redirect gateway
22:05 < krzie> 3) you dont have ip forwarding turned on
22:05 < krzie> k then cross out #1
22:06 < krzie> and if you haave ip forwarding turned on, cross out #3
22:06 < ropetin> My money is on NAT
22:06 < krzie> which would leave you with #2 (NAT)
22:06 < krzie> ropetin NAT is a big favorite, you have to risk a lot to win anything
22:06 < krzie> (your $ is on it...)
22:06 < tjz> my money on NAT too
22:06 < ropetin> :P
22:06 < mgs`> ok, so where do i start with NAT on a machine that is a remote server 1 eth0 and just a 127.0.0.1 private
22:07 < mgs`> the acronym alone makes me feel not so good
22:07 < krzie> umm, and a TUN
22:07 < mgs`> im tun
22:07 < mgs`> over tcp
22:07 < krzie> !tcp
22:07 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
22:07 < mgs`> :(
22:08 < ropetin> Yeah, when you think about the TCP thing its logical that it would cause huge issues. I'd never really thought about it before
22:08 < mgs`> this is my first server from scratch, wowza :)
22:08 < krzie> ropetin, same
22:08 < mgs`> i thought TCP guaranteed UDP fast unreliable
22:08 < mgs`> to me sensibility said go for the slower guaranteed
22:08 < krzie> you still have TCP inside the UDP tunnel
22:09 < krzie> but tcp over tcp, bad
22:09 < mgs`> ah
22:09 < mgs`> the tunnel is tcp no matter
22:09 < krzie> that link was grabbed from the manpage
22:09 < krzie> it is a good read
22:09 < mgs`> the openvpn man page?
22:09 < mgs`> that's my next step
22:09 < mgs`> i followed the howto to configure
22:10 < krzie> !nat
22:10 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
22:10 < mgs`> i'm trying to really understand the conf files so i only have to learn this once
22:10 < krzie> !factoids search nat
22:10 < vpnHelper> krzie: 'bsdnat' and 'nat'
22:10 < krzie> !bsdnat
22:10 < vpnHelper> krzie: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
22:10 < krzie> heh nice i forgot i made that
22:10 < krzie> i should make a linnat too
22:11 < mgs`> is there any way that i can better diagnose what is happening before i start in on natd
22:11 < mgs`> because i don't want to change things that aren't broken
22:11 < krzie> !learn linnat as for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
22:11 < vpnHelper> krzie: Joo got it.
22:11 < krzie> mgs`, i told you the 3 possible problems
22:12 < krzie> you said it wasnt #1
22:12 < krzie> you didnt say if ip forwarding was turned on or not
22:12 < krzie> but if it is, your problem IS nat
22:12 < krzie> cat /proc/sys/net/ipv4/ip_forward
22:12 < krzie> if that returns 1, ip forwarding is on
22:12 < krzie> if it is 0, it is not
22:13 < mgs`> oops sorry
22:13 < ropetin> krzie: is it possible to get a full list of which !xxx messages are available?
22:13 < ropetin> Cus those are useful!
22:13 < krzie> ropetin: !menu
22:13 < ropetin> Thanks
22:14 < krzie> np
22:14 < mgs`> where in the iptables chain should this -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
22:14 < mgs`> i have it at the bottom
22:14 < mgs`> before drop
22:14 < krzie> menu points to the command you really use
22:14 < krzie> !menu
22:14 < vpnHelper> krzie: "menu" is please use '!factoids search *'
22:14 < krzie> you keep it * for ALL
22:14 < krzie> or you can use win to see all terms that contain win
22:15 < krzie> it only searched the factoids, not their definitions
22:16 < krzie> mgs` i dont use iptables but maybe ropetin or someone else here does and can help with that
22:16 < krzie> but just so you know, this problem is not openvpn related
22:16 < krzie> it is a general linux question
22:17 < mgs`> iptables won't take the MASQUERADE this must be the issue (at least part)
22:17 < mgs`> iptables-restore v1.4.0: Line 34 seems to have a -t table option.
22:18 < krzie> asking a linux channel might provide a faster answer
22:18 < mgs`> krzie: i've never had to make a line like that in my iptables for anything else so I would say think this is quite relevant to openvpn?
22:19 < krzie> that is because you never ran linux as your home router
22:19 < mgs`> i've used iptables forever
22:19 < dvl> ecrist: I have an in... with FreeBSD... I can submit PRs to update the apps. :) and get them committed.
22:19 < ropetin> mgs`: but the issue isn't OpenVPN it's Iptables
22:19 < krzie> but if you had, you would have done this before
22:19 < mgs`> krzie, oh please, i run an irc
22:19 < mgs`> ircd
22:19 < krzie> thats like saying you never had to us ls and cd before, so they are openvpn related
22:19 < ropetin> :D
22:19 < mgs`> not at all
22:20 * ropetin puts on his flame-proof pants
22:21 < mgs`> i fail to understand this trend of shoeing people off to other channels. it is perfectly reasonable that someone in here would know the answer, ropetin gave me the line to add. going to another room is supposed to be a faster method?
22:21 < ropetin> I can promise on my Ubuntu box I did 'iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o eth0 -j MASQUERADE'
22:21 < ropetin> And it worked like a champ
22:21 < krzie> mgs` if i knew ild help you
22:21 < mgs`> ropetin: everytime you boot?
22:21 < krzie> im not sdaying we wont help you
22:21 < krzie> im saying you have a better chance asking in a linux channel cause your question is about the linux firewall
22:22 < ropetin> It's a moot point, I don't reboot. I know nothing about Iptables other than what I needed to get the VPN up, so I don't know if it's persistent or not
22:22 < mgs`> no, adding a rule like that is not
22:23 < mgs`> thats what i meant about a test set and live set
22:23 < ropetin> I guessed
22:23 < krzie> seems you know more about iptables than me
22:23 < mgs`> there are scripts iptables-restore and iptables-save
22:23 < krzie> and ropetin as well, im guessing
22:23 < mgs`> i know a lot bout iptables
22:23 < mgs`> i just know nothing about masquerade
22:23 < mgs`> and it can't be added to my init rules the same as others
22:23 < mgs`> the -t produces an error
22:23 < mgs`> saying that -t is looking for a table
22:24 < ropetin> So presumably there is some 'conversion' that has to be done to change the CLI entry into an init compatible rule?
22:24 < krzie> like i said, ild help ya if i could, and if anyone here is active that uses iptables im sure they'll help too, but if you're looking for a fast answer a linux chan would be the best bet
22:24 < mgs`> yeah
22:24 < krzie> thats where ild be asking at least
22:24 < krzie> cause your problem is not openvpn
22:24 < mgs`> the conversion is a linux question :)
22:24 < mgs`> god damn, i've heard every time you've said it. chill out.
22:25 < krzie> i seem to be more chill
22:25 < krzie> heh
22:25 < ropetin> No one chiller than krzie that's for sure
22:25 < mgs`> i meant it in a chuckling way
22:25 < krzie> werd
22:25 < mgs`> irc bad for sarcasm
22:25 < krzie> lol
22:25 < krzie> ya voice tones dont translate
22:25 < mgs`> irc doesn't make me mad :)
22:26 < ropetin> Yup, it's hell for us Brits, people think we're just being assholes the whole time!
22:26 < krzie> lol rope
22:26 < krzie> most people i know on irc from uk are cool as hell
22:26 < mgs`> yeah well english is my 2nd lang! i'm from buenos aires but live in nyc
22:26 < mgs`> so even more crazy!
22:26 < krzie> and spanish is my 2nd lang
22:26 < krzie> im from california but live in the carib
22:27 < ropetin> Buenos Aires? How old are ya?
22:27 < mgs`> i think i'm saying something funny and people think i am being rude
22:27 * ropetin is from UK but live in FLoriad
22:27 < mgs`> 25
22:27 < ropetin> FLorida
22:27 < ropetin> Ahhh, a bit too young for me to blame for the 'Hand of God' in the World Cup then. I'll let you off
22:27 < ropetin> :P
22:27 < mgs`> my family is still there, it is a lovely place!
22:27 < ropetin> (that was some of that sarcasm)
22:27 < mgs`> haha
22:27 < ropetin> I'm not saying Maradona cheated. But, he cheated
22:28 < mgs`> Argentina is great, buenos aires at least, nothing like a lot of other places down in that part of the world.
22:28 < mgs`> Everyone is european mostly in the city.
22:28 < ropetin> It's amazing, back home the whole Falklands Conflict is forgotten, but they will not let the Hand of God go
22:28 < mgs`> I think it resembles paris more than rio or parts of brazil
22:29 < mgs`> maradona cheated :)
22:29 < ropetin> Yeah, seems like a fun place to visit
22:29 < ropetin> mgs`: can I quote you on that? An Argentine admitting it? :)
22:29 < mgs`> people are kind, women are beautiful, food is delicious!
22:29 < mgs`> i'm sort of argentine, my father is french and my mother is from connecticut :)
22:29 < ropetin> mgs`: The best sausages I've ever had are from Argentina, so I'd agree on the food
22:30 < ropetin> Meh, that doesn't count then!
22:30 < mgs`> yeah, it really doesn't.
22:30 < mgs`> haha
22:30 < ropetin> Don't get me started on the French...
22:30 < ropetin> ;)
22:30 < mgs`> luckily i have darker skin from my french side so i looked like most others
22:30 < mgs`> not really a luckily
22:31 < mgs`> haha
22:31 < mgs`> but left me feeling i have some argentine identity
22:31 < ropetin> That's cool
22:31 < mgs`> ok, i'm going to fix iptables
22:31 < ropetin> :D
22:31 < mgs`> i'll let you know the new rule when i get it
22:31 < ropetin> KK
22:33 < krzie> nice, we can put it in !linnat
22:34 < krzie> im headed down to peru in feb
22:34 < krzie> i know it isnt ARG, but its not far away either
22:34 < krzie> im looking forward to it!
22:36 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 104 (Connection reset by peer)]
22:37 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn
22:37 < ropetin> krzie: for work or fun?
22:39 < krzie> fun
22:39 < ropetin> Excellent, from what I've seen there is lots to do, if you like exploring
22:40 < dvl> krzie: seems the whole VPN is running fine. BTW, you you said a routed, I first thought you meant routed(8).
22:41 < krzie> ahhh
22:41 < krzie> nah just meant tun
22:42 < dvl> yeah, well, my confusion. All written up now.
22:46 < krzie> ropetin, ya plus my buddy there has a place for me to stay
22:46 < ecrist> evening, folks
22:47 < krzie> so its gunna be awesome!
22:47 < krzie> hey eric!
22:48 < ropetin> Party time krzie
22:57 < troy-> sup krzie
23:00 < krzie> wassup
23:00 < krzie> on my way out, time to hit up the party
23:00 < krzie> later all
23:12 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has quit []
23:23 -!- aegis [n=aegis@pool-96-225-73-107.bflony.fios.verizon.net] has quit ["changing servers"]
23:26 -!- mgs` [n=mgs@mail.polyvalent.org] has quit [Remote closed the connection]
23:39 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 131 (Connection reset by peer)]
23:40 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn
--- Day changed Sun Nov 30 2008
01:12 < tjz> o_0
02:03 < krzee> werd
02:04 < krzee> tjz, you pursue my answer from last night?
02:04 < krzee> i answered you here and the mail list
02:25 < krzee> the great entrepreneur Henry Ford said on February 11, 1934: "Let them fail; let everybody fail! I made my fortune when I had nothing to start with, by myself and my own ideas. Let other people do the same thing. If I lose everything in the collapse of our financial structure, I will start in at the beginning and build it up again."
02:28 < troy-> krzee, there is too much at stake sadly
02:28 < tjz> krzee, yup. i have read through your answer in the mail list
02:28 < krzee> tjz, you use linux right?
02:29 < tjz> yup
02:29 < krzee> !linnat
02:29 < vpnHelper> krzee: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
02:29 < krzee> and everything else set to allow
02:29 < tjz> ya.. i finally understand this
02:29 < krzee> oh ok
02:29 < krzee> so you're working good now?
02:30 < tjz> ya
02:30 < tjz> i have a few more qquestions..
02:31 < tjz> i know we have to create an iroute in "ccd" to fix the MULTI: bad source error
02:31 < tjz> for me, i am on lan 192.168.1.x ..
02:32 < krzee> !route
02:32 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
02:32 < krzee> that gives a full explanation of when to push routes, use iroute, etc
02:33 < tjz> oh
02:33 < tjz> the " MULTI: bad source error" problem do not necessary happen to everyone ?
02:33 -!- aegis [n=aegis@pool-96-225-73-107.bflony.fios.verizon.net] has joined ##openvpn
02:34 < krzee> not when they have the correct setup
02:34 -!- aegis [n=aegis@pool-96-225-73-107.bflony.fios.verizon.net] has quit [SendQ exceeded]
02:34 < krzee> you were getting yours because of a backwards nat
02:34 < krzee> your client was sending at the vpn with a source of its lan
02:34 < tjz> oh
02:35 < krzee> because the nat was saying that any traffic out to vpn_network should go as lan_ip
02:35 < krzee> instead of the other way around
02:35 < krzee> it should be any traffic from vpn_network goes out as lan_ip
02:36 < tjz> ya..i guess because i am using a router..
02:36 < krzee> so instead of 2 problems its one
02:36 < krzee> no its not your router
02:36 < krzee> its your backwards NAT rule
02:36 < krzee> in iptables
02:36 < tjz> oh
02:37 < krzee> see i think you were thinking not only did inet browsing not work, but also you got this error
02:37 < tjz> backwards NAT rule in iptables on my server ?
02:37 < krzee> but the thing is, your inet browsing didnt work because your NAT was broken
02:37 < krzee> and the error shoes exactly how its broken
02:37 < krzee> it is NATing just fin
02:37 < krzee> fine
02:38 < krzee> but it is NATing the wrong direction
02:38 < krzee> instead of packets from vpn bound for inet being NATed to come from lan_ip, now packets bound for vpn are showing up as lan_ip
02:38 < krzee> see the difference?
02:39 < krzee> if you draw it, the arrows are just going the wrong way
02:39 < tjz> quite weird that this happen happen to me..
02:39 < tjz> -_-
02:39 < krzee> if you lose the nat you will see you can only communicate over the vpn (no inet) and you do not get the error
02:40 < krzee> then if you add the rule: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
02:40 < krzee> it will work
02:40 < krzee> if everything is default allow
02:40 < krzee> then you secure your firewall however you want, and if you break your NAT from there it should be easy to troubleshoot
02:41 < tjz> oh
02:41 < tjz> is it possible to assign client1 to use a specific IP address.. and client2 to use another IP address?
02:42 < tjz> for a multipple vpn instances setup on the server..
02:45 < tjz> http://boston.com/bigpicture/2008/11/mumbai_under_attack.html
02:46 < vpnHelper> Title: Mumbai under attack - The Big Picture - Boston.com (at boston.com)
02:46 < tjz> Mumbai under attack - the big picture
02:59 < tjz> .
03:07 < tjz> . dot . dot
03:14 < krzee> if you are talking about the external ip address each uses, yes
03:14 < krzee> but you are not asking an openvpn question
03:14 < krzee> you are asking a NAT question
03:15 < krzee> and for how to do it, it becomes specific to iptables, which i dont know
03:20 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn
03:21 -!- bandini [n=bandini@host50-109-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
03:32 < tjz> ohok
03:32 < tjz> let me try
03:39 < unixSnob> openvpn doesn't seem to respond to SIGUSR2
03:40 < unixSnob> what am i doing wrong?
03:40 < unixSnob> kill -s SIGUSR2 does nothing interesting
03:43 < krzee> SIGUSR2
03:43 < krzee> Causes OpenVPN to display its current statistics (to the syslog file if --daemon is used, or stdout otherwise).
03:43 < krzee> !man
03:43 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1
03:43 < krzee> under SIGNALS
03:43 < unixSnob> ah, syslog.. i'll have to check that out
03:44 < krzee> if you're going to be a unix snob you'll need to check the manpages too :-p
03:45 < unixSnob> i'm running openvpn on dd-wrt.. no man page
03:48 < krzee> !man
03:48 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!, or (#2) "betaman" is http://www.openvpn.net/man-beta.html for 2.1
03:48 < krzee> those are the man pages
03:48 < krzee> first is 2.0 second is 2.1
03:48 < unixSnob> thanks
03:48 < krzee> np
03:51 < krzee> !iptables
03:51 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept
03:54 < krzee> !learn iptables as please see http://openvpn.net/man#lbBD for more info
03:54 < vpnHelper> krzee: Joo got it.
03:55 < krzee> !forget man *
03:55 < vpnHelper> krzee: Joo got it.
03:55 < krzee> !learn man as http://openvpn.net/man for 2.0 manual
03:55 < vpnHelper> krzee: Joo got it.
03:55 < krzee> !learn man as http://openvpn.net/man-beta.html for 2.1 manual
03:55 < vpnHelper> krzee: Joo got it.
03:56 < krzee> !learn man as the man pages are your friend!
03:56 < vpnHelper> krzee: Joo got it.
03:58 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has joined ##openvpn
03:58 < mRCUTEO> evening all
04:04 < ropetin> Morning
04:07 < tjz> evening~
04:07 < tjz> 6pm :)
04:08 < mRCUTEO> yeah tjz
04:08 < mRCUTEO> my time is same as you
04:09 < ropetin> 5:09am, morning :D
04:09 < mRCUTEO> tjz are you using singtel isp ?
04:09 < mRCUTEO> i heard singtel offering a SGD53 10 Mbps ADSL
04:11 < tjz> huh..
04:11 < tjz> hmm
04:11 < tjz> ya
04:11 < tjz> mRCUTEO, where r u from?
04:11 < mRCUTEO> your neighbour
04:11 < tjz> malaysia?
04:11 < tjz> hehe
04:11 < mRCUTEO> yerp
04:11 < tjz> cool
04:11 < tjz> nice nice
04:11 < mRCUTEO> oujr net sucks big time tho
04:12 < tjz> oh..streamyx?
04:12 < mRCUTEO> yerp
04:12 < tjz> hehe
04:12 < mRCUTEO> :) i think you wll known streamyx :D
04:12 < mRCUTEO> 10 mbps for SGD53 thats a great deal to me :)
04:12 < mRCUTEO> and dedicated too :D
04:13 < mRCUTEO> what connection u have there tjz?
04:13 < tjz> 3mbps
04:13 < tjz> paying about 50+ a month
04:13 < tjz> -_-"
04:13 < tjz> gonna re-contract for a cheaper
04:14 < mRCUTEO> ic
04:14 < tjz> 3mbps is around 30/mo now.. 24 months contract..
04:14 < tjz> 30-32/mo
04:14 < mRCUTEO> you/re subscribing singtel ADSL?
04:15 < mRCUTEO> hiya ropetin o/ where you from?
04:15 < tjz> ya..singnet adsl
04:15 < mRCUTEO> ic
04:15 < mRCUTEO> :)
04:15 < mRCUTEO> anyway singtel is the best i think in singapore
04:16 < mRCUTEO> i've been to singapore and stay for 1 month there.. i use singtel adsl, its fast furious :D
04:16 < tjz> ya
04:16 < mRCUTEO> i hope one day malaysia will have the same speed and tech as singapore too .. we are way fa behind the internet tech..
04:16 < tjz> it is stable
04:17 < tjz> if compare singapore to USA, japan..
04:17 < tjz> we are far
04:17 < mRCUTEO> yerp you're adsl is world standard
04:17 < tjz> fibre optic connection is up for other countries
04:17 < mRCUTEO> yerp heard in japan they started using fibre for adsl
04:18 < mRCUTEO> our line streamyx is a shared adsl.. very poor connection :(
04:18 < mRCUTEO> 1 mbps shared with 100 users sure die liao
04:18 < tjz> haha
04:18 < tjz> are you using 1mbp?
04:18 < mRCUTEO> yes
04:19 < mRCUTEO> quite slow
04:19 < tjz> omg
04:19 < tjz> ya
04:19 < mRCUTEO> dload max is 80 KB/s
04:19 < tjz> i cannot take 1mbps
04:19 < tjz> i went for minimum 3mbps
04:19 < mRCUTEO> average speed 20 KB/s
04:19 < tjz> ya..
04:19 < mRCUTEO> :)
04:19 < mRCUTEO> very poor
04:19 < mRCUTEO> i dunno maybe because of our gov policies
04:19 < tjz> hhaa
04:19 < mRCUTEO> u knowlah malaysian gov :D
04:20 < tjz> why not upgrade your plan?
04:20 < mRCUTEO> i dont think i want to upgrade.. its useless upgrade to 4mbps but shared with 100 users
04:20 < mRCUTEO> :)
04:21 < mRCUTEO> its the same 80 KB/s you will have at the end of the day
04:21 < mRCUTEO> hehe
04:24 < tjz> hmm
04:24 < tjz> is streamyx using cable or adsl?
04:25 < mRCUTEO> adsl
04:26 < tjz> hmm
04:26 < tjz> should be dedicated..
04:26 < mRCUTEO> nope they shared the bandwidth
04:26 < mRCUTEO> extremely slows at peak hours
04:26 < tjz> omg..
04:26 < tjz> not dedicated adsl at all
04:27 < mRCUTEO> yerp
04:27 < mRCUTEO> its a nightmare
04:27 < mRCUTEO> checkout the malaysian forum lowyat.net at type streamyx
04:27 < mRCUTEO> you know what i mean
04:28 < mRCUTEO> lots of singaporean stays here and the're subscribes to streamyx too.. they found their nightmare using the services.. checkout their comment in lowyaet :P
04:30 < tjz> cool
04:30 < tjz> i am a mmember of lowyat too
04:30 < tjz> hee
04:30 < tjz> nice community
04:31 < mRCUTEO> :)
04:49 -!- unixSnob [n=jj@starfury.spearlink.com] has quit ["leaving"]
04:55 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has quit []
05:33 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has joined ##openvpn
05:33 < mRCUTEO> o/
05:38 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection]
05:42 < tjz> wb
05:43 < ropetin> They come they go
05:43 < krzee> i come they go
05:43 < krzee> ;]
05:44 < tjz> lolz
05:45 < mRCUTEO> ;-)
05:46 < mRCUTEO> krzee if i have 2 openvpn client connected simultanously which traffic will the packet follow? the first conneted or 2nd connected?
05:46 < krzee> connected to the same server with different configs?
05:47 < mRCUTEO> yes
05:47 < krzee> the first one
05:47 < krzee> cause the second wont be able to add a route to the server
05:47 < mRCUTEO> okay
05:47 < krzee> note, you shouldnt be doing that anyways
05:48 < mRCUTEO> i try connecting 6 client simultanously from different location and a feel a lil bit faster ..
05:48 < mRCUTEO> but i dunno maybe its was luck
05:48 < krzee> lol
05:48 < mRCUTEO> :)
05:48 < mRCUTEO> 6 location in different DC :D
05:49 < ropetin> DC?
05:49 < mRCUTEO> data centre
05:50 < tjz> mrcuteo, your ISP still limit you to 20-50kb/s
05:50 < tjz> :P
05:50 < ropetin> Ahhh, ok
05:50 < mRCUTEO> tjz yeah i can burst above the limit if i use openvpn :_)
05:50 < mRCUTEO> at least i can fully use my 1 mbps :_)
05:54 < tjz> ya
05:54 < tjz> i bet they block port too
05:55 < ropetin> That's ISPs for you :( They want to keep all the bandwidth for themselves
05:56 < ropetin> We should move to Japan and get Gig Ethernet connections to our apartments
05:57 < mRCUTEO> :)
05:58 < mRCUTEO> ya lets all move to japan
05:59 < krzee> !security
05:59 < vpnHelper> krzee: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
06:05 < tjz> i love japan
06:05 < tjz> ^_^
06:06 < tjz> ya
06:06 < tjz> fibre connection over in japan
06:18 -!- mRCUTEO [i=IRCLUNAT@64.235.47.233] has quit [Read error: 113 (No route to host)]
07:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
08:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:25 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
08:48 -!-
roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:56 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 09:29 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 09:42 < Dougy[RV|Away]> hi all 09:44 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 09:44 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: ropetin, gcarrier 09:45 < Dougy[RV|Away]> hi tjz 09:46 -!- Netsplit over, joins: ropetin 10:02 < tjz> hey dougy 10:02 < tjz> ^_^ 10:02 < tjz> i have to go 10:02 < tjz> sleep X_X 10:03 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [] 11:35 -!- Gioacchino [n=Gioacchi@79.171.56.77] has joined ##openvpn 11:36 < Gioacchino> hey all 11:36 < Gioacchino> exist a way to use only certificate identification with openvpn ? 11:36 < Gioacchino> because I obtain an error when it load key.txt... 11:37 < Gioacchino> Sun Nov 30 18:26:44 2008 Cannot load private key file key.txt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib 11:37 < Gioacchino> Sun Nov 30 18:26:44 2008 Error: private key password verification failed 11:43 < Gioacchino> someone can help me ? 11:47 < Gioacchino> heyyyyyy ?????? 11:55 -!- adj [i=ssanders@unaffiliated/adj] has joined ##openvpn 11:57 < adj> i have set up a very simple multi-client/server openvpn but keep getting cert problems 11:57 < adj> the client keeps saying the cert verify failed 11:57 < adj> i had known this at one point, but how can i test the ssl handshake? 12:05 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has quit ["Leaving"] 12:08 < Gioacchino> I have the same problem but with server.key 12:08 < Gioacchino> and server wont start... 12:10 < adj> Gioacchino: thats simply a static key setup? 12:10 < Gioacchino> yes 12:10 < adj> Gioacchino: thats simply a static key setup?? 12:10 < adj> shit, scrollback. 
hehe 12:10 < adj> what user and group did you specify for openvpn? 12:10 < Gioacchino> I have not specified 12:11 < Gioacchino> I start openvpn by root 12:11 < adj> this is on linux? 12:11 < Gioacchino> yes 12:11 < adj> specify user nobody and group nobody 12:11 < Gioacchino> I try 12:11 < adj> then chmod 600 server.key 12:11 < adj> and chown nobody:nobody server.key 12:11 < adj> try a restart, and tell me what the log files say 12:13 < Gioacchino> it tell that nobody isn't a valid group 12:13 < adj> hehe, well, you need to use a valid group on your system =) 12:13 < Gioacchino> ok 12:13 < adj> 'getent group' will list them 12:14 < adj> if nobody isn't available, what distro is this? 12:15 < Gioacchino> ubuntu 12:16 < Gioacchino> I tried with lopez that is the user:group of the computer 12:16 < Gioacchino> but it wont work 12:16 < Gioacchino> the same error.. 12:16 < Gioacchino> Sun Nov 30 19:15:11 2008 Cannot load private key file server.key: error:0906D066:PEM routines:PEM_read_bio:bad end line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib 12:16 < Gioacchino> Sun Nov 30 19:15:11 2008 Error: private key password verification failed 12:17 < Gioacchino> but there is some way to disable all this security ?? I need only a simple login and pass.... 12:17 < Gioacchino> I had to do certificate key bla bla bla... 12:17 < Gioacchino> now I have certificate working 12:17 < Gioacchino> but not key 12:17 < adj> what is your goal? 12:18 < adj> multiple clients connecting to one server? 12:18 < adj> or just a secure vpn tunnel between two hosts 12:18 < Gioacchino> I need just a bridge between teo LAN 12:19 < Gioacchino> I also disablen encription because I dont need 12:19 < Gioacchino> and I don`it want slow down tunnel with encription.. 12:19 < adj> you do want encryption. 
12:19 < Gioacchino> I need only a ovpn server with only a client 12:19 < adj> the overhead is not that much, and the benefits far outwiegh the costs 12:20 < adj> you need a simple server to server vpn 12:20 < adj> i'll bin you the configs 12:20 < Gioacchino> but the two cachien are very slow... 500mhz with 256MB ram... 12:20 < adj> whats the bandwidth betweent hem? 12:20 < Gioacchino> I can't NAT in one of two machine then I can only do a 1 server 1 clinet 12:21 < Gioacchino> 10KB/s 12:21 < adj> 500mhz with that much ram should have zero problems. i've had dozens of vpn connections running on embedded boards wtih only 256M ram and a 233mhz ARM cpu 12:21 < Gioacchino> then 12:21 < adj> do both machines have a public IP? 12:21 < Gioacchino> but how to fix server.key ? 12:21 < Gioacchino> do both machines have a public IP? only one 12:22 < adj> you realize that communication will really just be one direction then? 12:22 < Gioacchino> no 12:22 < Gioacchino> I need to do a bridge 12:22 < adj> for example. network 1 is 192.168.1.0/24 and network 2 is 192.168.2.0/24 12:22 < Gioacchino> yes 12:23 < adj> host a on network one is the gateway for the whole subnet. host b on network 2 is a LAN machine (not a gateway for the subnet) 12:23 < Gioacchino> network 2 have a public ip but I can't nat on router... 
12:23 < Gioacchino> mm 12:24 < Gioacchino> I do a paint 12:24 < adj> when a machine in network 1 sends to an ip in network b, the packet will go to the gateway (host a) and the routing table will instruct the packet to use the virtual tun/tap vpn interface 12:24 < Gioacchino> is more clear 12:24 < adj> however, if a machine in network 2 tries to send to network 1, it will use its default route (the network gateway) and that gateway will have no idea how to route traffic for network 1 12:25 < adj> unless each machine in the network 2 subnet has a specific route telling traffic headed towards network 1 to use the vpn host 12:25 < adj> that does sound a bit convoluted written out that way 12:26 < adj> but does is make sense? 12:26 < adj> to correctly bridge two LAN's you would ideally have the vpn endpoints on each network gateway 12:27 < Gioacchino> but I cant.. 12:27 < Gioacchino> I have two home 12:27 < Gioacchino> 1 home I have a internet connection and I can nat port on router 12:27 < Gioacchino> 2 home I have internet but I can't nat port on router 12:28 < Gioacchino> I want to do a bridge between the two lan 12:28 < Gioacchino> than I can benefit of natting from home 1 also into home 2 12:28 < Gioacchino> I am clear ? 12:28 < adj> yes. 12:28 < Gioacchino> already do all the configuration 12:29 < adj> is the routing issue i described clear? 12:29 < Gioacchino> yes 12:29 < adj> ok 12:29 < adj> can you pastebin you config? 12:29 < Gioacchino> but now it tell me that it can't load the key 12:29 < Gioacchino> ok 12:30 < Gioacchino> here is the server config 12:30 < Gioacchino> http://pastebin.com/mf9b1c36 12:31 < adj> that is totally wrong 12:32 < adj> that is the multi-server config template with a few changes made 12:32 < Gioacchino> in home 1 I have 192.168.1.* ips, in home 2 I have 192.168.50.* ips 12:32 < adj> yes. it is not correct. let me paste you a working config 12:32 < Gioacchino> where I found the oneserver one client config ? 
12:32 < Gioacchino> thanks 12:33 < adj> well, read the documentation and develop it 12:33 < adj> openvpn is extremely flexible 12:33 < Gioacchino> paste 12:34 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out] 12:34 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 12:35 < Gioacchino> I hey ? 12:35 < adj> http://pastebin.com/m22cda325 12:36 < adj> that bridges 192.168.1/24 and 192.168.2/24 together over openvpn 12:36 < adj> the endpoints are 1.2.3.4 and 4.3.2.1 12:36 < adj> the tun interfaces are 10.0.0.1 and 10.0.0.2 respectively 12:37 < adj> they share a static key file. (no need for all that CA and server/client keypairs) 12:37 < adj> and i doubt you need the TAP driver. that will just make things more complicated 12:38 < adj> especailly on a low bandwidth link, since you are transmitting ethernet frames instead of IP traffic 12:39 < adj> does that make sense? 12:39 < adj> make your key with 'openvpn --genkey --secret static.key' 12:44 < adj> ? 12:46 < Gioacchino> yes 12:47 < Gioacchino> thanks now I must go 12:47 < Gioacchino> byeee 12:47 < adj> ok 12:49 * adj thinks his datacenter is doing some sneaky packet filtering 12:50 < adj> there is no other reason i can think of that would make my setup work on ports other than 53 13:10 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: K_luffy 13:15 -!- K_luffy [n=V3N@77.31.162.183] has joined ##openvpn 14:00 -!- cj [n=cjac@66.152.65.2] has joined ##openvpn 14:01 < cj> hey all 14:02 < Dougy[RV|Away]> adj 14:02 < Dougy[RV|Away]> what datacenter 14:03 < cj> I want to have an invariable interface name so that I can add it to /etc/shorewall/interfaces... is there a config param I can use to name the interface? 14:05 < krzee> --dev tunX | tapX | null 14:05 < krzee> TUN/TAP virtual network device ( X can be omitted for a dynamic device.) 14:05 < krzee> dont omit the X and it wont be dynamic 14:22 < cj> krzee: okay. 
does it have to be in the form tapX / tunX, or could I call it OMGVPN, for instance? 15:20 -!- K_luffy [n=V3N@77.31.162.183] has quit [Read error: 110 (Connection timed out)] 15:48 * cj tries 15:53 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Read error: 104 (Connection reset by peer)] 15:54 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn 16:11 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 16:12 < reiffert> moin 16:15 < ecrist> dvl: then put one in to get openfire updated. port is at 3.6.0 and the app is at 3.6.2 16:21 -!- Gioacchino [n=Gioacchi@79.171.56.77] has quit ["KVIrc 3.4.0 Virgo http://www.kvirc.net/"] 16:48 < cj> ah, I could set the name using iproute in the post-up script: ip link set tapX down && ip link set tapX name OMGVPN && ip link set OMGVPN up 16:52 < cj> it might be better to add the interface to an already-existing bridge instead :) 17:07 < krzie> cj, why do you need tap instead of tun? 17:22 -!- mgs` [n=mgs@mail.polyvalent.org] has joined ##openvpn 17:23 < mgs`> Hey guys, made some headway on my vpn, traffic is flowing through the vpn and I can use the web normally again! However ... 
I cannot ping my server from the client 17:24 < krzie> ping the vpn ip 17:24 < krzie> not the external ip 17:24 < mgs`> thats what i'm doing 17:25 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has joined ##openvpn 17:25 < krzie> if traffic flows through but cant ping vpn internal ip, its your firewall on the server 17:25 < krzie> you're allowing forward, but not something else 17:25 < krzie> and your NAT is working 17:26 < krzie> !linnat 17:26 < vpnHelper> krzie: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 17:26 < krzie> hrm thats not it 17:26 < krzie> !factoids search lin 17:26 < vpnHelper> krzie: 'linipforward' and 'linnat' 17:26 < mgs`> hmm 17:26 < krzie> hrmz 17:26 < krzie> !iptables 17:26 < vpnHelper> krzie: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 17:26 < krzie> maybe its INPUT 17:26 < krzie> see that link 17:27 < mgs`> gonna head over three now 17:27 < mgs`> so close .. 
yet so far :( 17:27 < krzie> im thinking its this: 17:27 < krzie> iptables -A INPUT -i tun+ -j ACCEPT 17:27 < krzie> to allow input packets from tun devices, 17:39 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:48 < jeev> my cable is doing 3.45mb/s right now 17:48 < jeev> lol 17:48 * jeev loves download.microsoft.com 18:00 -!- lyxan [n=zer0pyth@unaffiliated/zer0python] has quit [Read error: 104 (Connection reset by peer)] 18:06 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)] 18:07 -!- K_luffy [n=V3N@77.31.242.152] has joined ##openvpn 18:09 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has quit [Read error: 104 (Connection reset by peer)] 18:11 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 18:59 < cj> yeah, they've got some pretty l33t peering, I hear :) 19:04 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has joined ##openvpn 19:10 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:10 < Dougy> hey kids 19:17 < jeev> hey child 19:27 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection] 19:33 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 19:36 < mgs`> hrm, ok now i can ping the server, browse through the vpn, etc, however I cannot connect to my imap which had been working prior. I'm at a loss on where to turn because this should not be an iptables issue any longer. 19:37 < mgs`> I'm concerned that it seems like my courier is only running on tcp6 19:56 -!- mRCUTEO [i=LUNAT@64.235.47.232] has joined ##openvpn 19:57 < mRCUTEO> hiya bucko 20:03 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 20:03 < mRCUTEO> wb tjz 20:03 < jeev> tjz 20:04 < jeev> everything ok? 20:04 < jeev> i gotta go 20:04 < Dougy> hebe 20:06 < tjz> yooooooooooo 20:06 < tjz> yooooooooooooo jeev~!~! 
20:06 < tjz> ya 20:07 < tjz> so far so good. 20:07 < tjz> i don't wish to bug you guys all day 20:07 < tjz> :P 20:07 < tjz> hehehe 20:09 < mRCUTEO> :) 20:12 -!- mRCUTEO [i=LUNAT@64.235.47.232] has quit [] 20:14 < Dougy> hey tjz 20:19 < tjz> yooo dougy~!~ 20:19 < tjz> ^_^ 20:19 < Dougy> hi 20:19 < tjz> oh 20:20 < tjz> i enable MASQUERADE on the host node 20:20 < tjz> for the vps 20:20 < tjz> but couldn't surf the page when i connected to vpn server 20:21 < tjz> it is the exact config i did for a dedicated server 20:21 < tjz> it is really a pain to config on a openvz vps 20:21 < tjz> should look into xen next time 20:22 < Dougy> heh 20:22 < Dougy> xen is great 20:23 < krzie> anyone got GeoIPCity.dat ? 20:23 < mgs`> man, krzie, i'm still messing with it 20:23 < mgs`> so frustrating 20:24 < mgs`> I can access everything except services on the server yet I can ping the server and ping the client. 20:24 < krzie> firewall 20:29 < Dougy> krzieeeeeeeeeeee 20:47 -!- mgs` [n=mgs@mail.polyvalent.org] has quit ["[BX] Man I'm *SLEEPY*!!!! My keyboard is slipping away!"] 21:02 < acidchild> my tunnel is very unstable, any ideas? 21:03 < acidchild> ssh over it just freezes up, ssh is fine though to the box normaly 21:04 < krzie> acidchild, you using tcp? 21:04 < acidchild> nope 21:04 < krzie> try testing your mtu 21:04 < krzie> !mtu 21:04 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test as well 21:07 < acidchild> i'm connected to the other hosts over ethernet.. 21:07 < acidchild> about 2ms 21:08 < acidchild> 64 bytes from dubstep.7a69.co.uk (208.92.232.20): icmp_seq=1 ttl=62 time=0.336 ms 21:08 < acidchild> i guess .3 21:08 < krzie> oh, same lan? 21:08 < acidchild> same WAN 21:08 < krzie> gotchya 21:08 < krzie> using redirect-gateway? 21:09 < acidchild> nope. 21:09 < krzie> k 21:09 < krzie> still check your MTU 21:09 < krzie> you using tun or tap? 
21:09 < acidchild> tun 21:09 < krzie> good 21:09 < krzie> check your mtu 21:09 < acidchild> how? 21:09 < krzie> well you dont have to, but you asked for ideas 21:09 < acidchild> on linux.. 21:09 < krzie> !mtu 21:09 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test as well 21:10 < acidchild> what is -l on windows ping? 21:10 < acidchild> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000 21:11 < acidchild> is what its set to at the moment. 21:11 < krzie> well 21:11 < krzie> test it or dont 21:11 < krzie> thats my suggestion 21:11 < acidchild> i'm asking how ;( 21:11 < krzie> (#2) 21:11 < krzie> you can just use --mtu-test as well 21:11 < krzie> --mtu-test is built into openvpn 21:11 < krzie> ive never used it, i assume you tell the server to use it 21:11 < krzie> maybe you tell both 21:12 < troy-> you are crazy 21:12 < krzie> play with it and lemme know which it is 21:12 < krzie> no no, i am krzee 21:12 < krzie> ;] 21:13 < acidchild> Sun Nov 30 22:14:03 2008 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes. 21:13 < acidchild> i guess i'll know in 3 to 4 minutes 21:13 < acidchild> :p 21:13 < krzie> and you only had to use it on server? 21:13 < acidchild> i did it on a client. 21:13 < krzie> not server? 21:14 < acidchild> i don't wana take the server down 21:14 < krzie> no thats good for me to know 21:14 < krzie> thank you 21:14 < krzie> !forget mtu 2 21:14 < vpnHelper> krzie: Joo got it. 21:14 < krzie> !learn mtu as you can just use --mtu-test on the client as well 21:14 < vpnHelper> krzie: Joo got it. 21:14 < krzie> =] 21:15 < acidchild> i'm not sure... 21:15 < acidchild> where the results come from? :/ 21:15 < acidchild> :p 21:15 < krzie> where they come from? 
21:15 < krzie> they come from testing 21:15 < krzie> as explained in the manpage under --mtu-test 21:15 < acidchild> i'm running it in forground, so i'm hoping stout =p 21:15 < krzie> !man 21:15 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 21:16 < krzie> oh where they end up 21:16 < krzie> ya if in foreground likely to be stout 21:16 < acidchild> Sun Nov 30 22:17:08 2008 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541] 21:16 < acidchild> its correct :-( 21:17 < krzie> interesting 21:18 < acidchild> indeed. 21:26 -!- mgs` [n=mgs@mail.polyvalent.org] has joined ##openvpn 21:26 < mgs`> argh! 21:26 < mgs`> iptables is fixed 21:26 < mgs`> but now a slew of new issues 21:27 < mgs`> the vpn is not seeing me as a trusted user on the network 21:27 < mgs`> instead all my services are saying unknown user 21:27 < mgs`> !linnat unknown user 21:27 < vpnHelper> mgs`: Error: "linnat" is not a valid command. 21:27 < mgs`> :( 21:27 < mgs`> so i get permission denied from nfs 21:28 < mgs`> unknown user from mail servers 21:28 < ecrist> mgs`: that's not an OpenVPN problem... 21:30 -!- K_luffy [n=V3N@77.31.242.152] has quit [Read error: 110 (Connection timed out)] 21:33 < krzie> ya now packets are coming from vpn ip 21:33 < krzie> those services need to know bout that 21:33 < krzie> as eric said, totally not openvpn related 21:34 < mgs`> but how can i deciper when traffic is allowed 21:34 < mgs`> everything works 21:34 < mgs`> when connected over vpn 21:34 < mgs`> nothing works 21:34 < mgs`> it's STILL not an openvpn issue!? 
21:34 < ecrist> yes 21:34 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 21:34 < mgs`> the iptables stuff I could understand is not but this not a routing issue 21:35 < mgs`> i'm hitting the ports and getting denied 21:35 < mgs`> because of the user 21:35 < ecrist> sounds like a firewall issue 21:35 < ecrist> by design, ports don't care what 'user' is hitting them. 21:35 < mgs`> no it doesn't if it was firewall I wouldn't hit the ort 21:35 < ecrist> different layers in the OSI 21:35 < mgs`> the port is not the issue! 21:35 < mgs`> nfs is rejecting the user 21:35 < ecrist> then use a valid user. ;) 21:35 < mgs`> nfs is saying: you are not trusted 21:37 < ecrist> mgs`: you need to allow the OpenVPN subnet within your NFS exports file 21:37 < ecrist> *not* openvpn problem. 21:37 < ecrist> try man exports 21:37 < mgs`> well, it's something you would never have to do without openvpn so to me IT IS an openvpn problem. 21:38 < ecrist> your opinion is irrelevant 21:38 < ecrist> man exports 21:38 < ecrist> are you using tun or tap? 21:39 < mgs`> tun 21:39 < mgs`> the traffic is flowing through tun 21:39 < mgs`> i can look at kern.log 21:39 < ecrist> I'm aware of that 21:39 < mgs`> everything is mooth 21:39 < mgs`> imap and nfs were the problems, i'm reading man exports 21:39 < ecrist> I'm trying to pound the concept into your head. what is the IP network for your LAN? 21:39 < mgs`> (imap and nfs were all i tried) 21:39 < mgs`> 10.8.0.1 is the server 21:40 < mgs`> which is what I use as my mailserver 21:40 < mgs`> NOT the external hostname 21:40 < ecrist> ok, a couple things will need to happen for that, but that's outside this scope 21:40 < mgs`> mail.log shows me requesting my mail 21:40 < ecrist> what's your LAN subnet? 
21:40 < mgs`> and the request comes from a strange user 21:40 < mgs`> unknown@myhost 21:41 < mgs`> the server says, no thank you 21:41 < mgs`> lan subnet is 10.8.0.x 21:41 < mgs`> so client is 10.8.0.5 21:41 < ecrist> that's your OpenVPN subnet 21:41 < mgs`> right 21:41 < mgs`> so lan is 127.0.0.1 21:41 < ecrist> what's your lan subnet? what IP is NFS listening on? 21:41 < mgs`> there is no other 21:41 < mgs`> the server is remote vps 21:42 < ecrist> well, it must have another IP. 21:42 < ecrist> otherwise, you couldn't reach it 21:42 < mgs`> so it had 127.0.0.1 and it had it's external ip 21:42 -!- K_luffy [n=V3N@77.31.242.152] has joined ##openvpn 21:42 < mgs`> so nfs was listening on 0.0.0.0 21:42 < ecrist> show me your ns exports file? 21:42 < mgs`> ok, brb with pastebin 21:45 < mgs`> http://rafb.net/p/m6be4e22.html 21:45 < vpnHelper> Title: Nopaste - Pasted with DashPaste (at rafb.net) 21:45 < mgs`> getting the map for you 21:47 < mgs`> oh shit, my client exports is funky, something created this. 21:50 < mgs`> http://rafb.net/p/NQSAPY68.html 21:50 < vpnHelper> Title: Nopaste - No description (at rafb.net) 21:51 < ecrist> and, after creating that map, did you restart NFS? 21:52 < ecrist> nm, this isn't an openvpn problem, and I'm not really up to troubleshooting NFS tonight 21:52 < mgs`> those were all in place 21:52 < mgs`> i didn't create any of it tonight 21:52 < mgs`> this all worked prior to openvpn 21:53 < mgs`> nothing has been altered 21:53 < ecrist> well, I'm not up to helping you with your NFS 21:53 < mgs`> if I disconnect and default allow traffic, it works. 21:53 < ecrist> openvpn, itself, is not your direct problem. 
21:53 < mgs`> that's fine, then stfu 21:53 < mgs`> be useful or dont speak 21:53 -!- mode/##openvpn [+o ecrist] by ChanServ 21:54 < mgs`> :\ 21:54 < mgs`> don't abuse it 21:54 < mgs`> you're being hostile for no reason 21:54 -!- mode/##openvpn [+b mgs`*!*@*] by ecrist 21:54 -!- mode/##openvpn [-o ecrist] by ecrist 21:55 < ecrist> it's not polite to insult and swear at those trying to help you. 22:01 * ecrist wonders how he was being hostile 22:12 < krzie> that's fine, then stfu 22:12 < krzie> lol 22:12 < krzie> someone doesnt know how to act when people are helping him 22:12 < krzie> (for free) 22:16 < tjz> lol 22:16 < ecrist> yeah 22:16 < ecrist> but, I was apparently the hostile one 22:18 < ecrist> now I'm getting PMs 22:18 < ecrist> :\ 22:18 < ecrist> hey krzie, where do you host your DNS? 22:19 < tjz> hahahaz 22:20 < krzie> i run my own dns servers 22:20 < krzie> ya im getting pms to 22:20 < krzie> but i dont care to respond 22:20 < krzie> im on my way out 22:21 < krzie> and if you need a secondary NS, ild be happy to 22:21 < krzie> bbl 22:28 < tjz> can i ask something not related to openvpn here? 22:31 < ecrist> sure, we try to keep it on-topic, but you're not being obtuse. 22:34 < tjz> let me make one last try 22:34 < tjz> see whether i can fix the problem 22:37 < tjz> ok 22:37 < tjz> i fix it 22:37 < tjz> :P 22:41 < ecrist> great! 22:56 -!- mRCUTEO [n=david@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 22:57 -!- mRCUTEO [n=david@r0x.dave.ksh2008-sarawak.com] has quit [Client Quit] 23:02 -!- mRCUTEO [n=david@64.235.47.77] has joined ##openvpn 23:02 < mRCUTEO> hi tjz 23:02 < mRCUTEO> u there? 
23:02 < mRCUTEO> anybody 23:04 < tjz> ya 23:04 < tjz> i am going off for lunch 23:04 < tjz> :) 23:04 < tjz> brb 23:04 < mRCUTEO> tjz 23:04 < mRCUTEO> can u do me a favour 23:04 < mRCUTEO> whois me and tell my IP 23:04 < mRCUTEO> :) 23:05 < ecrist> 23:05 -!- mRCUTEO [n=david@64.235.47.77 23:06 < ecrist> you can get the same at http://www.secure-computing.net/ip.php 23:06 < mRCUTEO> thanks ecrist 23:06 < mRCUTEO> actually i tested the openvpn 23:06 < mRCUTEO> i multi connect thje openvpn 23:06 < ecrist> ah 23:06 < mRCUTEO> and from the IPs i try to make it to irc vhost 23:06 < mRCUTEO> so i get many vhosts from different provider in my local PC bhy connecting to different openvpn simultanously 23:07 < mRCUTEO> :) 23:07 < mRCUTEO> and with port forwarding i can have different IP from anywhere in the world to become my local IP 23:07 < mRCUTEO> openvpn is awesome@ 23:07 < mRCUTEO> superb 23:08 * mRCUTEO if only there is a way to do load balancing between the openvpn client which conneted simultanously :D 23:08 * mRCUTEO maybe not thats my only stupid idea :P 23:09 < mRCUTEO> hold on i change my vhost and connecting to my 3rd openvpnclient which connects simultanously 23:09 -!- mRCUTEO [n=david@64.235.47.77] has quit ["changing servers"] 23:10 -!- mRCUTEO [n=david@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 23:10 < mRCUTEO> it works 23:10 < mRCUTEO> :D 23:10 < mRCUTEO> :D 23:11 < mRCUTEO> with openvpn i can have different IP to act as my local PC IP from different data centre in the world 23:11 < mRCUTEO> Yah00! 23:11 < mRCUTEO> :D 23:12 < mRCUTEO> ecrist: which traffic it will follow if 2 openvpn clients get connected simultanously? the first or second? 23:12 < ecrist> if they are identical configs, the last one to connect 23:13 < mRCUTEO> ic 23:13 < mRCUTEO> is there a way to make it to do load balancing among the clients? 23:13 < ecrist> not within OpenVPN itself. 
23:13 < ecrist> that kind of thing can get complicated 23:14 < mRCUTEO> ic 23:14 * mRCUTEO brb 23:14 -!- mRCUTEO [n=david@r0x.dave.ksh2008-sarawak.com] has quit [Read error: 54 (Connection reset by peer)] 23:17 -!- K_luffy [n=V3N@77.31.242.152] has quit [Read error: 110 (Connection timed out)] 23:20 -!- mRCUTEO [n=david@64.235.47.77] has joined ##openvpn 23:20 < mRCUTEO> :D 23:21 < mRCUTEO> wierd if i get connected concurrently with 3-4 clients my speed increase tremondously :D 23:23 < tjz> back 23:24 < tjz> id@64.235.47.77 23:24 < mRCUTEO> tx 23:25 < mRCUTEO> i connected with multiple openvpn client and i can use the different ip as my local PC vhost :) 23:25 < mRCUTEO> and somehow my speed is increasing tremondously, do you experience this before tjz? 23:26 < mRCUTEO> previously it was just 20 KB/s download speed .. now 200 KB/s 23:26 < mRCUTEO> .. 23:27 < tjz> i haven't try your setup before.. 23:27 < tjz> hehe 23:27 < tjz> hmm 23:27 < mRCUTEO> :) oh 23:27 < mRCUTEO> yeah really this is weird 23:27 < tjz> are you sure it shoot to 200kb/s? 23:27 < tjz> constantly? 23:27 < mRCUTEO> yes 23:27 < tjz> hmm.. 23:27 < mRCUTEO> yes no kiddin 23:28 < mRCUTEO> and when disconnect all my clients the speed comes back to 20 KB/s 23:28 < ecrist> night folks 23:28 < mRCUTEO> night ecrist 23:28 < tjz> nite ecrist 23:28 < ecrist> krzie: you're welcome to unban sparky if he's gonna behave. I'm going to bed. 23:28 < mRCUTEO> dont u think this is weird.. 23:29 < tjz> ok..can you try use only 1 client 23:29 < tjz> maybe 1 client is enough to get you to 200 kb/s 23:29 < mRCUTEO> yes but the speed wont increase to 200 23:29 < mRCUTEO> nope its the same 20 KB/s 23:29 < mRCUTEO> with 2 clients and some port forwarding rules it change the whole speed :) 23:29 < mRCUTEO> weird.. 
23:30 < mRCUTEO> somehow i can even get up to 300 KB/s 23:31 < mRCUTEO> i dont know maybe stramyx put a firewall to throttle all bandwdith speed, but with openvpn it bypass the throttling i guess 23:31 < tjz> omg 23:31 < mRCUTEO> :D 23:31 < tjz> so strange 23:32 < tjz> i thought with just 1 client, you have already bypass streamyx 23:32 < mRCUTEO> yeah i was able to dload my fav videos at full speed now :D 23:32 < mRCUTEO> i dunno this just too strange i guess 23:32 < mRCUTEO> the download speed stays at 250KB/s - 300 KB/s 23:32 < mRCUTEO> around 4 mbps 23:33 < mRCUTEO> i subscribes for 1 mbps and i get 4 mbps quite okay :) 23:35 < tjz> did you run 3-4 open-gui on your windows pc? 23:35 -!- mRCUTEO [n=david@64.235.47.77] has quit [Nick collision from services.] 23:36 < tjz> .. 23:36 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 23:36 < mRCUTEO> omg 23:36 < mRCUTEO> i got dc 23:36 < mRCUTEO> isp kills my port no more connection to the openvpn default port 23:36 < mRCUTEO> argh.. 23:36 < tjz> no more 1994? 23:36 < tjz> 1194 23:36 < tjz> i mean 23:37 < mRCUTEO> yes 23:37 < mRCUTEO> it was blocked 23:37 < mRCUTEO> i was able to download at full speed few minutes ago but now its back to the old 20 KB/s :( 23:37 < mRCUTEO> ;-( i ahve to cry without tears 23:37 < mRCUTEO> warghhhhhhhh 23:38 < tjz> look like they did monitor 23:38 < tjz> :) 23:38 < mRCUTEO> yes :( 23:38 < mRCUTEO> they kill me :( 23:39 < mRCUTEO> i cant even connect openvpn now 23:39 < mRCUTEO> very wierd :( 23:39 < mRCUTEO> connection refused.. 23:41 < tjz> if your openvpn server accepting other port? 23:42 < tjz> you need to update the port on the openvpn server.. 23:42 < mRCUTEO> im using port 80 now 23:42 < tjz> use another port for openvpn :) 23:42 < tjz> oh 23:42 < mRCUTEO> im alive again 23:42 < mRCUTEO> :) 23:42 < tjz> lol 23:42 < mRCUTEO> let me test my speed 23:43 < tjz> did you get several xen vps? 
23:43 < mRCUTEO> i use vbox 23:43 < mRCUTEO> and inside vbox i create xen 23:43 < mRCUTEO> and inside xen i created openvz 23:43 < mRCUTEO> there are some layers of networking there :) 23:45 < mRCUTEO> oh my goodness gracious heavenly sake.... 23:45 < mRCUTEO> its back to 20 KB/s even with openvpn 23:45 < mRCUTEO> NOoooooooooooooooOO 23:45 < tjz> hmm 23:45 < tjz> wah 23:45 < tjz> what is vbox? 23:46 < mRCUTEO> www.virtualbox.org 23:46 < mRCUTEO> hypervisor 1 23:46 < mRCUTEO> :) 23:46 < mRCUTEO> just like vmware 23:46 < tjz> oh 23:46 < mRCUTEO> man its 20 KB/s again :) looks like i have to live with it .. 23:46 < tjz> it is an OS? 23:46 < mRCUTEO> :( 23:46 < mRCUTEO> a virtual machine 23:46 < tjz> ok 23:47 < mRCUTEO> it just looks like a full dedicated server 23:47 < tjz> oh 23:47 < mRCUTEO> you cant tell which one is vbox and which one is a real server :) 23:47 < tjz> oh 23:47 < mRCUTEO> but xen is hypervisor 2 i guess 23:47 < tjz> basically, you got yourself a server.. and duplicate a few clients.. 23:47 < mRCUTEO> since it has to modify the kernel 23:48 < mRCUTEO> yes 23:48 < tjz> oh 23:48 < mRCUTEO> and different locations 23:48 < mRCUTEO> one in brasil 23:48 < mRCUTEO> one in finland 23:48 < mRCUTEO> one in netherland and one in USA 23:48 < tjz> hmm.. 23:48 < mRCUTEO> then i set all my 16 openvpn to connect simultaneously 23:48 < tjz> with just 1 dedicated server? 23:48 < mRCUTEO> yes 23:48 < mRCUTEO> oh no different servers 23:49 < mRCUTEO> different openvpn clients and servers too 23:49 < tjz> oh 23:49 < mRCUTEO> its like a mesh network.. 23:49 < tjz> you have 4 dedicated servers.. 23:49 < mRCUTEO> somehow i managed to bypass the streamyx firewall 23:49 < mRCUTEO> yes 23:49 < mRCUTEO> but now its back to 20 KB/s 23:49 < mRCUTEO> :) 23:49 < tjz> lol 23:49 < mRCUTEO> i can cry without tears now :-\ 23:50 < mRCUTEO> whats the highest speed u can get tjz when you download videos from the USA? 
23:50 < tjz> hmm 23:51 < tjz> 150kb/s 23:51 < tjz> hmm 23:51 < tjz> i think so 23:51 < tjz> 100kb+/s 23:51 < mRCUTEO> thats quite good 23:51 < tjz> 3mbps :) 23:51 < tjz> i should be getting 300kbs/s , i think 23:51 < mRCUTEO> yerp :) 23:51 < tjz> kb/s 23:51 < mRCUTEO> yeah u should get around 300 kb/s 23:52 < mRCUTEO> can u really burst up to that? 23:52 < mRCUTEO> ever reach that? 23:52 < tjz> let me recall.. 23:52 < mRCUTEO> okie :) 23:52 < tjz> hmm.. 23:53 < tjz> don't think i have hit that 23:53 < mRCUTEO> oh.. 23:53 < mRCUTEO> mine is like the CHIPSMORE BISCUITS.. now you see now you dont :) 23:53 < tjz> hahahz 23:53 < mRCUTEO> and if im lucky it stays at 20 KB/s otherwise its chipsmore time -- 56 kbps dial-up with adsl :D 23:54 < tjz> 56k..omg 23:54 < tjz> did you get that kind of speed at night? 23:54 < mRCUTEO> yeah really no kiddin u 23:54 < mRCUTEO> especially peak hours 23:54 < mRCUTEO> 2 pm - 7 pm 23:54 < tjz> omg.. 23:54 < mRCUTEO> now packets started to drop a lot 23:54 < tjz> i can't believe the problem is so serious 23:55 < mRCUTEO> dloading at 11 KB/s.. now.. 23:55 < mRCUTEO> yeah deadly serious 23:55 < mRCUTEO> i think vietnam internet is better than malaysia 23:56 < tjz> i never tried vietnam isp b4 23:56 < tjz> did you? 23:56 < mRCUTEO> yes 23:56 < mRCUTEO> been to vietnam once 23:56 < mRCUTEO> their speed is T1 23:56 < mRCUTEO> 1.5 mbps 23:57 < mRCUTEO> but their adsl can easily reach a minimum of 100-200 KB/s at peak hours 23:57 < mRCUTEO> maybe they dont have many citizens playing internet there.. 23:58 < tjz> ya 23:58 < tjz> that is what i think too 23:58 < mRCUTEO> but malaysian 20 KB/s how far can i go :( 23:58 < tjz> not a fully developed country yet 23:58 < tjz> lol 23:59 < mRCUTEO> there is a saying in Malaysia "Streamyx is just like Chipsmore Biscuit - Now You See Now You Dont" :_) 23:59 < mRCUTEO> but what can we do they monopolise the adsl business no other providers here :( 23:59 < mRCUTEO> how many providers do you have there in singapore tjz? 
--- Day changed Mon Dec 01 2008 00:00 < tjz> we have starhub who is using cable 00:00 < tjz> singtel using adsl 00:00 < mRCUTEO> ic 00:00 < tjz> pacific net (i think they lease cable & adsl from starhub & singtel) 00:00 < tjz> your situation is like our starhub users 00:00 < mRCUTEO> ic 00:00 < tjz> :) 00:00 < mRCUTEO> really? 00:01 < tjz> at night, they are getting crappy speed 00:01 < mRCUTEO> what happened to starhub? 00:01 < mRCUTEO> ic 00:01 < mRCUTEO> lol.. 00:01 < tjz> basically, you are sharing the bandwidth 00:01 < mRCUTEO> you know what they said: Now you see now you dont 00:01 < tjz> yes 00:01 < mRCUTEO> :) 00:01 < tjz> they advertise you can get so much speed 00:01 < tjz> but in actual fact, you don't 00:01 < mRCUTEO> yeah.. 00:01 < mRCUTEO> their business strategies are all fake :( 00:02 < mRCUTEO> but its different in developed countries like europe and USA.. 00:02 < mRCUTEO> they really give you what they promise 00:03 < mRCUTEO> i stay in dallas during school holidays, use some of their local isp... speed is awesome there :) 00:05 < tjz> ya 00:05 < tjz> with the same price we pay here... 00:05 < mRCUTEO> even cheaper 00:05 < mRCUTEO> :) 00:05 < tjz> we can get a lot more speed 00:06 < mRCUTEO> yeah.. 00:06 < tjz> i think they got a 100mbps plan 00:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:06 < tjz> at our price 00:06 < tjz> lolz 00:06 < mRCUTEO> :D 00:06 < mRCUTEO> i wish someday i can migrate to USA 00:06 < mRCUTEO> get a green card and social ID hopefully :P 00:08 < tjz> serious? 
00:08 < tjz> hehe 00:08 < mRCUTEO> yeah :) 00:08 < tjz> 4 seasons over there 00:08 < mRCUTEO> damn serious 00:08 < mRCUTEO> :P 00:08 < mRCUTEO> yerp 00:08 < mRCUTEO> i can surf during summer, sleep during spring, eat during autumn and go ice sliding during winter 00:08 < mRCUTEO> haha 00:09 < tjz> lol 00:09 < mRCUTEO> and i can say goodbye to my chipsmore internet :) 00:09 < tjz> really nice 00:09 < tjz> lol 00:10 < mRCUTEO> but for now the reality is 20 KB/s :) 00:11 < tjz> really slow 00:12 < tjz> any file to test speed? 00:12 < tjz> this holiday season, i may see a drop in my download speed 00:12 < mRCUTEO> oh 00:12 < mRCUTEO> i thought they gave u dedicated? 00:14 < mRCUTEO> my dream: to have a 100 mbps adsl connection, to have unlimited IP addresses and a 1000 GB/s dedicated server :D 00:14 < acidchild> mRCUTEO: thats your 'dream' ? 00:14 < acidchild> lol 00:14 < acidchild> ;x 00:14 < tjz> just tested 00:15 < tjz> currently.. 202kb/s 00:15 < tjz> hehe 00:15 * mRCUTEO envies tjz :( 00:15 < tjz> completed 00:15 < tjz> 13mb file 00:16 < mRCUTEO> yes acidchild 00:16 < tjz> it is dedicated.. 00:16 < tjz> :P 00:17 < mRCUTEO> :P 00:18 < mRCUTEO> good for you my friend 00:18 < mRCUTEO> i wish i could have at least 1 mbps dedicated :( 00:18 < mRCUTEO> i can only have 20 KB/s :( 00:19 < tjz> i think i got 50kb/s when i downgraded to 1mbps back then 00:19 < mRCUTEO> oh.. 00:20 < tjz> ^_^ 00:20 < tjz> but 00:20 < tjz> i like to see some 100kb/s at least for download 00:20 < tjz> i switched back to 3mbps 00:20 < tjz> :P 00:20 < mRCUTEO> :) 00:20 < mRCUTEO> yeah me too 00:20 < mRCUTEO> yeah yeah give me 100 kb/s 00:20 < mRCUTEO> :DP 00:20 < mRCUTEO> :DP 00:20 < mRCUTEO> D:PD 00:21 < mRCUTEO> 2034f03if3 00:21 < mRCUTEO> ---------> 20 KB :~-( 00:21 < tjz> what if you upgrade to 3mbps.. 00:22 < mRCUTEO> its USD40 for 4 mbps here 00:22 < tjz> -_-" 00:22 < mRCUTEO> maybe you're right.. 
but what if you're wrong :D :D :D 00:22 < tjz> and they don't guarantee 4mbps 00:22 < mRCUTEO> yes 00:22 < mRCUTEO> shared 00:23 < mRCUTEO> im sure i can get worse than my 1 mbps :( 00:23 < mRCUTEO> argh and its a whole damn year contract lol.. 00:23 < mRCUTEO> * 1 year 00:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 00:24 < tjz> nowadays, ISPs are binding us to 24 month contracts 00:24 < mRCUTEO> oh .. 00:24 < mRCUTEO> its painful to pay USD40 a month for some unstable internet connection :( 00:24 < mRCUTEO> its USD25.00 for my stupid 1 mbps :( 00:25 < jeev> my cable modem at home does 24mbit sometimes 00:25 < jeev> of course, it's stolen haha 00:26 < mRCUTEO> :D :D :D 24mbit 00:28 < tjz> 24mb.. 00:28 < tjz> -_-" 00:28 < tjz> why is it stolen? 00:31 * tjz pokes jeev 00:31 < mRCUTEO> tjz guess you're right maybe i should upgrade to 4 mbps 00:31 < mRCUTEO> i heard lots of good reviews about streamyx 4 mbps 00:33 < tjz> hmm... 00:34 < tjz> not sure how it will turn out during peak hours 00:34 < tjz> :) 00:34 < mRCUTEO> yeah gotta check lowyat forum then 00:34 < mRCUTEO> seen anyone has experience with 4 mbps :) 00:34 < tjz> lol 00:35 < mRCUTEO> some good some bad 00:35 < mRCUTEO> i dunno 00:35 < mRCUTEO> its just like the chipsmore saying 00:35 < mRCUTEO> again and again playing in my mind 00:35 < mRCUTEO> lol.. 00:36 < tjz> haha 00:37 < tjz> btw 00:37 < tjz> are you working or still studying? 00:37 * tjz super pokes jeev 00:37 < mRCUTEO> working and studying for my masters degree.. 00:38 < tjz> cool 00:38 < mRCUTEO> but with 20 KB/s its dead uncool :( 00:39 < mRCUTEO> phew~!~ its 2.48 KB/s download speed 00:39 < mRCUTEO> very nice :) 00:39 < tjz> LOL!! 00:39 < mRCUTEO> yeah this is very very nice :) 00:39 < mRCUTEO> chipsmore ~~!!!!!!!!!!!!! 00:39 < tjz> hahaha 00:40 < tjz> ridiculous speed 00:40 < mRCUTEO> maybe it was raining heavily here.. 00:40 < mRCUTEO> does it affect your connection when its raining at your place tjz? 
00:41 < tjz> nope 00:41 < tjz> quite stable 00:41 < tjz> ^_^ 00:41 < mRCUTEO> oh, here, when its raining, the connection is dead .. 00:41 < mRCUTEO> im transferring a 3 GB video at 2.45 KB/s nice isnt it :) 00:42 < mRCUTEO> i can see 30 hours ETA here 00:42 < mRCUTEO> :) 00:42 < mRCUTEO> the turtle walks faster than my connection :( 00:42 < mRCUTEO> www.streamyxsucks.com 00:43 < tjz> haha 00:43 < tjz> omg..even a site for streamyx 00:43 < tjz> lol 00:43 < mRCUTEO> yes :D 00:44 < mRCUTEO> very nice reviews there 00:44 < mRCUTEO> :) 00:44 < tjz> http://www.streamyxsucks.com/banners/streamyx-turtle.jpg 00:44 < tjz> check that 00:44 < tjz> LOL 00:44 < mRCUTEO> :) 00:44 < mRCUTEO> hahaha 00:45 < tjz> hilarious banners 00:45 < mRCUTEO> :) 00:45 < mRCUTEO> nice turtle 00:45 < mRCUTEO> u see the turtle walks faster than streamyx 00:45 < mRCUTEO> :) 00:45 < tjz> haha 00:46 < tjz> just bear with it 00:46 < tjz> after all, they are the only broadband provider 00:46 < tjz> :( 00:46 < tjz> maybe invite the prime minister to your home.. 00:46 < tjz> one day 00:46 < tjz> ask him to surf the net 00:46 < tjz> :) 00:48 < mRCUTEO> yeah, have to migrate to singapore 00:48 < mRCUTEO> lol 00:48 < mRCUTEO> lol 00:48 < mRCUTEO> hahahah 00:48 < mRCUTEO> our prime minister doesnt even know how to use a mouse 00:48 < mRCUTEO> a MOUSE! 00:48 < mRCUTEO> wahahahaha 00:48 < tjz> hahaz 00:51 < mRCUTEO> okay gtg tjz 00:51 < mRCUTEO> see ya 00:51 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has quit [] 01:37 -!- Haris1 [n=Haris@unaffiliated/haris] has joined ##openvpn 01:38 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 01:38 < Haris1> Hello people 01:38 < Haris1> damned 01:39 < tjz> i am alive.. 01:40 < Haris1> Can openvpn do 55 simultaneous vpn connections through a box? 
01:44 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 01:48 < kala> Haris1: depends on the hardware 01:51 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 60 (Operation timed out)] 01:52 < Haris1> kala: What kind of hardware would I be looking at? 01:52 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 01:56 < Haris1> Any ideas, experiences? 01:58 < kala> what kind of throughput are you looking for? 01:58 < kala> I suppose that you can test your hardware with openssl test 01:59 < Haris1> kala: 10 Mbps max at this point 01:59 < kala> per client? 01:59 < Haris1> kala: nope, total 02:00 < kala> oh. I think any modern box would handle that 02:00 < Haris1> total 55 simultaneous in/out vpn connections 02:09 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 02:24 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 02:30 < kraut> moin 02:33 < Haris1> kala: Can a PIII 800 MHz with 1 GB RAM, SCSI hard drive, that can do 24 MB/s do it? 02:33 < Haris1> I have some 2.4 and 3.0 GHz P-IV with IDE hard drives 02:34 < tjz> Haris1: will all your 51 vpn have their own unique IP ? 02:34 < tjz> i mean you are setting up 51 vpn instances? 
02:35 < Haris1> yep 02:35 < Haris1> each vpn client will have their own IP 02:35 < Haris1> groups of vpn connections need to go to a specific VLAN 02:36 < Haris1> for example, team one meets client 1, team 2 meets client 2, and so on 02:36 < Haris1> meets = conducts meetings, collaborates 02:37 < krzee> !policy 02:37 < vpnHelper> krzee: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 02:37 -!- mvazquez [n=mvazquez@193.144.34.245] has joined ##openvpn 02:37 < krzee> you'll need this: 02:37 < krzee> !sample 02:37 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 02:37 < krzee> !route 02:37 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 02:37 < krzee> !policy 02:37 < vpnHelper> krzee: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 02:37 < krzee> 2 options for separating teams 02:37 < krzee> 1) firewall rules as shown in !policy 02:37 < krzee> 2) diff server instance for each team 02:38 -!- mvazquez [n=mvazquez@193.144.34.245] has left ##openvpn [] 02:38 < Haris1> so for example, I've setup openvpn and the clients can reached my linux box, can the traffic move inside LAN on different VLANs? 02:38 < krzee> could just use a diff port 02:38 < krzee> well 02:38 < Haris1> clients can reached = clients have reached 02:38 < krzee> you're talking about real vlans or ones you're imaging making up inside openvpn? 
02:38 < krzee> imagining 02:39 < Haris1> real VLANs 02:39 < Haris1> implemented via manageable switches 02:39 < krzee> can the linux box even see the other vlans? 02:39 < Haris1> That's my question, can a linux box see and use them? 02:39 < krzee> is the linux box their router? 02:40 < krzee> ok im confused here 02:40 < krzee> the vlans are on the same network as the server 02:40 < krzee> which is running linux 02:40 < krzee> right? 02:40 < Haris1> yes 02:40 < krzee> can that server see the vlans without openvpn? 02:40 < Haris1> That, I need to find out 02:41 < krzee> heh 02:41 < krzee> well unless its their router... 02:41 < krzee> and if the vlans are configured correctly 02:41 < Haris1> I've seen vlan interfaces on fbsd 02:41 < krzee> (which i doubt they are if you admin them and dont even know if the box can see them) 02:41 < Haris1> but am not sure about linux 02:42 < krzee> k im out 02:42 < krzee> gnite gluck 02:42 < Haris1> thanks 02:42 < tjz> hmm 02:42 < tjz> how to assign a unique IP to each vpn instance.. 02:43 < Haris1> via quagga/zebra? or static assignments? 02:46 < Haris1> yes, linux and fbsd both can have vlan interfaces 02:46 < Haris1> I can assign them separate subnets also, if needed 02:48 < tjz> it is a plain centos 5 box 02:48 < tjz> let's say i got 10 ip for the box 02:48 < tjz> :) 02:49 < tjz> haris1, how did you assign ip? 
02:50 < Haris1> tjz: openvpn assigns private IPs 02:50 < Haris1> tjz: I'll host my centos box on 1 public IP 02:51 < Haris1> and will have 10 different IP subnets for 10 different VLANs 02:51 < Haris1> actually having different subnets is not required, its just so I can keep networking simple for my head 02:51 < Haris1> my head = my head, not my boss 02:51 < tjz> ya 02:51 < tjz> more organised 02:52 < Haris1> each VLAN interface on the linux box will go to a different team 02:52 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"] 02:52 < Haris1> if I can somehow assign IPs based on user or VLAN numbers, its all straightforward 02:59 < tjz> do you have a tutorial on how you do that.. 03:22 < tjz> -_- 03:22 * tjz pokes haris1 03:26 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Read error: 60 (Operation timed out)] 03:26 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 03:46 < Haris1> tjz: Not yet 03:53 < tjz> ok 04:20 -!- AukeF [n=auke@dhcp-121.wind.surfnet.nl] has quit ["Leaving"] 04:20 -!- AukeF [n=auke@dhcp-121.wind.surfnet.nl] has joined ##openvpn 04:26 -!- mRCUTEO [n=info@124.82.98.71] has joined ##openvpn 04:32 -!- mRCUTEO [n=info@124.82.98.71] has quit [] 05:40 -!- mRCUTEO [n=info@115.132.122.211] has joined ##openvpn 05:51 -!- mRCUTEO [n=info@115.132.122.211] has quit [Read error: 104 (Connection reset by peer)] 06:40 -!- mRCUTEO [i=IRCLUNAT@64.235.47.232] has joined ##openvpn 06:40 < mRCUTEO> hiya all 06:41 < mRCUTEO> :D 06:47 -!- mRCUTEO [i=IRCLUNAT@64.235.47.232] has quit [] 06:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:53 -!- mRCUTEO [i=IRCLUNAT@64.235.47.232] has joined ##openvpn 06:55 < tjz> wb 06:56 < tjz> :) 06:56 < mRCUTEO> :) hiya tjz 06:57 < tjz> ^_^ 06:57 < mRCUTEO> here i go again 20 KB/s ready to dload a 3 GB movie :D 07:00 -!- mRCUTEO [i=IRCLUNAT@64.235.47.232] has quit [] 07:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:42 < ecrist> morning. 
07:50 -!- Haris1 [n=Haris@unaffiliated/haris] has left ##openvpn ["Time to jet!"] 08:11 < cpm> morning 08:43 < tjz> morning 09:21 -!- gfather1 [n=g@77.241.65.47] has joined ##openvpn 09:21 < gfather1> hello guys 09:21 < gfather1> im trying to set up openvpn between untangle and dd-wrt 09:22 < gfather1> and im confused a little 09:26 < ecrist> ok, what's untangle? 09:26 < gfather1> its a security gateway that uses openvpn as its vpn 09:26 < gfather1> so untangle generates the needed files for vpn 09:27 < ecrist> ok. 09:27 < ecrist> what's your issue? 09:27 < gfather1> so its ok from here because i have the info already 09:27 < gfather1> but when i try to put the certificates in dd-wrt im lost 09:28 < ecrist> have you asked in dd-wrt? I've never used it. 09:28 < ecrist> I'm guessing you need to copy/paste the contents of the files into a web browser 09:28 < gfather1> yes , nobody answers there 09:28 < gfather1> yes thats true 09:28 < gfather1> let me exlain more 09:28 < gfather1> eplain 09:28 < gfather1> ahhh , explain :) 09:29 < gfather1> untangle has generated 3 certificates for me 09:29 < gfather1> hdk-ca.crt 09:29 < gfather1> hdk-hdk3.crt 09:29 < gfather1> hdk-hdk3.key 09:30 < gfather1> in dd-wrt web interface , it asks for 09:30 < gfather1> Public Server Cert 09:30 < gfather1> Public Client Cert 09:31 < gfather1> Private Client Key 09:31 < gfather1> so hdk-hdk3.key = private client key 09:31 < gfather1> right ? 09:31 < gfather1> the other 2 im not sure about 09:33 < gfather1> thats what is confusing me 09:37 < ecrist> ah, easy 09:37 < ecrist> hdk-ca.crt is Public Server Cert 09:37 < ecrist> hdk-hdk3.crt is Public Client Cert 09:41 < gfather1> are you sure ? 09:41 < ecrist> yes 09:41 < gfather1> its the same as i thought :) 09:41 < gfather1> how can i test if im connected ? 
09:42 < ecrist> a CA certificate is a server certificate, not a client certificate 09:42 < gfather1> i should be able to ping any pc there 09:42 < ecrist> well, are you able to connect to the VPN? 09:43 < gfather1> dd-wrt is not showing me any info :( 09:43 < gfather1> thats the problem 09:43 < ecrist> sorry, can't help with dd-wrt 09:43 < gfather1> yes i see 09:44 < gfather1> ill try to insert the untangle client config in the dd-wrt command 09:44 < gfather1> other than using the web client 09:44 -!- K_luffy [n=V3N@77.31.147.117] has joined ##openvpn 10:07 -!- gfather1 [n=g@77.241.65.47] has quit [Read error: 110 (Connection timed out)] 10:16 -!- odiumx [n=odium@66.238.175.150.ptr.us.xo.net] has joined ##openvpn 10:46 -!- lilalinux [i=e-trolle@fellatio.deswahnsinns.de] has joined ##openvpn 10:46 < lilalinux> I have some performance problems using samba via openvpn (tun) 10:47 < lilalinux> The setup is: osx client, tunnelblick/openvpn, openvpn server at bsd firewall, samba on linux server 10:56 < ropetin> lilalinux: Performance in what way? 11:00 < lilalinux> ropetin: I get 1.6MB/s (the wlan limit) via scp and openvpn 11:00 < tjz> -_-" 11:00 < tjz> that is quite good.. 11:00 < lilalinux> And samba via vpn only 22KB/s 11:01 < lilalinux> that is quite lame :-) 11:01 < lilalinux> samba itself is lightning fast 11:01 < ecrist> lilalinux: run a transfer and run 'top' on the freebsd OpenVPN server, see if you're CPU bound. 11:03 < cj> anyone here familiar with installing CSPs on windows? 11:03 < ropetin> Also, I had huge issues running samba across VPN when using TCP, but UDP improved it quite a lot 11:03 < ropetin> (Still sucked though) 11:04 < lilalinux> ecrist: I'll test that, but I'm 99% sure that this can't be the problem, as scp via vpn is really fast 11:05 < ropetin> samba has a lot of overhead though 11:06 < lilalinux> CPU states: 2.5% user, 0.0% nice, 0.2% system, 1.4% interrupt, 95.9% idle 11:07 < ropetin> Are you using UDP or TCP? 
11:07 < lilalinux> hm 11:07 < lilalinux> hm 11:07 < lilalinux> how do I find out? 11:07 < ropetin> It's in the server config file 11:08 < ropetin> And client actually 11:08 < lilalinux> first: what tun-mtu should I use? 11:08 < lilalinux> client is osx 11:08 < ropetin> Check the server config file, it'll be right in there 11:09 < lilalinux> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 11:09 < ropetin> !example 11:09 < vpnHelper> ropetin: Error: "example" is not a valid command. 11:09 < ropetin> It so is! 11:09 < ropetin> !sample 11:09 < vpnHelper> ropetin: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 11:10 < ropetin> The entry in the config file will say 'proto tcp' or 'proto udp' 11:10 < lilalinux> I have no such entry 11:10 < lilalinux> so it must be the default 11:11 < ropetin> ecrist: Is that possible? Is there a default? 11:13 < lilalinux> ropetin: oh 11:13 < lilalinux> you mean vpn config 11:13 < lilalinux> I thought samba config 11:13 < lilalinux> hold on 11:13 < lilalinux> proto is tcp-client 11:16 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 11:16 < ecrist> lilalinux: there's your problem 11:16 < ecrist> !tcp 11:16 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 11:21 < lilalinux> I have to tweak that in client and server i guess? 11:23 < lilalinux> does that hold for tcp-server too? 11:26 < ropetin> tcp-server where? It should be UDP in both configs 11:28 < lilalinux> we use tcp-server at the server and tcp-client at the client 11:28 < lilalinux> so that we can use port 443 tcp 11:28 < ropetin> Ahhh, so that could be one of those requirements where you HAVE to use TCP 11:29 < ropetin> Would your network allow UDP connections? Firewall or whatever? 
11:39 < lilalinux> ropetin: actually, the guy who configured the firewall has spent a lot of time to get it working the way it is 11:40 < lilalinux> He told me, if I want UDP, do it yourself :-) 11:40 < lilalinux> so technically it would be possible, but as the firewall is bsd, I'm a bit lost 11:40 < ropetin> :D If you have the appropriate port open for UDP traffic, incoming and outgoing, it shouldn't be difficult 11:41 < lilalinux> ropetin: but the current setup has to work in parallel 11:41 < ropetin> I think the knowledgeable people in here would say UDP is the key to fixing your issue. I'm just a newbie, so ignore me! 11:42 < ropetin> Hmmm, two server configs? That's possible 11:44 < lilalinux> ropetin: do I simply have to change the proto? 11:44 < lilalinux> nothing else? 11:46 -!- mRCUTEO [n=info@124.13.95.119] has joined ##openvpn 11:54 < lilalinux> I tried a new instance for udp on port 444 11:54 < lilalinux> but it can't connect 12:01 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [] 12:04 < ropetin> lilalinux: how about udp on port 443, seeing as that seems to be open in your firewall? 12:06 < dvl> so... donations for OpenVPN... do they go to a company or to the coders.. an organization? 12:12 -!- mRCUTEO [n=info@124.13.95.119] has quit [Read error: 110 (Connection timed out)] 12:33 < lilalinux> WOOHOO 12:33 < lilalinux> thx a lot 12:34 < lilalinux> udp is "acceptably" fast now 12:34 < lilalinux> not ideal, but acceptable 12:37 -!- gfather [n=g@77.241.65.47] has joined ##openvpn 12:37 < gfather> im back :) 12:38 < gfather> now i can connect from dd-wrt to untangle , and i can log the files 12:38 < gfather> im having some minor errors :) 12:38 < gfather> i hope you can help me guys 12:39 < ecrist> dvl: the company, I believe. 
12:39 < ecrist> ping krzie 12:39 < gfather> http://pastebin.com/d7f9256c3 12:40 < gfather> please check the log file 12:40 -!- ikevin_ [n=kevin@ANancy-256-1-118-159.w90-33.abo.wanadoo.fr] has joined ##openvpn 12:40 -!- ikevin_ [n=kevin@ANancy-256-1-118-159.w90-33.abo.wanadoo.fr] has quit [Read error: 131 (Connection reset by peer)] 12:41 < ecrist> Dougy[RV|Away]: ping, too 12:42 -!- tessier_ [n=treed@kernel-panic/sex-machines] has joined ##openvpn 12:42 < tessier_> Hello all 12:43 < gfather> hello 12:43 < tessier_> Anyone know how to list the currently available credentials? I need to see who is allowed to login to this thing. I inherited this openvpn server and have been asked to audit who has access. 12:46 -!- zuran_ [i=zuran@wanktard.com] has joined ##openvpn 12:47 < zuran_> I'm trying to setup a bridged openvpn 12:48 < zuran_> which interface should I bridge br0 with, the public ip interface or the internal lan interface 12:48 < zuran_> my users will connect from the outside 12:48 < reiffert> Moin 12:50 < ecrist> !search factoids * 12:50 < vpnHelper> ecrist: (search ) -- Searches for in the current configuration variables. 12:50 < ecrist> !search * 12:50 < vpnHelper> ecrist: There were no matching configuration variables. 12:50 < dvl> reiffert: you were around when I was trying to set up my VPN.... FYI, written it up, latest three articles here: http://www.freebsddiary.org/ Thanks for your help. 12:50 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org) 12:51 < ecrist> dvl: did you see !freebsd? 12:51 < ecrist> there is an ssl management script I wrote, had committed to ports 12:52 < ecrist> discussed on that page 12:52 < ecrist> easy-rsa sucks 12:52 < reiffert> dvl: you are welcome, anything worth reading up on the page? 12:53 < reiffert> dvl: send all the guys to the irc channel? ;) 12:54 < reiffert> dvl: I totally miss a link to the official openvpn HOWTO. 
12:54 < ecrist> reiffert: I've gotten in touch with the owner/admin for openvpn.net 12:54 < ecrist> he's going to point people here, to the wiki, and to the forum 12:54 < reiffert> ecrist: so he can remove his openvpn HOWTO finally? 12:54 < ecrist> lol 12:55 < ecrist> don't know *how* he'll use our support channels, but he's open to them. 12:55 < reiffert> did you invite him to take part in the excellent front war? 12:55 < dvl> reiffert: of course there's stuff worth reading... best case, you'll find errors in what I did. ;) 12:55 < ecrist> he wants me to enable things so he can mirror the content, in case I/we get bored and just quit 12:55 < reiffert> dvl: all right, here's error no 1: openvpn howto link is missing. 12:56 < dvl> reiffert: front wat? what's that? 12:56 < dvl> "For another view on installing OpenVPN on FreeBSD, see FreeBSD OpenVPN Server HowTo." <-== that ? 12:56 < dvl> http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 12:56 < vpnHelper> Title: FreeBSD OpenVPN Server HowTo - Secure Computing Wiki (at www.secure-computing.net) 12:56 < reiffert> dvl: front war .. thats fighting the people on #openvpn ... e.g. "You dont want openvpn, use windows vpn instead (for the hard cases)" 12:57 < reiffert> dvl: no, the official openvpn howto from the openvpn homepage. 12:57 < dvl> Or do you mean http://openvpn.net/index.php/documentation/howto.html ahh, well, that's rather complex for first timers. But I see your point. 12:57 < vpnHelper> Title: HOWTO (at openvpn.net) 12:58 < stephenh> really? i thought it was rather straightforward. 12:58 < krzie> as did i 12:58 < krzie> i think the howto rox 12:58 < stephenh> even if copied verbatim (which i did) 12:58 < reiffert> dvl: To my eyes it is excellent for 1st timers. It's the best howto ever on the net. 12:58 < krzie> off topic - any samba ninjas here? 12:58 < stephenh> and i got a working setup first time :-) 12:59 < reiffert> krzie: security = ads; 12:59 < stephenh> krzie: what do you need to do? 
i'm not a ninja but i work with it occasionally 12:59 < krzie> mount a samba share after joining an AD 12:59 < ecrist> krzie: aye 12:59 < krzie> i can get on the AD myself with a howto 12:59 < reiffert> krzie: it can be found in the samba howto. 12:59 < krzie> feel free to msg me to leave the channel free for openvpn help 12:59 < krzie> oh opk\\k, i will find it 12:59 < krzie> thanx 13:00 < krzie> im using this: http://www.ctdx.net/2008/07/11/freebsd-single-sign-on-with-active-directory-and-access-control/ 13:00 < vpnHelper> Title: Christophers Tiki Data Exchange Network » FreeBSD Single Sign on with Active Directory and Access Control (at www.ctdx.net) 13:00 < reiffert> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ 13:00 < vpnHelper> Title: The Official Samba 3.2.x HOWTO and Reference Guide (at us3.samba.org) 13:00 < krzie> ill find the official samba howto now =] 13:00 < krzie> perfect, thanx 13:00 < ecrist> krzie: openvpn.net is going to link the chan, wiki, and forum 13:00 < ecrist> I've gotta config so they can mirror content, first, though. 13:00 < krzie> killer =] 13:00 < stephenh> krzie: client? linux or windows? 13:01 < krzie> client = freebsd 13:01 < reiffert> ecrist: while already talking to him .. send him an invitation and short irc explanation and get him here ... 13:01 < stephenh> i might not understand the question, but smbmount? 13:01 < krzie> ecrist, good call on letting them know bout all that stuff 13:01 < dvl> reiffert: front wars? here on freenode? 13:01 < stephenh> haven't played with *nix client and AD really. more samba server and windows clients 13:02 < krzie> thanx guys, i think you gave me all i need to find my answers 13:02 < reiffert> dvl: I call the irc channels much closer to the user and software and even faster than the appropriate mailinglists, whatever software we are on about. 13:03 < dvl> reiffert: well, for some products, yes, IRC seems to be faster. But mailing lists are good for the answers you can't get on IRC. 
13:03 < reiffert> krzie: oh and there is #samba, #samba-technical, #samba-devel ... all the samba dev's are in the latter. 13:03 < krzie> reiffert, i think so too... in fact i think the mail list and IRC chan complement each other nicely 13:03 < krzie> reiffert ahh good to know as well 13:04 < reiffert> I mean .. Andrew Tridgell just one click away. I love irc. 13:06 < dvl> who? 13:06 < jeev> crap, my main server is down for like 12 hours 13:06 < jeev> ;/ 13:07 < dvl> jeev: just finding out now? 13:07 < jeev> i guess it's not main anymore, it's just a nameserver, been a while since i used it for named 13:07 < krzie> jeev, ive had 2 servers down for months 13:07 < jeev> no 13:07 < jeev> it's being moved to another building 13:07 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [] 13:07 < ecrist> lol at Andrew Tridgell's wikipedia photo 13:07 < jeev> from NY to NJ 13:07 < ecrist> looks like he's 19 13:07 < dvl> jeev: oh damn 13:07 < jeev> krzie, i've had a server down at the datacenter for a while.. 13:07 < krzie> and ive been waiting for the guy to send me my servers for another month 13:07 < jeev> yea, i told them to take their time to bring it back 13:07 < jeev> i'm in no rush 13:07 < stephenh> how would i nat my vpn so i can reach networks not connected to my openvpn server, i know masq or nat is required, would i do something like 'ip route add nat 172.16.0.0/24 via 192.168.1.2; ip rule add nat 192.168.1.2 from 172.16.0.0/24' ? 13:07 < jeev> i didn't need two servers there 13:07 < krzie> both servers already have new homes, but i cant ship them cause that lazy fuck wont send them 13:07 < krzie> hahah 13:08 < stephenh> i tried using the masq file in my shorewall setup, but couldn't get it working. 13:08 < dvl> jeev: take their time, and now they are taking their time? 13:08 < krzie> stephenh, linux? 13:08 < stephenh> yes. 
13:08 < krzie> !linnat 13:08 < vpnHelper> krzie: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 13:08 < jeev> no, dvl, wrong datacenter. 13:08 < krzie> you will also want: 13:08 < jeev> the datacenter that is being moved now had a box up for over 2000 days, i think it was 3000 13:08 < stephenh> i have 13 sites connected, and it's a pain to connect to each one, would like to connect to the HO (more b/w) and from there do what i need. i'm already pushing my routes. 13:08 < dvl> jeev: what? they sent it to the wrong datacenter? 13:09 < jeev> my uptime on my server was 1200. 13:09 < krzie> !linipforward 13:09 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 13:09 < krzie> and: 13:09 < jeev> the one i'm talking about that i told them to take their time is in the west coast. 13:09 < jeev> shit, why does coreftp show this 7.7 gig file as 3.5 13:09 < krzie> !def1 13:09 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:09 < dvl> 3000 days is close to 10 years... without an upgrade? 13:09 < jeev> kernel was never upgraded hehe yea 13:09 < dvl> tsk tsk tsk.... might be some interesting exploits in there. 13:09 < jeev> na 13:09 < jeev> he's safe, believe me 13:10 < krzie> dvl, im with you there, an uptime that big is NOTHING to brag about 13:10 < jeev> but i know what you sayin 13:10 < jeev> krzie, stop hatin. 13:10 < jeev> that thing has been up longer than you've been alive! 13:10 < krzie> jeev, its true 13:10 < dvl> krzie: a year, perhaps... 
I have a few now that are 200 days or so 13:10 < krzie> umm, i think im older than you jeev 13:10 < stephenh> don't think i'll use def1, i like to keep my default gateway as my isp, i'm pushing my routes in my server.conf, although once i get this working, i'm keen to move to ccd setup to push routes based on common name 13:10 < stephenh> thanks for info 13:10 < jeev> :) 13:10 < krzie> np stephenh 13:11 < krzie> know that you can only push so many routes 13:11 * ecrist had a fbsd 4.11 box up for 1012 days... 13:11 < krzie> theres a something-kb limit to it 13:11 < krzie> i think around 25 routes 13:11 < jeev> heh 13:11 < stephenh> oh ok. 13:11 < dvl> I may be the eldest here.. born in 1961 13:12 < krzie> dvl, ya got me beat 13:12 < krzie> <-- late 20's, but not as late as ecrist 13:12 < jeev> ecrist is like 74 13:12 < stephenh> krzie: is that an ip limit or microsoft? 13:12 < krzie> nah ecrist isnt very old 13:13 < krzie> stephenh, its an internal openvpn limit 13:13 < stephenh> ok 13:13 < krzie> it only takes a certain # of KB in pulling routes 13:13 < jeev> oh krzie, you're a mac-cer 13:13 < krzie> but you can get around that with a --up script 13:13 < jeev> was trying to burn leopard dmg 13:13 < jeev> on pc. 13:13 < krzie> it just wouldnt be pushed routes 13:13 < jeev> it was coming up with dmg2iso as corrupt, so i used hdiutil from the mac i have here. 13:13 < jeev> that the best idea? 13:14 < krzie> dunno, i never used hackintosh yet 13:14 < jeev> hackintosh ? 13:14 < krzie> but for google, hackintosh is the term you want 13:14 < stephenh> one more question :-) 13:14 < krzie> yes, osx on PC is called hackintosh 13:14 < jeev> i'm just trying to burn it. 13:14 -!- gfather [n=g@77.241.65.47] has quit [Read error: 110 (Connection timed out)] 13:14 < jeev> and install it on a mac. 
13:14 < krzie> right but you want it as ISO 13:14 < krzie> in apple you burn the dmg 13:14 < jeev> i want to just burn on ISO 13:15 < krzie> so you need to google on hackintosh 13:15 < jeev> i mean on PC 13:15 < krzie> no shit, google hackintosh 13:15 < krzie> hah 13:15 < ecrist> jeev: you could buy a legit copy 13:15 < krzie> ya or that ;] 13:15 < krzie> stephenh fire away =] 13:15 < ecrist> it's not like Apple charges an unreasonable fee for the OS. $129 is fair, IMHO 13:17 < jeev> legit? 13:17 < jeev> what's that 13:17 < krzie> ecrist, not for windows, but for osX i will agree 13:18 < ecrist> Apple charges for windows? 13:18 < krzie> nah, MS does 13:18 < krzie> but i wouldnt pay $100 for win 13:18 < krzie> would for osx 13:18 < reiffert> OSX Server is a bit overrated in fee. 13:18 < ecrist> oh, right. I'd pay $129 for windows XP 13:18 < krzie> osx is worth the $ 13:18 < ecrist> I won't pay for vista 13:18 < jeev> vista? 13:18 < ecrist> reiffert: I agree. 13:18 < jeev> i wouldn't take it for free. 13:18 < krzie> you couldnt pay me to run vista 13:18 < stephenh> using ccd and separating people into common name groups, like developers, admins, etc, do i need to have separate instances running? seems not, but can't get my head around if my tun1 is 10.8.01 as in the example, how can i dish out 10.8.1.0/24 and 10.8.2.0/24 for sysadmins and contractors 13:19 < ecrist> my business partner runs vista on his laptop 13:19 < reiffert> however, good god knows that you are two clicks away from an osx server license number. 
13:19 < krzie> stephenh, theres 2 ways 13:19 < stephenh> i'm asking this in a round about way :-) 13:19 < krzie> stephenh, 1 is a separate server for each group 13:19 < stephenh> i want to be able to group users like that, and firewall per subnet 13:19 < krzie> other is: 13:19 < krzie> !policy 13:19 < vpnHelper> krzie: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 13:19 < ecrist> stephenh: server 10.8.0.1 255.255.0.0 13:19 < krzie> using firewall 13:20 < krzie> you would give them the same subnet 13:20 < krzie> and firewall them into their own access rules 13:20 < krzie> OR give them diff subnets using multiple servers 13:20 < stephenh> yeah, that's what i'm doing at the moment, allocating static IPs and firewalling like that 13:20 < stephenh> ah ok, so in that example there are different servers running 13:20 < krzie> multiple servers is easier, firewall using !policy is more elegant 13:20 < stephenh> that's what i was wondering 13:21 < krzie> in !policy theres only 1 server 13:21 < krzie> separating client-to-client stuff by firewall 13:21 < krzie> !factoids search some 13:21 < vpnHelper> krzie: "someclient2client" is "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 13:21 < stephenh> well i don't want to reinvent how this wan was setup, but at the moment there is 13 running on one box, 5001-5013 for different sites 13:21 < stephenh> and then road users use 1194 13:21 < krzie> (same as !policy), makes client-to-client only work for diff groups 13:22 < krzie> the first link has a table 13:22 < krzie> look at 
the table and say if thats what you're looking for 13:22 < stephenh> ok, 13:23 < krzie> and i guess i was wrong, they dont go in the same subnet 13:23 < krzie> (i never used !policy, but ive helped people with it) 13:24 < stephenh> i got that from the http://openvpn.net/index.php/documentation/howto.html 13:24 < vpnHelper> Title: HOWTO (at openvpn.net) 13:24 < stephenh> just couldn't get my head around how i would have server 10.8.0.1, and then issue IPs to 1.8.2.0 and 1.8.1.0 13:24 < stephenh> looking at that first page now. 13:24 < krzie> Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. 13:25 < krzie> when you do the ifconfig-push on the clients not in the default vpn subnet i think the server adds the right route to handle it 13:26 < stephenh> ah ok. 13:27 < stephenh> that page appears to be for local networks, which i'm fine with (3 subnets for network in question), but i can't get to a network not physically connected, like another openvpn connection. for example: 13:28 < krzie> !route 13:28 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:28 < krzie> im not sure exactly what you mean, but see if that has info you need 13:28 < krzie> it might, but like i said i dont follow 100% 13:29 < ecrist> krzie: speaking of wiki, I'm going to be moving it to it's own site this week, and I will try to manually migrate all the articles 13:29 < ecrist> it will be at http://www.secure-computing.net/openvpn/ 13:29 < krzie> nice 13:29 < jeev> krzie, ecrist.. you guys suggest i set up a back up MX? i'm being told it's not worth it unless if i feel like a disaster could hit my primary.. 13:29 < jeev> cause secondary will get hit a lot by spammers. 13:29 < krzie> jeev, i dont run a secondary 13:30 < jeev> ok 13:30 < krzie> and i do have the resources to run one if i wanted to 13:30 < jeev> yea 13:30 < jeev> i feel like i should.. but you know what i'll do? 
13:30 < ecrist> jeev: I wouldn't bother 13:30 < krzie> if i have downtime it doesnt last long enough to bounce 13:30 < ecrist> I never have in 10 years 13:30 < jeev> i'll do a daily back up of the stuff, in case it goes down, just set it then. 13:30 < jeev> ok thanks 13:30 < krzie> i'd rather have messages stay in the queue til my master is back up 13:30 < ecrist> typically, you have 4 days of downtime before you start getting bounces 13:30 < jeev> ok 13:30 < stephenh> i connect and have a 172.16.0.x address, my openvpn server has NICs connected to 10.0.0.0/24, 10.0.255.0/24, 192.168.1.0/24, but i need to get to 192.168.2.0/24, which is connected via router on 10.0.0.0 network. 13:30 < stephenh> i hope that makes sense 13:31 < stephenh> from the linux openvpn server the routing is fine 13:31 < krzie> stephenh ok you do want !route 13:31 < krzie> !route 13:31 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:31 < stephenh> i can ping host on 192.168.2.0 subnet, the routes are being pushed to client 13:31 < stephenh> but i can't ping that host 13:31 < stephenh> or connect to it 13:31 < krzie> its behind server or client? 13:31 < stephenh> it's on another network connected by routers + a diginet 13:32 < stephenh> it seems to be a similar problem with all my openvpn wans 13:32 < krzie> ohh 13:32 -!- Irssi: ##openvpn: Total of 46 nicks [0 ops, 0 halfops, 0 voices, 46 normal] 13:32 < krzie> is the openvpn server the router for its lan? 
13:32 < krzie> if not you need to add a route to its router (which is mentioned in !route towards the bottom) 13:32 < stephenh> no, another router is 13:33 < stephenh> ah ok, i thought by having the openvpn server as the gateway, it would then route packets according to its existing routing table 13:33 < stephenh> and i wouldn't need to put those routes for other networks in 13:33 < krzie> nope, when that router gets reply packets headed for vpn_network it doesnt know wtf to do with them 13:33 < krzie> it needs a route back to the vpn 13:34 < krzie> if you tcpdump you'll see packets get to target machine, just they have no route back 13:34 < stephenh> because a similar example is if i connect to vpn and server has lan ip of 10.10.1.1, and another openvpn server with lan ip of 10.10.2.1, between the two openvpn servers everything is perfect, but if i vpn to 10.10.1.1 i cannot ping 10.10.2.1 13:34 < stephenh> i hope that explains better my situation 13:34 < krzie> cause SRC address is vpn_net 13:35 < krzie> cause you need special iroutes for that 13:35 < krzie> i done it before, cant remember EXACTLY where 13:35 < krzie> but if you look at log files at verb 6 when testing that, you'll see MULTI errors 13:35 < stephenh> i see, that makes better sense than needing to nat or masq the interface 13:35 < krzie> letting you know what iroute to add 13:35 < krzie> !iroute 13:35 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 13:36 < krzie> i didnt connect 2 servers that way, but i did with 2 clients 13:36 < krzie> i had to read the iroute code to see how i needed to put my iroutes 13:36 < krzie> it was non-standard 13:36 < stephenh> ahh ok. 
13:36 < krzie> and unfortunately i dont have all my servers up to find it for ya =[ 13:37 < krzie> damn florida colo =/ 13:37 < stephenh> well, as far as business goes, all the branches see each other, that is fine, but this problem has arisen because now road users vpn to a branch and want the same functionality rather than just accessing their local network 13:38 < stephenh> i think the best part now is that everyone has separate common names, so i need to make separate ccd files for each 13:38 < krzie> ya everyone should have a diff CN 13:38 < stephenh> iroute is only used in ccd? not in server.conf? 13:39 < krzie> ya you cant have it in server.conf or it is used for every client 13:39 < stephenh> could i not use route to push routes to client but specify the cisco router as the gateway for the remote network? 13:39 < dvl> OH yes, the next thing I have to do is create a CRL... 13:39 < stephenh> i would like it pushed to every client :-) 13:40 < krzie> iroute is not for adding routes 13:40 < krzie> !iroute 13:40 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. 
Also see !route and !ccd 13:40 < krzie> dude, please read ALL of !route 13:40 < krzie> it explains iroute, route, push route, ccd in detail 13:40 < krzie> and your problem you asked about wasnt about adding a route using cisco as its router 13:41 < krzie> your problem was the cisco router doesnt know about the vpn network 13:41 < krzie> so theres no return path for packets that go through it 13:41 < krzie> so packets go over the cisco, but cant get back 13:41 < krzie> cause SRC address was vpn_network 13:41 < krzie> so on the way back, DST address is vpn_network 13:41 < krzie> and when cisco wants to send to vpn_network 13:41 < krzie> it doesnt know how 13:42 < krzie> so it sends over default route, doesnt work 13:42 < stephenh> i understand now 13:42 < krzie> (i explain that in !route) 13:42 < krzie> if i didnt explain it well enough lemme know how to improve it) 13:42 < krzie> cause i made that so i wouldnt need to repeat myself daily (common stuff covered in that doc) 13:43 -!- adj [i=ssanders@unaffiliated/adj] has left ##openvpn [] 13:44 -!- jstrom [i=johan@core.stromnet.se] has quit [Broken pipe] 13:45 < stephenh> ok, so adding the route for vpn_network using gateway of openvpn server should solve it? what if i used what was shown in !linnat? 
13:45 -!- cj [n=cjac@66.152.65.2] has quit [Remote closed the connection] 13:45 < ecrist> yes 13:45 < stephenh> and i understand now for wan with only openvpn servers i need ccd files so they are aware of each other's network 13:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)] 13:47 < krzie> stephenh !linnat is if you want to route to the inet 13:47 < reiffert> http://de.youtube.com/watch?v=faRlFsYmkeY 13:47 < vpnHelper> Title: YouTube - The Simpsons - Homer Evolution (at de.youtube.com) 13:48 < krzie> then you would NAT packets headed for the inet 13:48 < krzie> cut you could NAT them wherever packets are already NATed 13:48 < krzie> you would just have to make sure all routers between know how to handle the vpn network packets 13:48 < krzie> s/cut/but/ 13:50 -!- zuran_ [i=zuran@wanktard.com] has left ##openvpn [] 13:51 < ecrist> lol @ wanktard.com 13:53 < jeev> heh 13:53 < jeev> nobody laughs at my domain :( 13:53 < jeev> elongatedturd.com 13:53 < jeev> i should irc from that bad boy 13:53 < stephenh> krzie: after reading your routing wiki page i understand now properly, ty 13:54 < krzie> ahh glad to hear it 13:54 < krzie> np 13:54 < krzie> i put some time into that doc 13:54 < krzie> cause its a common confusion 13:54 < krzie> confused me some my first time 13:54 < krzie> so now that i get it, figured it would be nice to make a comprehensive doc on it 13:54 < stephenh> yeah i couldn't get my head around, but it seems rule of thumb is iroute is used for local networks that won't be routed by via vpn even though routes are pushed by the server 13:54 < stephenh> right? 
13:55 < krzie> iroute is for any time a route points to openvpn (tun) but openvpn internally doesnt know who the lan belongs to 13:55 < krzie> basically when a lan is behind a client 13:55 < stephenh> cool, got it 13:56 < krzie> i believe its called iroute because its an internal route 13:56 < krzie> has nothing to do with the kernel routing table 13:56 < krzie> other than the fact that packets need to be going to openvpn for it to see them 13:59 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has quit [Read error: 110 (Connection timed out)] 14:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 14:27 < tessier_> ecrist: yes, easy-rsa does suck. Managing keys/access is the worst part of openvpn. I still don't know how to list all of the users who have access so I can audit this system. 14:28 < krzie> !ssl-admin 14:28 < vpnHelper> krzie: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:28 < tessier_> If I don't get this sorted out soon they are going to make me trash the whole system and start over. 14:28 < krzie> ecrist's solution to that 14:28 < tessier_> Probably with a Cisco VPN or something. :( 14:28 < krzie> list users with access, check your CA machine 14:29 < krzie> should have records of all certs you made on it 14:29 < krzie> (or signed on it) 14:29 < krzie> unless you deleted the file, in which case you shouldnt have before keeping records 14:29 < tessier_> What file? 14:29 < krzie> the .csr 14:29 < krzie> or .crt 14:30 < krzie> depending if before or after the signing 14:30 < krzie> csr is before, crt is after 14:30 < tessier_> The key database is in /var/db/openvpn 14:30 < tessier_> I have a file ca.crt 14:30 < tessier_> It is a certificate file, obviously. 14:30 < tessier_> How does this help me list who has access? 14:30 < krzie> if you dont have a .csr for each client in the CA box, you deleted them 14:31 < tessier_> I didn't delete them. Someone else may have. 
14:31 < krzie> you cant make a cert without giving the CA box the csr, then signing it to make a .crt 14:31 < krzie> btw that would be on the box that has CA.key 14:31 < tessier_> Don't I need to have the client's public key stored in here somewhere? 14:31 < krzie> NOT just ca.crt 14:32 < krzie> no, the client cert is verified by checking it is signed by same CA as server cert 14:32 < krzie> which is why you need to keep track of what you sign 14:32 < tessier_> ugh 14:32 < krzie> so if its compromised you can add to a CRL 14:34 < tessier_> I don't have the csr's. So I guess I'm SOL. I better just nuke the whole key database, start over, and issue new keys to anyone who needs them. 14:34 < krzie> yup, if you use unix check out ssl-admin 14:34 < krzie> ecrist you here? 14:34 < krzie> ecrist i have a question bout ssl-admin, possibly something you need to add 14:37 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 14:55 -!- gfather [n=g@77.241.65.47] has joined ##openvpn 14:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:01 -!- hkais [n=dpalic@p50816A25.dip.t-dialin.net] has joined ##openvpn 15:10 -!- sleon [i=sleon@p578b777b.dip0.t-ipconnect.de] has joined ##openvpn 15:10 < sleon> hi all 15:11 < sleon> i know that this should be asked in a non existant vpnc channel 15:11 < sleon> but 15:11 < sleon> do you think that vpnc supports the tcp encapsulation_ 15:11 < krzie> no idea, never heard of vpnc 15:11 < krzie> but openvpn does 15:11 < krzie> although, you should know this: 15:11 < krzie> !tcp 15:11 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 15:11 < sleon> krzie: vpnc is an os implementation of cisco vpn client 15:12 < krzie> cool, read that link before deciding you want tcp over tcp 15:12 < krzie> it is not openvpn specific 15:12 < sleon> krzie: right, i need to convince the admin to disable the forced tcp encapsulation 15:13 < krzie> that link should do it 15:13 < krzie> read it, understand it, then you know how to show him why its a bad idea 15:16 -!- Remowylliams [n=Mare@71.16.217.178] has joined ##openvpn 15:17 < Remowylliams> Hello everyone, got openvpn working with vista x64 but it seems the tun interface stops being primary and it falls back to passing data through my ethernet connection but initially it does take the data. 15:18 -!- hkais [n=dpalic@p50816A25.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 15:19 < sleon> krzie: thx 15:21 < sleon> krzie: what is a meltdown effect _ 15:21 < krzie> its fully explained in that link 15:21 < krzie> read the whole thing 15:21 < krzie> maybe 2x 15:21 < krzie> Remowylliams, try the newest beta if you can 15:22 < krzie> i remember vista 64bit having issues on the mail list 15:22 < sleon> krzie: hmm, do i understand it right ? meltdown effect is when the tcp connection sort of self-terminates , because it becomes very high exponential backoff ? 15:22 < krzie> i cant explain it any better than the link does 15:23 < krzie> if you dont get the link, i cant help you get it 15:23 < sleon> krzie: melt down effect is only cited there 15:23 < krzie> the term doesnt matter 15:23 < Remowylliams> krzie: I'm using 2.1rc15.. I'll check 15:23 < krzie> just get the point of it 15:24 < krzie> Remowylliams ok thats newest beta 15:24 < sleon> krzie: http://www.webopedia.com/TERM/N/network_meltdown.html 15:24 < vpnHelper> Title: What is network meltdown? 
- A Word Definition From the Webopedia Computer Dictionary (at www.webopedia.com) 15:24 < krzie> Remowylliams you have local dhcp and are using redirect-gateway? 15:25 < krzie> if so, try adding bypass-dhcp to your redirect-gateway statement as seen in !betaman 15:25 < krzie> !betaman 15:25 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 15:25 < krzie> under --redirect-gateway 15:26 < Remowylliams> krzie: I've got the redirect gateway directive in my server config 15:27 < Remowylliams> krzie: I just tried this: http://www.ctunion.com/node/226 15:27 < vpnHelper> Title: OpenVPN GUI client and Windows Vista | Computer Tech Union (at www.ctunion.com) 15:27 < Remowylliams> LOL 15:27 < krzie> try what i said 15:28 < sleon> krzie: thank you for that link! it is really nice help 15:28 < krzie> np 15:33 < Remowylliams> krzie: You're saying I need to add --redirect-gateway to my push options in my server.conf? 15:33 < krzie> didnt you say you already have that? 15:33 < Remowylliams> you said try what you said. :) 15:33 < krzie> Remowylliams you have local dhcp and are using redirect-gateway? 15:33 < krzie> if so, try adding bypass-dhcp to your redirect-gateway statement as 15:33 < krzie> seen in !betaman 15:34 < Remowylliams> yes ahh sorry 15:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:34 < krzie> see the manual under --redirect-gateway 15:34 < krzie> !betaman 15:34 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 15:34 < krzie> it only exists in 2.1 15:34 < krzie> but thats no problem cause you use 2.1 15:37 < jeev> krzie, put the DVD DL with leopard in the mac and it spits it out.. 15:37 < krzie> *shrug* 15:41 -!- mgs` [n=mgs@mail.polyvalent.org] has quit [Client Quit] 15:42 -!- randra [n=sleepkno@189.72.79.35] has joined ##openvpn 15:48 < Remowylliams> krzie: I think I got it working will check back :) 15:48 < Remowylliams> thank you 15:49 < krzie> np 15:49 < krzie> was it bypass-dhcp? 
15:50 < Remowylliams> krzie: don't know for sure yet.. 15:51 < Remowylliams> but it sure looks like it. I added this I found from a search: push "redirect-gateway def1 bypass-dhcp" 15:52 < krzie> you found that in a search!? 15:52 < krzie> why not read the manual i pointed you to 15:52 < krzie> manual > google 15:53 < Remowylliams> yes because I couldn't find the line at the time. I'm sorry 15:56 < Remowylliams> grrr no buffer space 15:59 < Remowylliams> write UDPv4: No buffer space available. (code=55) 16:02 -!- AndyML [n=quassel@pool-96-227-91-204.phlapa.fios.verizon.net] has joined ##openvpn 16:02 < AndyML> has anyone setup a bridged VPN on a mac os x server? I can't get the tap interface configured properly... 16:03 < AndyML> when I start openvpn, tap0 shows up, but the IP address isn't set, etc. 16:04 < ecrist> krzie: what's up? 16:04 < AndyML> oh - i'm missing the br interface... 16:05 < Remowylliams> is no buffer space an important notice in the log? 16:06 * ecrist goes to help his sister move 16:10 < krzie> sup eric 16:10 < krzie> im just trying to get samba working 16:10 < krzie> ok so i do not already have a computer named LOGS in the DC, and i get an error saying there is no computer LOGS$ and if its a legit computer i should rejoin it to the domain (in event viewer) 16:10 < krzie> so im playin with that 16:16 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn 16:18 -!- odiumx [n=odium@66.238.175.150.ptr.us.xo.net] has quit ["Leaving"] 16:20 -!- jeev [n=email@unaffiliated/jeev] has quit [Success] 16:21 -!- randra [n=sleepkno@189.72.79.35] has quit ["quit"] 16:42 < Remowylliams> is the No buffer space available (code=55) just a warning or is it a problem that can be resolved ? 16:42 < krzie> dunno 16:45 < Remowylliams> It seems to have been mentioned for many many versions and the current info seems to be that when too much data is trying to head out from the server this problem begins to squawk in the logfile. 
16:47 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 16:58 -!- Remowylliams [n=Mare@71.16.217.178] has left ##openvpn [] 17:45 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 17:55 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has quit [] 18:21 -!- K_luffy [n=V3N@77.31.147.117] has quit [Read error: 110 (Connection timed out)] 18:23 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 19:18 -!- sleon [i=sleon@p578b777b.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 19:49 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Remote closed the connection] 19:58 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn 19:59 * tjz poke jeev 19:59 * tjz poke dougy 19:59 * tjz poke ropetin 20:11 * jeev punches tjz 20:12 < tjz> lol 20:29 < ecrist> krzie: I'm back 20:29 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 20:35 < dvl> Good evening geeks. 20:40 < dvl> Tonight topic is CRLs. What for? 20:40 < dvl> But first, I have a URL to add to my docs. 20:43 < krzie> ecrist im back now too 20:44 < krzie> all done with the samba stuffs 20:44 < krzie> very nice =] 20:46 < dvl> That was easy. 20:47 < krzie> it would have been easier if i was asking the right questions from the start 20:47 < krzie> turns out i didnt even need to join the domain 20:47 < krzie> since my goal was only to mount a share that is shared in active directory 20:47 < dvl> krzie: no, sorry, I was logging what I was doing... :) Added a link to the HOWTO. 20:48 < krzie> turns out you dont need to be in the AD to mount a dir 20:48 < jeev> damn guys 20:48 < ecrist> krzie: what was your ssl-admin question? 20:48 < jeev> do you guys see venus and jupiter? 20:48 < krzie> to what howto? 20:48 < jeev> that's so sick :( 20:48 < krzie> ecrist, does ssl-admin allow users to make a server cert signed as a server cert? 
20:48 < krzie> i saw the menu and couldnt find it 20:49 < ecrist> hrm, no, don't think so 20:49 < krzie> was helping someone with !mitm while they were using ssl-admin, we ended up using openssl with their ca they made in ssl-admin, just to make the server cert 20:49 < krzie> that would be good to add 20:50 < ecrist> http://www.secure-computing.net/ssl-admin - submit a ticket 20:50 < dvl> krzie: I amended my article to include a link to the howto. 20:50 < ecrist> ;) 20:50 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net) 20:50 < jeev> has anyone looked outside? 20:50 < dvl> It would be nice if the HOWTO wasn't a mega-document, but split up. 20:50 < jeev> ecrist, maybe you can see it 20:50 < jeev> i can't believe i'm looking at jupiter! 20:51 < ecrist> cloudy here 20:51 < jeev> wow dood, such an amazing sight 20:51 < jeev> i wish i were there. 20:52 < jeev> (jupiter) 20:52 < krzie> *cough we do too*cough* 20:52 < krzie> 20:52 < jeev> damn an 20:52 < jeev> man 20:52 < jeev> that makes me so sad 20:52 < krzie> haha 20:52 < krzie> cant see anything here 20:53 < jeev> i wonder how old that light is 20:53 < dvl> jeev: I lived in Jupiter (FL) for a short while. Lovely place. 20:54 < jeev> cool beans 20:54 < jeev> ahh 20:54 < jeev> one hour old 20:54 < jeev> the light 20:54 < krzie> one hour my ass 20:55 < krzie> Minimum Distance from Earth: 588 million km 20:55 < krzie> (365 million miles) 20:56 < jeev> yea 20:56 < jeev> 1962.365591 20:56 < jeev> 32.7 20:56 < jeev> it's 32 minutes old then 20:56 < jeev> depends on its distance now. 20:56 < krzie> ~ 6.71x10^8 20:57 < krzie> (spd of light / hr) 20:57 < jeev> dood 20:57 < jeev> at 365 million miles 20:57 < jeev> it takes 32.7 minutes. 20:57 < jeev> i dont want to see exponents 20:57 < krzie> bahahah 20:57 < krzie> you dont see how easy it is to know in your head with sci notation? 
20:57 < krzie> you were right tho, insane 20:58 < krzie> i didnt think it was so quick 20:58 < jeev> scientific notation is for wankers 20:58 < jeev> i was told a few stars are like 20:58 < jeev> the light is like 400 years old.. 20:58 < jeev> but that would take.. damn 20:58 < jeev> 86400 20:58 < jeev> 12614400000 20:59 < jeev> 2346278400000000 20:59 < jeev> 2,346,278,400,000,000 20:59 < jeev> that would be that many miles away 20:59 < krzie> dude 20:59 < krzie> sci notation ftw 20:59 < krzie> look at you with 5 commas 20:59 < krzie> hahah 20:59 < jeev> ll 20:59 < jeev> i forgot 20:59 < jeev> so that'd be 21:00 < jeev> 2346278.4x10^8 ? 21:00 < jeev> or 7 or 9 haha 21:00 < jeev> i forgot which place 21:00 < krzie> 2.xxxxx 21:00 < jeev> 234627.84x10^8 ? 21:00 * krzie sends jeev back to math class 21:00 < jeev> math is for posers 21:00 < jeev> dood i was in geometry in 8th grade 21:00 < jeev> high school didn't require me any more 21:00 < jeev> i forgot * 21:00 < krzie> did you just bring up your 8th grade education in defense of yourself? 21:01 < jeev> yes! 21:01 * krzie baffles 21:03 < jeev> i wish i could go there 21:03 < jeev> we need to make a wormhole 21:03 < jeev> i wanna see it 21:04 < jeev> i think i'd shit myself and cry 21:04 < krzie> i think youd freeze to death instantly 21:04 < krzie> while suffocating 21:05 < jeev> i'd have protection 21:05 < jeev> hey 21:05 < jeev> i bet richard branson owned steve fosset 21:11 < ecrist> I'm going to log for the night... l8r guys 21:11 < jeev> later 21:12 < krzie> nite eric 21:14 < jeev> i'm getting texts like 21:14 < jeev> everyone look outside, this wont happen for another 4k years 21:14 < jeev> this wont happen for another 100 years 21:14 < jeev> 459 years 21:14 < jeev> .. 21:14 < jeev> 2013 dumbasses! 
21:58 -!- jeev [n=email@unaffiliated/jeev] has quit [Read error: 104 (Connection reset by peer)] 22:04 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn 23:04 -!- AndyML is now known as AwayML 23:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:20 -!- paruchuri [n=qvantel@61.16.248.247] has quit [Read error: 110 (Connection timed out)] --- Day changed Tue Dec 02 2008 00:13 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 00:13 < onats> whats going on 00:13 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 00:18 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)] 00:21 < krzee> !menu 00:21 < vpnHelper> krzee: "menu" is please use '!factoids search *' 00:22 < krzee> !learn menu as you can leave it a * to see all, or replace it with a word to search for 00:22 < vpnHelper> krzee: Joo got it. 00:24 < krzee> !mitm 00:24 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 00:24 < krzee> !servercert 00:24 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mtim 00:35 < troy-> why isnt openvpn in centos yum repo? 
00:47 < krzee> odds are you can submit it if youd like to change that 00:50 < jeev> centos is lame 00:50 < jeev> you've gotta add like more "repos" 00:52 -!- gfather [n=g@77.241.65.47] has quit [Read error: 110 (Connection timed out)] 00:54 < troy-> jeev, your lame 01:04 < jeev> you're 03:36 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 04:47 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 05:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:20 -!- no_maam [n=no_maam@130.83.167.54] has joined ##openvpn 05:20 < no_maam> hi 05:21 < no_maam> got a little routing problem 05:21 < no_maam> openvpn server is at 1.2.3.4, client is in the internet, but should get the ip address 1.2.3.5, default gateway for the client should then be 1.2.3.254 05:24 < no_maam> the problem is, that the client needs to receive a note, that the route to 1.2.3.4 should be redirected to the local gateway, but the rest of 1.2.3.0/24 should go through openvpn 05:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 06:09 < lilalinux> aloha 06:09 < lilalinux> how do I get broadcasting for a tun openvpn? 06:09 < lilalinux> so that I can browser samba shares? 06:09 < lilalinux> s/browser/browse 06:51 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 06:51 < simplechat> heyyas, anyone around? 
07:19 < lilalinux> simplechat: don't ask to ask just ask 07:19 < simplechat> ok 07:19 < simplechat> my issue is this 07:19 < simplechat> i'm setting up an openvpn vpn between a debian stable server and (atm) a fedora 9 client 07:19 < simplechat> the server is up, listening on the correct port and not firewalled 07:19 < simplechat> the client is also "starting", but i can't find any log messages anywhere 07:20 < simplechat> i can see packets going to the server and back again (iptables logs) 07:20 < ropetin> lilalinux: isn't that a 'networking' feature, rather than anything to do with OpenVPN? Configure a WINS server or whatever? 07:21 < simplechat> the issue is that when my end starts up it comes up with a completely wrong configuration 07:21 < simplechat> without using tun 07:21 < ropetin> Do you have multiple config files simplechat ? 07:21 < simplechat> and i can't actually connect to the server (i have no route in route -n, and trying to ping the servers ip fails) 07:21 < simplechat> just one 07:22 < ropetin> And are you starting it with an init script or from the CLI? 07:22 < simplechat> init script 07:22 < simplechat> for both 07:22 < simplechat> and i only have one config file for both 07:23 < ropetin> And if you restart the client from the CLI, does it output anything? 07:23 < simplechat> both from this http://www.annoying.dk/2007/10/14/quick-simple-tutorialhowto-on-openvpn-with-debian/ 07:23 < vpnHelper> Title: Quick simple tutorial/howto on OpenVPN with Debian | www.annoying.dk (at www.annoying.dk) 07:23 < simplechat> ropetin, how do i do that? 07:23 < ropetin> Which is the client, Debian or Fedora? 07:23 < simplechat> fedora 9 07:24 < simplechat> conf file is openvpn.conf 07:24 < ropetin> Hmmm, RedHat, I haven't touched that in years, but maybe; 07:24 < ropetin> service restart openvpn 07:24 < simplechat> nah, it uses init 07:24 < simplechat> ok 07:24 < simplechat> got it 07:25 < lilalinux> ropetin: do you know bcrelay? 
07:25 < ropetin> I do not, no, sorry 07:26 < simplechat> ok, its doing slightly more 07:26 < simplechat> it found it and made up the new device all nicely 07:26 < simplechat> 172.16.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 07:26 < simplechat> 172.16.0.0 172.16.0.5 255.255.255.0 UG 0 0 0 tun0 07:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:26 < simplechat> two new entries into routes 07:27 < simplechat> however the ip address is unusable 07:27 < ropetin> Unusable? In what way? 07:27 < ropetin> And why does it create two tun0's? 07:27 < simplechat> cool 07:27 < simplechat> its iptables 07:27 < ropetin> :D 07:28 < simplechat> iptables was blocking the requests 07:28 < simplechat> now i need to work out a way to differentate based on type 07:28 < simplechat> but yeah, thanks for the help :) 07:28 < simplechat> openvpn is very, very, very cool :D 07:28 < ropetin> :D 07:28 < ropetin> Indeed 07:28 < simplechat> yeah 07:29 < simplechat> ok, so now i can connect to the server 07:29 < simplechat> if it works on the command line 07:29 < simplechat> init will work? 07:30 < ropetin> Didn't you just restart the init script? In which case, yes 07:36 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 104 (Connection reset by peer)] 07:37 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 07:51 < ecrist> morning, folks 07:54 < ropetin> Mooning 08:02 < simplechat> heyyas 08:02 < simplechat> and good evening 08:20 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 08:25 < reiffert> Moin 09:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:40 -!- Remowylliams [n=Mare@71.16.217.178] has joined ##openvpn 09:43 < Remowylliams> Hi everyone. found out what was causing the udpv4 No buffer space messages. 
it seems Secondlife tends to flood the network with a greater number of stream requests than the system/router has buffers for. I couldn't tell for sure how many but certainly the realm of several hundred at a go. 09:53 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 09:54 < c64zottel> a longer key in openVPN connections just slows down the TLS negotiation not the later established connection, or? 09:55 < Remowylliams> c64zottel: sounds about right. But I'm just a visitor. 09:55 < c64zottel> Remowylliams: ty 09:56 < c64zottel> i can't see a reason why it should be slower, but i am very far away from being sure 09:59 < Remowylliams> well you can end up with speed issues if you are having buffer problems and such. are you seeing any notices in the server log? 10:01 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 10:02 < plaerzen> good morning #ovpn 10:02 < c64zottel> Remowylliams: i did'nt try anything, i am still setting up and studying the options 10:02 < ecrist> howdy plaerzen 10:03 < c64zottel> and was thinking to become paranoid, when it doesn't hurt 10:03 < Remowylliams> c64zottel: maybe this can be helpful. http://www.dslreports.com/forum/r20429387- 10:03 < vpnHelper> Title: Re: OpenVPN overhead - dslreports.com (at www.dslreports.com) 10:03 < Remowylliams> hello ecrist 10:04 < c64zottel> Remowylliams: that's nice, thx a lot 10:08 < Remowylliams> very welcome 10:19 < plaerzen> *sigh* For secret santa I got the absolute opposite type of person than myself to buy a gift for. 10:21 < ecrist> what's that, hot skinny chick? 10:21 * ecrist assumes most geeks idling in ##openvpn are fat ugly dudes 10:21 * ecrist fits into that crowd 10:25 < plaerzen> Well, How do I best describe myself? I am interested in Buddhism/eastern religion (although I'm an agnostic), I party ALOT, indulge in .... substances... and I like hand made gifts from the himalayan region. 
And for secret santa I got someone who answered the following questions like this: Books you enjoy reading: anything christian. Music you listen to: Christian. Movies you watch: Anything clean. 10:25 < plaerzen> exact opposite. 10:29 < plaerzen> So I'm trying to relate to the religion thing. For a gift I would'nt mind a Buddha and some prayer beads or something. So Do I get him a crusifix and a bible? Damn. 10:32 < cpm> hrmmm 10:32 < cpm> well a copy of 'because the bible tells me so' is probably a no-win. 10:33 < cpm> chances are pretty good he already has a 'strongs'. 10:33 < cpm> that's a tricky one. 10:34 < ropetin> Wouldn't you be best to just avoid the whole religion thing, and make sure whatever you get isn't offensive? 10:34 < plaerzen> Yeah, but all else I have to go on is that he like playing Wii 10:34 < plaerzen> and likes the colors blue and red 10:34 < ropetin> Christians tend to have a lot of bibles, and christian 'memorabilia' 10:34 < plaerzen> I'm nto getting him a Wii game - chances are he already has the good ones 10:34 < cpm> ropetin, yeah, no point in being redundant. 10:35 < ropetin> Excellent, do you have a price limit? 10:35 < Remowylliams> May I recommend lumber and 3 large nails? 10:35 < plaerzen> 25-35 10:35 < ropetin> US Dollars? 10:35 < plaerzen> cad 10:35 < ropetin> How does that relate these days to the US? 10:35 < plaerzen> pretty similar 10:35 < cpm> pretty close. 10:35 < ropetin> K... 10:36 < plaerzen> See, the thing is - I take pride in buying gifts for people. I like to put effort into it and get something good, creative and thoughtful. But I don't have much to go on here. 10:37 < plaerzen> I should get him blue and red paint. 10:37 * plaerzen mutters. 10:37 < cpm> plaerzen, I get it, and I'm stumped. 10:38 < ropetin> Something decorative? 10:38 < plaerzen> like a knick knack for the house ? 10:38 < ropetin> Exactly 10:40 < plaerzen> Hrm. 
10:41 < plaerzen> I suppose I can check out my usual "new age" stores for some religion-neutral stuff. They tend to have a good selection. 10:42 < plaerzen> Thanks 10:43 < cpm> Just no Richard Dawkins 10:44 < plaerzen> I am so tempted to get him that book, and a buddha or something. 10:45 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit [] 10:45 < krzee> ecrist, here? 10:52 < ecrist> yeah 10:52 < ecrist> i'm sorta flighty today, fyi 10:52 < jeev> what does flighty mean 10:52 < ecrist> wife's car was broken into yesterday, took $700 worth of stereo equipment and her iPod. Water heater cracked last night, got a flooded basement. 10:53 < ecrist> means I'm moving around a lot and can be here one min and gone the next. 10:53 < jeev> ah 10:54 < jeev> was her ipod in plain sight ? 10:54 < krzee> ouch 10:54 < krzee> well i modded ssl-admin 10:54 < krzee> ill email you the changes or the whole thing? 10:55 < krzee> ive never written perl but your code was clean enough to rip and modify for a new feature 10:57 < ecrist> jeev: no, it was in the glove-compartment. and the car was in our driveway 10:57 < ecrist> krzee: unif diff is fine 10:58 < jeev> damn 10:58 < krzee> k 11:00 -!- mRCUTEO [n=info@124.13.94.246] has joined ##openvpn 11:00 < mRCUTEO> hiya all 11:02 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn [] 11:04 < krzee> ecrist, you know the command offhand to generate a unified diff? a quick peek at man made me think diff -u ssl-admin.pl ssl-admin-orig.pl but no 11:08 < jeev> http://typo3.org/development/bug-fixing/diff-and-patch/ 11:08 < vpnHelper> Title: typo3.org: Diff and Patch (at typo3.org) 11:08 < jeev> can't believe i have to google for you! 
11:09 * jeev rolls eyes at krzee 11:09 < krzee> actually i have 4 pages loading 11:09 < krzee> thats how slow my inet is 11:09 < krzee> they been loading since before i asked 11:09 < krzee> i asked so i wouldnt need to keep waiting, you didnt help that any 11:11 < jeev> uh huh 11:11 * jeev continues rolling eyes 11:26 < krzee> !mitm 11:26 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 11:27 < krzee> !servercert 11:27 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mtim 11:27 -!- gfather [n=g@77.241.65.47] has joined ##openvpn 11:27 < gfather> hello guys 11:27 -!- gfather [n=g@77.241.65.47] has left ##openvpn [] 11:27 -!- gfather [n=g@77.241.65.47] has joined ##openvpn 11:28 -!- mRCUTEO [n=info@124.13.94.246] has quit [Read error: 110 (Connection timed out)] 11:30 < plaerzen> hey gfather 11:31 < plaerzen> what's up ? 11:31 < gfather> well man 11:31 < gfather> i began to hate dd-wrt 11:31 < plaerzen> why ? 
11:31 < gfather> man that thing is stupid :( , man 2 days to make the vpn connect to server and not working 11:32 < gfather> i have a server that has openvpn , whn i connect to it as clint from windows xp , it wqorks like a charm 11:32 < gfather> when i try to connect from dd-wrt it dont work 11:33 < gfather> and i have to use a custom command for startup , becouse the config file wont take my custom configration 11:33 < gfather> what the F$#%^# 11:34 < gfather> i just want to put the openvpn config , and it should work , why i have to make custom command and extra non-usfull stuff 11:34 < gfather> thats all 11:34 < krzee> heh 11:34 < krzee> !ask 11:34 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/ 11:34 < krzee> as in, you seem to need help 11:35 < krzee> but still havnt asked anything 11:35 -!- mRCUTEO [n=info@64.235.47.77] has joined ##openvpn 11:35 < gfather> lool . this is openvpn # , i should ask about openvpn ;) , not dd-wrt 11:35 < gfather> i was just saying how much i hate dd-wrt right now , thats all 11:35 < krzee> ahh 11:35 < krzee> haha gotchya 11:36 < mRCUTEO> anyone use poptop before? 11:36 < krzee> thought you hated it cause of problems getting ovpn going 11:36 < mRCUTEO> can poptop connect through openvpn? 11:36 < krzee> no i havnt, it should 11:36 < gfather> would you recomnd me to change to openwrt for vn ? 11:36 < krzee> vn == vpn? 11:36 < gfather> yes 11:37 < krzee> to be honest ive never used either 11:37 < gfather> lool , im on openvon # 11:37 < gfather> loooooool 11:37 < krzee> the problems you're having are dd-wrt specific? 11:37 < gfather> i thought im in openwrt # 11:38 < mRCUTEO> whats the different btn openwrt and openvpn? 
11:38 < gfather> openwrt is a firmwar for routers 11:38 < krzee> openvpn is for vpns, openwrt is a firmware for linksys routers making it run linux 11:38 < gfather> based on linux 11:38 < gfather> aallot other than linksys now :) 11:39 < mRCUTEO> ic 11:41 < krzee> oh a unified diff was easy, problem was i had overwritten the file in my sleep when i landed on the keyboard 11:41 < krzee> lol 11:42 < ecrist> back 11:42 < mRCUTEO> wb ecrist 11:42 < ecrist> $1000 for a new water heater, $300 to move a gas line, $200 to bring my stuff up to code. 11:42 < krzee> emailing unified diff now eric 11:42 < ecrist> :\ 11:43 < ecrist> okie 11:43 < ecrist> krzee: by writing a patch, you're forcing me to actually update the port. 11:44 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 104 (Connection reset by peer)] 11:44 < krzee> well server certs really should be made with !servercert 11:44 < krzee> as to be safe from !mitm 11:44 < ecrist> aye 11:44 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection] 11:45 < krzee> ok this is too much 11:45 < krzee> my inet is slower than corky 11:46 < mRCUTEO> my internet is 20 KB/s :) 11:48 < krzee> im getting less than that 11:49 < mRCUTEO> my goodness 11:49 < krzee> eric, i didnt test my code 11:49 < krzee> but i did check for any syntax mistakes 11:49 < krzee> basically if your old code worked, the new code does 11:50 < krzee> i just jacked you for your other functions and edited slightly 11:50 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 11:50 < krzee> sup TR 11:50 < krzee> moin 11:53 -!- _trine is now known as _trine_Tenerife 11:57 -!- unit3 [n=unit3@209.139.238.33] has joined ##openvpn 11:58 < unit3> Hey all... Just interested, what's the web GUI pictured on the main openvpn.net page? 12:02 < krzee> hah 12:02 < krzee> i cant believe ive never wondered that 12:02 < krzee> i wonder if thats even real 12:04 < unit3> Yeah, I dunno... 
I figured that the project wouldn't just put up a fake screenshot, but since I can't actually find it listed on the site anywhere it made me wonder. 12:04 < unit3> The closest thing I can see is the webmin module, and I don't really want to run webmin. 12:04 < krzee> i think it actually is a fake screenshot 12:04 < krzee> a nice lil picture 12:04 < unit3> well... that's... somewhat misleading. ;) 12:05 < krzee> not if you read the howto 12:05 < unit3> Well, except it's right on the main page. 12:05 < unit3> You see it *way* before you see the howto. 12:05 < krzee> ive read damn near everything that site has to offer and never thought there was a web gui 12:06 < krzee> hrm, there is a openvpn-web-gui 12:06 < krzee> found on google from googling openvpn web gui 12:06 < krzee> which i chose as my term cause its on that screenshot 12:06 < krzee> openvpn-web-gui.sourceforge.net 12:06 < unit3> Oh yeah, that looks like the right thing. Cool. 12:07 < unit3> I wonder why it isn't linked from the Documentation->GUI page on the site? 12:07 < krzee> *shrug* 12:08 < unit3> In any case, that's the one, so my curiosity is satisfied. ;) 12:08 < krzee> !learn webgui as http://openvpn-web-gui.sourceforge.net/ if you have tried this please give us feedback 12:08 < vpnHelper> krzee: Joo got it. 12:08 < krzee> heheh 12:08 < krzee> thanx for asking, thats interesting 12:09 < unit3> Yep, I'm gonna have to play with it now, see how well it works with 2.1. 12:11 < krzee> cool, pls to report back 12:11 < unit3> Sure. :) 12:13 < jeev> cool 12:13 < jeev> i want to try that 12:14 < unit3> hmm... hasn't been updated since 2005 though, which is sort of a warning sign. 
12:14 < mRCUTEO> openvpn GUI wow 12:16 -!- gfather [n=g@77.241.65.47] has quit [Read error: 104 (Connection reset by peer)] 12:16 -!- mRCUTEO [n=info@64.235.47.77] has quit [] 12:23 < ecrist> krzee: got your patch, reviewing it now 12:23 < unit3> Oh, looks like ebox (web management for SMB stuff on Debian and Ubuntu) also has a module for managing openvpn. 12:27 < unit3> Hrm... looks like neither have robust enough config management for what I need (client specific configs, complex routing, more push options, etc). 12:27 < unit3> Still, for simple setups they should be good. 12:27 -!- unit3 [n=unit3@209.139.238.33] has quit ["Leaving"] 12:35 -!- lilalinux is now known as lila_schupfnudel 12:35 < krzee> look good ecrist ? 12:39 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:55 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit ["----"] 12:59 < ecrist> krzee: yes, it doesn 12:59 < ecrist> does* 12:59 < ecrist> committing to svn now 12:59 < ecrist> I have some updates i'll make tomorrow to the sources to fix some bugs and such, then I'll build the port update 12:59 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 13:05 < ecrist> krzee: where did you get the working ssl-admin perl script? 13:05 < ecrist> freebsd ports? 13:10 < krzee> from !ssl-admin 13:10 < krzee> tats whats in your link 13:11 < ecrist> ok, that's a *really* old copy 13:11 < ecrist> I'll build a diff tree and apply accordingly 13:12 < ecrist> I liked you my SVN repo, was hoping you'd use the one there. 13:13 < ecrist> s/liked/linked/ 13:15 < krzee> oops, didnt see it 13:16 -!- imbezol [i=imbezol@igloo.bigfiber.net] has joined ##openvpn 13:16 < krzee> here ill send the whole script 13:16 < krzee> for easier copy/paste 13:16 < ecrist> that's OK. think I'm going to just add that patch by hand. 13:16 < krzee> ok 13:16 < imbezol> anyone here using openvpn-gui? 
i'm having trouble figuring out what it's default path is when looking for keys 13:16 < krzee> in windows, it says in its docs 13:17 < krzee> ild google it but my inet is dog slow today 13:19 < imbezol> well it mentions that you can change the dir in the registry 13:20 < imbezol> but the HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\ key doesn't exist 13:23 -!- PatrickDK [n=guest@dyn-170-243-74.myactv.net] has joined ##openvpn 13:27 < imbezol> was able to specify the full path 13:28 -!- lila_schupfnudel is now known as lilalinux 13:30 < ecrist> krzee: you patch has been committed 13:30 < ecrist> I'm going to remove the tarball from the wiki at this point, until I build a better app. 13:43 -!- itguru [n=itguru__@5ac106ba.bb.sky.com] has joined ##openvpn 14:02 < ecrist> fixed ticket #8 14:03 -!- MissNeBuN [i=hidden-u@gw.mypublisher.com] has joined ##openvpn 14:24 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 14:25 < kexman> hello 14:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 14:25 < kexman> i selected hide tap adapter at the openvpn win32 installation 14:25 < kexman> how can i now unhide it ? 14:28 -!- itguru [n=itguru__@5ac106ba.bb.sky.com] has quit ["This computer has gone to sleep"] 14:35 < ecrist> krzee: you didn't update the man page. :( 14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:46 < krzie> kexman, iirc thats a registry entry 14:49 < jeev> asterisk is pissing me off 14:52 < krzie> i wont see that til tonight late 14:52 < krzie> oops /q 14:55 < jeev> seriously 14:55 < jeev> dhclient needs to stop overwriting resolv.conf 15:02 < ecrist> krzie: I'm building the freebsd port now, need to submit PR for port update, you should see it in next day or so, i think. 15:02 < krzie> nice man 15:03 < ecrist> I still need to get this more usable on linux, as well as making a better OS agnostic version 15:03 < ecrist> too much to do 15:03 < krzie> what part of it is os specific?? 
15:04 < ecrist> the install procedure 15:04 < krzie> seems like all youd need to do is move 1 dir to be user-configéd 15:04 < ecrist> i.e. an idiot cannot do it 15:04 < ecrist> also, without cygwin, it won't run on windows right now 15:04 < ecrist> I need to re-write the whole thing to use the perl OpenSSL library 15:04 < ecrist> that should be windows-friendly 15:05 < ecrist> provided they install the library, of course 15:05 -!- olarva [n=olarva@189.0.25.238] has joined ##openvpn 15:06 < krzie> your win script could install it 15:06 < kexman> krzie: uninstall / reinstall did the job :) 15:06 < ecrist> krzie: for sure. I don't even own a windows box any more 15:06 < kexman> krzie: now i dont know how to tell the windows machine that if the machine is on the vpn's real host (thus cant connect to the vpn (bridged vpn)) then it shouldnt try to start openvpn so many times 15:07 < kexman> i mean it can start it 15:07 < kexman> but it cant connect 15:07 < kexman> and it will spam my logs every 1 minute 15:07 < kexman> or is there any other option for this ? like restricting the log file ? 15:07 < kexman> how big can that grow ? 15:07 < kexman> if suppose the machine cant connect to the vpn server and it trys trys and retrys 15:07 < kexman> or anyway 15:07 < kexman> by logging 15:07 < kexman> how big can that log grow ? 15:08 < kexman> ehh maybe ill set the log to verb 0 :P 15:18 < krzie> it doesnt have to retry 15:20 < olarva> to use --shaper, the value should be equal em both sides? 15:22 < imbezol> so am i correct in realizng that openvpn just doesn't work on 64 bit vista? 15:23 < Remowylliams> imbezol no it works 15:23 < imbezol> i can't get past the missing TAP-Win32 problem 15:24 < imbezol> i'm not even trying to use tap.. trying to use tun 15:24 < Remowylliams> is there a tun/tap interface? 15:24 < imbezol> there's both 15:24 < Remowylliams> both? 
when I installed using 2.1rc15 I had just one 15:24 < Remowylliams> I right clicked on it and renamed it MyTap 15:24 < imbezol> Microsoft ISATAP Adapter, and Microsoft Tun Miniport Adapter 15:25 < imbezol> they don't show in the network devices 15:25 < imbezol> they show in ipconfig /all 15:25 < Remowylliams> I got a requester up when I installed asking if I wanted to install the tun/tap device 15:26 < imbezol> i get an error about the installation of the win32 tap device 15:26 < Remowylliams> hmm when I did the install I right clicked and ran it as administrator 15:27 < imbezol> i'll try that.. but it installed to c:\program files (x86)\ so i assume it must have been admin 15:28 < imbezol> still get the error 15:28 < Remowylliams> And when you get done you need to right click on the OpenVPN-gui and click on properties and go to advanced and select run as administrator 15:28 < imbezol> "An error occurred install the TAP-Win32 device driver." 15:28 < imbezol> er, installing 15:29 < imbezol> where is OpenVPN-gui? 15:29 < Remowylliams> should see it on your desktop 15:33 < imbezol> newp 15:33 < imbezol> i'll have to play with this later.. 
have a meeting in 30 mins 15:33 < imbezol> thanks tho 15:36 < Remowylliams> imbezol: you're welcome 15:36 -!- MissNeBuN [i=hidden-u@gw.mypublisher.com] has quit [] 15:38 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has left ##openvpn ["Leaving"] 15:39 < olarva> I have linux box, and run this: openvpn --secret my.key --comp-lzo --shaper 64000 --ifconfig 10.10.10.1 10.10.10.2 --dev tun 15:39 < krzie> you prolly need quotes around the ifconfig statement 15:40 < krzie> well, possibly 15:40 < krzie> why not just make a config file 15:41 < olarva> and, WinXP, openvpn.exe --remote my_linux_box --secret my.key --comp-lzo --shaper 32000 --ifconfig 10.10.10.2 10.10.10.1 --redirect-gateway def1 15:41 < krzie> im not sure if redirect-gateway works in static key mode 15:42 < olarva> krzie: work fine, my issue is shaper 15:43 < krzie> oh 15:43 < krzie> 1sec lets see what manpage says... 15:43 < krzie> you using 2.0 or 2.1? 15:43 < krzie> !man 15:43 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 15:44 < olarva> i sec... 15:45 < olarva> krzie: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] 15:46 < krzie> --shaper n 15:46 < krzie> Limit bandwidth of outgoing tunnel data to n bytes per second on the TCP/UDP port. If you want to limit the bandwidth in both directions, use this option on both peers. 15:46 < krzie> OpenVPN uses the following algorithm to implement traffic shaping: Given a shaper rate of n bytes per second, after a datagram write of b bytes is queued on the TCP/UDP port, wait a minimum of (b / n) seconds before queuing the next write. 15:47 < krzie> Also note that for low bandwidth tunnels (under 1000 bytes per second), you should probably use lower MTU values as well (see above), otherwise the packet latency will grow so large as to trigger timeouts in the TLS layer and TCP connections running over the tunnel. 
15:47 < olarva> ok, fine 15:47 < olarva> checked 15:47 < olarva> 32000 = 32kbps 15:52 < olarva> but, still poor 15:52 < krzie> and whats happening? 15:53 < Remowylliams> that might be very helpful info krzie thank you. 15:54 < olarva> transfer rates are very very slow... 15:56 < Remowylliams> 32kbps is this a dialup ? they have modems fasster than that :) 15:56 < olarva> Remowylliams: : ) 15:58 < krzie> hes forcing it that slow 15:58 < olarva> ok, sorry, 32kbs for simple http transfers tests is fine, but not work, 10min and not download all content, (less than 300k) 15:59 < olarva> I try with others values, same result. 16:00 < krzie> read and understand the manpage a couple times 16:03 < olarva> it makes me calm, the problem is my conf. : ) 16:04 -!- ndee [n=ndee@84-73-222-49.dclient.hispeed.ch] has joined ##openvpn 16:04 < olarva> ok, the winXP version is 2.0.9 16:06 -!- olarva [n=olarva@189.0.25.238] has quit ["WeeChat 0.2.6"] 16:07 < ndee> hi there, I'm using the standard ip networks from the howto. The routes look like this: http://pastie.org/329237 When I try to ping 10.8.0.1, it should take the 3rd route, is that correct? All firewalls are also turned off. Shouldn't I be able to ping one each another? 16:18 < krzie> !configs 16:18 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 16:20 < ndee> krzie: it's now on the pastie 16:21 < krzie> read my request again 16:21 < krzie> (with comments removed, you can use `grep -vE '^#' client.conf`) 16:21 < ndee> ah, sorry 16:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:21 < krzie> also include which OS and version of openvpn. 16:25 < ndee> krzie: it's updated. As a server, I'm running Ubuntu 8.04 with openvpn 2.1_rc7 and as a client, windows vista with openvpn 2.0.9. 
16:25 < ecrist> 16:26 < ndee> I can connect to the vpn but just not ping the server. 16:29 < krzie> by pinging the server 16:29 < krzie> you mean the client cant ping 10.8.0.1 ? 16:29 < ndee> krzie: yes. 16:29 < krzie> !logs 16:30 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:33 < ndee> krzie: can I have a static IP on my client interface? 16:33 < ecrist> yes 16:33 < ndee> ok 16:34 < krzie> !static 16:34 < vpnHelper> krzie: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 16:35 < ndee> krzie: you need the whole log or just the last part of it? 16:35 < krzie> whole thing from both sides, verb set to 6 16:36 < ndee> ok 16:38 < ndee> krzie: the paste is updated 16:43 -!- yokyok [n=david@ppp-14.WLAN.FTG.panline.net] has joined ##openvpn 16:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:44 < yokyok> hi where is the botmaster? 16:50 < krzie> what do you mean by botmaster? 16:50 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 16:52 < ndee> krzie: did you maybe find something what could cause that I can't ping the server? 16:53 < krzie> try upgrading client to 2.1 16:53 < ndee> ok 16:53 < krzie> can cserver ping client? 16:53 < krzie> (10.8.0.6) 16:54 < ndee> krzie: no 16:55 < yokyok> yes krzie 16:55 < yokyok> could you type that command that gives the regex to remove comments? 16:57 < acidchild> egrep -v '^\#|$) openvpn.conf | tr -s '\n\n' '\n' 16:58 < acidchild> egrep -v '(^\#|$)' openvpn.conf | tr -s '\n\n' '\n' 16:58 < acidchild> sowwwie! 
16:58 < acidchild> =) 16:58 < krzie> !logs 16:58 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:59 < yokyok> thanks acidchild :) 16:59 < krzie> oops 16:59 < krzie> i mean 16:59 < krzie> !configs 16:59 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 16:59 < yokyok> yes it was this one 17:00 < acidchild> some start with ';' too 17:00 < yokyok> right 17:00 < ndee> krzie: it helped :D 17:00 < acidchild> (^\#|$|\;) 17:00 < ndee> thanks alot :) 17:00 < krzie> ndee, np 17:00 < acidchild> oh is it ^$ to indicate a blank line? 17:01 < krzie> not 100% sure but easy to test 17:01 < ndee> krzie: do you by chance know how to route only certain websites thru the vpn channel? 17:01 < krzie> ndee, sure... only push routes to those websites 17:01 < krzie> note, you cant push more than a certain limit, i THINK 25 routes 17:01 < acidchild> ndee: ip route add $WEBSITE_IP via 10.1.1.1 dev tun1 17:01 < ndee> ok 17:02 < acidchild> turn on NAT on the 'gateway' ip 17:02 < ndee> yep, found that 17:02 < krzie> push "route $WEBSITE_IP 255.255.255.255" 17:02 < acidchild> yeah sorry ignore me :-( i'm a vtund oldschooelr 17:02 < acidchild> heh 17:02 < krzie> acidchild , where did you find ip route as an openvpn command? 17:03 < krzie> ohh, hehe 17:03 < krzie> ndee but if you need more than openvpn's limit, you can make an --up script on the client 17:03 < acidchild> its a iproute2 command? :/ 17:03 < ndee> krzie: and that push route, do I have to do that on the client I suppose? 17:04 < krzie> prolly want a --down script to undo it when you kill the vpn 17:04 < acidchild> can you 'push' 'ip' commands? 17:04 < krzie> there are no ip commands in ovpn 17:04 < acidchild> y 17:04 < acidchild> :-( 17:04 < krzie> you push config options to the client 17:04 < krzie> what are you trying to do? 
17:04 < ndee> ah, from the server then
17:04 < krzie> !push
17:04 < vpnHelper> krzie: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
17:04 < acidchild> nothing, just wonder how i'd do packet marking :-/
17:05 < krzie> using your firewall and static ips
17:05 < krzie> !static
17:05 < vpnHelper> krzie: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
17:05 < acidchild> i don't want static IP's
17:05 < acidchild> i just want my clients to mark their packets...
17:06 < acidchild> means i can keep tabs on them >:)
17:06 < PatrickDK> mark their packets?
17:06 -!- Remowylliams [n=Mare@71.16.217.178] has left ##openvpn []
17:06 < acidchild> --mark --fwmark
17:06 < krzie> what exactly do you want to gain by marking the packets?
17:06 < PatrickDK> you're going to have to create a different tunnel for each client then
17:07 < acidchild> PatrickDK: yeah
17:08 < acidchild> krzie: means i can policy route traffic coming from different clients
17:08 < acidchild> based on their packet marks.
17:13 < krzie> !policy
17:13 < vpnHelper> krzie: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
17:13 < krzie> acidchild, not based on packet marks, no
17:13 < krzie> based on firewall rules and routes, yes
17:13 < krzie> (if you use static ips)
17:13 < ndee> krzie: when I check with ipconfig /all, I see that the DNS server is the vpn-server. But somehow, the DNS requests don't get resolved.
17:14 < acidchild> krzie: don't worry about it.
17:16 < krzie> ndee, i think you need to reset the resolver in windows with some net command
17:16 < krzie> i seen something on the mail list about that
17:16 < ndee> ah ok
17:18 -!- ndee [n=ndee@84-73-222-49.dclient.hispeed.ch] has quit [Nick collision from services.]
17:18 -!- ndee [n=ndee@84-73-222-49.dclient.hispeed.ch] has joined ##openvpn
17:18 < ndee> re
17:19 < ndee> yeah, that somehow didn't work :D
17:20 < ndee> pinging an ip works, dns not yet. push "redirect-gateway def1" what does the "def1" stand for?
17:21 -!- joshhunt_ [n=joshhunt@67-207-141-62.slicehost.net] has joined ##openvpn
17:22 < joshhunt_> Hey guys
17:23 < krzie> ndee, they made manpages for that
17:23 < joshhunt_> I installed openvpn from the repos on ubuntu 8.10. For easy-rsa, is the correct one to use at /usr/share/docs/openvpn/examples/easy-rsa/2.0 ?
17:23 < krzie> but ill tell ya anyways
17:23 < krzie> !def1
17:23 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:23 < krzie> joshhunt_ sure
17:24 < joshhunt_> Thanks
17:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
17:24 < ndee> krzie: yes, I found it thru googling, I sometimes ask too quick, sorry.
17:25 < ndee> krzie: so if my server can resolve dns names, and I have the push "redirect-gateway def1" directive in the server.conf, it should also be possible from my client, is that assumption correct?
17:25 -!- joshhunt_ [n=joshhunt@67-207-141-62.slicehost.net] has quit ["leaving"]
17:27 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has joined ##openvpn
17:34 < krzie> ndee, anyone can put something on the net and have it show on google, for stuff like that look at the man page
17:35 < krzie> ndee, you're using redirect-gateway def1, are you pushing dhcp option to the windows client as well
17:35 < krzie> if not, are you using 2.1?
17:37 < krzie> if you are using 2.1, not pushing dhcp option for dns, and are using redirect-gateway def1, try adding bypass-dns after def1
17:38 < krzie> bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
17:38 < krzie> Using the def1 flag is highly recommended.
17:42 -!- joshhunt [n=joshhunt@67-207-141-62.slicehost.net] has joined ##openvpn
17:43 < joshhunt> Hey, im back with another 'problem' :P
17:43 < joshhunt> when running ./clean-all, how do i 'source the vars script first'?
17:44 < krzie> you could always just do what i do
17:44 < krzie> i paste the vars script into the prompt
17:44 < krzie> then they are part of my ENV
17:44 < krzie> but i think the docs say . ./vars
17:44 * joshhunt did that
17:44 < krzie> with the leading . being important
17:44 < joshhunt> ill try again
17:44 -!- ndee [n=ndee@84-73-222-49.dclient.hispeed.ch] has quit [Read error: 104 (Connection reset by peer)]
17:44 < krzie> just paste the vars if it gives you trouble
17:45 < krzie> we usually recommend ssl-admin but i gave ecrist a patch for it today so its down getting upgraded
17:45 * joshhunt cant paste the vars. Im doing all this using ajaxterm
17:45 < krzie> heh
17:46 < joshhunt> should i be running that script as root?
17:46 -!- ndee [n=ndee@84-73-222-49.dclient.hispeed.ch] has joined ##openvpn
17:47 < krzie> i dont think any of it needs root
17:47 < krzie> unless only root can access the files and dirs it needs to read/write to
17:47 < krzie> you should be able to figure that out
17:48 < ndee> when my server routes everything, shouldn't it also route the DNS queries?
17:48 < joshhunt> Damn, because it totally isnt working
17:49 < joshhunt> Ill try logging in as root and running it
17:49 -!- joshhunt [n=joshhunt@67-207-141-62.slicehost.net] has quit ["leaving"]
17:50 < krzie> ndee, show me ipconfig/all and route print in pastebin
17:51 < ndee> krzie: from the client I assume
17:52 < krzie> right
17:52 < krzie> after being connected
17:53 < ndee> krzie: http://pastie.org/329334
17:53 < krzie> and is the dns server even listening on 10.8.0.1?
17:53 < krzie> server is linux?
17:53 < ndee> krzie: do I need to have a dns server installed?
17:53 < ndee> yes, linux.
17:54 < krzie> LOL
17:54 < ndee> krzie: I thought it would forward the dns queries to its own dns server.
17:54 < krzie> of course you would need a dns server installed
17:54 < krzie> hahah
17:54 < krzie> not a chance
17:54 < ndee> ah ok :)
17:54 < ndee> bind in a standard configuration should be ok I guess.
17:54 < krzie> only if you tell bind to only listen on 10.8.0.1
17:55 < ndee> ok, gonna read how to configure that
17:55 < krzie> if it listens publicly it needs to be non recursive except for to 10.8.0.x
17:55 < krzie> or you become a DDOS drone
17:55 < krzie> and on top of that you as a ddos drone would amplify attacks by 50+ x
17:56 < krzie> if you didnt need a dns server running, you could point to any computer on the net as your dns server
17:56 < krzie> if it worked how you thought they would just forward your requests for you
17:56 < ndee> true, didn't think too far :D
18:04 < ndee> awesome, it works :D
18:04 < ndee> eeeverything works, awesome :D
18:04 < krzie> =]
18:04 < ndee> thanks a lot krzie :)
18:06 < krzie> yw
18:07 -!- K_luffy [n=V3N@77.31.147.117] has joined ##openvpn
18:17 -!- ndee [n=ndee@84-73-222-49.dclient.hispeed.ch] has quit []
18:26 < ecrist> krzie: you can still recommend, I changed the link
18:26 < ecrist> !ssl-admin
18:26 < vpnHelper> ecrist: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
18:27 < ecrist> there's a link there, links to the ssl-admin branch in my svn repo
18:27 < ecrist> that way, they're getting latest version
18:27 < ecrist> sometime, I'll actually build some sort of installer/wrapper for linux and windows
18:27 < ecrist> what matters is it's available via freebsd ports
18:27 < ecrist> ;)
18:27 < ecrist> just sent PR
18:32 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
18:36 < ecrist> http://www.freebsd.org/cgi/query-pr.cgi?pr=129380
18:36 < vpnHelper> Title: ports/129380: update to security/ssl-admin port (at www.freebsd.org)
19:09 < ecrist> ping Dougy[RV|Away]
19:19 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection]
19:23 < ecrist> ok, PR updated, forgot to diff the distinfo
19:30 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)]
19:32 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
19:33 < Solarbaby> wow OpenVPN certainly does have a few features under the hood
19:33 < ecrist> yeah
19:34 < Solarbaby> it was easy enough setting up a static key, but I'm sure thats just not the way to go
19:34 < Solarbaby> in the end im going to want to use TLS right?
19:35 < Solarbaby> this is a home network.. mainly me connecting but I may extend this to a few more clients out there
19:37 < ecrist> you're going to want to use certificates.
19:37 < ecrist> what are you using for a server?
19:38 < Solarbaby> Linksys router flashed with OpenWrt
19:39 < ecrist> you may find that's not good for more than a couple connections
19:39 < Solarbaby> thats all it shall ever need
19:39 < Solarbaby> btw you're pretty on top of your game.. I just read that somewhere
19:43 < ecrist> what?
19:43 < Solarbaby> I just read that the linksys router will only support up to 2 clients well
19:44 < ecrist> ah
19:44 < ecrist> I idle in here a lot, it's come up more than once.
19:44 < ecrist> problem is the low-power proc in that box
19:44 < Solarbaby> no sarcasm here.. I appreciate you being helpful
19:44 < ecrist> can't handle the on-the-fly crypto so well
19:45 < Solarbaby> yeah that makes sense.. the alternative hardware would be a linksys nslu2 and I think that is about the same limitation
19:46 < Solarbaby> I like to use as much low spec power sipping devices as I can
19:46 < ecrist> if money isn't a problem, you could get a soekris box, throw freebsd on there and offload the crypto to a hardware card.
19:46 < ecrist> those are pretty low-power.
19:47 < Solarbaby> yeah money is an issue right now :(
19:47 < Solarbaby> I do have one of those Asus EEE Pc 1000H.. but that wont be the server.. it'll be the remote
19:48 < ecrist> if two connections is enough, I wouldn't worry about it
19:48 < Solarbaby> yeah any more than 2 connections and i'd start getting nervous who's doing what
19:51 < Solarbaby> I used to use SSH tunneling through Firefox for Coffee Shop surfing.. this is a bit more secure Im guessing?
19:51 < Solarbaby> probably because of the SSL
19:52 -!- s2r [n=dada@190.2.0.105] has joined ##openvpn
19:53 < s2r> Hi. I think I'm missing a route but I don't know which.
19:54 < s2r> I'm running an openvpn server on a w2k3 box with the default conf. except the port number.
19:55 < s2r> the client connects but I can't ping anything. From the server I can't ping the client either and I don't see its mac address with arp -a
19:58 < simplechat> just as an odd thing: i'm trying to connect to another peer on openvpn
19:58 < simplechat> i get packets coming through for about a minute, then it just stops (100% drop rate)
19:58 < simplechat> openvpn says something about a push request,
19:59 < simplechat> Peer connection initiated with (ip address)
19:59 < simplechat> push request/reply
19:59 < simplechat> then packets just drop
19:59 < simplechat> and it just seems to be running in a loop
19:59 < s2r> I read something about a loop in the faq.
20:00 < simplechat> mm?
20:01 < ecrist> Solarbaby: no more secure, no
20:02 < simplechat> we are on the same external ip
20:02 < simplechat> could that cause issues?
20:03 < ecrist> simplechat: you need to setup NAT and proper routing in order to ping external devices to the VPN
20:04 < simplechat> ecrist, we're both on the vpn
20:04 < simplechat> i'm pinging its vpn ip
20:04 < simplechat> and it works for a couple of minutes
20:04 < simplechat> then it dies and openvpn seems to be reconnecting
20:04 < simplechat> i see a peer connection, then it restarts
20:04 < ecrist> Solarbaby: it gives you the advantage of being able to use non-SOCKx-aware applications, however.
20:04 < s2r> ecrist doesn't openvpn on w2k3 add the routes automagically?
20:04 < ecrist> s2r: why would it do that?
20:05 < s2r> ecrist since it gets an ip address and you specify the network range for the vpn why wouldn't it add the route? It already knows the range of ips.
20:06 < simplechat> something like http://openvpn.net/archive/openvpn-users/2007-05/msg00008.html
20:06 < vpnHelper> Title: [Openvpn-users] OpenVPN connection restarts a few seconds after first use (at openvpn.net)
20:06 < ecrist> simplechat: tcp or udp?
20:06 < simplechat> tcp
20:06 < ecrist> ack
20:06 < ecrist> no pun intended.
20:06 < ecrist> !tcp
20:06 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
20:07 < ecrist> simplechat: use UDP, unless you've a good reason not to
20:07 < ecrist> s2r: to ping hosts on the vpn, you need client-to-client
20:07 < s2r> ecrist I just want to connect to the server
20:08 < simplechat> so why exactly?
20:08 < ecrist> simplechat: read the link vpnHelper posted
20:08 < s2r> I can't ping it. I added a route 10.8.0.0/24 with 10.8.0.1 as gateway, doesn't work...
20:08 < simplechat> so it should work if i move over to udp?
20:08 < ecrist> s2r: you need client-to-client in your config
20:09 < ecrist> simplechat: yes, you have a better chance
20:09 < s2r> ecrist to ping the server as well?
20:09 < ecrist> s2r: you should be able to ping the VPN server IP (10.8.0.1)
20:10 < simplechat> gah
20:10 < simplechat> :(
20:10 < simplechat> i moved over to proto udp
20:10 < simplechat> its not being killed by the fw, and both sides are up
20:11 < simplechat> interfaces are made on both sides
20:11 < simplechat> they just fail horribly
20:11 < ecrist> 'just fail horribly' doesn't tell me anything
20:11 < simplechat> i have an ip address
20:11 < simplechat> but no packets get passed
20:11 < simplechat> 100% loss
20:11 < ecrist> what are you pinging?
20:11 < simplechat> the server
20:11 < ecrist> I need some output,
20:11 < ecrist> !configs
20:11 < vpnHelper> ecrist: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn.
20:12 < simplechat> give me a couple of seconds
20:12 < simplechat> i need to work out if its the init script thats bad or the config
20:12 < s2r> ecrist I can't ping 10.8.0.1
20:12 < ecrist> !configs
20:12 < vpnHelper> ecrist: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn.
20:14 < simplechat> ok, so you need client and server configs?
20:15 < ecrist> yes
20:15 < simplechat> ok
20:16 < simplechat> http://pastebin.ca/1274489 <-- Client
20:17 < simplechat> from the status log
20:17 < simplechat> TCP/UDP read bytes,418 TCP/UDP write bytes,4333
20:17 < simplechat> so it has a "connection"
20:18 < simplechat> and server -> http://pastebin.ca/1274492
20:20 < simplechat> ok, this is odd
20:20 < simplechat> does udp change the port used?
20:20 < simplechat> i just flushed iptables on the server, and now the link is up and working
20:20 < simplechat> and i'm yet to get a bad start
20:24 < ecrist> :\
20:24 < ecrist> pastebin.ca doesn't seem to be routable for me.
20:24 < ecrist> routes seem to be broken at shawcable.
20:29 < krzie> should configs look fine
20:29 < simplechat> ouch
20:29 < krzie> errr
20:29 < simplechat> but yeah
20:29 < krzie> configs do look fine
20:29 < simplechat> ok, this is odd, is openvpn using any port other than 1194 udp?
20:30 < simplechat> krzie, thanks :)
20:30 < krzie> it can use any port you tell it to
20:30 < krzie> 53 is common if you dont have a dns on same box
20:30 < krzie> cause many firewalls let 53 udp out
20:30 < simplechat> mmmm.
20:30 < simplechat> i don't have dns on the same box
20:30 < simplechat> but i told it:
20:30 < simplechat> remote betacorp.net 1194
20:31 < ecrist> why do people use pastebin.ca over pastebin.com?
20:31 < simplechat> and with proto udp, shouldn't it connect on port 1194 udp?
20:31 < simplechat> and nothing else?
20:31 < krzie> ecrist ive had problems with .com before so i always use .ca
20:31 < ecrist> ah
20:31 < simplechat> atm i'm running watch iptables -Lv
20:31 < krzie> correct simplechat
20:31 < simplechat> and i'm seeing dropped packets coming through
20:31 -!- s2r [n=dada@190.2.0.105] has quit [Remote closed the connection]
20:31 < krzie> well there you go, its your firewall
20:32 < krzie> i wanna check something...
20:32 < krzie> !1918
20:32 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
20:32 < krzie> heh werd
20:32 < krzie> the 172 ips always catch me offguard
20:32 < simplechat> yeah
20:33 < simplechat> nobody ever actually uses it
20:33 < krzie> i never have and prolly never will use that block, lol
20:33 < simplechat> but yeah, heres the odd thing
20:33 < simplechat> it will accept any traffic from udp port 1194 both ways
20:33 < krzie> but its valid to use =]
20:33 < ecrist> krzie: that's the block I try to use for VPNs, as they hardly ever interfere with user's home networks.
20:33 < krzie> !logs
20:33 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
20:33 < simplechat> but atm its gotten all of one packet for it
20:35 < simplechat> wow
20:35 < simplechat> verb 6 is waaaay too much info
20:35 < simplechat> what is Wed Dec 3 13:32:26 2008 us=400903 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20:36 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Nick collision from services.]
20:36 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
20:37 -!- s2r [n=dada@190.2.0.105] has joined ##openvpn
20:38 < simplechat> hmmm.
20:38 < simplechat> but then again, wtf is happening? Its saying that its connected via 1194, but no packets are being dropped outgoing, and udp packets on port 1194 are received incoming!
20:39 < simplechat> how does that even work?
20:44 < simplechat> ok
20:44 < simplechat> i'm completely confused
20:45 < simplechat> wtf is it doing not using the ports i set it?
20:49 < krzie> how long ago did i tell you to post your logs on pastebin?
20:53 < ecrist> krzie: *I* told him to as well...
20:54 -!- pickcoder [n=madmax@unaffiliated/pickcoder] has joined ##openvpn
20:55 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:55 < Dougy> hey all
20:56 < pickcoder> I've got an active route push configured but for some reason I can't get DNS queries to push through from Windows. I can ping the machine on the other side and I'm running shorewall. port 53 is open from loc->$FW and from $FW->NET. dhcp-option DNS <ip> is set
20:56 < krzie> ecrist, dunno... maybe he doesnt want help then
20:56 < Dougy> hey krzie :]
20:56 < pickcoder> ipconfig /all shows the right info, as does route print
20:57 < krzie> hey doug
20:57 < pickcoder> the machine I'm connecting to happens to also be the DNS server
20:57 < Dougy> krzie: i set up a freebsd test box
20:57 < Dougy> i remember why i liked it when i used it last time
20:57 < Dougy> very fun
20:57 < pickcoder> so it's not a return route problem
20:57 < krzie> pickcoder, is the nameserver listening on VPN_IP too?
20:57 * Dougy would convert his colo box to freebsd if he could
20:57 < pickcoder> hrm
20:57 < pickcoder> heh.. you know I didn't check
20:58 < pickcoder> hrm.. does it have to?
20:58 < Dougy> hmm
20:58 < pickcoder> I can ping the local IP
20:58 < Dougy> i need to make a logo for the forum
20:58 < pickcoder> and access other services using the remote LAN subnet
20:59 < ecrist> Dougy: how goes
21:00 < Dougy> ecrist: eme in general or
21:01 < pickcoder> nslookup reports the right rDNS for the dns server but it won't do lookups for local domains
21:01 < Dougy> s/eme/me/
21:01 < krzie> pickcoder, only for local domains?
21:03 < pickcoder> yup
21:06 < ecrist> krzie: did you get my invite?
21:06 < Dougy> krzie: wake up sleepy head
21:08 < Dougy> krzie: wake up sleepy head
21:11 < krzie> hehe my bad
21:12 < krzie> pickcoder, how does it know to only give responses to local machines for local domains?
21:12 < krzie> im guessing by IP
21:12 < krzie> and now your src ip is vpn_ip
21:13 < krzie> so let it know it can respond for those
21:15 < pickcoder> the resolver should look by domain
21:15 < pickcoder> but even setting the suffix for the TAP it doesn't work
21:15 < pickcoder> I just changed the dns dhcp option to the VPN IP
21:15 < pickcoder> same thing except rdns for the dns server stopped working
21:17 < pickcoder> I'm missing something small
21:19 < s2r> Can anybody please point me in the right direction to understand what routes are missing from the default installation to be able to ping/connect to 10.8.0.1?
21:19 < pickcoder> transfer and recursion is enabled for the VPN subnet
21:21 < ecrist> s2r: look at !route
21:23 < krzie> !route
21:24 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
21:32 < pickcoder> ah.. acl internal wasn't set to the vpn subnet
21:32 < pickcoder> \o/
21:33 * pickcoder beats IE into submission
21:36 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has left ##openvpn []
21:36 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:36 < Dougy> oops
21:36 < Dougy> that was the wrong part
21:36 < Dougy> hah
21:36 < pickcoder> meh.. now port 80 won't connect on a local ip
21:37 * ecrist is sad.
21:37 < ecrist> now that that stupid botnet is back up, my spam intake has gone back up.
21:37 < pickcoder> spamhaus
21:38 < Dougy> spam fails
21:38 < ecrist> pickcoder: I've got plenty of spam controls, but I can see them *hitting* my mail server via graphs
21:38 < pickcoder> I run fail2ban on the mail gate for postfix
21:38 < ecrist> http://www.secure-computing.net/cgi-bin/mailgraph.cgi
21:38 < vpnHelper> Title: Mail statistics for juno.secure-computing.net (at www.secure-computing.net)
21:38 < pickcoder> people that upset my machine get blocked for a few days
21:39 * pickcoder is getting irritated with vpns
21:40 < pickcoder> crap now ssh doesn't work
21:40 < ecrist> I think I'm done for the day. night folks
21:40 < Dougy> me too
21:40 < Dougy> night ecrist
21:40 < Dougy> let me know what comes of that
21:41 < Dougy> krzie: freebsd questions
21:41 < Dougy> krzie: freebsd question*
21:41 < s2r> ecrist I tried adding a route specific to the ip client 10.8.0.6 mask 255.255.255.255 gw 10.8.0.1 and it didn't work. I tried also with a whole c class and 10.8.0.1 also as the gw and it didn't work either.
21:42 < pickcoder> s2r: is the device configured to be dhcp?
21:42 < s2r> the tap device on the host? yes.
21:42 < s2r> sorry, tun device.
21:43 < pickcoder> and openvpn is set to server 10.8.0.0 255.255.255.0
21:43 < s2r> yes
21:43 < pickcoder> is 10.8.0.1 active on the server?
21:43 < s2r> yes
21:43 < s2r> I do a ipconfig /all and it seems ok.
21:43 < pickcoder> you're 100% sure the vpn is established?
21:44 < pickcoder> what ip is your TUN?
21:44 < s2r> yes, the tcp connection was established and I got an ip address in the client side.
21:44 < pickcoder> what O/S on the client
21:44 < s2r> client xp and w2k3 server
21:45 < s2r> the tun on the server is 10.8.0.1
21:45 < pickcoder> so the routes for 10.8 didn't come up?
21:47 < s2r> client or server side?
21:47 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["leaving"]
21:47 < pickcoder> client
21:47 < pickcoder> did you check the client log?
21:49 < s2r> yes, here's a piece of the log, "route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'"
21:52 < krzie> that doesnt tell anything
21:52 < krzie> do this:
21:52 < krzie> !logs
21:52 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
21:53 < krzie> Dougy[RV|Away] you had a fbsd question for me?
21:53 < krzie> im back and forth idle and here
21:53 < jeev> you guys suggest my own dyndns i want to run
21:53 < jeev> what's the best way ?
21:54 < pickcoder> meh.. back routes always kick me in the shin
21:56 < krzie> i dont follow you jeev
21:57 < jeev> i want to run my own dyndns.. not service, but for myself
21:57 < jeev> i dont want to have to rely on another company
21:57 < s2r> pickcoder, client's log. http://pastebin.com/d773a6f14
21:59 < krzie> jeev, oh have fun with that
22:01 < s2r> pickcoder, server's log. http://pastebin.com/d2a0bb648
22:02 < krzie> that is not verb 6
22:03 < pickcoder> jeev: you'd need a static dns server to update
22:04 < jeev> ..
22:04 < pickcoder> otherwise you'd still be a moving target
22:04 < jeev> ;)
22:04 < jeev> i have many!
22:04 < jeev> its ok
22:04 < jeev> i'll just use one
22:04 < pickcoder> if it doesn't change often you can use a regular dns service
22:04 < pickcoder> I think I pay $5 a year for direcdns
22:05 < krzie> Wed Dec 03 01:37:41 2008 Route addition via IPAPI failed [adaptive]
22:05 < krzie> s2r: try this:
22:05 < krzie> !winroute
22:05 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up
22:05 < pickcoder> windows route problem
22:06 < pickcoder> that kicked me the other day on vista
22:06 < krzie> ild kick myself just for using vista :-p
22:06 < pickcoder> route-delay 2 and route-method exe helps
22:06 < pickcoder> I'm avoiding
22:06 < pickcoder> if I had my choice everyone would on KDE
22:07 < pickcoder> ~would be
22:07 < s2r> krzie, client side? or server?
22:08 < pickcoder> do I have to run a wins server to get samba and windows shares to pass through?
22:09 < pickcoder> I'd rather not go bridged
22:16 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Remote closed the connection]
22:17 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn
22:26 < s2r> krzie tried what you suggested.
22:26 < s2r> same behaviour, at least this time I saw in the firewall's log that the icmp packet for the ping was permitted.
22:31 < s2r> the address 10.8.0.1 is the one assigned to the server and 10.8.0.5 is the one assigned to the server but on the segment assigned to the client, am i right?
22:33 < krzie> ignore .0.5 exists
22:33 < krzie> read this to understand why
22:33 < krzie> !/30
22:33 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
22:35 < pickcoder> gah.. I can't get netbios to pass through
22:35 < s2r> thanks for your help, will read it tomorrow, too late here. :D got to work early.
22:35 < s2r> !topology
22:35 < vpnHelper> s2r: "topology" is it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
22:37 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has joined ##openvpn
22:45 -!- s2r [n=dada@190.2.0.105] has quit []
22:55 -!- pickcoder [n=madmax@unaffiliated/pickcoder] has quit ["011000100111100101100101"]
23:12 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)]
23:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
--- Day changed Wed Dec 03 2008
00:15 -!- franck [n=franck@tikiwiki/franck] has joined ##openvpn
00:15 < franck> Hi
00:16 < franck> I'm trying to establish 2 VPN, from my client to 2 sites, but they cancel each other in turn when both started
00:16 < franck> any help?
00:16 < ropetin> What client OS?
00:16 < franck> MAC
00:17 < ropetin> How are you starting the connections?
00:17 < franck> I use tunnelblik
00:17 < franck> tunnelblick
00:18 < ropetin> Hmmm, I'm not familiar with that (or Macs)
00:18 < ropetin> However, are they running on the same ports maybe?
00:18 < franck> each work nicely on their own, but if I start the other one, then it will drop the first vpn, then the first vpn will reestablish itself and drop the other one, etc...
00:19 < franck> well both servers are using 1194
00:19 < franck> and I cannot change that
00:19 < franck> but I would have hoped openvpn would make the difference with sourceip
00:21 < ropetin> krzie: can you run two connections on the same port?
00:25 < ropetin> Darn, where'd he go? :)
00:32 < krzee> no
00:32 < krzee> diff port
00:32 < krzee> err wait
00:32 < krzee> outbound to 2 on same port, yes
00:32 < krzee> but 2 servers on same box each needs diff
00:32 < krzee> are they using the same subnets?
00:32 < krzee> if 1 is 10.8.0.x other should be something like 10.8.1.x
00:33 < krzee> or whatever, different
00:33 < krzee> i also never got why people use tunnelblick
00:33 < krzee> i just put my openvpn command into a file after #!/bin/sh
00:33 < krzee> and name the file with .command
00:33 < krzee> turns it into clickable icon
00:34 < krzee> sits in a stacks with all my other shortcuts
00:34 < ropetin> Client is trying to connect to two servers, both on the same port
00:34 < krzee> needs to be 2 clients
00:34 < krzee> to diff servers
00:34 < krzee> same port dont matter
00:34 < ropetin> K, cool, thanks!
00:34 < krzee> np
00:35 < ropetin> franck: So port is good, what about subnet?
01:12 < reiffert> moin!
01:37 < ropetin> Sure is
02:03 < jeev> lol
02:04 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn
02:11 -!- paruchuri [n=qvantel@61.16.248.247] has quit [Read error: 145 (Connection timed out)]
02:18 < ropetin> Additionally, I'm so tired it hurts :(
02:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:22 < ropetin> zzzzzzzzzzz :)
02:29 -!- CrummyGummy [n=Dude@41.208.46.2] has joined ##openvpn
02:41 < CrummyGummy> Hiya, I need to ping the clients of one vpn (10.8.0.6) from another vpn. The pings get as far as the second vpn's server ip (10.8.0.1) and come back with destination host unreachable. I find this pretty weird because 10.8.0.1 must know where 10.8.0.6 is. Any ideas what needs to be put in place?
02:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
03:00 < ropetin> CrummyGummy: they are both clients on the same server?
03:00 < CrummyGummy> no
03:01 < ropetin> So two clients, two servers, that then connect to the same subnet?
03:01 < ropetin> Or totally different subnets?
03:02 < CrummyGummy> different subnets per server.
03:02 < CrummyGummy> 10.14.0.6 must ping 10.8.0.6
03:03 < CrummyGummy> it gets as far as 10.8.0.1 and then gets "destination host unreachable."
03:04 < ropetin> Presumably then it needs a route adding?
03:04 < ropetin> !route
03:04 < vpnHelper> ropetin: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:04 < ropetin> It's always routes :)
03:04 -!- K_luffy [n=V3N@77.31.147.117] has quit [Read error: 60 (Operation timed out)]
03:04 * CrummyGummy looks
03:08 < CrummyGummy> could be this iroute thing.
03:10 < ropetin> Yup, or a variation thereof
03:18 < CrummyGummy> No, it would need to be the opposite, like an 'oroute'. The service doesn't know where to push the packets to. 10.8.0.0/24 via 10.8.0.2 dev tun4 exists but that doesn't seem to be enough.
03:18 < CrummyGummy> the server itself can ping down both interfaces.
03:20 < ropetin> You have the routes configured correctly on both servers?
03:23 -!- K_luffy [n=V3N@77.31.147.117] has joined ##openvpn
03:25 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
03:26 < CrummyGummy> I need to add the push route to the client that I can't ping. I don't think that's the problem though because it would give me no response, not "destination host unreachable."
03:29 < ropetin> You're saying it knows where to go, just can't get there? Rather than not knowing where to go?
03:31 < CrummyGummy> Something like that, it routes all the way from the one client to the server interface for the other client. It just can't get past that other interface.
03:33 < ropetin> How are the two servers communicating? Over one of the VPNs, or on a local LAN?
03:34 < CrummyGummy> The two server services are on one physical server.
03:35 < ropetin> I'm confused now :)
03:35 < ropetin> I'll shut up!
03:36 -!- K_luffy [n=V3N@77.31.147.117] has quit [Read error: 60 (Operation timed out)]
03:36 -!- K_luffy [n=V3N@77.31.147.117] has joined ##openvpn
03:40 < CrummyGummy> No, don't do that. I'll draw a pic to explain.
03:43 < ropetin> :D OK
03:49 < CrummyGummy> http://ha.flashmedia.co.za/vpndiagram.png
03:49 < CrummyGummy> I can ping along the green lines but not the red.
03:51 < ropetin> There is something about not being able to ping the 'VPN' IPs
03:51 < ropetin> I forget exactly what it is, but the guys in here usually say 'it doesn't work, don't worry about why'
03:52 < ropetin> What about the routes on the actual server, not in openvpn, but just on the general machine
03:52 < ropetin> ?
03:53 < CrummyGummy> This is in place.
03:53 < CrummyGummy> 10.14.0.2 dev tun4 proto kernel scope link src 10.14.0.1
03:53 < CrummyGummy> 10.14.0.0/24 via 10.14.0.2 dev tun4
03:53 < ropetin> If krzie or ecrist were awake they would have you fixed in 2 mins
03:53 < CrummyGummy> I'm not sure what else to add.
03:53 < CrummyGummy> What time are they up?
03:54 < ropetin> All times of the day, I'm surprised krzie isn't awake
03:54 < ropetin> If we keep saying his name he might wake up... :D
03:54 < CrummyGummy> :)
03:54 < CrummyGummy> Well krzie *is* the guy on the bottom of that link you sent me.
03:54 < ropetin> I'm just really here to say 'check your routes' and 'wait for krzie and ecrist' :)
03:55 < CrummyGummy> Oh, right.
03:55 < ropetin> That's kind of a joke, but not totally. I'm new to this vpn thing, but the guys in here were good to me when I was having problems, so I'm trying to give back
03:56 < CrummyGummy> it's admirable.
03:57 < ropetin> If I do it long enough I might figure it all out
03:57 < CrummyGummy> I generally forget to log on. Must remember to add it to my default channels.
04:00 < ropetin> :D
04:20 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
04:22 < CrummyGummy> ropetin: Here's an updated pic.
04:22 < CrummyGummy> http://ha.flashmedia.co.za/vpndiagram.png
04:22 < CrummyGummy> The green works, the red doesn't, breaks where solid becomes dotted.
04:33 -!- K_luffy [n=V3N@77.31.147.117] has quit [Read error: 145 (Connection timed out)]
04:33 -!- mRCUTEO [n=info@124.13.180.95] has joined ##openvpn
04:43 < ropetin> CrummyGummy: sorry, had to go do some real work (No fair!)
04:43 < ropetin> Have you tried the reverse direction and does it fail or work? I notice you're only red from left to right
04:49 < CrummyGummy> I don't control the other side
04:49 < ropetin> K
04:56 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Read error: 104 (Connection reset by peer)]
05:03 -!- mRCUTEO [n=info@124.13.180.95] has quit [Read error: 110 (Connection timed out)]
05:12 -!- protocols [n=protocol@p5791FC53.dip.t-dialin.net] has joined ##openvpn
05:38 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
05:44 -!- _trine_Tenerife is now known as _trine
05:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:09 < franck> ropetin: thanks for the info, will look into it
06:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
06:31 -!- mRCUTEO [n=info@64.235.47.77] has joined ##openvpn
06:31 < mRCUTEO> pptp
06:31 < mRCUTEO> oppss
06:31 < mRCUTEO> sorry
06:36 < mRCUTEO> hiya all
06:36 < mRCUTEO> hi tjz
06:36 < mRCUTEO> :D
06:36 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
06:37 -!- yokyok [n=david@ppp-14.WLAN.FTG.panline.net] has quit [Read error: 60 (Operation timed out)]
06:42 < CrummyGummy> krzie: Hi, are you there?
06:45 -!- AukeF [n=auke@dhcp-121.wind.surfnet.nl] has quit [Remote closed the connection]
06:45 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn
07:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:21 < ecrist> morning, folks
07:22 < mRCUTEO> morning ecrist
07:22 < ecrist> hi
07:23 < mRCUTEO> :)
07:24 < ecrist> CrummyGummy: check out !iroute
07:24 < ecrist> !iroute
07:24 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
07:27 < reiffert> CrummyGummy: is 10.1.0.2 one physical box?
07:32 * CrummyGummy sheepishly admits that the problem was a firewall rule
07:32 < CrummyGummy> thanks for the response though. Just found it now.
07:32 < ecrist> np
07:33 < reiffert> CrummyGummy: forwarding chain, filter table? -i tun0 -o tun1 and vice versa?
07:34 < CrummyGummy> No, there was no policy defined for the interface so it was falling through to reject. Stupid really.
07:35 < reiffert> I see.
07:36 < mRCUTEO> :D
07:37 < mRCUTEO> !ip
07:37 < vpnHelper> mRCUTEO: Error: "ip" is not a valid command.
07:37 < mRCUTEO> !ccd public ip
07:37 < vpnHelper> mRCUTEO: Error: "ccd" is not a valid command.
07:37 < mRCUTEO> very intelligent bo
07:37 < mRCUTEO> *bot
08:22 -!- mRCUTEO [n=info@64.235.47.77] has quit []
08:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
09:00 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 145 (Connection timed out)]
09:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:07 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 111 (Connection refused)]
09:16 -!- dustybin [i=subx@microsoft.devilcode.net] has joined ##openvpn
09:16 < dustybin> what does 'set nameserver' mean?
09:20 -!- bartlm [n=bartlm+@p549183FE.dip0.t-ipconnect.de] has joined ##openvpn
09:21 < bartlm> Hi there
09:21 < ecrist> howdy
09:22 < bartlm> got one small problem with connecting two networks
09:22 < bartlm> everything is fine except the name resolution from one network to another
09:23 < bartlm> the clients behind the server which establishes the vpn-connection cant resolve the clients names from the local network
09:23 < ecrist> bartlm: you need to have access to those DNS records. If they're private, LAN-only records, you need to make that available to the VPN clients.
09:24 < bartlm> well it works perfect if its lets say a roadwarriors laptop
09:25 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal]
09:25 < bartlm> but what i did is connecting the networks from Office A and B
09:25 < bartlm> openvpn server runs in Office A
09:25 < ecrist> sounds like a topology problem
09:26 < bartlm> hm...
09:26 < bartlm> server in office B acts as a vpn-client
09:27 < ecrist> can the 'server' in office B resolve office A DNS ok?
09:27 < bartlm> yes he can
09:27 < ecrist> so, you need to point the other systems in office B to DNS server which can resolve office A names.
09:28 < bartlm> thats what i tried
09:28 < ecrist> it's not an OpenVPN thing, though
09:28 < bartlm> well but related somehow
09:29 < ecrist> indirectly.
09:29 < bartlm> openvpn itself doesn't make any problems, so i thought i could ask something else ;-)
09:29 < ecrist> in the same way you could call the manufacturer of your ethernet cabling, blaming them for the problem
09:29 < bartlm> Lol
09:29 < bartlm> Good idea
09:29 < ecrist> ;)
09:30 < ecrist> what I would suggest is to run BIND on your office B server (vpn client)
09:30 < bartlm> Dont get me wrong. openvpn works perfect for my purposes
09:30 < ecrist> point all LAN (b) traffic DNS to that box, and forward appropriately
09:31 < bartlm> yep. that was exactly my idea and is exactly what i did...
09:31 < ecrist> ok, then there is a misconfiguration in your DNS
09:31 < ecrist> I've got your exact setup where I work, and it works smoothly.
09:32 < bartlm> Sounds good. Then it can be fixed...
09:32 < bartlm> Ill recheck my DNS config...
09:35 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
09:38 < stephenh> you could also specify office A's dns server in office B's dhcp as a secondary dns server if office B's dns server is doing all lookups of internal and external hostnames for office B requests
09:39 < ecrist> IMHO, it would be better to make office B's server a slave for the private DNS of office A, that way name lookups will still occur if the VPN link is down, even though actual connections to those hosts will fail.
09:40 -!- dlewis [i=c7340d65@about/security/staff/dlewis] has joined ##openvpn
09:40 < bartlm> ecrist, that sounds good
09:42 < bartlm> Ill give that a try...
09:42 < bartlm> Ill let you know tomorrow if it worked
09:42 < bartlm> Thanks a lot!
09:42 < ecrist> np
09:43 < bartlm> cu
09:49 < reiffert> moin
09:49 -!- bartlm [n=bartlm+@p549183FE.dip0.t-ipconnect.de] has left ##openvpn ["Verlassend"]
09:50 < ecrist> I wonder how hard it would be to find a high-paying job in AU doing what I do...
09:53 < tjz> what kind of job?
09:53 < stephenh> au = australia?
09:54 < reiffert> ext4fs benchmark
09:54 < tjz> ya
09:54 < tjz> au = australia
09:54 < reiffert> http://www.phoronix.com/vr.php?view=13199
09:54 < vpnHelper> Title: [Phoronix] Real World Benchmarks Of The EXT4 File-System (at www.phoronix.com)
09:55 < tjz> vpnhelper is a cool guy
09:59 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
09:59 < plaerzen> heya
10:04 < ecrist> hey plaerzen
10:04 < ecrist> come convert my unix accounts to LDAP for me
10:06 < dustybin> Im running tunnelblick openvpn client on os x, i can connect to the openvpn server, but i cannot access web pages
10:06 < dustybin> what might be causing this?
10:06 < ecrist> um, lots of things
10:06 < dustybin> here is my routing table: http://empire.ispeeds.net/~subx/Picture%202.png
10:07 < ecrist> !configs
10:07 < vpnHelper> ecrist: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn.
10:08 < ecrist> it's looking like you might be having IP conflicts, as well
10:08 < dustybin> bloody heck :(
10:08 < dustybin> ill paste the openvpn client config, hold on
10:08 < ecrist> we need server config, too
10:09 < dustybin> im running pfsense openvpn server
10:09 < ecrist> don't use pastebin.ca - that's not routing for me.
10:09 < ecrist> dustybin: so?
10:09 < dustybin> i can do a screen grab of it
10:10 < dustybin> this is the openvpn client config: http://paste.debian.net/22788/
10:12 < ecrist> why are you using a VPN on a private subnet?
10:12 < dustybin> to secure my laptop / wireless
10:15 < ecrist> waiting for server config...
10:15 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: PatrickDK, justdave, krzie, tessier_, disco-, zigovr3, lilalinux, Dougy[RV|Away], pa, tarbo, (+33 more, use /NETSPLIT to show all of them)
10:16 -!- Irssi: ##openvpn: Total of 8 nicks [0 ops, 0 halfops, 0 voices, 8 normal]
10:16 -!- Irssi: ##openvpn: Total of 8 nicks [0 ops, 0 halfops, 0 voices, 8 normal]
10:17 -!- Netsplit over, joins: dlewis, reiffert, dustybin, mikkel, jfkw, cpm, randra, protocols, franck, tjz
10:17 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn
10:17 -!- Netsplit over, joins: Solarbaby, kexman, PatrickDK, imbezol, no_maam
10:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:17 -!- Netsplit over, joins: AwayML, tessier_, lilalinux, PeterFA, ropetin, dvl, ikevin, acidchild, Pagautas, niekie (+8 more)
10:17 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
10:17 -!- Netsplit over, joins: disco-, Rienzilla, noriX, troy-, justdave, brutopia, pa
10:17 -!- Irssi: ##openvpn: Total of 52 nicks [0 ops, 0 halfops, 0 voices, 52 normal]
10:17 < dustybin> ecrist: http://empire.ispeeds.net/~subx/server1.png http://empire.ispeeds.net/~subx/server2.png
10:17 < dustybin> sorry about the screengrabs
10:18 < ecrist> first off, change to udp (from tcp)
10:18 < dustybin> ok
10:18 < ecrist> second, I'd recommend changing your address pool to 172.30.0.0/24
10:19 < dustybin> right ok
10:20 < ecrist> check redirect-gateway
10:20 < plaerzen> ecrist, too tired for LDAP right now. Maybe later.
10:20 < ecrist> plaerzen: bastard!
10:20 * plaerzen is.
10:21 < ecrist> dustybin: you need to configure the firewall to NAT traffic from 172.30.0.0 to any for the IP of the pfSense box.
10:21 < ecrist> plaerzen: only 3000 accounts or so, on 3 different systems.
10:21 < stephenh> if i want to reset my password on a cert, do i have to revoke first or can i just use build-key-pass with same cert name?
10:21 < ecrist> it's a scriptable thing, but last time I tried, my slapd crashed *really* hard.
10:21 < plaerzen> ecrist, hrm. $5 per account?
10:22 < ecrist> you're gonna pay me $5 per account? I'd have taken $3, but OK.
10:22 < plaerzen> :P
10:23 * ecrist starts writing a script
10:23 * plaerzen goes back to digg.
10:25 < stephenh> so revoke first or rerun build-key-pass? ;-p
10:32 < dustybin> ecrist: http://empire.ispeeds.net/~subx/Picture%201.png
10:32 < dustybin> ecrist: http://empire.ispeeds.net/~subx/Picture%202.png
10:32 < dustybin> ecrist: http://empire.ispeeds.net/~subx/Picture%203.png
10:32 < dustybin> ecrist: http://empire.ispeeds.net/~subx/Picture%204.png
10:33 -!- dlewis [i=c7340d65@about/security/staff/dlewis] has quit ["http://www.mibbit.com ajax IRC Client"]
10:33 < dustybin> if i try and access a webpage from my laptop, pfsense blocks as shown in picture 3
10:38 < ecrist> ok, in picture 1, you're not specifying an IP to NAT to.
10:39 < ecrist> dustybin: why not just use WPA2 on your WLAN?
10:41 < dustybin> ecrist: i am using WPA2, but that is crackable
10:41 < dustybin> this is more fun
10:41 < ecrist> in what current work?
10:41 < dustybin> home
10:41 < ecrist> WPA2 is not currently crackable
10:41 < dustybin> oh i thought it was using GPUs
10:41 < ecrist> no
10:41 < ecrist> not by a long shot
10:41 < dustybin> ohhhh
10:42 < dustybin> well im gonna try and get this working anyway, im bored
10:43 -!- tjz [n=tjz@bb121-7-20-25.singnet.com.sg] has quit []
10:43 < ecrist> "only plain brute force techniques can be used against WPA/WPA2." (in reference to WPA/2 networks which use a pre-shared key
10:43 < dustybin> what IP address should i specify? the 192.168.2.0/24 network?
10:43 < dustybin> oh ok
10:44 < dustybin> 172.30.0.0/24 ---> 192.168.2.0/24 NAT ?
10:44 < ecrist> The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length.
Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
10:44 < ecrist> dustybin: no, you need to NAT out on the VPN server's public IP
10:44 < dustybin> oh hell
10:44 < ecrist> ping krzee
10:45 < ecrist> got reply from Francis, he's going to discuss our A record idea with the 'group'
10:45 < ecrist> OpenVPN [T]echnologies (the company) is committed to operat[ing
10:46 < ecrist> ] and support[ing] openvpn.net and openvpn.org
10:46 < ecrist> quote from the email.
10:46 < krzee> hehe
10:48 < ecrist> I have a feeling we're going to be dealing with some inflated-head syndrome on their end. :\
10:49 < krzee> http://failblog.files.wordpress.com/2008/11/fail-owned-homework-stripper-shovel-fail.jpg
10:49 < ecrist> ROFLMAO
10:59 -!- K_luffy [n=V3N@77.31.173.157] has joined ##openvpn
11:00 < krzee> !ad
11:00 < vpnHelper> krzee: Error: "ad" is not a valid command.
11:00 < krzee> !factoids search directory
11:00 < vpnHelper> krzee: "activedirectory" is http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
11:01 < dustybin> i think one needs a degree in networking before one messes around with VPN
11:02 < ecrist> krzee: for the record, there's an ldap_auth script available, too.
11:03 < ecrist> dustybin: some knowledge is required, for sure.
11:03 < dustybin> indeed
11:03 < ecrist> what you're trying to do is not something I'd consider basic
11:04 < dustybin> to specify one address, would one use. 192.168.2.60/32
11:04 < dustybin> ecrist: basic!!! jeeeeze i would hate to find out what the complicated stuff involves LOL
11:04 < ecrist> that's CIDR notation, yes
11:05 < ecrist> dustybin: you don't want to know.
11:05 < dustybin> lol
11:05 < krzee> dustybin, especially cause one rarely wants to JUST setup a vpn
11:05 < ecrist> our network here routes for about 300 organizations across IPsec VPN, PVC over frame-relay, and the public internet
11:05 < dustybin> jesus
11:06 < dustybin> IP address overload?
11:06 < ecrist> plus, we have an OpenVPN setup for staff between all their homes, our colocation, and the office, which is on its own subnet
11:06 < krzee> !google CIDR cheatsheet
11:06 < vpnHelper> krzee: CIDR SUBNET MASK CHEATSHEET & ICMP TYPE CODES: <http://www.oav.net/mirrors/cidr.html>; IPv4 CIDR notation cheat sheet | Samat Jain's personal home page: <http://samat.org/cheat_sheets/ipv4_cidr_notation>; CIDR Block Prefix: <http://www.internetsecurityguru.com/cidr.html>
11:06 < krzee> bbiaf
11:12 < ecrist> krzee: PR's been picked up by miwi, should be imported today I'm guessing.
11:12 < krzee> PR...
11:12 < krzee> oh right
11:12 < krzee> for the port
11:12 < krzee> so you got the tarball avail again on the link?
11:30 < ecrist> krzee: no, I've got a link to the svn repo
11:30 < ecrist> when I rebuilt the script for distribution via freebsd ports, I pulled all the logic out that did its own little self-install
11:31 -!- niekie [i=niek@bergnetworks.com] has quit [Read error: 145 (Connection timed out)]
11:31 -!- dustybin [i=subx@microsoft.devilcode.net] has left ##openvpn []
11:31 < ecrist> I've got to build some wrapper scripts for install now, so I just pointed the link to the repo page for now, until I get that done.
11:31 < ecrist> you're more than welcome to help, if you'd like. :)
11:36 -!- Irssi: ##openvpn: Total of 49 nicks [0 ops, 0 halfops, 0 voices, 49 normal]
11:37 < jeev> freebsd rules
12:08 -!- protocols [n=protocol@p5791FC53.dip.t-dialin.net] has quit ["Leaving"]
12:08 -!- Dougy[RV|Away] [n=doug@64.18.159.247] has quit []
12:20 < krzie> well the wrapper could be in shell right?
12:20 < krzie> cause ild be happy to build that for ya
12:20 < krzie> im not really a perl coder, i just ripped your code for the patch i made
12:21 < krzie> ild have a better chance coding it in C than perl
12:21 < krzie> even tho i did read the whole perl oreilly book a couple yrs back
12:21 < krzie> i then never did anything with it and forgot *
12:26 < ecrist> krzee: yeah, that can be a shell script
12:27 < ecrist> really, the import part is putting the stuff in a workable dir, and using a sed command to replace ~~~PREFIX~~~ in the script
12:28 < krzie> oh werd
12:28 < krzie> ild be happy to write that then
12:28 < ecrist> see https://www.secure-computing.net/trac/browser/trunk/ssl-admin/Makefile
12:28 < krzie> can you tell me in email what you expect it to accomplish?
12:28 < vpnHelper> Title: /trunk/ssl-admin/Makefile - SCN Open Source - Trac (at www.secure-computing.net)
12:28 < krzie> oh nice
12:28 < ecrist> it shows you what the freebsd stuff does
12:28 < ecrist> if we package the svn version, you get man pages and stuff, too. ;)
12:30 < krzie> so how bout, i do a case for OS
12:30 < krzie> if its linux, i put in /etc/openvpn/ssl-admin or something
12:30 < ecrist> that should work.
12:30 < ecrist> sure
12:30 < krzie> if its freebsd i put in /usr/local/etc/ssl-admin
12:31 < krzie> cool, i already have the check os case written
12:31 < krzie> for my dns-tunnel routing script
12:33 < ecrist> that way you can commit.
12:35 < stephenh> dumb question, it's not possible to have my customer boxes vpn back to me (for reporting) and for me to be able to connect to their inside networks if some of them have the same ip ranges, right?
12:36 < stephenh> it would be one way, like they would be able to get to my inside network but i wouldn't be able to get to theirs, yes?
12:36 -!- edoceo [n=edoceo@98.247.254.241] has joined ##openvpn
12:37 < edoceo> On a Windows OpenVPN server my tun0 adapter keeps becoming 'Cable Disconnected' according to windows.
OpenVPN service still running
12:37 < edoceo> Have to restart OpenVPN to "re-cable" the virtual adapter, anyone else seen this?
12:40 < ecrist> krzee: do you have control over the google command for vpnHelper?
12:49 < jeev> krzie
12:55 < krzie> whatchya mean?
12:56 < krzie> you mean can i turn it off? can i make it output less or more links? or did i lock its usage?
13:03 < ecrist> krzie: can you make it build searches through another engine? (letmegooglethatforyou.com)
13:03 < krzie> oh, gotchya
13:03 < krzie> no
13:03 < krzie> its specifically a google plugin
13:04 < ecrist> ok
13:18 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit []
13:39 < krzie> ecrist, would you send me an email saying what you expect the script to do?
13:40 < krzie> should it ONLY do what Makefile does? should it set variables in the script?
13:40 < krzie> etc
13:43 < ecrist> krzie: sure thing. I'll send an email now.
13:43 < ecrist> the krzie email address, or your other one?
13:43 < ecrist> or both?
13:44 < krzie> jeff@ should be fine
13:44 < ecrist> oki
13:44 < krzie> since i only expect to do it on my laptop
13:47 < PeterFA> How do I make the server choose a certain IP address when it starts for the tun device?
13:48 < ecrist> with the 'server' config option
13:48 < ecrist> email away
13:48 < PeterFA> ecrist, thanks.
14:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:33 < PeterFA> Does OpenVPN use an official protocol for VPN?
14:33 < PeterFA> If so what is it?
14:35 < krzie> SSL
14:36 < krzie> openSSL really
14:36 < PeterFA> Is it really just PPPoE over SSL?
14:36 < krzie> negative
14:43 < kexman> hello
14:43 < kexman> i have set my openvpn log to verb 0
14:43 < kexman> and im still getting logs every minute
14:43 < kexman> the openvpn client is trying to connect
14:43 < kexman> but its on the local lan so it cant ....
14:43 < kexman> and it doesnt need to
14:43 < krzie> do you want to stop it from retrying?
14:44 < kexman> but i dont know how to disable this ... if it doesnt find it for X time ... then it should give up or increase the times between the tries or is there any already known solution for this ?
14:44 < kexman> krzie: well ... yeah that would be an idea
14:44 < kexman> its a windows service
14:44 < kexman> and no user interaction should be made
14:44 < krzie> post the config without comments on pastebin
14:44 < kexman> so it needs to do this on its own
14:44 < ecrist> you probably have retry-indefinite
14:44 < kexman> ecrist: i didnt put that in my config
14:45 < kexman> at least i dont remember
14:45 < kexman> ecrist: so what does that do ?
14:45 < kexman> it sets a number of retries before giving up ?
14:45 < ecrist> um, it retries connecting indefinitely
14:45 < krzie> his is doing that already
14:45 < krzie> he seemed to want to stop it, but i dont think he meant that
14:45 < krzie> cause:
14:45 < kexman> what if it cant connect because of a net problem but i just want it to retry every 10 minutes or so
14:46 < kexman> this was every minute my hdd receives a write ... isnt that bad for a laptop ?
14:47 < kexman> any solution ?
14:48 < kexman> also how could i hide the tap adapter
14:48 < kexman> but still be able to tell it that it doesnt need to read dns through the vpn ?
14:48 < kexman> i mean dont request dns over the vpn
14:50 < krzie> wasnt that you asking yesterday how to un-hide the tap adapter?
14:50 < krzie> and for this:
14:50 < krzie> <kexman> i mean dont request dns over the vpn
14:51 < krzie> use 2.1 and in redirect-gateway use bypass-dns
14:51 < krzie> can find it in the manpage (type !man to see it) under --redirect-gateway
14:52 < kexman> krzie: well i need dns for other vpn clients
14:52 < kexman> just not this one :)
14:52 < kexman> the thing is that windows can be set what dns settings to use
14:52 < kexman> but i need to see the adapter
14:53 < kexman> now i thought i make it visible
14:53 < kexman> make it the last usable dns (uses dns what gets from the openvpn server)
14:53 < kexman> and then hide it :)
14:53 < kexman> hehe
14:53 < kexman> since otherwise i cant set it in any order and it will be the first one
14:53 < kexman> which i dont want
14:53 < kexman> krzie: i am using 2.0.9
14:54 < PeterFA> Could I, in theory, remap all the routing and communication with OpenVPN?
14:54 < PeterFA> On the Internet.
14:59 < ecrist> PeterFA: yes
14:59 < ecrist> PeterFA: all OpenVPN is encap traffic over UDP or TCP
14:59 < ecrist> nothing different, really, than a GRE tunnel with some added features for authentication and routing
15:01 < PeterFA> ecrist, I thought so. Thanks for verifying.
15:02 * PeterFA wonders if DNS and Gateway (as in gateway protocol) servers should use VPN from one to another to reduce security weaknesses.
15:03 < ecrist> PeterFA: just use DNSSEC
15:04 -!- lilalinux is now known as lila_bratkartoff
15:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:22 < PeterFA> ecrist, hmm... thanks.
16:12 < ecrist>
16:24 -!- acidchild [i=ash@dubstep.7a69.co.uk] has quit [Read error: 104 (Connection reset by peer)]
16:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
16:41 * ecrist tires with his voip provider
16:42 -!- Gioacchino [n=Gioacchi@79.171.56.65] has joined ##openvpn
16:42 < ecrist> hi Gioacchino
16:42 < Gioacchino> hi
16:42 < Gioacchino> I have a problem with openvpn
16:42 < Gioacchino> in log it tells that the point to point connection is established
16:42 < ecrist> ok
16:42 < PeterFA> OpenVPN gets easier and easier as you understand it more and more.
16:42 < Gioacchino> but it does not ping...
16:43 < ecrist> what's not ping
16:44 < Gioacchino> not ping either 10.0.0.2 ( openvpn ip of other machine ) or 192.168.1.22 local ip of other machine
16:44 < Gioacchino> Wed Dec 3 23:37:01 2008 /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
16:44 < Gioacchino> Wed Dec 3 23:37:01 2008 UDPv4 link local (bound): [undef]:50500
16:44 < Gioacchino> Wed Dec 3 23:37:01 2008 UDPv4 link remote: [undef]
16:44 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:45 < Gioacchino> it means that it is connected right ?
16:45 < Gioacchino> here is the tail on the other machine
16:45 < Gioacchino> Wed Dec 3 23:44:32 2008 Preserving previous TUN/TAP instance: tun0
16:45 < Gioacchino> Wed Dec 3 23:44:32 2008 UDPv4 link local (bound): [undef]:1194
16:45 < Gioacchino> Wed Dec 3 23:44:32 2008 UDPv4 link remote: 84.221.80.34:50500
16:46 < Gioacchino> also this means it is connected right
16:46 < Gioacchino> ?
16:48 -!- Gioacchino [n=Gioacchi@79.171.56.65] has quit ["KVIrc 3.4.0 Virgo http://www.kvirc.net/"]
16:48 < krzie> bleh
16:48 < krzie> he was pinging wrong ip
16:58 < PeterFA> Is it safe to say that a properly implemented TLS environment is vulnerable to nothing more than physical violence?
16:58 < PeterFA> As in, I have to beat the crap out of a guy to compromise proper TLS?
16:59 < ecrist> ideally, yes
17:01 * PeterFA ponders a non-volatile chip on the mother board which can hold a private key and be rewritable, which is first set by the motherboard manufacturer and is used to establish ppp links in dialup, in an effort to compensate for any weakness in RADIUS authentication.
17:01 * ecrist thinks it would be pointless
17:02 < ecrist> anything that is rewritable can be compromised or used to impersonate something else.
17:03 < PeterFA> I just got an idea of using keys to sign and encrypt passwords so that they can be transmitted safely across lines so that RADIUS servers can work without any sort of imaginable time where something can be captured and reused.
17:03 < PeterFA> ecrist, well, the idea is to make it easy to get started with keys.
17:03 < ecrist> doesn't RADIUS use MD5 to hash passwords?
17:03 < PeterFA> ecrist, you can revoke it.
17:03 < ecrist> PeterFA: what do you mean by 'get started with keys?'
17:03 < PeterFA> ecrist, well, if I recall correctly, you have to choose between one of two protocols for transmitting a password.
17:04 < PeterFA> ecrist, maybe I'm jumping ahead of myself. I'm thinking about authentication for network access for APs and stuff. I remember there was a problem with storing either the password in raw form or encrypted.
17:04 < PeterFA> ecrist, you had to choose the right one for the situation.
17:05 < PeterFA> ecrist, but if you can sign a password and encrypt it, you can transmit that password and have it authenticated with confidence no matter who copies what. But, you have to have a key to start.
17:06 < PeterFA> ecrist, now if that key is compromised the mobo would be worthless... now I thought of using a key on the mobo like a MAC address because then the OS could just fetch it. Or maybe the OS should just be exclusively responsible and not involve the mobo at all.
17:06 < ecrist> what's the point in signing a password hash?
17:06 < PeterFA> I just want to get a secure key to start.
17:07 < ecrist> if the NV memory is rewritable, that key is worthless
17:07 < PeterFA> ecrist, so that it can be verified to come from the original person.
17:07 < ecrist> PeterFA: that's the *point* of a password
17:07 < ecrist> what happens when someone has more than one computer
17:07 < PeterFA> ecrist, well, what if the key is compromised? It would be revoked, unless you wanted to cover access with a device that authenticates.
17:08 < PeterFA> ecrist, I'm thinking in terms of paranoia.
17:08 < PeterFA> ecrist, trying to get something absolutely secure.
17:08 < krzie> !security
17:08 < vpnHelper> krzie: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
17:08 < PeterFA> I'll read them.
17:08 < ecrist> PeterFA: I think your idea is dumb. sorry
17:08 < krzie> what was his idea? i missed it
17:09 < PeterFA> ecrist, don't worry about it. I'm not a baby. I can handle straight-forward criticism.
17:09 < krzie> omg, using the MAC as a seed?
17:09 < PeterFA> krzie, no!
17:09 < ecrist> put a private key in VM memory on the mobo
17:09 < PeterFA> lol
17:09 < krzie> i wouldnt
17:09 < ecrist> to verify identity
17:09 < krzie> umm
17:10 < krzie> thats no better than using a cert
17:10 < krzie> both are "something you have"
17:10 < ecrist> -.-
17:10 < krzie> and when fully compromised, both are jackable
17:10 < krzie> you could use a usb keychain with your certs on it
17:10 < PeterFA> krzie, ecrist is right. It was to try to solve a problem that I was thinking of when I thought of using certs and stuff in RADIUS authentication.
17:10 < PeterFA> And, assuming the user was just some random joe.
17:11 < ecrist> security should contain three tokens: 1) something you know, 2) something you have, and 3) something you are
17:11 < PeterFA> hmm.
17:11 < krzie> 2 of those 3 is generally good
17:11 < krzie> widely accepted as good
17:11 < ecrist> biometric access controls use all three, generally.
17:12 < ecrist> 1) proximity access card (have) 2) PIN (know) 3) hand/finger/retina/etc (are)
17:12 < krzie> yup
17:12 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
17:13 < ecrist> grr, I want to punch someone at our voip provider.
17:13 < ecrist> :\
17:13 < PeterFA> I guess I'll need to read up more carefully on RADIUS access.
17:13 < krzie> ecrist, if they use asterisk theres likely a few ways to crash them
17:13 < PeterFA> I was thinking in terms of trying to close a problem I thought I read about from the FreeRadius site.
17:13 < krzie> if you're feeling very evil
17:14 < ecrist> krzie: all our incoming calls get a 'The number you have dialled is not allocated.' message.
17:14 < krzie> doh
17:14 < ecrist> they say it's something to do with an upstream rate center
17:14 < ecrist> we can make outgoing calls and can call amongst ourselves, but no incoming.
17:14 < ecrist> kinda bad for business.
17:15 < krzie> totally
17:15 < ecrist> I'm actually considering get 3 POTS lines and a Sangoma card and hooking it all up to a linux box with asterisk, though I'd prefer FreeBSD
17:15 < ecrist> s/get/getting/
17:15 < krzie> freebsd runs ast
17:16 < krzie> freeswitch far outperforms ast btw
17:16 < ecrist> yeah, but Sangoma drivers are sketchy
17:16 < krzie> check with #freeswitch about card support
17:16 < ecrist> trust me, if I go that route, you'll be the first to know (whether you want to or not) ;)
17:16 < krzie> i highly recommend freeswitch to asterisk
17:16 < krzie> hehe right on
17:20 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
17:23 < PeterFA> Is the open source world of PBX software taking off?
17:23 < ecrist> lol
17:24 < krzie> its been good for awhile
17:24 < krzie> well it was decent
17:24 < krzie> but it gets better and better
17:24 < PeterFA> That's good.
17:24 < krzie> and that freeswitch project impresses me more than any open source project ive seen 17:24 < PeterFA> Open source makes me feel powerful. 17:25 < krzie> constant improvements being made, very active devs, helpful community 17:25 < krzie> when i needed a lil help i went to their irc chan and asked, one of the leading devs helped me out 17:25 < plaerzen> oh, we use asterisk 17:26 < krzie> i used to help run a ITSP 17:26 < krzie> well i used to be 1/2 owner 17:26 < krzie> we used asterisk cause FS was still being made 17:26 < krzie> from experience i can say use FS if you have the choice 17:27 < plaerzen> it's actually a pretty cool setup. norstar PRI with bell DIDs integrated to asterisk for our polycom poe phones. Don't ask me much about it - our IT manager set it up. 17:27 < krzie> nice 17:28 -!- Cyllene [i=UNtQZrND@unaffiliated/cyllene] has joined ##openvpn 17:28 < plaerzen> I wish I knew more about it - I find it highly interesting how we can have a digital and analog system all working seamlessly. 17:29 < Cyllene> Hi. When trying to add an XP SP3 client, I get errors such as the following: 17:29 < Cyllene> Route: Waiting for TUN/TAP interface to come up... 17:30 < Cyllene> ... 17:30 < Cyllene> Warning: route gateway is not reachable on any active network adapters: 10.3.0.17 17:30 < Cyllene> Route addition via IPAPI failed [adaptive] 17:30 < krzie> !winroute 17:30 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up 17:30 < krzie> try #2 17:30 < Cyllene> krzie: I've tried both. 
17:30 < krzie> that was specificly SP3 they were talkin bout 17:30 < krzie> try giving route-delay 30 17:31 < Cyllene> That's what I've done 17:31 < Cyllene> I have route-method exe and route-delay 30 17:32 < Cyllene> I've also tried ip-win32 netsh 17:33 < Cyllene> Nothing works 17:34 < krzie> !configs 17:34 < vpnHelper> krzie: "configs" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn. 17:34 < krzie> !learn configs as dont forget to include any ccd entries 17:34 < vpnHelper> krzie: Joo got it. 17:36 < Cyllene> krzie: May I PM you? 17:38 < krzie> you dont need to 17:38 < krzie> you'll get more help talkin in the channel 17:38 < krzie> theres a few people here that know a lot 17:38 < Cyllene> No, I need to send you the URL to the logs. 17:38 < krzie> sometimes i know the answer, sometimes they do 17:38 < krzie> sure if you want 17:39 < Cyllene> I need to go somewhere, I will return shortly. 17:39 < krzie> i said both configs 17:40 < Cyllene> Server too? You got it. 17:40 < Cyllene> done. 17:42 < krzie> whoa i never noticed you could use ns-cert-type client 17:44 < krzie> Wed Dec 03 18:35:04 2008 us=546000 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv ) 17:44 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net) 17:45 < krzie> seen that in your logs...? 17:47 < PeterFA> In easy-rsa, when I execute the build-key script with say, ./build-key name, does the "common name" have to be the same as name? 17:47 -!- franck [n=franck@tikiwiki/franck] has quit [Read error: 110 (Connection timed out)] 17:48 < krzie> im sure the howto says 17:49 < PeterFA> krzie, the howto made me confused. It says to use a unique common name, but it doesn't say it has to match. 17:49 < PeterFA> Well, it didn't fail before. 17:50 < krzie> would it hurt something for them to match? 
17:50 < PeterFA> krzie, I thought it would cause a problem if they didn't match. 17:50 < PeterFA> I guess it's just a filename. 17:50 < krzie> im not sure, but i dont see why you dont just make them match 17:50 < krzie> wouldnt you want the filename to be same as commonname? 17:51 < krzie> if not, making a CRL will be hard 17:51 < krzie> confusion 18:09 -!- K_luffy [n=V3N@77.31.173.157] has quit [Read error: 60 (Operation timed out)] 18:12 < PeterFA> Ugh, KVpnc is so confusing. 18:12 < PeterFA> The lingo doesn't at all match OpenVPN's lingo. 18:14 < Cyllene> krzie: Back 18:14 < Cyllene> Yes, I do see that in the logs. 18:22 < edoceo> Anyone seen on Windows where TAP adapter becomes 'Media Disconnected'? This happened to a server I operate a few days ago. 18:22 < edoceo> Have not been able to replicate 18:25 < krzie> i dont use windows, but ild think that would happen when the connection to vpn drops 18:26 < krzie> try connecting to vpn, then killing the other side and see if it replicates 18:27 < Cyllene> Any idea, krzie? 
18:27 < krzie> yes, try one of the other 2 settings in the link openvpn gave you 18:27 < kexman> yo 18:27 < kexman> helloo 18:27 < kexman> krzie: hey i found out how to make my adapter hidden 18:28 < kexman> its easy 18:28 < kexman> and you can do it after installing the adapter 18:28 < kexman> and doing whatever you want with it :) 18:28 < kexman> and then you go to the regedit :P 18:28 < kexman> and regediti :p 18:28 < kexman> i searched for tap-win32 18:28 < krzie> i told you that yesterday 18:28 < krzie> that i believed it was a reg entry 18:28 < kexman> and there must ba a capabilities or something like that 18:28 < kexman> and you have to switch from 81 = visible to 89 = hidden 18:29 < kexman> krzie: yeah but i didnt found info about it yet 18:29 < kexman> only a hint :) 18:29 < kexman> then i searched 18:29 < kexman> found 18:29 < kexman> and did :) 18:29 < kexman> :)))) 18:30 < krzie> cool 18:30 < krzie> maybe you feel like putting something on the wiki for the next person? 18:30 < krzie> !wiki 18:30 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 18:31 < kexman> krzie: well i need first to test it :P 18:31 < kexman> couldnt test it yet 18:31 < kexman> tomorrow ill test it 18:31 < kexman> and remind me again :) 18:31 < kexman> please 18:31 < kexman> i tend to forget :P 18:31 < kexman> hehe :) sorry 18:31 < kexman> cool that openvpn has a wiki 18:31 < kexman> i love wikis 18:32 < kexman> they're such a lovely stuff :) 18:33 < krzie> ya we're talking to the openvpn guys about linking our forum, wiki, and irc chan on their page 18:34 < krzie> since they dont have any of those, and we're already running them 18:36 < krzie> in reality none of them are "mine" i just help with content, but i consider it "we" still ;] 18:41 < krzie> 1. Run regedit 18:41 < krzie> 2. Find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} 18:41 < krzie> 3. 
Look through each sub-key for one with a DriverDesc = "TAP-Win32 Adapter V8" 18:41 < krzie> 4. Set "Characteristics" = 0x89 18:41 < krzie> To show again, set it to 0x81. 18:41 < krzie> from: 18:41 < krzie> !google windows openvpn hide tap adapter 18:41 < vpnHelper> krzie: Re: [Openvpn-users] Hide the TAP device tray icon (on Windows): <http://openvpn.net/archive/openvpn-users/2004-10/msg00173.html>; RE: [Openvpn-users] Hide the TAP device tray icon (on Windows): <http://openvpn.net/archive/openvpn-users/2004-10/msg00159.html>; HOWTO OpenVPN Linux Server Windows Client - Gentoo Linux Wiki: <http://da.gentoo- 18:41 < vpnHelper> krzie: wiki.com/HOWTO_OpenVPN_Linux_Server_Windows_Client> 18:41 < krzie> the last link came up first for me 18:51 -!- lila_bratkartoff is now known as lilalinux 18:51 -!- lilalinux is now known as lila_bratkartoff 18:53 < krzie> !learn wintaphide as in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = "TAP-Win32Adapter V8". Set "Characteristics" = 0x89 18:53 < vpnHelper> krzie: Joo got it. 18:53 < krzie> !learn wintaphide as To show again, set it to 0x81 18:53 < vpnHelper> krzie: Joo got it. 18:54 < krzie> there! 19:03 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection] 19:08 < ecrist> bitches 19:09 < ecrist> krzie: can you email me a copy of the google plugin, so I can write a plugin for the bot? 19:09 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 145 (Connection timed out)] 19:21 < krzie> sure 19:21 < krzie> although i cant till later 19:21 < Cyllene> Hey... so krzie... what happens if ip-win32 netsh,ipapi, and manual do not work? 19:22 < Cyllene> And the DHCP service is indeed started? 
19:22 < krzie> dunno man, i dont use windows 19:22 < krzie> try the mail list if you tried all those 19:22 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 19:22 < krzie> !mail 19:22 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978 19:22 < krzie> mention you tried whats in !winroute and everything from that link 19:23 < Cyllene> Ok 19:23 < Cyllene> Thank you 19:24 < krzie> np 19:37 -!- dougbrowne [n=Nappz@pool-98-113-137-227.nycmny.fios.verizon.net] has joined ##openvpn 19:40 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has joined ##openvpn 19:40 < dougbrowne> Hello, I am here to try and find a solution to the problem I have. I have ran openvpn in the past a few times with no problems, but this time, it seems the the server assigns every client the same IP and i can't reach the server from the inter IP but the external Ip works fine. The only thing I can possibly think of that is different is that this time client-to-client is enabled. I am running gentoo linux. I installed o 19:40 < dougbrowne> penvpn from source, not portage. It is running off a dedicated server at a datacenter. Thanks in advance for any help. 19:43 < edoceo> dougbrowne: post config to pastebin 19:44 < edoceo> Also, do you have unique cert for each client connecting? 19:44 < edoceo> I run similar setup to you and do not see this issue 19:48 < krzie> also set logs to verb 6 and look for errors 19:48 < krzie> or pastebin the logs 19:48 < krzie> im gunna take an early guess and say its firewall tho 19:55 < dougbrowne> Sorry, back. As for certs, yes seprate for each client 19:55 < dougbrowne> Ill pastebin my config 19:58 -!- SerajewelKS [i=devnull@wikipedia/Crazycomputers] has joined ##openvpn 19:59 < SerajewelKS> if a connection is lost due to a timeout from the other side, will the client re-lookup the hostname i give it with --remote or will it try to use the same ip again? 
20:00 < dougbrowne> server.conf : http://rafb.net/p/AQlK4L47.html 20:00 < vpnHelper> Title: Nopaste - No description (at rafb.net) 20:00 < dougbrowne> Sorry for the wait again. 20:03 < krzie> SerajewelKS, that is configurable 20:03 < krzie> resolv-retry or something like that 20:03 < krzie> its in the manual 20:03 < krzie> !man 20:03 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:05 < SerajewelKS> krzie: ah, nice. it seems to be enabled by default too. 20:07 < dougbrowne> Also, I just tried starting with verb 6 and connecting, and I see no errors 20:12 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 20:12 < Dougy> hey 20:14 < krzie> oh my bad resolv-retry wasnt it 20:14 < krzie> im pretty busy so im in and out 20:14 < Dougy> sup krzie 20:17 * ecrist gloats in his IPv6 awesomeness. 20:21 < Dougy> hi ecrist 20:25 -!- kdavis3811 [i=4576958c@gateway/web/ajax/mibbit.com/x-9793624795475634] has joined ##openvpn 20:25 < kdavis3811> hello 20:25 < kdavis3811> i'm trying to set up a bridge with openvpn and getting stuck. 20:25 < kdavis3811> i'm trying to follow these instructions: 20:25 < kdavis3811> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 20:25 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 20:25 < kdavis3811> for bridge linux server 20:26 < kdavis3811> however, I am unable to find bridge-utils (even after i did an "apt-get install bridge-utils") 20:26 < krzie> i think it adds brctl or somethin like that 20:27 < kdavis3811> nor am I able to find the bridge-start and bridge-stop scripts 20:32 < krzie> why do you want to bridge anyways? 
20:32 < krzie> 90% of the people that ask questions about bridging really want a routed setup 20:34 < kdavis3811> i need to access my network shares 20:35 < kdavis3811> i also need to access other subnets (which routed will do on its own, but routed wont allow me to access network shares easily) 20:36 < krzie> sure it will 20:36 < krzie> run a wins server 20:37 < krzie> you could surf by ip without it, but wins is recommended whether you use bridging or not 20:37 < krzie> for sharing the subnets, see this: 20:37 < krzie> !route 20:37 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 20:38 < kdavis3811> right 20:38 < kdavis3811> but, what if I have software that use broadcast to find servers on the intranet? 20:39 < kdavis3811> routing will "hide" those boxes if I used routing 20:39 < krzie> if you use custom software for that, then you have a good reason to use bridging 20:55 < Dougy> my back killsssssssssssssss 20:59 < jeev> jesus christ 20:59 < jeev> i'm fallini asleep and it's 7 20:59 < kexman> krzie: could you find where windows keeps Adapter bindings order ? :) 20:59 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 20:59 < kexman> krzie: sorry i was away ... i just saw what you wrote 20:59 < kexman> amazing :) 21:01 < krzie> yup its all in: 21:01 < krzie> !wintaphide 21:01 < vpnHelper> krzie: "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . 
Set Characteristics = 0x89, or (#2) To show again, set it to 0x81 21:01 < kexman> ya i know that 21:01 < kexman> but 21:01 < kexman> there is this freaking order of the devices 21:02 < kexman> windows will use the one that is on the top of that list 21:02 < krzie> i dunno dude, i dont even like or use windows 21:02 < kexman> you can reach it from the menus somehow 21:02 < kexman> but i bet it has a registry link too 21:02 < kexman> i mean one could set that there 21:02 < kexman> but amazing that this stuff is on the wiki and found so quick ... i googled for it for some time 21:11 < krzie> well i didnt toss it on the wiki yet, been pretty busy today 21:12 < krzie> but the wiki is open for public writing 21:23 -!- kdavis3811 [i=4576958c@gateway/web/ajax/mibbit.com/x-9793624795475634] has left ##openvpn [] 22:18 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 22:38 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 60 (Operation timed out)] 22:53 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 23:30 < ropetin> Evnin 23:48 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn --- Day changed Thu Dec 04 2008 00:00 < PeterFA> Thu Dec 4 16:58:51 2008 us=615110 TLS Error: cannot locate HMAC in incoming packet from... <-- what would cause this? 00:02 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 00:03 < ropetin> PeterFA: does it consistently happen or just once or twice? 00:03 < PeterFA> Consistently. 00:04 < PeterFA> ropetin, I try to connect and I get this error over and over again. 00:08 < ropetin> I just found indication that it could be because one side of the VPN is configured to use TLS, but the other side isn't 00:09 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 131 (Connection reset by peer)] 00:12 < PeterFA> Hmm... maybe you're right. The documentation, where ever hmac is found, refers to tls stuff. 
00:13 < ropetin> Do you know if you've set tls in your config files? 00:13 < PeterFA> ropetin, I'm not using a config file for the client in this case, but the command line. 00:14 < PeterFA> ropetin, and in the command I see no reference to the ta.key file. 00:14 < PeterFA> So, I have to find the option to use it. 00:16 < ropetin> What OS are you using for the client? 00:16 < PeterFA> ropetin, Linux. 00:17 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:17 < PeterFA> Ah, got it. 00:17 < ropetin> Which is it? 00:37 -!- Netsplit over, joins: edoceo 00:37 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: oc80z, PatrickDK, krzee, PeterFA 00:57 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 01:37 -!- K_luffy [n=V3N@77.31.254.210] has joined ##openvpn 02:33 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn 02:41 < troy-> is there a symbian client? 02:45 < troy-> never mind 02:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:29 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 03:34 -!- protocols [n=protocol@p5791FD9B.dip.t-dialin.net] has joined ##openvpn 03:38 -!- AukeF [n=auke@dhcp-121.wind.surfnet.nl] has joined ##openvpn 03:39 < krzee> !ssl-admin 03:39 < vpnHelper> krzee: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 04:09 -!- lila_bratkartoff is now known as lilalinux 04:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:17 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 04:28 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 04:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 04:40 -!- SerajewelKS [i=devnull@wikipedia/Crazycomputers] has quit [Read error: 60 (Operation timed out)] 05:07 -!- floyd_n_milan 
[n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 05:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 05:12 -!- K_luffy [n=V3N@77.31.254.210] has quit [Read error: 60 (Operation timed out)] 05:15 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 05:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:40 -!- krunar [n=jbeckman@mandarin.spotify.net] has quit [Read error: 110 (Connection timed out)] 06:46 -!- masrawy [i=admin@freebsd-help.org] has joined ##openvpn 06:47 < masrawy> Anyone willing to setup openvpn on a server of mine for some fee? 06:57 -!- mRCUTEO [n=info@64.235.47.77] has joined ##openvpn 06:57 < mRCUTEO> hiya all :D 07:13 < krzee> masrawy, yes 07:19 < ecrist> morning 07:20 < krzee> mornin ecrist 07:20 < krzee> wanna take a look at my commits to svn? 07:21 < ecrist> sure, looking 07:21 < krzee> ill msg 08:22 -!- paruchuri [n=qvantel@61.16.248.247] has quit [Read error: 54 (Connection reset by peer)] 08:23 -!- paruchuri [n=qvantel@61.16.248.247] has joined ##openvpn 09:05 -!- mRCUTEO [n=info@64.235.47.77] has quit [] 09:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:30 -!- JuanDosSantos [n=chatzill@smail.realisator.ch] has joined ##openvpn 09:30 < JuanDosSantos> Hello 09:31 < JuanDosSantos> I have a little problem with openvpn, I hope somebody can help me 09:31 < JuanDosSantos> On Client side I get this error: 09:31 < JuanDosSantos> VERIFY ERROR: depth=0, error=self signed certificate: 09:32 < JuanDosSantos> TLS_ERROR: BIO read tls_read_plaintext error 09:32 < JuanDosSantos> I don't know what Kind of error this is.. 09:32 < JuanDosSantos> I think the certs.. 
09:33 < JuanDosSantos> but..I have created it right 09:33 < JuanDosSantos> on client config tls-remove is CN name of remote certificate 09:40 < reiffert> !configs 09:40 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:40 < JuanDosSantos> ok 09:41 < reiffert> paste them to pastebin.com or pastebin.ca 09:41 < JuanDosSantos> yes 09:41 < reiffert> !learn configs as paste them to pastebin.com or pastebin.ca 09:41 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 09:41 < reiffert> vpnHelper: die now. 09:41 < vpnHelper> reiffert: Error: "die" is not a valid command. 09:42 < JuanDosSantos> http://pastebin.com/m43277256 09:42 < JuanDosSantos> this is server config 09:43 < reiffert> Please remove all the comments if possible to you. 09:44 < reiffert> grep -vE '^#' server.conf 09:44 < JuanDosSantos> ok 09:44 < JuanDosSantos> http://pastebin.com/mf3bd8e 09:44 < JuanDosSantos> this is client conf without comments 09:44 < reiffert> change dev tap to dev tun 09:44 < reiffert> in server.conf 09:44 < reiffert> and on client.conf as well. 09:45 < reiffert> and remove tls-remote jdossantos.dyndns.org 09:45 < JuanDosSantos> ok will try, here is server conf without comments 09:45 < JuanDosSantos> http://pastebin.com/m6b18abdb 09:45 < reiffert> in favour of adding: ns-cert-type server 09:45 < JuanDosSantos> ok I will try... 09:46 < reiffert> pleasedid you follow the official openvpn howto? 09:46 < reiffert> !howto 09:46 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 09:48 < JuanDosSantos> yes I do 09:48 < reiffert> You can safley remove auth SHA1 as it is the default 09:49 < reiffert> does it work? 09:49 < JuanDosSantos> no 09:49 < JuanDosSantos> now it doens't start 09:49 < JuanDosSantos> Thu Dec 4 16:46:32 2008 us=165457 ifconfig tun0 10.0.0.1 pointopoint 255.255.255.0 mtu 1500 09:49 < JuanDosSantos> SIOCSIFDSTADDR: Invalid argument 09:49 < JuanDosSantos> Thu Dec 4 16:46:32 2008 us=177345 Linux ifconfig failed: shell command exited with error status: 1 09:49 < JuanDosSantos> with tun 09:49 < reiffert> lemme look that up 09:50 < reiffert> oh, right: 09:50 < reiffert> remove 09:50 < reiffert> # 09:50 < reiffert> ifconfig 10.0.0.1 255.255.255.0 09:50 < reiffert> # 09:50 < reiffert> ifconfig-pool 10.0.0.10 10.0.0.20 09:50 < reiffert> and add: 09:51 < reiffert> server 10.8.0.0 255.255.255.0 09:51 < reiffert> sorry, server 10.0.0.0 255.255.255.0 09:51 < reiffert> we will care about the range afterwards. 09:51 < JuanDosSantos> ok 09:51 < reiffert> please paste your current server and client config files again. 09:53 < JuanDosSantos> server: http://pastebin.com/m1a2f007e 09:53 < reiffert> ns-cert-type server 09:54 < reiffert> tls-server <- wrong 09:54 < JuanDosSantos> ah..I have it on client.conf 09:54 < JuanDosSantos> ok will change 09:54 < reiffert> stop. 09:54 < ecrist> hammer time 09:54 < reiffert> for the client.conf it"s ok. 09:54 < reiffert> and remote the tls-server line from server.conf 09:55 < JuanDosSantos> ok 09:55 < JuanDosSantos> here is client conf: http://pastebin.com/m1edb0240 09:56 < reiffert> ns-cert-type server 09:56 < reiffert> ns-cert-type jdossantos.dyndns.org <- wrong 09:57 < reiffert> !howto 09:57 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:59 < reiffert> does it work? 
10:01 < JuanDosSantos> ok wait 10:02 < JuanDosSantos> nope same error: VERIFY ERROR: depth=0, error=self signed certificate 10:02 < JuanDosSantos> on client site 10:03 < reiffert> allright, then please start over and follow the howto this time. 10:04 < reiffert> It's straight forward, comes with example server/client files and is very explanatory about creating the keys. 10:04 < JuanDosSantos> I have generated client certs on remote server. thats right? 10:04 < reiffert> yes. 10:04 < JuanDosSantos> ah ok 10:04 < JuanDosSantos> ok I will retry the howto 10:04 < JuanDosSantos> thanks for help 10:05 < JuanDosSantos> where I can pay the support and how much is it? 10:05 < reiffert> it's free support, enjoy it! 10:06 < JuanDosSantos> oh thank you 10:06 < JuanDosSantos> but how you can finance your project? 10:08 < reiffert> no idea. The openvpn author runs a company, see openvpn.net for details. 10:22 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has quit [Read error: 110 (Connection timed out)] 10:27 -!- et [n=et@feynman.fachschaft.physik.tu-darmstadt.de] has joined ##openvpn 10:30 < et> I guess i have to try my nat rules, but i'm kind of puzzled - i have a working vpn (i can ssh over it and ping in both directions, however the client can not ping itself - is that normal?), but reaching the outside doesn't work, the connections seem to hang 10:31 < et> route seems to be okay (via tun interface, however gateway is 10.8.0.5 while client is .6 and server is .1 - is this normal?) 10:33 -!- JuanDosSantos [n=chatzill@smail.realisator.ch] has quit ["ChatZilla 0.9.83 [Firefox 3.0.4/2008102920]"] 10:33 < et> traceroute shows me it goes over the server and to the outside (i get quite a few hops from the outside), but i can't ping and can't connect over http 10:37 < plaerzen> if you're trying to ping the virtual interface IP address - that won't work. 
10:39 < plaerzen> I haven't used openvpn in a while - but from what I understand, the client can only communicate to the server and vice-versa via tun/tap adapters. clients can't see each other 10:41 < et> well, i mean the client itself - "ping $my_ip", but it's no problem it doesn't work ;) what i'm trying to do is to get the server to play NAT for me .. 10:46 < plaerzen> ah, I see. 10:46 < reiffert> et: show us your firewall settings. 10:50 < et> reiffert: http://pastie.org/331025 10:50 < et> if the second part is too long, i can flush and set special rules, but i didn't see any change 10:50 < et> eth1 is the "public" interface 10:51 < reiffert> please use -n as well 10:52 < reiffert> and insert tun0 to INPUT like .e.g. iptables -I INPUT -i tun0 -j ACCEPT 10:52 < reiffert> ping to same machine should work then. 10:52 < reiffert> and iptables -I FORWARD -i eth1 -o tun0 -j ACCEPT 10:53 < et> reiffert: http://pastie.org/331020 10:53 < et> sorry 10:53 < et> reiffert: http://pastie.org/331030 10:53 < et> this one 10:55 < et> ah. ping to same machine didn't work because the route for it is wrong 10:56 < et> with your two lines, NAT still doesn't seem to work (can't reach something on the outside ...) 10:57 < reiffert> Sorry, but I cant find my two lines back in your pasting. Please paste routing table as well. -n 10:58 < reiffert> however, gotta go and reach my flight, bbl 11:12 < et> http://pastie.org/331044 is the client routing table 11:13 < et> http://pastie.org/331037 is the server firewall settings and routing table 11:39 < ecrist> :\ 11:42 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)] 11:43 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 11:51 < ecrist> dvl: thanks for the link from your pages. 11:54 < dvl> ecrist: np. send beer. 11:54 < ecrist> can't. I drank it all. 
;) 11:55 < dvl> damn 12:18 < PeterFA> Is it possible that an openvpn server could cause the router to stop routing all traffic when the router is a different machine than the openvpn server? 12:19 < PeterFA> I was setting up a vpn using openvpn last night and then the network on the remote system kicked out completely. I was working on a computer several thousand miles away. 12:19 < PeterFA> I was able to connect to the remote system, but then the router just stopped working. 12:19 < PeterFA> It wasn't instant, it took a few minutes. 12:46 -!- djdb [n=digitalb@djdb.dc.beltelecom.by] has joined ##openvpn 12:47 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)] 12:49 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 12:49 < djdb> Hi to everyone! Is it possible to have TCP-multisession connection between two openvpn implemented hosts? 12:54 < djdb> My ISP limits tcp with 512k bandwith per session, so, iven if I have 100Mbit\s channel I have low-speed openvpn connection ( 12:55 < cpm> possible? Sure. What's not possible? It'll be ugly. You can do ppp over tcp, and then do mlppp over the multiple ppp connections, with all the overhead, it'll probably suck. 12:56 * cpm doesn't think of 512K as low speed, he still lives in the land of T1s, 512K ain't all that bad. 12:59 < djdb> by this way, I can setun 2*x*openvpn's and load balance traffic with tc, but i' looking for native openvpn support (may be in patch-way) 13:08 < plaerzen> cpm, i am in the same boat. 
5mbit is blazing 13:09 -!- protocols [n=protocol@p5791FD9B.dip.t-dialin.net] has quit ["Leaving"] 13:10 -!- franck [n=franck@tikiwiki/franck] has joined ##openvpn 13:10 -!- justdave [n=dave@unaffiliated/justdave] has quit ["kernel upgrade in progress, brb"] 13:18 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [] 13:24 -!- djdb [n=digitalb@djdb.dc.beltelecom.by] has quit ["Ухожу"] 13:27 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 13:49 < PeterFA> How do I route through a point to point connection? 13:53 < krzee> te, to understand the ip layout see this: 13:53 < krzee> !/30 13:53 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 14:03 < PeterFA> Oh, I thought i was in ##linux for that last question. 14:04 < PeterFA> Anyways, my computer when I connect to an openvpn server using openvpn on both ends gets 10.8.0.5/6 for the p2p stuff while the server has 1/2. 14:04 < PeterFA> I cleared out ipp.txt and the ccd dir isn't enabled. 14:04 < PeterFA> Why are the ip addresses inconsistent? 14:06 -!- jfkw_ [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 14:06 -!- franck [n=franck@tikiwiki/franck] has quit [Read error: 110 (Connection timed out)] 14:11 < krzee> PeterFA, huh? 14:11 < krzee> 2 diff computers get .6? 14:11 < krzee> .6 is the normal 1st client 14:11 < krzee> as explained in !/30 14:14 < PeterFA> krzee, first of all, they don't get that netmask, unless that pool issue doesn't cause the netmasks to be set. They get /32. Now the openvpn server gets tun0 with 10.8.0.1 pointopoint 10.8.0.2, whereas the client gets 10.8.0.6 pointopoint 10.8.0.5 14:14 < PeterFA> So, like I said, inconsistent ip addresses. 
14:14 < krzee> !/30 14:14 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 14:14 < PeterFA> krzee, it's not /30, it's /32 14:14 < krzee> can you ping after? 14:14 < PeterFA> krzee, if I ping the right ip addresses, yes. 14:15 < krzee> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 14:15 < krzee> inet 10.8.1.1 --> 10.8.1.2 netmask 0xffffffff 14:15 < krzee> thats how it works dude 14:15 < krzee> the rest is internal 14:15 < krzee> did you actually read !/30? 14:15 < PeterFA> krzee, so it's supposed to give /32, even though it hands them out from generating /30? 14:16 < krzee> check this out 14:16 < krzee> if you can ping across, it works 14:16 < PeterFA> Well, I'm trying to make it route to the subnet on the server. 14:16 < krzee> !route 14:16 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 14:16 < krzee> i wrote a howto for that :-p 14:16 < PeterFA> krzee, is it supposed to hand out inconsisten ip addresses? 14:16 < krzee> ill bbl, gotta go do my stuffs 14:16 < krzee> that isnt inconsistant! 14:17 < krzee> that is EXACTLY how openvpn does it 14:17 < krzee> as explained in !/30 14:17 < krzee> read it, understand it, or bypass it 14:17 < PeterFA> Where the server thinks it's connecting from 10.8.0.1 to 10.8.0.2 and my client thinks it's connecting from totally different iPs? 
14:17 < krzee> READ !/30 14:17 < krzee> or stop asking questions if you dont wanna read the answers 14:18 < krzee> !/30 14:18 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 14:20 < krzee> if that wasnt consistent they would not have a page in the faq explaining it 14:20 < krzee> !topology 14:20 < vpnHelper> krzee: "topology" is it is possible to avoid the !net30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 14:21 < krzee> !forget topology 14:21 < vpnHelper> krzee: Joo got it. 14:21 < krzee> !learn topology as is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 14:21 < vpnHelper> krzee: Joo got it. 14:21 < krzee> and ill bbl 14:28 < PeterFA> The push option adds bogus entries into my routing table on my client. 14:28 < PeterFA> It adds the non-existent ip addresses. 14:28 < PeterFA> I really doubt the !/30 is intentional. 14:29 < PeterFA> I really doubt that it was fully thought through. 14:29 < PeterFA> I'm not complaining about the fact that you get /30, but that you get inconsistent ip addresses, which makes no sense and makes routing a pain as it adds bogus entries to the routing table. 14:30 < PeterFA> You know it's bogus if printing the table lags if it has to do look ups as opposed to when you tell it not to. 14:32 < krzee> it was a work-around for windows lameness 14:32 < krzee> and if you dont think it was intentional, LOL 14:32 < krzee> ya they accidently made it happen and wrote a FAQ about it 14:33 < krzee> *shrug* gooluck to ya, bbl for real this time 14:33 < PeterFA> krzee, it doesn't explain inconsistent ip addresses. 
14:59 < PeterFA> Ugh... so it really is normal.
15:14 < ecrist> bitches
15:22 < PeterFA> Fortunately, I don't need to go from OpenVPN to OpenVPN. If I will use a different client for Windows than OpenVPN, can I disable the !/30 behavior (I know where to look in the documentation for this), and expect Windows clients to work? I just need a windows client to be accessible to the lan.
15:22 < PeterFA> The last part is to the servers subnet, in place or "lan" which is too vague.
15:28 < PeterFA> This !/30 work-around is mangling the routing tables on both sides. They try to route to the opposite subnets using the virtual ip addresses.
15:29 < PeterFA> Linux is fussy with routing information and won't let you use an ip address it doesn't know the route to.
15:30 < krzie> <PeterFA> krzee, it doesn't explain inconsistent ip addresses.
15:30 < krzie> they are NOT inconsistant
15:30 < krzie> inconsistant means they do not work the same way every time
15:30 < PeterFA> krzie, I know, I see that now.
15:30 < krzie> they are quite consistent
15:30 < krzie> and explained in the FAQ and the manpage
15:31 < PeterFA> I got that now.
15:31 < krzie> use 2.1 and topology subnet (as !/30 told you like 10 times) if you hate net30 so much
15:31 < ecrist> PeterFA: I feel the need to ask you what I have to ask a lot of folks in here. Can you please read the docs?
15:31 < krzie> for real tho
15:31 < krzie> especially when the exact location to your answer is given to you
15:32 < ecrist> I/we are willing to help you sort things out, but you've been pointed to the docs a number of times and you apparently refuse to read them.
15:32 < PeterFA> ecrist, I read it a while ago... I didn't notice the explanation to the virtual addresses used. I thought it meant that the ip addresses would match.
15:32 < ecrist> As such, I/we are not willing to be the 'easy way out.'
15:33 < krzie> i am, but i charge for it ;]
15:33 < PeterFA> And you seemed to only answer a question I didn't ask because you were talking about /30 when I saw /32 so it seemed irrelevant.
15:33 < krzie> but help is free
15:33 < krzie> and !/30 would have gavce you your answer if you bothered to read and try to understand it
15:34 < ecrist> my point here is that many others, krz[ei]e, and myself, have figured out how to do this without anyone else's help. we used the docs.
15:34 < krzie> and we're TOTALLY willing to help people in here
15:34 < krzie> but by helping them, we will point to the right spot in the docs
15:34 < PeterFA> krzie, well, it doesn't mention anything about the subnet masks that you will receive nor does it offer anything more after that it mentions the behavior of the virtual ip addresses like where to go for finding a workaround for this as the route and push directives depend on the virtual one, so it breaks configes and routing tables.
15:34 < ecrist> of course, otherwise I wouldn't be here.
15:35 < krzie> the workaround was in my !/30 command
15:35 < krzie> !/30
15:35 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
15:35 < krzie> or (#2) you can avoid
15:35 < krzie> this behavior with by reading !topology
15:35 < PeterFA> !topology
15:35 < vpnHelper> PeterFA: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
15:36 < PeterFA> krzie, I read that too. It's not a matter of avoiding the behavior, but using it in the context of routing.
15:36 < PeterFA> krzie, do you see what I'm trying to say?
15:36 < PeterFA> The behavior causes the routing tables, after following your howto, to produce routes that attempt to go through the virtual IP addresses, which go nowhere.
15:37 < PeterFA> So, the routing fails.
15:38 < PeterFA> Because "push route ... " or "route ..." will insert the ip address to what OpenVPN thinks the other computer has based on it's interface configuration, not what it's expecting the other to respond to, despite knowing what mode it's in.
15:39 < krzie> heh show me the config line
15:40 < PeterFA> One moment.
15:40 < krzie> actually, show me these:
15:40 < krzie> !configs
15:40 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:40 < krzie> !logs
15:40 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
15:40 < krzie> read those clearly
15:40 < krzie> verb must be 6, i want both configs
15:40 < krzie> with no comments
15:40 < PeterFA> Ok, one minute then.
15:42 < PeterFA> krzie, the client was being ran all from commandline options, is that ok? It's much more concise this way.
15:42 < krzie> lol
15:43 < krzie> any reason you dont want a config file?
15:43 < PeterFA> Normally I would use a config file, but this was to be temporary anyways.
15:43 < krzie> wait wait
15:43 < PeterFA> Because it was faster to type it in the commandline for something not persistent.
15:43 < krzie> why am i helping with a temporary setup
15:44 < PeterFA> When i get the server working the way I like it, it's going to have many clients connected to it.
15:44 < PeterFA> It's really a server set up.
15:44 < krzie> just make a client config
15:45 < PeterFA> Ok, that wont' take too long.
15:55 * ecrist wonders if PeterFA doesn't have some inane 'theory' degree...
15:56 < ecrist> a config file is only a parsed set of command line options.
15:59 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:01 < PeterFA> Server config: http://rafb.net/p/zw3Mvg58.html ; Client config: http://rafb.net/p/splBsi76.html ; log: http://rafb.net/p/3MKiHH76.html
16:01 < vpnHelper> Title: Nopaste - No description (at rafb.net)
16:02 < PeterFA> At the bottom of the log, I killed the client.
16:02 < PeterFA> Well, near the bottom.
16:03 < PeterFA> At line 132 the client was killed, but server was left running.
16:03 < krzie> whats in ccd
16:03 < PeterFA> krzie, nothing.
16:03 < krzie> what owns 192.168.1.0 ?
16:03 < krzie> which lan is that on, client or server?
16:03 < PeterFA> krzie, client.
16:04 < krzie> did you read !route?
16:04 < krzie> (im going with no)
16:04 < PeterFA> krzie, your page?
16:04 < krzie> i spent a lot of tyime on that, please read it
16:04 < PeterFA> krzie, the one you wrote?
16:04 < krzie> ya
16:04 < krzie> !route
16:04 < PeterFA> Maybe I missed the part where it works around this.
16:04 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
16:04 < krzie> you added the route right, you did NOT add an iroute
16:04 < krzie> i even drew a picture
16:05 < krzie> if for some reason you cant understand it tell me, but read it all!
16:05 < krzie> 10.0.0.x is the lan behind the server?
16:05 < PeterFA> Yes, that's behind the server.
16:06 < krzie> k you got it right except the iroute
16:06 < krzie> reading my doc will explain iroute in detail
16:06 < krzie> and after reading it you should be somewhat of a pro with when to use route, push route, iroute, ccd
16:06 < PeterFA> The client name is determined by what exactly what? The name of the relevant key file or the common name in the key?
16:06 < krzie> those should be the same, but common-name
16:07 < krzie> if those arent the same have fun when you go to make a CRL
16:07 < krzie> you wont have a clue whats going on
16:10 < PeterFA> Is there something I can add to a config file in ccd to let me know it was read?
16:10 < krzie> !ccd
16:10 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client
16:10 < krzie> it will show in logs that it was read
16:10 < PeterFA> krzie, oh.
16:13 < Dougy> ey yo
16:14 < PeterFA> "iroute 192.168.1.0 255.255.255.0" <-- added to ccd/peterf
16:15 < krzie> now kill and start the client
16:15 < PeterFA> Now, on the server I get this route: 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
16:15 < PeterFA> I just did.
16:15 < krzie> !iroute
16:15 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
16:15 < krzie> iroute did NOT change your routing table
16:15 < krzie> the route command in config did
16:15 < krzie> and stop thinking openvpn is doing it wrong, you're just understanding it wrong
16:15 < PeterFA> Oh, I must have added that then earlier to day while fussing with it.
16:15 < krzie> if you switch to 2.1 and use !topology it will work how you expect
16:16 < krzie> and the route and push route in your server config are correct
16:16 < PeterFA> No... i didn't... ok, I am understand it more now.
16:16 < krzie> so now connect up
16:16 < krzie> and lets test some stuff
16:16 < krzie> can client ping 10.8.0.1?
16:16 < krzie> can server ping 10.8.0.6?
16:17 < krzie> dougy, hey wassup man
16:17 < PeterFA> krzie, both client and server can ping both of those IPs.
16:18 < krzie> ok
16:19 < krzie> now...
16:19 < krzie> can client ping an IP on 10.0.0.x?
16:19 * ecrist is buying a new(er) truck today
16:19 < ecrist> http://www.friendlychev.com/VehicleDetails/1119655554
16:19 < vpnHelper> Title: 2004 Chevrolet Silverado 1500 LS PKG Summit White Pickup Truck. A Chevrolet Silverado 1500 at Friendly Chevrolet Fridley MN (at www.friendlychev.com)
16:20 < krzie> damn man, nice
16:20 < Dougy> hey krzie
16:20 < PeterFA> It can ping 10.0.0.250 which is the server's ip on it's lan, but not 10.0.0.1 which is the router for the subnet.
16:22 < PeterFA> krzie, want to see a print of the server/client route tables?
16:22 < PeterFA> krzie, is that relevant?
16:22 < krzie> see bottom of !route
16:22 < PeterFA> !route
16:22 < vpnHelper> PeterFA: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
16:24 < krzie> no the routes are fine in client and server
16:24 < krzie> i know that from your configs
16:24 < krzie> now its other stuff we're looking at
16:24 < krzie> 10.0.0.1 is not the client itself, right?
16:24 < ecrist> PeterFA: do you have a working knowlegde in routing?
16:24 < krzie> err the server itself, i mean
16:25 < krzie> what ip on server LAN is the server on?
16:25 < PeterFA> ecrist, I have an understanding of it, I hope it's working. I've gotten lans to work, I made a router.
16:25 < krzie> hey eric, can you commit my ./configure script for me?
16:25 < PeterFA> krzie, 10.0.0.250 is the server's ip address, 10.0.0.1 is the router.
16:26 < krzie> its at www.doeshosting.com/code/configure in case you closed the msg window
16:26 < krzie> (@ecrist)
16:26 < krzie> PeterFA, ok the as it explains in !route (which i asked you nicely to read completely)
16:26 < krzie> 10.0.0.1 needs to know that 10.8.0.x routes to 10.0.0.250
16:26 < ecrist> krzie: sure can, I sent you structs on how to do it, though.
16:27 < krzie> ohhh, must have been after i left home
16:27 < ecrist> svn add <file> && svn commit <file>
16:27 < krzie> ahh i see
16:27 < ecrist> :_
16:27 < krzie> ok il do it now then
16:27 < ecrist> :) rather
16:27 < PeterFA> krzie, I'm still trying to parse that bottom part. I thought I had set a route to where all 192.168.1.0 uses 10.0.0.250 as the gateway.
16:27 < krzie> im commiting from a server i run
16:27 < krzie> so i can do it now
16:27 < PeterFA> I'll check the router config.
16:27 < krzie> no no
16:27 < ecrist> ok, that is fine. I don't restrict commits from anywhere, as long an you use a valid login.
16:28 < krzie> PeterFA thanx for saying so, now i know i need to clarify that in my writeup
16:28 < krzie> ya i been commiting it all from same server
16:28 < krzie> on purpose in case i wanted to commit from remote (like now)
16:28 < PeterFA> krzie, don't try until I finally understand it. I read it before and I understood.
16:28 < krzie> PeterFA ya i dont have time to work on it right now
16:29 < krzie> but now i know it needs some work when i get a chance
16:29 < PeterFA> Well, thanks for writing it. It did help me out quite a bit before. I've gotten routing to work with it.
16:29 < krzie> Adding configure
16:29 < krzie> Transmitting file data .
16:30 < krzie> there we go eric
16:30 < krzie> it *should* work fine on *BSD/osx/linux now
16:30 < krzie> PeterFA np, glad to hear it
16:30 < krzie> the stuff in that writeup is commonly misunderstood, thats why i made the writeup
16:31 < krzie> before we could type !route we had to explain all that to multiple people / day
16:31 < krzie> (not fun)
16:33 < krzie> then after you add the route i told you, try that ping again
16:34 < krzie> <krzie> 10.0.0.1 needs to know that 10.8.0.x routes to 10.0.0.250
16:34 < krzie> (that one)
16:42 < PeterFA> krzie, I got it working, yeah, the route wasn't correct. I added a bad route to the router. It had no idea how to get to 10.8.0.x
16:43 < Dougy> hmm
16:43 < Dougy> ecrist: what kind of truck
16:45 < krzie> ok so now
16:45 < krzie> can the server ping an ip on clients lan?
16:45 < krzie> (you need a similar style route on client's router assuming the client is not the router for its LAN
16:45 < krzie> )
16:46 < ecrist> http://www.friendlychev.com/VehicleDetails/1119655554
16:46 < vpnHelper> Title: 2004 Chevrolet Silverado 1500 LS PKG Summit White Pickup Truck. A Chevrolet Silverado 1500 at Friendly Chevrolet Fridley MN (at www.friendlychev.com)
16:46 < ecrist> Dougy: ^^^^^
16:47 < ecrist> krzie: I'll test those scripts tomorrow...
16:48 < ecrist> I was thinking. we should change the FreeBSD stanza to force the user to use the ports tree.
16:48 < Dougy> hmm
16:48 < PeterFA> krzie, my client can ping the clients on the server's lan.
16:48 < Dougy> ecrist: how long does it take Francis to reply
16:48 < Dougy> roughly
16:48 < Dougy> and nice vehicle
16:48 < PeterFA> krzie, er, clarify, my client can ping the nodes on the server lan.
16:48 < ecrist> Dougy: usually a day. He said he has to talk to some other folks in the org, so it might be a while. why do you ask?
16:48 < krzie> PeterFA, right we moved on now, can the server ping nodes on client lan?
16:49 < PeterFA> krzie, I don't want it to.
16:49 < PeterFA> krzie, just a one way thing.
16:49 < jeev> what a nasty ass silverado
16:49 < krzie> then why push a route to the servers lan?
16:49 < krzie> take that out if you dont want clients accessing server lan
16:49 < ecrist> jeev: I like it. :P
16:49 < Dougy> ecrist: was just curious how long it'd take to hear back from them
16:49 < Dougy> im assuming you already have
16:49 < jeev> ecrist
16:49 < ecrist> no, I haven't.
16:49 < jeev> seriously
16:49 < Dougy> oh
16:50 < jeev> no joke, no insult
16:50 < jeev> that's what the lawnmower people use!
16:50 < Dougy> jeev: shut up
16:50 < jeev> the paint is wack
16:50 < Dougy> my only bone to pick with that truck is the color
16:50 < jeev> yea
16:50 < jeev> the grey thing
16:50 < Dougy> everything else is niec
16:50 < Dougy> nice
16:50 < Dougy> but its not my vehicle so its whatever
16:50 < PeterFA> krzie, I want the client to access server lan, but not the server lan accessing anything but the single client, not anything else on the client lan.
16:50 < ecrist> the crappy thing about buying used is you don't have a lot of choice on color.
16:50 < PeterFA> ecrist, yeah, but for the price it's worth it.
16:51 < ecrist> unless you folks want to donate $15,000, can it. :D
16:51 < ecrist> only thing I don't like is it's not Z71, but it has locking rear diff as an add-on.
16:51 < krzie> PeterFA so is it working how you want it?
16:51 < ecrist> so, I'm only out bigger tires and skid plates
16:51 < PeterFA> krzie, yes, just how I want it.
16:51 < krzie> PeterFA, COOL =]
16:51 < krzie> oops capslock
16:51 < PeterFA> krzie, yeah, thanks.
16:51 < krzie> not bad timing for it tho heheh
16:52 < jeev> i had a z66 avalanche
16:52 < jeev> 2003
16:52 < PeterFA> I got a nice 98' Crown Vic for like 8000 or so.
16:52 < jeev> now i have a LT 2007
16:52 < jeev> i dont care for higher end
16:52 < jeev> i dont care for leather anymore
16:52 < jeev> so stupid
16:53 < krzie> i dislike leather
16:53 < krzie> too hot
16:53 * Dougy does not have a vehicle
16:54 < krzie> but i also liv on a tropical island
16:54 < Dougy> damn..
16:54 < Dougy> jeev:
16:54 < Dougy> webnx
16:54 < ecrist> bbl
16:54 < Dougy> Core i7 920, 3 GB RAM, 1 TB HDD, 10 MBPS unmetered
16:54 < Dougy> for $199
16:54 < Dougy> +35 for 6GB, +85 for 12
16:55 < PeterFA> Man, nmap across a VPN is so slow. :P
16:55 < krzie> heh
16:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:56 < Dougy> jeev: buy me it
16:58 < Dougy> man
16:59 * Dougy likes freebsd more by the day
16:59 < Dougy> Mem: 28M Active, 16M Inact, 26M Wired, 16M Buf, 1866M Free
16:59 < Dougy> wee
17:00 < Dougy> bbiaf
17:03 < krzie> ecrist, a friend is testing from svn on centos
17:03 < krzie> linux has a goofy hierarchy but i think i used dirs that will work on any default linux
17:13 < ecrist> man install (creates install dirs on fly)
17:13 < Dougy> hmm
17:13 < Dougy> install is nice
17:17 * Dougy wants to colo a freebsd server
17:23 < krzie> heh eric
17:23 < krzie> sed seems to work different in linux than BSD
17:23 < krzie> so my configure script is broken on linux
17:23 < krzie> but works on freebsd
17:23 < krzie> (which means it works on osx,and *bsd)
17:24 < krzie> ill google for a linux sed manpage
18:20 -!- NBrepresent [n=perry@bas1-toronto09-1279544106.dsl.bell.ca] has joined ##openvpn
18:20 < NBrepresent> krzie: you here?
18:28 < krzie> im busy, just ask your question
18:28 < krzie> theres a ton of people here that are very helpful
18:29 < Dougy> someone spoke
18:29 < Dougy> ohai
18:30 < Dougy> mind you i'm not one of those smart persons
18:31 < NBrepresent> sorry, it's just that last time i was here you were very helpful. anyway, i was the guy who was trying to get openvpn to connect to my workplace, and you said i didn't have enough config info...
18:31 < NBrepresent> I have more config info now from work which should help.
18:44 < NBrepresent> getting very close to success now, or it looks encouraging anyway: http://paste2.org/p/110922
18:45 < Solarbaby> Pre-Congrats NB.. you'll get it
18:46 < Solarbaby> I think I'll get mine setup the right way tonight.. a few days back I made it work on a Linksys OpenWrt Router with static keys, and that was easy.. now its time to tackle the right way.. which deffinately has a few more steps..
18:51 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
18:51 < NBrepresent> Solarbaby: do you know what i can do to fix that last error "Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)" ?
18:54 < NBrepresent> hmm, the error is about permissions, and it looks like vboxusers owns /dev/net/tun
18:55 < Solarbaby> are you using linux?
18:55 < NBrepresent> yes
18:55 < NBrepresent> i chmod'd tun to 777, we'll see whether that helps
18:56 < NBrepresent> new error: " Note: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)"
18:58 < NBrepresent> i think it worked!
18:58 < Solarbaby> :)
18:58 < NBrepresent> i read a forum post that suggested using sudo for the openvpn command
18:59 < NBrepresent> it's odd that chmod 777 didn't work, but sudo does
18:59 < Solarbaby> are you using ubuntu?
18:59 < NBrepresent> so... what do i do now to connect to the remote desktop?
18:59 < NBrepresent> yes
18:59 < Solarbaby> yeah I haven't set it up with ubuntu just yet.. I've been playing with it on my router only
19:00 < NBrepresent> the idea of a vpn is supposed to be that i'm on my work network now, right? i can't see any work shares... also, i still have to log on to the domain somehow.
19:00 * NBrepresent goes to google
19:01 < Dougy> !forum
19:01 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
19:01 < Dougy> forum what?
19:01 < Solarbaby> I read a pretty cool article the other day abut OpenVPN although it was written mostly from the Windows Server point of view
19:01 < Dougy> you both should join up
19:01 < Dougy> :p
19:02 < Solarbaby> sounds good thanks for the forum tip
19:03 < Dougy> forums are fun
19:03 < Solarbaby> I agree.. looks like this forum is new
19:03 < Dougy> it's newer
19:03 < Dougy> are you talking about the !forum one?
19:04 < Solarbaby> Douglas is this your forum?
19:04 < Dougy> ovpnforum?
19:04 < Solarbaby> Yes Sir
19:04 < Dougy> i own the domain yes
19:04 < Dougy> but all of us run it
19:04 < Solarbaby> good deal.. Im reading your OpenVPN Install Guide now
19:04 < Solarbaby> oh Okay
19:05 < Dougy> with a site like that, i don't like saying its mine or i own it
19:05 < Dougy> its the community's
19:05 < Solarbaby> hmm thats a small guide
19:05 < Dougy> i didn't do any documentation how itw orks
19:05 < Dougy> just how to get it on your server
19:05 < Dougy> feel free to add
19:05 < Solarbaby> nod.. thats a start ;)
19:06 < Solarbaby> I found some interesting guides.. I just need to spend 2 hours making them work for me
19:06 < Dougy> lol
19:06 < Dougy> mine took about 30 seconds
19:06 < Solarbaby> I was sorta hoping you wrote a guide yourself.. I've always wanted to be able to ask live questions while following a good guide
19:06 < Dougy> and i guess i could script up a bash script for lazy people
19:07 < Solarbaby> Dougy I plan to set this up on a Linksys router flashed with OpenWrt running OpenVPN
19:07 < Solarbaby> its installed.. just need to get the certs installed and working and that extra ultra secure stuff
19:08 < Dougy> I have a linksys router with ddwrt
19:08 < Dougy> never tried that stuff
19:08 < Solarbaby> I have that too
19:08 * Dougy has a vps externally
19:08 < Dougy> and a few colos
19:11 < Dougy> fun fun
19:11 * Dougy is waiting on another vps set up
19:11 < Dougy> that makes 3 vps's 2 colo
19:11 < Dougy> make sure to signup Solarbaby
19:11 * Dougy needs to get the word out about the forum
19:13 < Solarbaby> Dougy I'd enjoy being a member.. are there some people that love to help that check the forum daily?
19:13 < NBrepresent> Dougy: now that i've got the vpn working, how do i use remote desktop over the vpn?
19:13 < Solarbaby> NB you've got your choice of remote desktop software.. just use anything.. I guess VNC would be fine right?
19:14 < NBrepresent> yes, i've got remote desktop software, but how do i know which ip and port to connect to?
19:14 < NBrepresent> is it the same as the vpn?
19:14 < Solarbaby> seing as your further along then me.. ahiem! you'll have to figure it out
19:15 < NBrepresent> lol, fair enough... Dougy can you weigh in on this?
19:19 < Dougy> oh wait
19:19 < Dougy> who spoke
19:19 < NBrepresent> me
19:19 < Dougy> NBrepresent: that's icnredibly vague
19:19 < Dougy> just RDP to the client's LAN IP?
19:19 < Dougy> Solarbaby: I check it daily
19:19 < Dougy> krzie looks now and again and if you link him he usually hops right on it
19:19 < Solarbaby> sweet
19:20 < Solarbaby> I bookmarked it.. as soon as I've got my first question I'll sign in
19:20 < Solarbaby> or perhaps I'll post a howto
19:20 < Solarbaby> when I create mine
19:21 < Dougy> K
19:21 * Dougy just wants to spread it around
19:21 < Solarbaby> I'd like a OpenWrt OvenVPN expert to walk me through my install ;)
19:23 < Dougy> Post it, we do get random people on theren ow and again
19:39 -!- NBrepresent [n=perry@bas1-toronto09-1279544106.dsl.bell.ca] has left ##openvpn []
19:55 < krzie> doing it on openwrt is like doing it on any other os once you get it installed
20:04 -!- jfkw_ [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"]
20:04 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"]
20:06 -!- tjz [n=tjz@bb116-15-60-168.singnet.com.sg] has joined ##openvpn
20:06 < Solarbaby> yeah I was hoping it would be just that way
20:13 < Dougy> hmm
20:13 < Dougy> i just got one of my really good friends a job interview where iwork
20:13 < Dougy> he beats the hell out of me though lmfao so that could be interesting
20:13 < Solarbaby> good going
20:14 < Solarbaby> well you can learn from him
20:14 < Solarbaby> that sounds great
20:15 < Dougy> lol
20:15 < Dougy> sounds great for him
20:15 < Dougy> me... im gonna have some battle scars
20:15 < Dougy> but on the bright side
20:15 < Dougy> he's going to owe me.. bigtime
20:15 < Dougy> :)
20:15 < Solarbaby> your not worried that hell outperform you and you'll have your job at risk ?
20:15 < Dougy> my job isn't going anywhere
20:15 < Solarbaby> right on
20:15 < Dougy> my boss would hire him m-f 9-5
20:15 < Dougy> i'm sat+sun 10-6
20:16 < Solarbaby> coool deal
20:16 < Dougy> nod
20:16 < Dougy> i'm 16 hes 25
20:16 < Dougy> 22*
20:16 < Dougy> so
20:16 < Dougy> if he owes me a favor that's a good thing
20:16 < Dougy> lol
20:16 < Solarbaby> your 16 and your already this good at openvpn? thats pretty amazing
20:17 < Dougy> blah openvpn is one thing
20:17 < Dougy> i'm a datacenter tech
20:17 < Dougy> that's the wicked part
20:17 < Solarbaby> I've never worked at a datacenter, but i'd like too
20:17 < Dougy> i love it
20:17 < Dougy> i dont do much but when i do
20:17 < Dougy> it's just so kick ass
20:17 < Dougy> lol
20:18 < Solarbaby> thats inspiring
20:18 < Dougy> i would wager to say
20:18 < Dougy> out of 16 hours on the weekend
20:18 < Dougy> i do.. twenty minutes of work?
20:18 < Dougy> on average
20:18 < Solarbaby> how did you convince a company that you being 16 years old were capable of not screwing it all up?
20:18 < Dougy> heh
20:18 < Dougy> i got this job in july
20:18 < Dougy> (i was 15)
20:19 < Solarbaby> <walking in> Hi Im a 15 year old genius.. you should hire me because I'll charge 1 dollar an hour less then the next guy
20:19 < Dougy> loooooool
20:19 < Dougy> no
20:20 < Dougy> i started talking to the owner of this company when i was 14
20:20 < Dougy> got to know him
20:20 < Dougy> it's hilarious how i got my job
20:20 < Dougy> i sent him a msg on aim
20:20 < Dougy> "i need a job."
20:20 < Dougy> his answer: "want one?"
20:20 < Dougy> lmfao
20:20 < Solarbaby> I like that
20:20 < Dougy> me too
20:20 < Dougy> my boss is pretty awesome
20:21 < Dougy> :p
20:23 < dvl> anyone running OpenVPN on their Mac?
20:24 < Dougy> hey dvl
20:25 < krzie> i have, but not with tunnelblick
20:25 < dvl> gidday dougbrowne
20:25 < krzie> i just start it with a shell script named something.command
20:25 < krzie> that makes it clickable
20:25 < dvl> krzie: good, I wasn't planning on a gui.
20:25 < krzie> tossed it in stacks, and booya
20:25 < dvl> OK, it's installed.
20:26 < krzie> on osX is just like installing it on any unix
20:26 < dvl> well, it is unix.
20:26 < dvl> I installed via macports.
20:26 < dougbrowne> Hello
20:26 < dougbrowne> SOmeone hilight me?
20:26 < Dougy> dougbrowne: i think dvl accidently did
20:26 < dougbrowne> Oh ohk
20:26 < Dougy> dvl is a tabber methinks
20:27 < krzie> whats the macports version at?
20:27 < dvl> eh?
20:27 < dvl> tabber?
20:27 < krzie> what ovpn version did it install
20:27 < dvl> oh, 1.6.0
20:27 < krzie> ya you hit tab and highlighted dougbrowne instead of dougy
20:28 < dougbrowne> Ah, I see.
20:28 < krzie> you sure macports installed openvpn 1.6?
20:28 < krzie> i think you meant macports 1.6
20:28 < krzie> i just wanna know what version openvpn
20:28 < dvl> ---> Installing openvpn 1.6.0_0
20:28 < dvl> ---> Activating openvpn 1.6.0_0
20:28 < dvl> ---> Cleaning openvpn
20:28 < dvl> [dlangil@macbook:~] $
20:28 < krzie> thats terriblke
20:28 < krzie> remove it and instalkl from source
20:29 < krzie> openvpn1 is years old
20:29 < krzie> 2.0.9 is like 2 yrs old and is the stable branch
20:29 < krzie> 2.1 is dev branch but is quite stable
20:30 < dvl> and 1.6.0 is vuln.
20:30 < krzie> ovpn 1.x doesnt support most features
20:31 < Dougy> jesus
20:31 < Dougy> openvpn 1.x
20:31 < Dougy> havent seen that in ages
20:32 < Dougy> mac fails yet again
20:33 < dvl> https://trac.macports.org/ticket/4660 they are trying...
20:33 < vpnHelper> Title: #4660 (UPDATE OpenVPN 2.0.2) - MacPorts (at trac.macports.org)
20:33 < tjz> i never trust yum install anymore..
20:33 < tjz> better install from source..
20:33 < dvl> wait, there is an openvpn2 I think.
20:34 < krzie> macports is cool
20:34 < dvl> yes, openvpn2 2.0.9
20:34 < krzie> but i dont install many apps from it
20:34 < krzie> ok 2.0.9 is cool
20:34 < krzie> unless you specificly need something thats in 2.1
20:35 < dvl> thank you for pointing this out to me (1.6...)
20:35 < krzie> np
20:37 < Dougy> tjz: why
20:38 < dvl> krzie: yes, I use ports on FreeBSD whenever I can, so using it on MacPorts is a good fit.
20:39 < krzie> i use fbsd ports a lot
20:39 < krzie> i use macports on occasion
20:39 < krzie> cause fbsd ports is updated more often
20:40 < dvl> 2.x takes longer to install.
20:40 < dvl> only now finishing OpenSSL install
20:40 < dvl> and fetching 2.0.9
20:43 < dvl> krzee: on your mac, where is openvpn?
20:44 < dvl> oh wait, openvpn2, bad bad bad.
20:44 < dvl> $ openvpn2 --version
20:44 < dvl> OpenVPN 2.0.9 i686-apple-darwin9.5.0 [SSL] [LZO] built on Dec 4 2008
20:44 < dvl> Developed by James Yonan
20:44 < dvl> Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
20:47 < PeterFA> http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html <-- in example one, it says that this example uses no security... does that mean the VPN is not encrypting?
20:47 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
20:49 < dvl> krzie: where do you put your keys on mac?
20:52 < Solarbaby> should I run openvpn on port 80?
20:53 < tjz> -_-"
20:53 < tjz> why port 80
20:53 < tjz> there are many other ports to use..
20:53 < Solarbaby> just in case I wanna access it from a coffee shop or somewhere where the ports are blocked I suppose
20:54 < PeterFA> I hope I won't get jumped for this: but can I use just user/pass authentication for a low-security OpenVPN get-up?
20:55 < dvl> friends don't let friends do stupid things.
20:55 < Solarbaby> plain text passwords and everything
20:55 < PeterFA> Well, I would hope there is a trading of public keys.
20:56 < PeterFA> Like in an shttp connection.
20:56 < Solarbaby> you could just open up your routers firewall and expose your network to the entire internet.. and password protect your network shares :)
20:56 < Solarbaby> just kidding dont listen to me i'm being an asshole
20:56 < PeterFA> This is for a bunch of trivial and short term connections from customers so we can access their computers.
20:57 < dvl> Sounds like you should treat your customers better. :)
20:57 < Solarbaby> I like that comment the best
20:57 < dvl> PeterFA: seriously, if that's all you need, what about some commercial solutions?
20:57 < PeterFA> The idea is that if we had to install certs and such, then they'd get annoyed and things would be slow in getting set up.
20:57 < dvl> Like PCAnywhere or something?
20:58 < Solarbaby> lets get some port recommendations going around.. who likes to run OpenVPN on which unusual ports?
20:58 < dvl> Don't expect your users to install OpenVPN.
20:58 < PeterFA> dvl, because they cost money, and I like OpenVPN, plus I can connect with a secure connection using certs when I want.
20:58 < PeterFA> dvl, they'll use a client to connect.
20:58 < dvl> PeterFA: a client? what do you mean a client?
20:59 < dvl> anyways, I have real stuff to do.
20:59 < PeterFA> dvl, not OpenVPN.
20:59 < PeterFA> Look, if you don't know how to do it, then fine.
20:59 < dvl> PeterFA: I suggest you try the mailing lists.
21:00 < Solarbaby> PeterFA OpenVPN was designed with security in mind.. and what your asking for is less
21:00 < Solarbaby> PeterFA you could just setup a static key, but that isn't really what your asking for either
21:00 < PeterFA> I know, I've gone ahead and gone through all the cert stuff, getting that put into place.
21:01 < dvl> http://www.viscosityvpn.com/
21:01 < vpnHelper> Title: Viscosity - OpenVPN Client for Mac (at www.viscosityvpn.com)
21:01 < dvl> That looks interesting.
21:01 < dvl> But not what I want.
21:01 < PeterFA> Solarbaby, think about having a customer with a computer problem calling you up and you have to walk them through the vpn so you can get working?
21:01 < PeterFA> Solarbaby, you can't tell them a cert over the phone.
21:02 < Solarbaby> PeterFA there are some really nice web browser java scripts that do that sort of thing.. probably not free, but you might find one for free if your lucky
21:04 < Solarbaby> should I setup OpenVPN on port 443?
21:04 < dvl> Trying tunnelblick
21:04 < Solarbaby> Hmmm so many choices I could go blind
21:05 < dvl> Solarbaby: what is wrong with the default port?
21:05 < Solarbaby> I dunno.. just in case im on a network where that sort of thing is blocked.. I thought it might be nice to be different
21:05 < Solarbaby> the invisible OpenVPN session ya know?
21:06 < dvl> I'd get it going and installed first. Then worry about running.
21:06 < Solarbaby> yeah good point..
21:06 < Solarbaby> the sound of sanity rings in your voice
21:06 < dvl> That's years of experience.
21:06 < Solarbaby> I'm glad your here
21:06 < dvl> My sex life is older than most of you. Some of you put together.
21:07 < Solarbaby> alright.. I give.. how old are you?
21:08 < Solarbaby> 34 here
21:08 < dvl> Solarbaby: I'm 48.
21:09 < dvl> and yes, my sex life is older than you.
21:09 < Solarbaby> You got into computers back in AT days
21:09 < Solarbaby> I began with the Comodore 64
21:09 < dvl> hello no. before that.
21:09 < Solarbaby> history doesn't document pre AT days very well.. sorry :)
21:10 < Solarbaby> Computers were just too large back then.. and noisy
21:11 < tjz> i have no sex life
21:11 < tjz> lol
21:12 < Dougy> http://www.webhostingtalk.com/showthread.php?p=5438761#post5438761
21:12 < vpnHelper> Title: VPN install & config on CentOS 5 - Web Hosting Talk - The largest, most influential web hosting community on the Internet (at www.webhostingtalk.com)
21:13 < Dougy> so guys
21:13 < Dougy> i sent 25000 texts to my gf last month
21:13 < Dougy> rofl
21:14 < Solarbaby> tjz: I've got a url for you and your sex life http://www.virtualhosting.com/blog/2008/25-coolest-robots-that-you-can-have-sex-with/
21:14 < vpnHelper> Title: 25 Coolest Robots That You Can Have Sex With | Virtual Hosting Blog (at www.virtualhosting.com)
21:14 < troy-> Dougy, thats 833 per day..
21:14 < tjz> llollolo!!
21:14 < Solarbaby> Hahahaha!
21:14 < Dougy> troy-: and we talk on the phone too
21:14 < Dougy> about an hour a day maybe 2
21:14 < Dougy> plus aim
21:15 < troy-> have you actually met her?
21:15 < Dougy> yes you douche bag
21:16 < troy-> so she isnt really a 43 year old man?
21:16 < Dougy> yes
21:17 < Dougy> troy-: http://www.upload3r.com/serve/011208/1228176768.jpg
21:23 < dvl> I've got Net!
21:23 < dvl> woooo!
21:25 < dvl> And, what's better, passphrase. Yes, using tunnelblick.
21:25 < simplechat> dvl, ?
21:26 < dvl> simplechat: My certificate on my laptop is passphrased. Thus, if the laptop is stolen, the cert is useless without knowing the passphrase.
21:26 < dvl> "Something you have, something you know"
21:26 < simplechat> hmmm
21:27 < simplechat> whats the point? compared to just luksing the laptop
21:27 < simplechat> and being done with it
21:29 < troy-> Dougy, not bad
21:29 < Dougy> troy-: she's a big girl hah
21:30 < troy-> weights over 130?
21:30 < Dougy> she's 6'1
21:30 < Dougy> lol
21:30 < Dougy> so obviously yes
21:30 < Dougy> more like 160
21:30 < Dougy> probs
21:30 < troy-> crazy, doesnt look it
21:30 < Dougy> i know
21:30 < Dougy> lol
21:30 < Dougy> let me get a pic of her thats not so good from hallowen
21:31 < Dougy> http://photos-c.ak.fbcdn.net/photos-ak-snc1/v375/158/42/506597984/n506597984_1661146_2400.jpg
21:31 < Dougy> left
21:31 < Dougy> no she's not as fat as that makes her look
21:31 < Dougy> lol
21:31 < troy-> big..
21:31 < troy-> how old?
21:31 < Dougy> 16
21:32 < troy-> very big..
21:32 < Dougy> yeah
21:32 < Dougy> lol
21:32 < Dougy> not fat, just.. big
21:32 < troy-> big
21:32 < Dougy> yes
21:32 < Dougy> but not fat
21:32 < troy-> yes, big
21:32 < Dougy> lol
21:32 < Dougy> shes my heighty
21:32 < Dougy> height
21:32 < Dougy> but
21:33 < Dougy> troy-: http://photos-g.ak.fbcdn.net/photos-ak-sf2p/v361/158/42/506597984/n506597984_1510398_1283.jpg
21:33 < Dougy> notice the lack of me?
21:33 < Dougy> lo
21:33 < Dougy> l
21:34 < dvl> simplechat: luksing?
21:35 < dvl> simplechat: the point being, someone steals your laptop, powers it up, bang, into your VPN.
21:37 < simplechat> dvl, yeah, luks as in full hard disk encryption
21:37 < simplechat> its an option with all debian/ubuntu/fedora/etc. installs
21:37 < simplechat> just go "Encrypt hard drive", shove in your passphrase and your done
21:37 < simplechat> laptop won't boot past grub without the pswd
21:38 < PeterFA> I just implemented the weakest security ever. I made an authentication script that always returns 0
21:38 < PeterFA> It's shut down now, of course.
21:42 < dvl> simplechat: Sorry, I don't do Linux. ;)
21:44 < PeterFA> Is there a utility that authenticates a user/pass against a UNIX user/pass system?
21:46 < dvl> PeterFA: http://tinyurl.com/5pea5s
21:46 < vpnHelper> Title: Let me google that for you (at tinyurl.com)
21:47 < dvl> damn vpnHelper
21:47 < PeterFA> lol.
21:47 < dvl> Third hit looks promising
21:48 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["leaving"]
21:52 < PeterFA> Thanks.
22:11 < simplechat> dvl, ouch, why not?
22:55 < Solarbaby> this is a good channel
22:58 -!- jaek [n=jaek@c-71-198-7-158.hsd1.ca.comcast.net] has joined ##openvpn
22:59 < jaek> i'm running vpnc on my laptop and am wondering if it routes all traffic thru to the other end, or if it selectively only routes known internal traffic thru
23:09 < simplechat> route -n
23:09 < simplechat> jaek,
23:09 < simplechat> or traceroute
23:09 < jaek> ah indeed
23:09 < jaek> thanks
23:13 < simplechat> mtr is very good
23:16 < Solarbaby> when creating the server.key do I need to setup a challenge password?
23:18 < Solarbaby> dvl this is your time to shine
23:22 < Solarbaby> I was just wondering if the challenge password had to be a really complex password or not
23:24 < simplechat> Solarbaby, this is assuming someone takes over your server
23:24 < simplechat> to protect the key
23:24 < simplechat> just remember that on every startup you'll have to enter it
23:24 < Solarbaby> thats icky
23:25 < Solarbaby> so the best thing to do is to press . (enter) to abort that option?
23:26 < Solarbaby> im guessing yes
23:26 < Solarbaby> Thanks
23:31 < simplechat> yeah
--- Day changed Fri Dec 05 2008
00:10 < reiffert> moin
00:56 < reiffert> dvl: using tunnelblick?
00:57 < reiffert> dvl: then you might want to apply the 2nd patch from http://code.google.com/p/tunnelblick/issues/detail?id=8#c10
00:57 < vpnHelper> Title: Issue 8 - tunnelblick - Google Code (at code.google.com)
01:33 < Solarbaby> I guess when a howto seems too simple to be true it is :(
02:16 < ropetin> :D
02:47 < reiffert> referring to the openvpn howto?
03:04 -!- JuanDosSantos [n=chatzill@smail.realisator.ch] has joined ##openvpn
03:04 < JuanDosSantos> Hello
03:05 < JuanDosSantos> I was here yesterday
03:05 < JuanDosSantos> now my connection works
03:05 < JuanDosSantos> but a little question
03:05 < JuanDosSantos> how I can reserve ip address for a vpn client?
03:05 < JuanDosSantos> like mac address reserv in dhcp
03:06 < simplechat> theres a file on the server which stores a mapping of key name to ip address
03:06 < simplechat> just add a line there
03:07 < JuanDosSantos> Do You mean ipp.txt?
03:08 < JuanDosSantos> ifconfig-pool-persist /etc/openvpn/ipp.txt
03:09 < simplechat> yeah
03:09 < simplechat> thats it
03:10 < JuanDosSantos> but in that file I have: arosario.dyndns.org,10.0.0.4
03:10 < JuanDosSantos> but the ip address is 10.0.0.6
03:10 < JuanDosSantos> for arosario.dyndns.org
03:11 < JuanDosSantos> and not 10.0.0.4
03:11 < JuanDosSantos> the file is owned root:root
03:11 < JuanDosSantos> daemon is runing after the lunch as nobody
03:12 < simplechat> hmmm.
03:12 < JuanDosSantos> maybe i must chmod it o+w
03:12 < simplechat> try chmodding it?
03:12 < simplechat> i have the same issue, actually
03:12 < simplechat> with the ips mismatching
03:12 < JuanDosSantos> ok wait..
03:13 < JuanDosSantos> ok now it has actual ip..but I don't know if now is fixed
03:14 < JuanDosSantos> because..after that I can add hostname in hosts wirh the ip address
03:14 < simplechat> how did you do that?
03:15 < JuanDosSantos> I build a script that reads from ipp.txt, format it and put it in /etc/hosts
03:15 < JuanDosSantos> so I can work with hostname
03:16 < JuanDosSantos> else It will get external ip from hostname..not the vpn ip
03:16 < simplechat> yeah
03:16 < simplechat> but does your ipp.txt synch?
03:16 < simplechat> how did you get it to sync?
03:17 < JuanDosSantos> i dont know
03:17 < JuanDosSantos> maybe with cronjob
03:17 < JuanDosSantos> ore daemon
03:17 < JuanDosSantos> or
03:17 < simplechat> ??
03:17 < JuanDosSantos> while(1)
03:17 < simplechat> no, like how did you get ipp.txt to have the actual values of the ip
03:17 < JuanDosSantos> aha
03:17 < JuanDosSantos> you mean
03:18 < JuanDosSantos> if a vpn client connects, it doesnt write the ip address in ipp.txt??
03:18 < simplechat> like atm i have a whole bunch of hosts which have ips that arn't what they actually should be
03:18 < simplechat> or rather it gets the wrong ip
03:18 < JuanDosSantos> aha
03:18 < JuanDosSantos> thats not good
03:18 < JuanDosSantos> maybe
03:18 < simplechat> like say the ip address of my tun is .6 but whats in ipp.txt is .4
03:18 < JuanDosSantos> can I add fix ip adress in client.conf?
03:18 < simplechat> yeah, but whats the point?
03:19 < JuanDosSantos> ye same problem for me
03:19 < simplechat> you just fixed it
03:19 < JuanDosSantos> I don't fixed it
03:19 < JuanDosSantos> I don't know if it works
03:19 < JuanDosSantos> I have chmod o+w /etc/openvpn/ipp.txt
03:19 < JuanDosSantos> I must wait until client reconnects
03:19 < JuanDosSantos> to see if it works
03:20 < reiffert> it will work.
03:20 < simplechat> reiffert, so that will get everything to properly synch?
03:21 < simplechat> uh, i have init trying to stop openvpn, but its stuck and not really responding
03:21 < reiffert> Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations be-
03:21 < reiffert> tween a common name and IP address. They do not guarantee that the given common name will always receive the
03:21 < reiffert> given IP address. If you want guaranteed assignment, use --ifconfig-push
03:21 < simplechat> is it ok to just kill the ip?
03:21 < simplechat> *kill the process
03:21 < simplechat> reiffert, ?
03:21 < reiffert> it's dead jim.
03:21 < simplechat> suggestions only?
03:22 < simplechat> oh
03:22 < reiffert> simplechat: just quoting the manpage.
03:22 < simplechat> i'm an idiot
03:22 < simplechat> i'm a complete and utter idiot
03:22 < JuanDosSantos> so --ifconfig.push in client.conf? or what?
03:22 < simplechat> i'm connected via the vpn for ssh
03:22 < simplechat> so when i killed the vpn, ssh now no longer exists
03:22 < reiffert> JuanDosSantos: the client pulls, the server pushes.
03:22 < reiffert> simplechat: you're an idiot.
03:23 < simplechat> that i am
03:23 < reiffert> :)
03:23 < simplechat> i'm used to just doing nromal connection
03:23 < simplechat> (from outside the vpn)
03:23 < simplechat> forgot that i moved it inside
03:23 < reiffert> Well, start the vpn and your running ssh connection will survive.
03:23 < simplechat> yeah, just did
03:23 < simplechat> its all nice
03:23 < JuanDosSantos> reiffert: so an ip range?
03:23 < reiffert> JuanDosSantos: sorry?
03:23 < simplechat> now my issue is still that i'm being assigned 172.16.0.6 even though in ipp.txt i'm assigned 172.16.0.4
03:24 < JuanDosSantos> ifconfig-push 10.0.0.1 10.0.0.50
03:24 < JuanDosSantos> is that the allowed ip range for cleint?
03:24 < reiffert> JuanDosSantos: why not read it up in the manpage yourself, so you at least knwo what you are doing?
03:25 < reiffert> we could of course stay guessing and add have trys with random arguments.
03:25 < simplechat> lol
03:25 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn
03:25 < reiffert> !man
03:26 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:26 < reiffert> !betaman
03:26 < vpnHelper> reiffert: "betaman" is http://www.openvpn.net/man-beta.html
03:26 < reiffert> !howto
03:26 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:26 < simplechat> yeah, i'm reading through the man now
03:26 < simplechat> its just a couple of small wtf's to fix up
03:27 < JuanDosSantos> the problem is i don't know the parm..so I can't use man page
03:30 < JuanDosSantos> So You mean that I ned a option in client.conf to set ip address manualy?
03:30 < JuanDosSantos> I don't know the option for that
03:32 < JuanDosSantos> because
03:33 < JuanDosSantos> I read the sample client.conf
03:33 < JuanDosSantos> there is no comment about this
03:34 < JuanDosSantos> I find ifconfig_pool_local_ip
03:34 < JuanDosSantos> but is for server
03:35 < JuanDosSantos> Is it ifconfig 10.0.0.2 for client.conf?
03:37 < JuanDosSantos> Can nobody help me?
03:40 < JuanDosSantos> so is ifconfig-push Client-IP Server-IP ?? in client.conf
03:44 < et> i have the problem that i can connect over the vpn fine, but not use the vpn server as a NATing router to reach the net - connections seem to hang. http://pastie.org/331044 is the client routing table http://pastie.org/331037 is the server firewall settings and routing table
03:48 < simplechat> et, what is the server? linux/win?
03:49 < et> server is linux, client is mac os x
03:56 < simplechat> et, did you tell the server to foreward ipv4 packets?
03:56 < et> yes
03:56 < simplechat> also can you flush iptables and see if that works better?
03:56 < simplechat> (just to make sure its accepting everything thats coming through FOREWARD)
04:04 < et> well, if i flush it, it's not going to accept anything ;) but when i for example do iptables -I FORWARD -j ACCEPT (so it accepts everything) nothing changes
04:35 < ropetin> I know I'm late to teh party, but did you do the redirect-gateway thing in the server config?
04:36 < et> it's for the client config, no? (unless you generally want to push it) - and no, since i don't want to route all the traffic
04:36 -!- AukeF [n=auke@dhcp-121.wind.surfnet.nl] has quit [Read error: 110 (Connection timed out)]
04:37 < et> route 208.79.211.64 255.255.255.192 # this is in my client config for testing
04:37 < et> (whatsmyip.org ;))
04:38 < ropetin> Going by what simplechat asked you earlier you did the ip_forward thing, and the MASQUERADE thing in Iptables?
04:40 < simplechat> an odd question, what do i do when my ips in ipp.txt are different from the ips that i actually have
04:40 < et> yes
04:42 < ropetin> simplechat: I guess the question is, does it work as is?
04:43 < simplechat> ropetin, work, yes, but the ips are wrong
04:43 < simplechat> the vpn itself works fine, but the ips it gives me are wrong for every host
04:45 < ropetin> Hmmm, you may be on to something then
05:12 -!- mRCUTEO [n=info@124.13.180.217] has joined ##openvpn
05:18 < mRCUTEO> hi all
05:18 < mRCUTEO> evening
05:42 -!- mRCUTEO [n=info@124.13.180.217] has quit []
05:51 -!- jaek [n=jaek@c-71-198-7-158.hsd1.ca.comcast.net] has quit [Remote closed the connection]
06:41 < ecrist> morning, peeps
06:49 < ecrist> holy crap krzee - going to town with ssl-admin, aren't you.
07:08 -!- JuanDosSantos [n=chatzill@smail.realisator.ch] has quit ["ChatZilla 0.9.83 [Firefox 3.0.4/2008102920]"]
07:24 < Solarbaby> im starting to feel sorry for myself.. spent a whole day trying to get openvpn working.. with no sucess
07:25 < Solarbaby> stupid me
07:28 < tjz> hmm
07:28 < tjz> just like when i started
07:29 < tjz> what server r u using?
07:29 < Solarbaby> OpenWrt White Russian
07:30 < Solarbaby> figured I might as well put it on a router
07:45 < Solarbaby> tjz: too bad it's gotta be this way
07:56 < tjz> oh
07:56 < tjz> i never heard of that OS..
07:56 < Solarbaby> its just another linux deal.. I guess I'll just install it on my ubuntu laptop for the time being
07:56 < ecrist> Solarbaby: tolk to the OpenWRT folks. you'll have your best luck there.
07:57 < Solarbaby> my problem is I dunno how to configure my openvpn.conf
07:57 < Solarbaby> i know that has to be it
07:57 < ecrist> !howot
07:57 < vpnHelper> ecrist: Error: "howot" is not a valid command.
07:57 < ecrist> !howto
07:57 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:58 < Solarbaby> another howto makes me feel like I wanna vomit.. but thanks Im sure its got all the answers
08:01 < ecrist> you don't have to read the howto, but read some of the documentation.
08:30 -!- odiumx [n=odium@66.238.175.150.ptr.us.xo.net] has joined ##openvpn
08:32 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
08:34 -!- CrummyGummy [n=Dude@41.208.46.2] has quit ["leaving"]
09:30 < plaerzen> morning ovpn
09:46 < ecrist> how goes, plaerzen ?
09:47 < ecrist> my new truck got towed away this morning. :(
09:48 < reiffert> breakdown or no parking zone?
09:49 < ecrist> no, we don't have draconian parking laws here in Minnesota like folks do, elsewhere.
09:50 < ecrist> it had a problem with 4x4 system, I went to start it this AM, and it wouldn't. so, they towed it back to dealership to fix it.
09:55 < plaerzen> oh, it goes pretty well. I finished unpacking into my new apartment 2 blocks from work downtown last night
09:55 < plaerzen> what 4x4 do you have ecrist ?
09:56 < plaerzen> I will probably be looking to buy one in the coming year or so
10:05 < ecrist> http://www.friendlychev.com/VehicleDetails/1119655554
10:05 < vpnHelper> Title: 2004 Chevrolet Silverado 1500 LS PKG Summit White Pickup Truck. A Chevrolet Silverado 1500 at Friendly Chevrolet Fridley MN (at www.friendlychev.com)
10:08 -!- tjz [n=tjz@bb116-15-60-168.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
10:09 < ecrist> I hate moving. Hopefully yours went smoothly
10:11 < plaerzen> yeah, for the most part
10:11 < plaerzen> I also hate moving. But eh, I like my new location
10:12 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)]
10:12 < ecrist> I wanted to move closer to work, but then I engineered the office so we can all work from home. That's what I do now.
10:12 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
10:12 < plaerzen> that would be nice.
10:14 < plaerzen> I have to do things like office moves, workstation imaging, deskside support, etc
10:14 < ecrist> I go in to the office twice a week to do 'hands-on' admin work, but I'm home Wed through Fri
10:14 < ecrist> we're a small office, only 11 people, including contractors.
10:15 < plaerzen> ah, yeah. That would be nice. 110 people here.
10:15 < ecrist> ick
10:16 < ecrist> sometimes I wish I had a larger user-base, then I punch myself and realize I've got it good. Users suck.
10:16 < plaerzen> Mine aren't so bad - we're an engineering firm so most of them are at least intelligent.
10:16 < ecrist> windows shop?
10:18 < plaerzen> depends how you define "shop". All our workstations are of course windows xp/vista. All our servers are RHEL / FC
10:21 < plaerzen> ugh, speaking of imaging. Got 5 new workstations in today.
11:15 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
11:16 < jeev> wow
11:16 < jeev> someone flooded the crap out of my asterisk server
11:16 < jeev> with registration attempts
11:18 < ecrist> I've decided the Japanese are fucking *weird*
11:18 < ecrist> http://root.servergirl.net/
11:18 < vpnHelper> Title: root.servergirl.net (at root.servergirl.net)
11:20 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
11:23 < jeev> lol
11:23 < jeev> is it safe
11:35 < ecrist> yeah,just weird
11:36 * ecrist marvels at the hotness of Kina Grannis (http://kinagrannis.com)
11:36 < vpnHelper> Title: kina grannis dot com (at kinagrannis.com)
12:03 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
12:55 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit ["asdf"]
13:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:36 < plaerzen> Ugh, not looking forward to the weekend.
13:37 < ecrist> sorry to hear that
13:38 < plaerzen> yeah. I'll live
14:38 < tessier_> plaerzen: Why not?
14:43 < plaerzen> Ah, I just moved. I spent like $2k on this move and I haven't gotten my damage deposit from my old place yet so I'm broke. If I had cash I'd totally go out to the rockies or something or spend time with friends. But I'm broke. So, going to probably just come into work and be emo.
14:46 < ecrist> holy hell: http://www.macenstein.com/images/2008/mg_2008/2008_05/mg_may_2008_02.jpg
14:52 < plaerzen> ecrist, doable.
15:35 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
15:36 < heirrook> I am seeking advice for my problem. I am trying to make it so I can only access my ssh when on my vpn. I can ping the machine fine, but when I modify hosts.allow to include only the tun adapter ip, it won't let me in.
15:37 < heirrook> I tried following the guide for accessing samba on the howto, as it seems similar in concepts, but I am still not having any luck.
15:41 < heirrook> Which by the way, I can access samba just fine, although it has no restrictions on ip access as of right now.
15:44 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has left ##openvpn ["Leaving"]
15:44 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
16:00 < ecrist> heirrook: duluth, MN eh?
16:00 < heirrook> yes
16:00 < ecrist> <- Minneapolis
16:00 < heirrook> I'll be in St. Paul withing the year
16:00 < heirrook> within
16:00 < ecrist> not a fan of the north shore?
16:01 < heirrook> I love Duluth, my girlfriend is going to grad school at St. Kates there. I am finishing my computer science degree at UMD and then joining her for her last year
16:01 < ecrist> heirrook: as far as your problem goes, your hosts.allow needs to include the entire VPN subnet, not just the local tun adapter
16:02 < heirrook> so if tun ip is 192.168.10.6 then I would do 192.168.10.0/24 ?
16:02 < ecrist> unless you're going to NAT to the tun adapter all traffic coming in from the VPN, which would be wonky anyway
16:02 < ecrist> yes
16:03 < heirrook> Perfect, I'll give that a shot
16:07 -!- odiumx [n=odium@66.238.175.150.ptr.us.xo.net] has quit ["Leaving"]
16:11 -!- bandini [n=bandini@host238-26-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
16:27 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has quit [Read error: 110 (Connection timed out)]
16:28 -!- lilalinux is now known as lila_keller
16:30 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
16:54 < heirrook> ecrist:I tried putting in my hosts.allow both 192.168.10. and also tried the 192.168.10.0/24, neither worked out
16:56 -!- bandini [n=bandini@host238-26-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
16:58 < heirrook> I don't know if this means anything but although I can ping other machines on my network fine from the computer connected to the vpn, I can't due the opposite, i.e. I can't ping my computer connected to vpn from the others on the local network
17:04 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
17:33 -!- lila_keller is now known as lilalinux
18:01 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
18:04 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:04 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:05 < Dougy> hey everyone
19:05 < Dougy> anyone here awake thats familiar with openvpn+bsd
19:05 < Dougy> ahha i got it
19:07 < Dougy> bbl
19:07 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit [Client Quit]
19:09 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:09 < Dougy> man
19:09 < Dougy> screen is epic
19:09 < Dougy> I have two computers viewing the same thing at once
19:10 < Dougy> Ok, question
19:10 < Dougy> If I want to add a second err.. second client to a vpn
19:10 < Dougy> do i need to rebuild all the client certs and the dh?
19:10 < Cyllene> Dougy: No.
19:10 < Dougy> what do i need to do/
19:11 < Cyllene> Is you use TLS, you need to generate a certificate from a certificate authority that you create.
19:11 < Cyllene> Basically, you need to have a common CA for all clients and servers.
19:11 < Cyllene> The certs will be generated from the CA, which is how the server will authenticate you.
19:11 < Dougy> right
19:12 < Dougy> but to add in client2 what do i need to rebuild, i know just making new certs wont fix it
19:12 < Cyllene> Check in /usr/local/share/doc/openvpn/easy-rsa/2.0 (don't quote me on that) and there will be a bunch of scripts in there to help you out.
19:12 -!- mRCUTEO [n=info@118.100.169.151] has joined ##openvpn
19:13 < Dougy> i know where they are
19:13 < Dougy> i guess you're not understandign what i'm asking
19:14 < Cyllene> You just generate a new cert from the CA.
19:14 < Cyllene> Adding new clients should not affect existing clients.
19:14 < Cyllene> No need to regenerate anything.
19:27 -!- mRCUTEO [n=info@118.100.169.151] has quit []
19:33 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
19:35 < Dougy> bb.l
19:35 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has left ##openvpn []
19:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
19:45 < krzee> heirrook,
19:45 < krzee> !route
19:45 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
19:45 < reiffert> moin!
19:45 < krzee> moin!
19:45 < reiffert> I was about to teach vpnHelper something, but I've allready forgotten about it ... did you catch it in the logs?
19:45 < krzee> hehe im gunna say that to my german neighbor next time i see him
19:46 < krzee> was it the addition to !configs ?
19:46 < reiffert> I guess it was something about where to put all the paste stuff ... yeah, !configs sounds like it
19:47 < krzee> ya
19:47 < krzee> it said please pastebin them already
19:47 < krzee> and theres also !pastebin
19:47 < reiffert> ah well it could help people to have sex and show an URL or two.
19:47 < krzee> !pastebin
19:47 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
19:48 < reiffert> !configs
19:48 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:48 < reiffert> just put pastebin.com and .ca there.
19:48 < reiffert> or something wher you can upload files.
19:49 < krzee> if someone doesnt understand what "please pastebin them" means, just type !pastebin
19:49 < reiffert> so what about your german neighbout, does she look good?
19:49 < krzee> hahah nah hes pretty big
19:49 < krzee> (he)
19:49 < krzee> but most german girls ive seen do
19:51 < reiffert> btw .. there was a guy who was using tun... he liked to constrain the ip range of the clients... how to do that?
19:51 < krzee> constrain?
19:51 < krzee> like set a static for a client?
19:51 < reiffert> s,constrain,limit,
19:51 < krzee> thats the server statement
19:52 < krzee> when you give the server statement, you must give it an ip range to use for clients
19:52 < krzee> and server takes first ip in the range
19:52 < reiffert> well .. how about: --server netip netmask and then have clients from the ip range 10 .. 20?
19:52 < krzee> in fact thats all the server statement even is
19:52 < krzee> the range needs to be a subnet
19:53 < krzee> 10-20 doesnt fall into a subnet
19:53 < reiffert> ah well ...
19:53 < krzee> BUT
19:53 < krzee> he COULD do this:
19:53 < reiffert> server still expands to ifconfig-pool 10.8.0.4 10.8.0.251
19:53 < krzee> use 2.1 with topology subnet, and use statics
19:53 < krzee> so like:
19:53 < krzee> !topology
19:53 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
19:53 < krzee> !static
19:53 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
19:53 < reiffert> what I mean is:
19:54 < reiffert> Is there really *any* advantage when specifying --server netip mask and having a different ifconfig-pool range?
19:54 < krzee> server implis its own ifconfig-pool iirc
19:55 < krzee> implies
19:55 < krzee> lets check tho
19:55 < krzee> !man
19:55 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:55 < reiffert> lets paste.
19:55 < krzee> (thats how i find the manual every time)
19:55 < reiffert> For example, --server 10.8.0.0 255.255.255.0 expands as follows:
19:55 < reiffert> mode server
19:55 < reiffert> tls-server
19:55 < reiffert> push "topology [topology]"
19:55 < reiffert> if dev tun AND (topology == net30 OR topology == p2p):
19:55 < reiffert> ifconfig 10.8.0.1 10.8.0.2
19:55 < reiffert> ifconfig-pool 10.8.0.4 10.8.0.251
19:55 < krzee> ahh your inet is faster
19:55 < reiffert> route 10.8.0.0 255.255.255.0
19:55 < reiffert> if client-to-client:
19:56 < reiffert> push "route 10.8.0.0 255.255.255.0"
19:56 < krzee> ya exactly what i thought
19:56 < reiffert> else if topology == net30:
19:56 < reiffert> push "route 10.8.0.1"
19:56 < reiffert> if dev tap OR (dev tun AND topology == subnet):
19:56 < reiffert> ifconfig 10.8.0.1 255.255.255.0
19:56 < reiffert> ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
19:56 < reiffert> push "route-gateway 10.8.0.1"
19:56 < reiffert> I enter: man openvpn
19:56 < krzee> so giving a ifconfig-pool with a --server is retarded i believe
19:56 < krzee> that works too, but i run 2.1 and usually use 2.0 manual for helping
19:56 < krzee> cause more use 2.0 than 2.1
19:57 < reiffert> nah, I was running 2.1 with 2.0 manpage and that sucked sooo much, that I was updating the manpage recently :)
19:57 < reiffert> Allright, when I look upon the example I get the idea that limiting the ip range doesnt make any sense at all.
19:58 < krzee> right
19:58 < krzee> the ip range is limited by server statement
19:58 < reiffert> yep.
19:58 < krzee> doesnt HAVE to be 255.255.255.0
19:58 < reiffert> sure.
19:58 < reiffert> I got it
19:58 < krzee> could be 10.8.0.128 255.255.255.128
19:58 < krzee> or whatev
19:58 < krzee> werd
19:58 < krzee> im gunna head out
19:58 < krzee> got a friend from usa visiting
19:58 < krzee> and 2 girls waiting =]
19:59 < reiffert> have fun!
19:59 < krzee> thx =] 19:59 < reiffert> and take some pics for me 19:59 < heirrook> krzee: thank you for the link 20:01 < heirrook> krzee: I see that you just left here but I will just say in case anyone else saw my problem, I believe I have done routing correctly, my config is here http://pastebin.com/d6c898604 20:02 < heirrook> maybe it is wrong though............. 20:03 < reiffert> the push route 192.168.10.0 is too much and should work by the server line. 20:04 < heirrook> rieffert: i'll take that out thanks 20:05 < reiffert> the route 192.168.22.0/24 should be too much as well, as the server has a local ip from the net as well. 20:06 < heirrook> rieffert: so it must have been the client-to-client line that I added that allowed me to see the other computers from the one that was connected from a remote location to the vpn 20:07 < reiffert> hierrook: sounds like it. 20:07 < heirrook> I added the push route stuff at the same time as the client-to-client. before that I was unable to ping any of the computers on my home network when connected through vpn 20:08 < jeev> anyone use fail2ban ? 20:08 < reiffert> adding more than one thing at a time sounds so ok when you allready know about whats going on. 20:08 < heirrook> maybe i'll have to read that routing article several more times, i obviously must not get the idea of it if I am just adding redundant configs 20:08 < reiffert> jeev: no, I was changing the port. 20:08 -!- dcolish_ [n=dcolish@pdpc/supporter/sustaining/dcolish] has joined ##openvpn 20:09 < jeev> huh 20:09 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"] 20:09 < jeev> ? 20:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection] 20:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 20:09 < reiffert> jeev: fail2ban is ssh I ban you for too many login attempts? 20:10 < dcolish_> i'm setting up an openbsd fw that is also my openvpn server. 
i want to support failover between the two. am i better off load balancing the vpn servers on the client or can i just use the carp interface as the vpn listen address? 20:11 < jeev> or other things 20:11 < jeev> i set up asterisk ones on it 20:12 < jeev> anyway 20:12 < jeev> my asterisk got flooded for 3 minutes in the morning 20:12 < jeev> registration attempts and shit, enough to disrupt communication with the other internal asterisk 20:12 < jeev> but fail2ban should help nw 20:12 < jeev> now 20:13 < reiffert> dcolish_: the latter sounds like it. 20:13 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has quit ["Leaving"] 20:16 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn 20:30 -!- dcolish_ [n=dcolish@pdpc/supporter/sustaining/dcolish] has quit ["outta here"] 20:42 -!- dcolish [n=dc0lish@pdpc/supporter/sustaining/dcolish] has joined ##openvpn 20:43 < dcolish> If I am going to use client server load balancing, does each server need its own network? 20:43 < dcolish> ie: server 1 10.8.0.0, server 2 10.8.0.1, both push the same routes? 21:46 < simplechat> uh, you really don't want to do that 21:46 < simplechat> either split the address space 21:46 < simplechat> so one gets 10.8.0.1 ->10.8.0.127 and the other one gets the rest 21:46 < simplechat> or split it into subnets 21:46 < simplechat> subnets are the best 21:57 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 21:59 < dcolish> simplechat: i was wondering if ifconfig-pool is similar but it doesnt look like it 22:26 -!- heirrook [n=heirrook@24-158-23-135.static.dlth.mn.charter.com] has quit [Read error: 110 (Connection timed out)] 22:30 -!- dcolish [n=dc0lish@pdpc/supporter/sustaining/dcolish] has quit ["Outta Here"] 22:35 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has joined ##openvpn 22:35 * tjz step in.. 22:36 < simplechat> yo? 
22:36 < tjz> ^_^ 22:37 < ecrist> oy 22:38 < tjz> ooooy 22:38 < ecrist> oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooyyyyyyyyyyyyyyyyyyyyyyyyyy!1 22:40 < simplechat> oi vey! 22:53 < ecrist> bitch 22:53 < ecrist> :) 22:57 < tjz> lozl 22:57 < ropetin> ? 22:57 < ropetin> :D 23:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] --- Day changed Sat Dec 06 2008 01:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:57 < Solarbaby> Im starting to believe that someone like me getting OpenVPN working is just a fading dream 01:59 < Solarbaby> if anyone can make sense of this lemme know http://pastebin.com/m61812746 02:03 < tjz> look like a stranger to me.. 02:03 < tjz> is wrt a linux OS? 02:03 < Solarbaby> yeah sorta 02:04 < Solarbaby> not a very complete one because its built very tiny 02:05 < Solarbaby> I'd hate to give up making this work from my router.. but im getting there 02:06 < ropetin> Solarbaby: I know people have had luck with Openvpn on their routers in the past. Lemme take a look... 02:06 < Solarbaby> Thanks!! 02:08 < ropetin> Dumb question, but what are we trying to use openssl for? 02:08 < Solarbaby> openssl is being used to create my certs 02:09 < ropetin> Excellent answer! 02:09 < Solarbaby> ;) 02:09 < ropetin> I'm thinking something is wrong with the command, rather than any major issue, but I don't have much experience with it 02:09 < ropetin> Where did you get the example from? 02:10 < Solarbaby> http://www.hendlsofen.de/WRT54GL/eng/WRT54GL_OpenVpn.html 02:10 < vpnHelper> Title: installation and configuration of OpenVPN Server with OpenWRT White Russian (at www.hendlsofen.de) 02:11 < Solarbaby> btw even if you can't help me, thanks for trying.. 02:12 < ropetin> Does the server.csr file exist? 
02:12 < Solarbaby> ca.crt ca.key demoCA dh.pem server.csr server.key 02:12 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn 02:13 < Mahmoud> any one here creating and signing certificates manually without using eazyrsa bash script? 02:14 < ropetin> Solarbaby: how did that 'echo "01"...' command work out for you? 02:15 < Solarbaby> it didn't give me any errors 02:15 < Solarbaby> i mean.. i typed it it went fine 02:15 < ropetin> Does that serial file exist? 02:15 < Solarbaby> I haven't checked 02:15 < ropetin> Lemme know! 02:16 < Solarbaby> in the file serial it just sez 01 02:16 < ropetin> Perfect, OK... 02:17 < ropetin> When you created all the certs, did you fill out all the required info? 02:17 < Solarbaby> Yes 02:17 < ropetin> I've had problems in the past if I don't fill out a section (dept lets say) the cert is messed up 02:17 < Solarbaby> I gave a bogus email address.. but it wouldn't know that I'd hope 02:17 < ropetin> K 02:17 < ropetin> Nope, it wouldn't 02:18 < simplechat> Solarbaby, it just fills it out in the certificate 02:18 < simplechat> Mahmoud, i just use the easyrsa scripts 02:20 < Solarbaby> maybe my /etc/ssl/openssl.cnf file has something it doesn't like? 02:20 < ropetin> As long as the data matches 02:21 < Solarbaby> I dont know if the data matches or not.. I haven't changed that file 02:21 < ropetin> I just read something that suggests the config file doesn't have the appropriate entries for the ca file creation 02:21 < ropetin> What you would need in there though escapes me 02:22 < Solarbaby> should I create the certs on another computer? 02:22 < Mahmoud> simplechat, i'd like to create my own CA without playing with easywhatever. understanding single standard tool better than memorizing multiples.. trying to learn it now, and want to know if any one here is doing same as I plan or not 02:22 < ropetin> Mahmoud: Solarbaby is, but we're having issues :) 02:22 < simplechat> Mahmoud, is there any point? 
02:23 < ropetin> You could do Solarbaby, that might be an option, then copy them across 02:23 < Solarbaby> ropetin: if i go that route.. do you have any simple to read failsafe howto to create the certs? 02:24 < Solarbaby> i have windows and ubuntu at my disposal 02:24 < ropetin> !certs 02:24 < vpnHelper> ropetin: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs 02:24 < ropetin> That might help 02:24 < Solarbaby> heh.. which one? 02:25 < ropetin> !ssl-admin | Solarbaby 02:25 < vpnHelper> ropetin: Error: "ssl-admin" is not a valid command. 02:25 < ropetin> !ssl-admin 02:25 < vpnHelper> ropetin: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 02:25 < ropetin> Why can't we pipe output?! No fair! 02:25 < ropetin> krzie: wanna add piping? :D 02:26 < Solarbaby> Thanks ropetin 02:28 < ropetin> NP, lemme know if it works. I try my best to help out in here, but really I know less than most people asking questions! 02:28 < ropetin> I'll give you my stock answer, "Change to UDP, and if that doesn't work, it'll be your routes" 02:29 < simplechat> ropetin, what is it about udp thats so nice? 02:29 < simplechat> also what udp ports are there that are needed? 02:30 < Solarbaby> udp is flexible 02:30 < stephenh> http://sites.inka.de/~bigred/devel/tcp-tcp.html 02:30 < vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de) 02:30 < Solarbaby> tcp is not 02:30 < ropetin> The link stephenh sent is the important one 02:30 < ropetin> Makes a lot of sense, if you think about it 02:31 < simplechat> yeah 02:32 < simplechat> i've read that link before 02:32 < simplechat> and i'm on udp now, and liking it 02:32 < simplechat> my only issue was with the ports having issues 02:32 < stephenh> issues? 02:32 < simplechat> yeah 02:32 < simplechat> both sides only need port 1194 02:32 < simplechat> all good, yeah? 
on udp 02:32 < simplechat> i make a rule to allow all udp port 1194 to flow 02:33 < simplechat> then i start it up, and the network fails 02:33 < simplechat> flush the rule and its all good 02:33 < stephenh> never seen that one before 02:34 < simplechat> hmmm. 02:34 < simplechat> so you're sure it doesn't use any extra ports? 02:34 < stephenh> nope. 02:34 < stephenh> well, yes i'm sure that no it doesn't 02:34 < simplechat> lol 02:34 < simplechat> ok then 02:34 < simplechat> i'll keep trying 02:38 < simplechat> gah 02:38 < simplechat> just updated my fw conf and killed the vpn again 02:38 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 02:41 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 02:43 < ropetin> Nice simplechat :) 02:43 < simplechat> that wasn't nice 02:43 < simplechat> but yeah 02:43 < simplechat> thats my issue 02:43 < simplechat> it seems to need a port other than 1194 02:45 < ropetin> Nope, definitely not. Although could you maybe use TCPDump or something similar to sniff the traffic and see what's going where? 02:48 < simplechat> its a secced server, so i can't tcpdump without doing quite a bit of foobaring around 02:49 < simplechat> (don't have netraw caps, so i need to restart it and stop it before it locks itself down, let myself have the caps, then tcpdump then drop it again) 02:49 < simplechat> so that part sucks 02:49 < simplechat> atm i don't have any outgoing traffic in port 1194 udp 02:50 < ropetin> Your VPN is up? 02:50 < simplechat> and i am getting traffic with dport 1194 udp, but not much 02:50 < simplechat> not really 02:50 < ropetin> :) 02:50 < simplechat> i have an ip address but all traffic is dropped 02:51 < simplechat> and the dropped counter is steadily increasing 02:51 < simplechat> (i'm pinging the server) 02:51 < Solarbaby> ecrist: i can't download your script 02:51 < simplechat> ropetin, so any ideas? 
02:54 < simplechat> cause on the list of things that sucks, this does 02:57 < ropetin> Well I don't have any ideas other than the sniff thing I mentioned, try a different port maybe? 02:57 < simplechat> hmmm. 02:57 < simplechat> k 02:58 < simplechat> yeah 02:59 < simplechat> i'm back to just accepting all udp traffic 02:59 < simplechat> sucks but not that badly 02:59 < ropetin> So if you move to, lets say, udp port 1234, it does the same thing? 03:05 < simplechat> yeah 03:06 < simplechat> i think its something about the specifics of the packets that are sent 03:08 -!- paruchuri [n=qvantel@61.16.248.247] has quit ["Ex-Chat"] 03:09 < ropetin> In which case you're on your own :) 03:11 < simplechat> lol 03:11 < simplechat> thanks 03:13 < ropetin> :P 03:20 -!- edoceo [n=edoceo@98.247.254.241] has quit [Remote closed the connection] 03:20 -!- edoceo [n=edoceo@98.247.254.241] has joined ##openvpn 03:37 -!- vramesh [n=vramesh@c-98-212-205-165.hsd1.il.comcast.net] has joined ##openvpn 03:38 < vramesh> hi, I'm trying to set up an openvpn server 03:38 < vramesh> and having trouble sourcing the vars file 03:39 < ropetin> vramesh: what's the actual error/problem you're having? 03:39 < Solarbaby> ropetin: i re-wrote the ssl.cnf and got the certs to sign 03:40 < Solarbaby> ropetin: taking a breather ;) 03:40 < ropetin> Wooohoo you go Solarbaby! 03:40 < Solarbaby> ropetin: i also documented it 03:40 < ropetin> You should note down what you had to do, and add it to the Wiki, so other people can avoid the same pitfalls 03:40 < ropetin> Great minds think alike! 03:41 < Solarbaby> absolutely.. I love searching the google for "name your forum & solarbaby" 03:41 < vramesh> ropetin: http://pastebin.com/f799e339 03:41 < vramesh> thats what i get when i source vars 03:42 < ropetin> vramesh: I'm afraid I'm going to be no help on that :( Never used easy-rsa 03:42 < ropetin> Hehhe, if I search for my name it's mostly 'I'm having dumb problem XXXX, how can I fix it?' 
03:42 < ropetin> :D 03:43 < Solarbaby> I did some stuff on mythtv 03:43 < Solarbaby> and some xbox media center stuff too 03:43 < vramesh> well, i'm not attached to easyrsa 03:43 < vramesh> i have openssl installed, i can create the certs manually, i just need to know what to do 03:46 < ropetin> vramesh: in which case Solarbaby is your (wo)man, (s)he just went through that exact issue :) 03:46 < vramesh> :) 03:51 < Solarbaby> ropetin: im not so sure about this next step.. not sure what they mean by NameOfTheClient 03:51 < Solarbaby> The next 2 commands have to be used for each client: openssl req -nodes -new -keyout NameOfTheClient.key -out NameOfTheClient.csr; 03:51 < Solarbaby> openssl ca -cert ca.crt -keyfile ca.key -out NameOfTheClient.crt -in NameOfTheClient.csr; 03:52 < Solarbaby> so I typed in solar1 thinking I was making a key that I would put on my laptop.. and I get this error 03:52 < Solarbaby> writing new private key to 'solar1.key' 03:52 < Solarbaby> ----- 03:52 < Solarbaby> unable to find 'distinguished_name' in config 03:52 < Solarbaby> problems making Certificate Request 03:52 < Solarbaby> 1551:error:0E06D06C:lib(14):func(109):reason(108):NA:0:group=req name=distinguished_name 03:57 < ropetin> Hmmm, that's what I would have done as well 03:57 < ropetin> Maybe it needs a fully qualified domain name?! 03:57 < ropetin> Or it could be another issue with that config file :) 03:57 < Solarbaby> as the name of the cert? 03:58 < Solarbaby> can I bypass this whole stage? 03:58 < Solarbaby> just use the certs its already made? 
03:59 < Solarbaby> I already have server.key 04:01 < Solarbaby> well Im sure the answer is no 04:02 < ropetin> No, because the client needs one as wel 04:02 < ropetin> l 04:12 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn 04:19 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:21 < Solarbaby> this is not a fun puzzle 04:22 < Solarbaby> think I got it 04:23 < Solarbaby> had to add [Solar] to the ssl.cnf file 04:31 < Solarbaby> I'm probably going to have to do this whole thing over again to add passwords to my keys.. who thinks thats necessary? 04:35 -!- J-23 [n=zelazko@unix.net.pl] has joined ##openvpn 04:35 < J-23> Hi! 04:35 < J-23> Is it possible to setup OpenVPN without creating TAP interface? (no root access) 04:51 < ropetin> J-23: I'm pretty sure the short answer is no 04:51 < J-23> thanks. 04:51 < ropetin> There may be a longer answer, but I'd stick with no 04:51 < ropetin> :D 04:58 < Solarbaby> wow I think it works 04:59 < Solarbaby> thats just amazing.. Ok.. so back to the older question which may make me redo the certs.. which is ok if its necessary.. should I create a password for the key or not? I skipped it before because I figured for testing in any case it shouldn't be password protected.. but for the long run I dunno 05:18 < Solarbaby> I think the password deal is going to be a big bother 05:19 < Solarbaby> ropetin: im so excited it seems to work! I'll need to test it tomorrow using a foreign network 05:20 < Solarbaby> Thanks to everyone who gave me some help.. I do feel better now 05:21 -!- vramesh [n=vramesh@c-98-212-205-165.hsd1.il.comcast.net] has left ##openvpn [] 06:10 < ropetin> :D 06:10 < ropetin> NP! 06:16 < Solarbaby> it's weird I had it working before the reboot .. Scratching Head 06:16 < Solarbaby> I actually did the reboot to make sure everything was good to go 06:16 < Solarbaby> glad I did 06:19 < Solarbaby> it needs all kinds of configuring.. there are errors.. 
but it connects so thats good 06:27 < Solarbaby> I never realised this would become a long term project.. hehe 06:54 -!- TheMahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn 06:59 -!- TheMahmoud [n=foo@unaffiliated/mahmoud] has quit [Read error: 60 (Operation timed out)] 07:08 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Read error: 110 (Connection timed out)] 07:10 -!- lilalinux is now known as lila_einkaufen 07:15 -!- ikevin [n=kevin@ANancy-256-1-118-159.w90-33.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)] 07:26 -!- lila_einkaufen is now known as lilalinux 07:29 -!- ikevin [n=kevin@ANancy-256-1-118-159.w90-33.abo.wanadoo.fr] has joined ##openvpn 07:57 < AwayML> has anyone managed to get the tab/br interfaces to work correctly on a mac? (as the server, obviously...) 08:19 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 08:23 -!- dougbrowne [n=Nappz@pool-98-113-137-227.nycmny.fios.verizon.net] has quit ["Leaving"] 08:26 -!- lilalinux is now known as lila_einkaufen 08:27 -!- lila_einkaufen is now known as lilalinux 08:37 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: justdave, krzie, tessier_, disco-, zigovr3, lilalinux, masrawy, pa, paruchuri, tarbo, (+25 more, use /NETSPLIT to show all of them) 08:39 -!- Netsplit over, joins: ikevin, J-23, paruchuri, edoceo, tjz, kexman, ropetin, Pagautas, justdave, et 08:39 -!- masrawy [i=admin@freebsd-help.org] has joined ##openvpn 08:39 -!- Netsplit over, joins: PeterFA, Cyllene, reiffert 08:39 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 08:39 -!- Netsplit over, joins: Solarbaby, imbezol, no_maam, AwayML, tessier_, lilalinux, dvl, zigovr3, tompaw, _trine (+3 more) 08:39 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 08:39 -!- Netsplit over, joins: disco-, Rienzilla, noriX, troy-, brutopia, pa 08:46 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: justdave, krzie, tessier_, disco-, zigovr3, lilalinux, 
masrawy, pa, paruchuri, tarbo, (+25 more, use /NETSPLIT to show all of them) 08:48 -!- Netsplit over, joins: ikevin, J-23, paruchuri, edoceo, tjz, kexman, ropetin, Pagautas, justdave, et 08:48 -!- masrawy [i=admin@freebsd-help.org] has joined ##openvpn 08:48 -!- Netsplit over, joins: PeterFA, Cyllene, reiffert 08:48 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn 08:48 -!- Netsplit over, joins: Solarbaby, imbezol, no_maam, AwayML, tessier_, lilalinux, dvl, zigovr3, tompaw, _trine (+3 more) 08:48 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 08:48 -!- Netsplit over, joins: disco-, Rienzilla, noriX, troy-, brutopia, pa 09:42 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has left ##openvpn [] 11:10 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has quit [] 13:56 -!- bandini [n=bandini@host238-26-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 13:59 -!- ikevin_ [n=kevin@ANancy-256-1-88-32.w90-26.abo.wanadoo.fr] has joined ##openvpn 14:05 -!- ikevin [n=kevin@ANancy-256-1-118-159.w90-33.abo.wanadoo.fr] has quit [Read error: 145 (Connection timed out)] 15:04 -!- bandini [n=bandini@host238-26-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 15:18 < ecrist> krzie: ssl-admin has been updated in ports tree 15:49 < krzie> sweet 15:50 < krzie> i didnt think bout the configure script, thats ok in ports tree? 15:50 < krzie> make in ports runs that or he modded it to work? 16:46 -!- dotCOMmie [i=tox@glitchinthe.net] has joined ##openvpn 16:48 < reiffert> moin 16:49 < krzie> moin 16:51 < reiffert> How are you? 
16:58 < krzie> im doin really good 16:58 < krzie> had a CRAZY weekend 16:59 < krzie> well i guess its still the weekend, but it feels like it should be over 16:59 < krzie> lol 17:03 -!- mRCUTEO [n=info@124.82.97.71] has joined ##openvpn 17:03 -!- edoceo [n=edoceo@98.247.254.241] has quit [Read error: 104 (Connection reset by peer)] 17:22 -!- mRCUTEO [n=info@124.82.97.71] has left ##openvpn [] 17:22 -!- mRCUTEO [n=info@124.82.97.71] has joined ##openvpn 17:22 < mRCUTEO> morning all 17:27 < krzie> mornin 17:39 < dotCOMmie> Hello, I'm trying to setup a bridging vpn and I'm a bit confused on how things are supposed to look on the client side. Should have an extra route entry and an active tap device on the client? 17:40 < dotCOMmie> (I'm following this howto: http://wiki.openwrt.org/OpenVPNHowTo ) 17:40 < vpnHelper> Title: OpenVPNHowTo - OpenWrt (at wiki.openwrt.org) 17:41 < krzie> first things first 17:41 < krzie> why do you want bridging? 17:41 < krzie> with bridging you shouldnt need a route entry because you put your client on the same subnet as the server 17:42 < krzie> but 90% of bridging questions come from people who should be using routed setup 17:42 < krzie> so please explain your goal 17:43 < dotCOMmie> Ok, I want to be able to route my traffic through my home connection when I'm traveling 17:43 < krzie> any reason you need protocols that use MAC address as opposed to IP address? 17:43 < dotCOMmie> Both access machines on internal network and use the inet connection from home so that my traffic can't be sniffed on unsecure networks 17:44 < dotCOMmie> not really. it'd mostly be ip stuff http, imap, ssh.. 
17:44 < krzie> ok, you was a routed tun setup 17:44 < krzie> this will get you started: 17:44 < krzie> !sample 17:44 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 17:44 < krzie> if you want to share LAN machines: 17:44 < krzie> !routed 17:44 < vpnHelper> krzie: Error: "routed" is not a valid command. 17:44 < krzie> !route\ 17:44 < vpnHelper> krzie: Error: "route\" is not a valid command. 17:44 < krzie> grrr cant spell 17:44 < krzie> !route 17:44 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 17:44 < krzie> and for the default route: 17:45 < krzie> !def1 17:45 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:45 < krzie> and to understand all that stuff, 17:45 < krzie> !man 17:45 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 17:45 < krzie> that is everything you need to know =] 17:48 < dotCOMmie> I'll give that a shot, thanks 17:48 -!- mRCUTEO [n=info@124.82.97.71] has quit [Nick collision from services.] 
17:48 -!- mRCUTEO [n=info@64.235.47.77] has joined ##openvpn 17:54 < krzie> np 17:54 < krzie> with a bridging setup youd be tunneling ethernet frames over ip 17:55 < krzie> this way you just tunnel IP over IP 17:55 < krzie> less overhead for each packet 17:55 < dotCOMmie> gotcha 17:57 * mRCUTEO never successfully do bridging tunnelling :-( 17:57 < mRCUTEO> :D 17:57 < krzie> ive done it, but it was awhile back 17:58 < krzie> the openvpn side is easy, most people run into problems with the OS side of it 17:58 < mRCUTEO> yes you're absolutely right kreg 17:58 < krzie> (well, i mean most people who run into problems, thats where they run into the problems) 17:58 < mRCUTEO> *krzie 17:59 < mRCUTEO> i have no problem using ubuntu OS but YES YES YES problem using redhat/centos/fedora and all looklike redhat OS :) 17:59 < krzie> i did it in freebsd and windows a few yrs ago 17:59 < krzie> before i fully understood ovpn 18:00 < mRCUTEO> i have successfully bridge the and client can connect to it, but i can't make internet access to work in the client.. 18:00 < krzie> now i know theres rarely a time where bridging is > routed 18:06 < krzie> you've tried changing default route to the server's router? 18:06 < krzie> it should be on the same lan, and should NAT just like its on the lan (assuming the servers lan is behind a NAT) 18:06 < krzie> is my assumption correct? 18:09 < mRCUTEO> :) 18:09 < krzie> (assuming the servers lan is behind a NAT) 18:09 < krzie> is the server on a LAN which is behind a NAT? 18:09 < mRCUTEO> ic 18:09 < krzie> or not... 18:10 < mRCUTEO> yerp its on LAN 18:10 < krzie> ok cool 18:10 < mRCUTEO> behind nat 18:10 < krzie> then that should work 18:10 < krzie> cause client is on same subnet 18:10 < mRCUTEO> what if the client outside the LAN? 
18:10 < krzie> so if it has same default route as other machines on the LAN it should work fine 18:10 < krzie> the client is inside the lan after bridging 18:11 < krzie> thats what bridging does 18:11 < mRCUTEO> ic 18:11 < krzie> and it should only be used when you need a protocol that uses MAC addresses to communicate 18:11 < krzie> to me SMB sharing isnt a good enough reason cause you should just run a WINS server instead 18:11 < mRCUTEO> :) 18:12 < mRCUTEO> krzie: is there a way to make my client IP as public ip instead of 10.8.0.0 local shows in the client ifconfig? 18:13 < mRCUTEO> i configured port forwarding to 10.8.0.0 and ifconfig-push IP but still it shows local 10.8.0.0 :) 18:18 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: imbezol 18:19 -!- Netsplit over, joins: imbezol 18:20 < krzie> dude 18:20 < krzie> your bridge setup, right? 18:21 < krzie> or are you doing routed now? 18:22 < krzie> mRCUTEO...? 18:37 < mRCUTEO> sorry i got dc 18:37 < mRCUTEO> yerp routed 18:37 < mRCUTEO> yes bridge is setup 18:37 < mRCUTEO> i created br0 18:37 < mRCUTEO> and attach tap0 to it 18:37 < mRCUTEO> and set the IP range 18:38 < mRCUTEO> but it didnt work 18:38 < mRCUTEO> so i go using routed now 18:38 < krzie> <mRCUTEO> yerp routed 18:38 < krzie> <mRCUTEO> yes bridge is setup 18:38 < krzie> oh ok 18:38 < krzie> so now its routed 18:38 < mRCUTEO> yes 18:38 < mRCUTEO> and if i change the pool ip to my /24 public ip it didnt work 18:39 < mRCUTEO> i have to use 10.8.0.0 instead and setup iptables for forwarding 18:39 < krzie> you have the public ips to waste? 18:39 < mRCUTEO> yes 18:39 < krzie> you will waste 2 on overhead 18:39 < mRCUTEO> i have /24 18:39 < mRCUTEO> okay 18:39 < krzie> waste another on the server 18:39 < mRCUTEO> im ready to waste 5 :) 18:39 < krzie> and then if you use topology subnet you dont waste anymore 18:40 < krzie> ok then the server already has the ips allocated to it? 
18:40 < mRCUTEO> yes 18:40 < krzie> like all the public ips are on the server? 18:40 < mRCUTEO> yes 18:40 < krzie> directly (shows up in its ifconfig) 18:40 < mRCUTEO> yes its eth0 - eth0:0 18:40 < mRCUTEO> with virtual alias 18:40 < krzie> many virtual aliases im sure you mean 18:41 < mRCUTEO> yes 18:41 < mRCUTEO> i have 6 IP attached to the virtual ethernet now 18:41 < krzie> so pick a subnet 18:41 < krzie> and put it in server statement 18:41 < mRCUTEO> okay 18:42 < mRCUTEO> let say 255.255.255.0 18:42 < krzie> while using topology subnet with 2.1 on both sides 18:42 < krzie> you cant use a /24 18:42 < mRCUTEO> ic 18:42 < krzie> unless you have more than that in public ips 18:42 < mRCUTEO> so over /27 18:42 < mRCUTEO> lets say /27 18:42 < krzie> ild keep it small, but do whatever you want 18:42 < krzie> play with it 18:43 < mRCUTEO> ok 18:43 < krzie> also theres been discussion bout this on the mail list 18:43 < mRCUTEO> can you give me the url 18:43 < mRCUTEO> :) 18:44 < krzie> im sure google would give me the same answers as you 18:44 < krzie> and im busy 18:44 < mRCUTEO> okay krzie :) just give a lil on search will ya? 18:44 < krzie> if you dont find it by the time im on the nick krzee i can check my mail list archives for you 18:44 < mRCUTEO> *lil hint 18:45 < mRCUTEO> oh okay :-) thanks 18:57 -!- Blime [n=blime@c-24-125-134-53.hsd1.va.comcast.net] has joined ##openvpn 18:58 < Blime> Hello all, IO 19:00 < Blime> I'm having an issue with EasyRSA, trying to create a ca to get started with openvpn. I'm using Ubuntu 8.10 and the openvpn version I installed with apt. I've modified vars and do /usr/share/doc/openvpn/examples/easy-rsa/2.0$ sudo ./clean-all 19:00 < Blime> And then I am told "Please source the vars script first (i.e. "source ./vars")" 19:01 < mRCUTEO> try . ./vars 19:02 < mRCUTEO> when you clean all that mean you deleting all 19:02 < Blime> ":/usr/share/doc/openvpn/examples/easy-rsa/2.0$ . 
./vars" outputs "NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/cert/keys" 19:02 < mRCUTEO> okay 19:03 < mRCUTEO> so are you sure you want to delete all previous key? 19:03 < mRCUTEO> if you do then ./clean-all 19:03 < mRCUTEO> next 19:03 < Blime> i haven't been able to create any keys thus far 19:03 < mRCUTEO> ./build-ca 19:03 < mRCUTEO> 1) . ./vars 19:03 < mRCUTEO> 2) ./build-ca 19:04 < mRCUTEO> and it doesnt work try chmod 755 vars 19:04 < mRCUTEO> and make sure you edit vars 19:04 < Blime> edited properly 19:04 < Blime> is 755 out of the box 19:05 < mRCUTEO> okay whats the messages show after you do 1) and 2) above 19:05 < Blime> ":/usr/share/doc/openvpn/examples/easy-rsa/2.0$ . ./vars" outputs "NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/cert/keys" 19:05 < Blime> ./build-ca gives 19:05 < Blime> Please edit the vars script to reflect your configuration, then source it with "source ./vars". Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all". Finally, you can run this tool (pkitool) to build certificates/keys. 19:06 < mRCUTEO> hmm 19:06 < Blime> thanks for your help so far, mRCUTEO 19:07 < mRCUTEO> okay np 19:08 < Blime> sudo . ./vars 19:08 < Blime> sudo: .: command not found 19:08 < mRCUTEO> ahax 19:08 < Blime> is that anything? 19:08 < mRCUTEO> thats the prob 19:09 < mRCUTEO> seems you cant run it as sudo user 19:09 < mRCUTEO> sudo cant see the dir 19:09 < mRCUTEO> try run source 19:09 < mRCUTEO> sudo source /usr/share/doc/openvpn/examples/easy-rsa/2.0$ 19:09 < Blime> sudo: source: command not found 19:10 < mRCUTEO> hmm something to do with your sudo config 19:10 < mRCUTEO> mine works okay 19:10 < Blime> brand new install 19:10 < mRCUTEO> hmm 19:10 < mRCUTEO> are you login as admin user now? 19:10 < mRCUTEO> i mean the first user of ubuntu? 19:10 < Blime> yes. first and admin. 
i can have a debian machine ready in a few minutes for true root access 19:11 < Blime> but i gave up on this with debian an hour ago 19:11 < mRCUTEO> Blime 19:11 < mRCUTEO> try moving the file to easy-rsa folder 19:11 < Blime> the vars file? 19:11 < mRCUTEO> instead of /usr/share/doc/openvpn/examples/easy-rsa/2.0$ try /usr/share/doc/openvpn/examples/easy-rsa/ 19:11 < Blime> kk 19:11 < mRCUTEO> all the files 19:11 < dvl> OpenVPN just keeps running. 19:12 < mRCUTEO> kill it dvl :D 19:12 < Blime> i hope this is enough..... /usr/share/doc/openvpn/examples/easy-rsa/2.0$ sudo cp * .. :-) 19:12 < dvl> ps auwx | grep mRCUTEO 19:13 < mRCUTEO> LOL dvl 19:13 < dvl> kill -TERM `cat /var/run/mRCUTEO` 19:13 < mRCUTEO> yerp Blime 19:13 < dvl> damn... 19:13 < dvl> kill -KILL `cat /var/run/mRCUTEO` 19:13 < mRCUTEO> lol.. dvl 19:13 < dvl> kill -KILL `cat /var/run/init` 19:13 < mRCUTEO> double lol 19:14 < dvl> killall -KILL IRC 19:14 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 104 (Connection reset by peer)] 19:14 < mRCUTEO> Blime: so you will have the file now look : /usr/share/doc/openvpn/examples/easy-rsa 19:15 < mRCUTEO> or if it doesnt work try create an easy-rsa file in the root dir of openvpn and put all your config file to the easy-rsa which is in the openvpn root folder 19:15 < mRCUTEO> i have the same problem with you Blime back 3 months ago when im installing openvpn in ubuntu dapper drake 19:16 < mRCUTEO> hope this help 19:16 < dvl> I'm running all my Nagios checks over the VPN, and *none* of them have burped since I started up the VPN about a week ago.... 19:16 < Blime> yeah, i'm an hour away from giving up 19:16 < dvl> Why wait? Give up now. 19:16 < dvl> Spend the hour doing something more fun. 19:16 < Blime> mmm 19:16 < mRCUTEO> something fun like wat dvl ?:P 19:17 < Blime> are there any alternatives to easyrsa? 
19:17 < mRCUTEO> there must be but somehow easy-rsa is the easiest tool for creating certs and compatible with openvpn
19:17 < dvl> Blime: it is what I use
19:18 < Blime> oh man /cry
19:18 < dvl> http://www.freebsddiary.org/openvpn-easy-rsa.php
19:18 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org)
19:18 < dvl> That's what I wrote up and what I use.
19:18 < mRCUTEO> :D
19:18 < Blime> dvl: thanks, i haven't seen that tutorial yet
19:20 < dvl> Blime: I wrote it. Any questions, you know where I am.
19:21 < Blime> thank you, gonna prep a quick debian machine and try it out
19:22 < dvl> Works for me. Created 5 certs so far
19:22 < Blime> i have two networks routing data to each other over a simple openvpn link using that secrets file
19:22 < Blime> but i am looking to add a third network and want to up some of the complexity
19:25 < krzie> <Blime> are there any alternatives to easyrsa?
19:25 < krzie> !ssl-admin
19:26 < vpnHelper> krzie: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
19:26 < krzie> written by ecrist
19:26 < krzie> recently modded by me to work on other os's, i need to fix the linux part tho
19:26 < krzie> cause it seems GNU sed is different than BSD sed
19:26 < krzie> so my configure script breaks
19:26 < krzie> should be very simple to see the configure script and mod the Makefile by hand tho
19:27 < krzie> its only like 3 lines to mod
19:27 < Blime> krzie: thanks, if i have continuous issues with easyrsa, i'll look into this
19:27 < krzie> ssl-admin comes with a nice lil interface
19:34 < mRCUTEO> ahax nice interface :D
19:34 < mRCUTEO> i like nice interface
19:40 < dotCOMmie> krzie: I got it working, thanks
19:41 < dotCOMmie> just gotta iron out some tiny things
19:45 < krzie> np
19:47 < dotCOMmie> It seems to be using the wrong dns server though
19:47 < dotCOMmie> it does not resolve the names of the machines on my local network (which the server is in)
19:48 < dotCOMmie> do I need to write a script to change the dns server to use that of the openvpn server?
19:49 < dotCOMmie> push option is what I'm looking for?
19:59 -!- mRCUTEO [n=info@64.235.47.77] has quit []
20:01 < krzie> dotCOMmie, you using 2.1 or 2.0?
20:04 < dotCOMmie> server is 2.0 client is 2.1
20:05 < dotCOMmie> I think I can make it work with foreign_option
20:11 < krzie> if you make both 2.1 you can add bypass-dns to the redirect-gateway command
20:11 < krzie> because the client likely is set to use its LAN dns server, but you're redirecting * through the vpn
20:12 < krzie> 2.1 has an option to not route the dns server through the vpn
20:12 < krzie> otherwise, you can manually add a bypass route for the dns server
20:13 < krzie> if you go with the last option, it would be a push route in server config or just route in client config
20:17 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:24 < dotCOMmie> that seems over complicated. All I need is to use the dns server of the openvpn server. I can just change the resolv.conf with a post-up script
20:26 < et> dotCOMmie: client OS?
20:27 < dotCOMmie> debian
20:28 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:28 < Dougy> Hey
20:28 < krzie> that will work too
20:28 < Dougy> ey yo @ krzie
20:28 < krzie> just make sure your server has dns listening on vpn ip
20:28 < krzie> wassup doug
20:29 < Dougy> nm
20:29 < Dougy> on phone with interserver tech
20:48 < krzie> sounds fun
20:48 < Dougy> no
20:48 < Dougy> the guy working overnight knows somewhere between how to plug in a power cable and how to hook up a monitor
20:48 < krzie> i once worked the NOC late shit
20:48 < krzie> shift*
20:48 < Dougy> hah
20:49 < Dougy> nice typo
20:50 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has joined ##openvpn
20:52 < Dougy> krzie: this is boring
20:52 < Dougy> i should just roll out of bed, take the train down there
20:53 < Dougy> and go fix it myself
20:53 < Dougy> -.-
20:53 < Solarbaby> Dougy you should come over here too and fix this
20:53 < Solarbaby> I'll share my beer with you
20:58 < Dougy> i'm 16
20:58 < Dougy> bad move
20:58 < Solarbaby> damnit its only beer
20:58 < Solarbaby> if I had marijoewanna i'd share that too
20:58 < Dougy> lol
20:58 < Dougy> i dont do beer
20:58 < Dougy> doesn't taste good
20:59 * Dougy is 100% straight edge
20:59 < Solarbaby> some beer tastes good and some tastes like someone pissed in your glass
20:59 < Dougy> thats exactly how i describe the taste of beer
20:59 < Dougy> piss
20:59 < Solarbaby> Dougy: I am glad to hear that you're doing good by yourself
20:59 < Dougy> how so
20:59 < Solarbaby> you said it all
21:00 < Dougy> what do ypu mean
21:00 < Dougy> s/ypu/you
21:00 < Solarbaby> I think some comments dont translate to text as well as they would have been said in person
21:00 < Solarbaby> just glad you're doing what's right for you
21:01 < Dougy> ah
21:01 < Dougy> man
21:01 < Dougy> i feel like shit
21:01 < Dougy> ugh
21:19 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Changing server"]
21:31 -!- Blime [n=blime@c-24-125-134-53.hsd1.va.comcast.net] has left ##openvpn []
21:39 -!- Blime [n=blime@c-24-125-134-53.hsd1.va.comcast.net] has joined ##openvpn
21:46 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has joined ##openvpn
21:49 < tjz> ohhhhhhhhhh...
21:49 * tjz steps in
21:54 * ropetin steps off
21:56 < Blime> in creating my own CA and generating keys, i just ran ./build-key-server myserver.example.com
21:56 < Blime> it's asking for a challenge password.... what is this?
21:58 < Blime> and can it be left blank?
21:58 < ropetin> Yes it can
21:58 < Blime> ropetin: thanks
21:59 < ropetin> NP :D
22:42 -!- vramesh [n=vramesh@mobile204-245.near.uiuc.edu] has joined ##openvpn
22:42 < vramesh> hi!
22:42 < vramesh> i got my openvpn server set up with a bridged setup on the server side
22:42 < vramesh> however i am unable to get to any windows shares on the server's subnet
22:44 < ropetin> vramesh: how are you accessing the shares, by name or by IP?
22:44 < vramesh> well, by both
22:44 < vramesh> it doesnt matter
22:44 < vramesh> either way it doesnt work
22:45 < ropetin> And can you ping at least, to show you have network connectivity?
22:45 < vramesh> no i can't
22:45 < ropetin> So it's a routing issue maybe?
22:45 < vramesh> weird thing is i can ping all my other machines in the subnet
22:45 < vramesh> its just the windows one
22:45 < vramesh> that I can't ping
22:46 < ropetin> Ahhh, so maybe it's just that they are configured to reject ping requests?
22:46 < vramesh> sounds like a firewall issue
22:46 < vramesh> ?
22:46 < vramesh> possibly
22:46 < vramesh> i havent messed with the settings on the windows box i'm trying to access
22:46 < ropetin> Can you ping the other way, FROM the Windows boxes?
22:47 < vramesh> to the client machine?
22:47 < vramesh> no
22:47 < vramesh> oh wow
22:47 < vramesh> thats weird
22:48 < vramesh> its only from my windows box that i can't ping the other way
22:48 < vramesh> hmm, so this is clearly a windows server configuration issue
22:48 < ropetin> :)
22:48 < ropetin> Weird indeed
22:48 < vramesh> I've turned off windows firewall
22:49 < vramesh> still no luck
22:49 < vramesh> i'm trying to access a server 2008 machine
22:50 < vramesh> but when i'm within the nat, i can access the shares
22:51 < vramesh> and the accessing by name should work as well, i'm running an internal dns
22:55 < vramesh> btw, is it bad to have the vpn's subnet be the same as my internal nat's subnet
22:55 < vramesh> if they're both 192.168.1.0
22:58 < simplechat> yes
22:58 < simplechat> very
22:58 < simplechat> vramesh, move the vpn to something else
22:58 < simplechat> or you'll have issues
22:58 < vramesh> ok
22:58 < vramesh> that might be the problem
22:58 < vramesh> thanks
22:59 < simplechat> tis k
23:13 -!- vramesh [n=vramesh@mobile204-245.near.uiuc.edu] has quit [Read error: 54 (Connection reset by peer)]
23:20 -!- vramesh [n=vramesh@mobile204-245.near.uiuc.edu] has joined ##openvpn
23:20 < vramesh> simplechat: when i changed the subnet, i couldnt access any of my machines
23:22 < vramesh> also, is there any preference to udp over tcp
23:24 < ropetin> UDP, UDP, UDP :)
23:24 < ropetin> !routes
23:24 < vpnHelper> ropetin: Error: "routes" is not a valid command.
23:24 < ropetin> !route
23:24 < vpnHelper> ropetin: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
23:25 < ropetin> Check the bottom of that page, does it relate to you at all?
23:28 < ecrist> evening bitches.
23:29 < ropetin> You must be talking to simplechat...
23:29 < ropetin> :D
23:29 -!- paruchuri [n=paruchur@61.16.248.247] has quit [Remote closed the connection]
23:42 < simplechat> vramesh, what?
23:43 -!- vramesh [n=vramesh@mobile204-245.near.uiuc.edu] has quit [Read error: 104 (Connection reset by peer)]
23:45 * ecrist goes to bed.
23:45 -!- Blime [n=blime@c-24-125-134-53.hsd1.va.comcast.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.4/2008111318]"]
--- Day changed Sun Dec 07 2008
00:08 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:44 -!- vramesh [n=vramesh@mobile204-245.near.uiuc.edu] has joined ##openvpn
00:44 < vramesh> hi, i can't seem to access my within my nat after i changed my the vpn subnet
00:45 < vramesh> the weird thing is even if i change it back to what it was before, i can't ping any machines in my nat
00:45 < vramesh> here is my config file: http://pastebin.com/m2fa02c39
00:45 < vramesh> ropetin: any advice?
00:53 < ropetin> vramesh: Did you make any changes to iptables with the old subnet?
00:54 < vramesh> what kind of changes
00:54 < ropetin> Thats the question :)
00:54 < vramesh> nothing special
00:54 < vramesh> this is on openbsd
00:55 < vramesh> i pass all for udp 1194 to the vpn server
00:55 < vramesh> which is on 192.168.1.1
00:56 < vramesh> ropetin: I'm not sure what else it could be, i thought i had it working, but when i changed the subnet to not be 192.168.1.*, it just stopped
00:57 < ropetin> The subnet should be different for the VPN, so that's a good thing
00:57 < ropetin> Did you leave it in the same range, or change it to something wildly different, like a 172.16.x.x?
00:59 < vramesh> its now a 192.168.2.*
00:59 < vramesh> should it be completely different
01:00 < vramesh> am I pushing routes properly in my config file?
01:00 < ropetin> It shouldn't matter really
01:00 < ropetin> Lemme take a look
01:00 < vramesh> http://pastebin.com/m2fa02c39
01:01 < ropetin> The redirect-gateway line says 'send all my traffic over the VPN' I think, is that what you want?
01:01 < vramesh> yes
01:01 < ropetin> Do the DNS and WINS server settings get applied correctly?
01:01 < vramesh> yes the dns server gets applied properly
01:01 < vramesh> but i can't even ping the ip within my nat
01:02 < ropetin> NAT?
01:03 < vramesh> yes the subnet behind the vpn server
01:03 < vramesh> 192.168.1.*
01:03 < ropetin> Ahhh, ok, yup
01:04 < ropetin> I killed my OpenVPN install (well, not OpenVPN, the whole server) so I can't really check or test anything. However, this is the URL I used to set up my 'route all traffic through OpenVPN', maybe you can use it as a guide?
01:04 < ropetin> http://www.wains.be/index.php/2008/07/18/openvpn-routing-all-traffic-through-the-vpn-tunnel/
01:04 < vpnHelper> Title: Sébastien Wains » OpenVPN : routing all traffic through the VPN tunnel (at www.wains.be)
01:41 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn
02:14 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 104 (Connection reset by peer)]
02:15 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
02:15 -!- ikevin [n=kevin@ANancy-256-1-88-32.w90-26.abo.wanadoo.fr] has joined ##openvpn
02:15 -!- ikevin [n=kevin@ANancy-256-1-88-32.w90-26.abo.wanadoo.fr] has quit [Connection reset by peer]
02:16 < vramesh> is there a way to not have openvpn act as a dhcp server
02:16 < vramesh> and just point to my own dhcp server
02:16 < reiffert> !howto
02:16 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:53 -!- vramesh [n=vramesh@mobile204-245.near.uiuc.edu] has quit [Read error: 104 (Connection reset by peer)]
02:56 < J-23> does OpenVPN look for certificates/keys in the easy-rsa dir or do I need to set the full path to them in config?
02:58 < ropetin> J-23: Full path will always work!
02:59 < J-23> ok.
03:05 < simplechat> J-23, takes . first
03:06 < simplechat> so if you're in /etc/openvpn/openvpn.conf
03:06 < simplechat> if you shove your keys/etc in /etc/openvpn they'll be found there
03:15 < J-23> yeaaa, it works!
03:16 < ropetin> :D
03:24 < J-23> but OpenVPN configuration under Windows is terribly hard.
03:27 < ropetin> J-23: When I tried it, I used OpenVPN GUI, and just used the same config file I used under Linux, maybe you could try that?
03:31 < J-23> does the installer from openvpn.net contain the GUI?
03:34 < J-23> argh, nvm
03:35 < ropetin> I don't believe so, no
03:35 < J-23> but where should I put config and keys?
03:35 < J-23> "OpenVPN GUI is now packaged in the Windows installer." in beta version
03:35 < ropetin> oo excellent :)
03:36 < ropetin> I believe I put them in prog files\openvpn\config
03:36 < ropetin> I just followed the directions anyway
04:17 -!- tompaw [n=tompaw@slave12.tesserakt.eu] has left ##openvpn []
04:29 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has quit [Read error: 104 (Connection reset by peer)]
04:35 < simplechat> J-23, ouch, windows user
04:36 < ropetin> simplechat: what's wrong with Windows for VPNing?
04:39 < simplechat> ropetin, nothing more than what's wrong with windows generally. its slow, doesn't have version control/package managers/actual packages, it's virus ridden and is just generally badly designed
04:40 < simplechat> just ask anybody who's had to support any number of the things :)
04:40 -!- vramesh [n=vramesh@c-98-212-205-165.hsd1.il.comcast.net] has joined ##openvpn
04:40 -!- J-23 is now known as J-23__
04:40 < ropetin> simplechat: I used to support 150 of the things, all on my own. The only nightmare I had was Windows XP SP3 which killed 7 PCs until it was uninstalled. I'm a huuuuge Linux fan, but I give Windows its due
04:41 < simplechat> hmmm. XP is nice enough, i've used it for awhile
04:41 -!- J-23__ is now known as J-23
04:41 < simplechat> but yeah, i've seen more of the inside of windows than i'd ever want to again, and its more of a hack than anything.
04:41 < ropetin> We wouldn't have Linux on our home PCs, if it wasn't for Windows (or at least MS making home computing ubiquitous)
04:41 < ropetin> SPL?
04:41 < simplechat> linux is about the same, but they're better designed hacks
04:41 < simplechat> SP2
04:41 < ropetin> :S
04:41 < simplechat> like the registry just sucks as a design
04:42 < simplechat> for what its built for it just utterly fails
04:42 < ropetin> simplechat: It's a nice idea, badly abused by software developers (including MS, natch)
04:42 < simplechat> if they could replace it with a proper database, it would help the speed issues (which are major), but its not going to help with the random keys that float around
04:42 < simplechat> because windows doesn't have software packages in any sort of form
04:43 < ropetin> Exactly, that's the problem, keys that don't seem to relate to anything, but you can't whack them, just in case it breaks your mouse, or something
04:43 < simplechat> yeah
04:43 < ropetin> simplechat: MSI?
04:43 < simplechat> i mean, something like a segmented db would be perfect
04:43 < simplechat> shove a schema in your package, build it on install, back it up on uninstall (for if you ever need it again)
04:43 < ropetin> Or just independent flat text config files for each app? :D
04:43 < simplechat> ropetin, doesn't actually work
04:43 < simplechat> compare a .deb to a msi
04:44 < simplechat> .deb just lists off whatever it is that it needs as dependencies, has the code, the data and not much else. Assuming nothing is bad, things can be installed/uninstalled quite nicely
04:44 < ropetin> Oh, I'm with you, I would KILL for apt on Windows, imagine upgrading 150 PCs simply by doing 'apt-get install upgrade' on them, wonderful!
04:44 < simplechat> or having it done automatically
04:45 < simplechat> like a windows repository would be an awesome project
04:45 < simplechat> esp if you can sell stuff with it
04:45 < ropetin> However, all the developers would have to work together, which obviously in a competitive for-profit environ doesn't work
04:45 < simplechat> just the fact that everything needs its own autoinstaller, etc. just fails
04:45 < simplechat> ropetin, just repurpose .deb
04:45 < simplechat> if MS lays it down as a standard, and it saves devs work, they're not going to push away that much
04:45 < ropetin> simplechat: get programming on it then ;)
04:46 < simplechat> ropetin, i don't have any windows boxes, and there's no money in it
04:46 < ropetin> Doh!
04:46 < simplechat> more there's no money in it :)
04:46 < ropetin> But you've just hit the nail on the head, no money
04:46 < simplechat> yeah
04:46 < simplechat> its just one of the failures of windows :)
04:46 < simplechat> not counting the utterly stupid, like lmhashes
04:46 < ropetin> We should all just use BeOS :D
04:46 < simplechat> lmhashes are the most utterly stupidly designed things ever conceived by a person
04:47 < simplechat> and they are a ms only invention :)
04:47 < ropetin> lmhashes? Password thing?
04:47 < simplechat> yeah
04:47 < ropetin> That can be hacked in about 0.3 seconds?
04:47 < simplechat> yep
04:47 < simplechat> because they just fail utterly
04:47 < simplechat> they only take one case of alphas, they restrict the char set
04:47 < simplechat> max out at 8 chars
04:48 < simplechat> unsalted, etc.
04:48 < ropetin> I don't know if it's the same thing, but I liked the way on Windows 98 you could guess network share passwords just by trying one letter until it works, then trying the second letter until one works, then so on
04:48 < simplechat> so they are worse than the original salted md5's unix was using before windows was around
04:48 < simplechat> >
04:48 < simplechat> ?
04:48 < simplechat> meh
04:48 < simplechat> its just that they take a nice standard which has worked for years, and make something that works much worse
04:49 < ropetin> :D
04:49 < simplechat> when it would be cheaper for them to just use the already existing codebase and run with it
04:49 < ropetin> Didn't they get in trouble for reusing TCP code from some BSD?
04:49 < ropetin> Use standards, rather than someone's code
04:49 < simplechat> that was in licence, but funny
04:49 < ropetin> :D
04:49 < simplechat> cause its bsd licence
04:49 < simplechat> it was just funny
04:49 < ropetin> :D
04:50 < simplechat> but i mean, not failing would be a good start
04:51 < simplechat> but meh :)
04:51 < simplechat> ropetin, what sort of dues would you give windows though?
04:52 < ropetin> As I mentioned, it has made standardized home computing (not gaming) available to the public
04:52 < vramesh> grr,
04:53 * vramesh is still unable to ping even his vpn server
04:53 < ropetin> With MSDOS and by extension Windows, I fully believe we would still be stuck in the model of having specific software (OS/App etc) per manufacturer
04:53 < simplechat> says who?
04:53 < ropetin> vramesh: which IP are you trying to ping, the VPN IP or the actual IP?
04:53 < vramesh> the vpn ip
04:54 < ropetin> Try the regular IP
04:54 < ropetin> Says who? Me. See, up there, if you scroll a bit
04:54 < ropetin> It's totally my belief
04:54 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has joined ##openvpn
04:54 < simplechat> ropetin, hw standards have been around for a looong time, and sw will run on basically any hw that meets spec
04:54 < ropetin> simplechat: how old are you?
04:54 < Solarbaby> I would have never even imagined configuring openvpn would lead to so many issues
04:54 < simplechat> ropetin, 18, why :)
04:55 < Solarbaby> Bah.. just when I think im getting close.. and I have to be pretty damn close by now
04:55 < simplechat> Solarbaby, complex things are complex :)
04:55 < simplechat> its like saying that you didn't know that trying to rebuild a car would be so difficult
04:55 < Solarbaby> simplechat: you are as right as right can be
04:55 < ropetin> Hehhe, well go back to 1982, when each manufacturer made their own hardware, with their own OS (if you can call it that) and each piece of software had to be custom written
04:55 < vramesh> ropetin: well, without the vpn client turned on it works, but with it on, it doesn't, which makes sense, since i'm forwarding traffic through the vpn
04:55 < simplechat> you're used to seeing it all together working as a unit, you're not used to seeing how everything fits together
04:55 < simplechat> ropetin, that was before standardisation. Remember that the PC clones only ran dos because ibm had a deal with ms
04:56 < ropetin> vramesh: the guys in here say the VPN IP isn't pingable, I don't know why, and it seems technical, but that's what they say :D
04:56 < simplechat> who then bought the software from another company
04:56 < simplechat> :)
04:56 < Solarbaby> yeah.. pretty much
04:56 < ropetin> simplechat: exactly my point! MS made the deal with MSDOS that standardized!
04:56 < simplechat> ropetin, in short, the HAL happened, hardware started to become standardised
04:56 < simplechat> ropetin, nah the PC was the hw standard
04:56 < simplechat> it was cloned enough times that it was a nice thing for everything to run on
04:57 < ropetin> But if MS hadn't written MSDOS for it, and they hadn't made the deal with IBM it wouldn't be standardized
04:57 < simplechat> MS didn't write msdos
04:57 < simplechat> ms bought dos
04:57 < simplechat> and then resold it to IBM
04:57 < simplechat> who left a loophole in the contract allowing ms to retain claim to the software
04:58 < ropetin> OK, let me rephrase, if MS hadn't /purchased/ and then /resold/ MSDOS......
04:58 < ropetin> Point stands
04:58 < vramesh> ropetin: if it isn't pingable, how can i get to any subnet on the vpn server side?
04:58 < simplechat> then os/2 or a unix would be the standard
04:58 < simplechat> the PC was the main thing
04:58 < ropetin> vramesh: I'm just a poor innocent user, the underneath whirrings of openvpn are beyond me
04:59 < simplechat> unix was running on plenty of mainframes, etc. and there were plenty of other nice os's out there
04:59 < simplechat> ropetin, windows itself could have run on a couple of different arches up until NT
04:59 < vramesh> simplechat: actually, nt was the first ms os targeted for multiple platforms
04:59 < ropetin> simplechat: true, and technically it still does on the XBox, it's a version of NT for PowerPC if I remember
05:00 < simplechat> hmmm.
05:00 < ropetin> And of course Windows Mobile on whatever phone hardware it can
05:00 < vramesh> simplechat: thats why they had to cut back the number of privilege levels they used in nt
05:00 < simplechat> vramesh, that might be true, that they were doing that in case intel failed
05:00 < vramesh> otherwise dave cutler would have had it his way and rwrittend vms
05:00 < vramesh> rewritten*
05:00 < ropetin> I'm not arguing for or against Windows being 'good', just that people need to give it its dues
05:01 < simplechat> ropetin, the only reason windows is still here is because trey is a very good businessman
05:01 < simplechat> not that he's a good programmer, or that windows is actually any good
05:02 < simplechat> i mean, ms has screwed over every partner they've had
05:02 < ropetin> Whatever works really, it's business after all
05:02 < simplechat> yeah
05:02 < simplechat> its just you can't say that its "dues" because its been there for the last few years
05:02 < simplechat> its been there because its been forced there
05:02 < simplechat> not because its the best tool for the job
05:03 < ropetin> If I want an OS I can hack and play with, I'm going with Linux, FreeBSD, or whatever. If I want an OS I can play the latest game on (and have to reinstall once every 6 months) I'll go with Windows
05:03 < simplechat> and why is that?
05:03 < simplechat> because windows had the loophole in the contract for the PC, which was a success. They were in a position to dictate standards and they did
05:04 < simplechat> they had enough lock-in to stop people from leaving their system, so people didn't
05:04 < ropetin> Because the latest game is only available on Windows, in 95% of cases. You can argue that is bad, and if people made games for Linux, Linux would be better and people would play games on it. But it's catch 22, they won't make games for Linux without enough people using Linux, but people won't use Linux because they can't play games
05:04 < simplechat> and since pc's sold very well, microsoft got a pretty penny out of some very very VERY illegal licensing contracts to vendors
05:04 < simplechat> but they're big enough that antitrust suits really aren't going to hurt them
05:04 < ropetin> illegal or immoral? There is a difference!
05:04 < simplechat> illegal
05:04 < simplechat> with msdos, for example, version 5 i think
05:05 < simplechat> they were in trade talks with a software company about licensing their compression tech
05:05 < simplechat> got specs under NDA
05:05 < simplechat> broke NDA
05:05 < simplechat> implemented it in msdos
05:05 < simplechat> then bankrupted the other company before they could sue (civil court because its patent infringement)
05:05 < simplechat> thats perfectly illegal
05:05 < simplechat> but they were screwed with it
05:05 < ropetin> I don't know enough to comment on that, so I won't
05:06 < simplechat> they do this quite a few times
05:06 < simplechat> try reading up on their tactics
05:06 < vramesh> simplechat: i actually disagree, I generally don't do development on windows, but they've survived because they do things well
05:06 < ropetin> If it's true, it's bad, but I'd argue that is breaking an NDA illegal, or does it just open you up to being sued?
05:06 < simplechat> things like squeezing hw vendors with discounts so long as they only sell ms products
05:06 < simplechat> (antitrust suits basically came from that)
05:07 < simplechat> its illegal, no strings attached
05:07 < ropetin> I.e. can I go to jail for breaking NDA, or can the company just sue me, or otherwise 'hurt me', per the details of the contract?
05:07 < simplechat> they've done worse, its just been a long time since i've seen it
05:07 < vramesh> comparing linux os design to the nt kernel is like comparing, well, a fat guy to a hot model
05:07 < simplechat> ropetin, its civil, not criminal
05:07 < simplechat> its like if you pirate movies/etc. its a civil issue, not criminal
05:07 < simplechat> like patents, coincidentally, which they also have issues with
05:07 < ropetin> Hokay, again I don't know enough. IANAL, just a LUSER :)
05:08 < ropetin> vramesh: Linux kernel is the model or the fattie?
05:08 < simplechat> vramesh, i've done some dev on both, and know people who have been doing it for a long time and basically hate it
05:08 < simplechat> whoever designed win32 really had issues
05:08 < simplechat> (look at the hacks wine has to do to maintain bug for bug compatibility)
05:09 < simplechat> ropetin, i'm just impressed by these guys
05:09 < simplechat> from a business perspective
05:09 < simplechat> not a moral standing
05:10 < ropetin> :D OK
05:10 < simplechat> cause the guy is an insane businessman
05:10 < simplechat> balls of steel
05:10 < ropetin> The best kind!
05:10 < vramesh> ropetin: linux kernel is the fattie
05:11 < vramesh> its probably the most inelegant thing i've ever worked with
05:11 < ropetin> vramesh: maybe because it tries to do so much?
05:11 < simplechat> when you can go up to IBM, who you depend on for your future success and basically fuck them over
05:11 < vramesh> no
05:11 < simplechat> that takes balls
05:11 < vramesh> ropetin: its because its not well architected
05:11 < ropetin> Hehhe, ok
05:11 < simplechat> (over OS/2, they had a partnership which ms used to kill OS/2)
05:11 < simplechat> vramesh, linux ain't pretty at the core
05:11 < simplechat> but its nice around the edges :)
05:11 < vramesh> its just a blob of code,
05:11 < simplechat> which is what you can say for most chicks :)
05:12 < simplechat> (the good ones, anyway)
05:12 < ropetin> I'll leave that one there!
05:13 < simplechat> ropetin, the core of the person (blood/guts/etc) is crap (literally), but on the outside its beautiful :)
05:13 < simplechat> nice analogy to linux, yeah?
05:13 < ropetin> Hmmm
05:15 < vramesh> no, when you need things to work the microkernel architecture of nt is amazingly flexible
05:15 < vramesh> they basically took a microkernel architecture and put it into kernel space
05:21 < vramesh> hmm would I have issues if i was using different versions of the client and server
05:21 < vramesh> ?
05:22 < ropetin> Which v are you on?
05:26 < vramesh> 2.1
05:26 < ropetin> Thats the latest, should work fine
05:29 < simplechat> vramesh, they have done a few nice things
05:29 < simplechat> and nt could have actually been good
05:29 < simplechat> but they never seem to make anything that actually works
05:30 < vramesh> simplechat: what do you mean, what doesn't work in windows?
05:31 < vramesh> graphics support is great, wireless/networking is great, file sharing scales from simple home users to corporations that use MS DFS
05:31 < vramesh> AD is far better than trying to hack up kerberos and ldap together
05:32 < vramesh> the fact is, they have all the features and they make it easy to use
05:32 < simplechat> vramesh, the stuff that i know fails miserably: the registry, packages, IIS (very badly), any/all security, their scalability (sharepoint fails very hard when it gets big), windows netgroups (they don't sync, it sucks when it gets big), not having a package manager really sucks, not being able to deal with repositories sucks
05:32 < simplechat> they have most drivers yes, including the insane hackjobs (foxconn, i'm looking at you)
05:33 < simplechat> which really don't work, but they work with what windows expects and hence they "work"
05:33 < simplechat> vramesh, they don't have "all the features"
05:33 < simplechat> hell, windows doesn't even have a proper shell
05:33 < ropetin> PowerShell?
05:33 < vramesh> iis is far better than anything the open source community has made
05:33 < simplechat> the guy who wrote the Z shell, i think, spoke up at a powershell conf
05:33 < simplechat> that windows was running
05:33 < vramesh> i'm not saying its the best web server in the world
05:33 < simplechat> vramesh, you're kidding me?
05:33 < vramesh> but, its far better than the apache standard
05:33 < simplechat> you are kidding me?
05:34 < simplechat> have you used IIS properly, vs. lighttpd or any of the rest?
05:34 < vramesh> actually, running a virtual machine and running legitimate code on top of the clr is far better than running some hacked up php garbage
05:34 < simplechat> virtual machines are nice enough, java is nice when it comes to these things
05:34 < vramesh> java is a pos
05:35 < simplechat> as a concept its good
05:35 < vramesh> it doesnt match up to the tool that ms has
05:35 < simplechat> just the implementation had too much fail
05:35 < vramesh> look at how much c# has developed
05:35 < vramesh> it doesnt
05:35 < simplechat> its on OO like its H
05:35 < vramesh> whats bad about iis
05:36 < vramesh> the fact that it runs on the clr makes it 100 times more powerful as a tool
05:36 < vramesh> all the compilers are jit
05:36 < simplechat> well, to begin with i've had IIS completely die after a couple of hundred requests
05:36 < simplechat> it runs very slowly
05:36 < vramesh> so it can do runtime profiling and optimization on the fly
05:36 < vramesh> ??
05:36 < simplechat> lighttpd will max out a gigE link on a p4
05:36 < vramesh> compared to what
05:36 < vramesh> its an enterprise server
05:36 < simplechat> yeah
05:36 < simplechat> lighty runs efficiently
05:36 < vramesh> i don't see apache doing any better
05:36 < simplechat> windows doesn't have anything to match libevent
05:37 < vramesh> yes, but it serves like html
05:37 < vramesh> and thats it
05:37 < simplechat> nah
05:37 < simplechat> fastcgi :)
05:37 < vramesh> simplechat: cgi is a pos
05:37 < simplechat> something iis only just worked out :)
05:37 < simplechat> vramesh, lol
05:37 < simplechat> fastcgi != cgi
05:37 < vramesh> it starts up a new interpreter for each instance
05:37 < simplechat> no
05:37 < simplechat> thats cgi
05:37 < vramesh> it's slower than everything else
05:37 < vramesh> even with fastcgi
05:37 < simplechat> no
05:37 < simplechat> thats utterly ignorant
05:38 < vramesh> what languages are you talking about in fastcgi
05:38 < vramesh> because, you can do that for interpreted languages but not for compiled ones
05:38 < vramesh> it doesnt gain any speed
05:38 < simplechat> fastcgi/etc (theres plenty of nice protocols to do that, and lighty as a server to rails is very good) run one server which responds to requests from lighttpd
05:38 < simplechat> they spawn when more are needed, killed when they're not
05:38 < simplechat> they let you scale well
05:38 < simplechat> because linux can actually multitask :)
05:38 < vramesh> ???
05:38 < vramesh> wtf are you talking about
05:39 < simplechat> vramesh, you don't know how fastcgi works?
05:39 < simplechat> the basic idea is this
05:39 < vramesh> windows has m x n scheduling support
05:39 < simplechat> lol
05:39 < vramesh> it has better support than linux will ever have in multitasking/threading
05:39 < vramesh> not to mention, libevent is not even close to windows libraries
05:39 < simplechat> vramesh, i'd google that
05:40 < vramesh> all of the windows libraries are asynchronous
05:40 < simplechat> then if you want to support it, i'll accept that thats your point
05:40 < vramesh> tell me something
05:40 < simplechat> because otherwise you're going to school yourself very badly
05:40 < vramesh> how do you wait for multiple objects in posix
05:40 < vramesh> ?
05:40 < vramesh> oh thats right you cant
05:40 < vramesh> you can only call joins on a single thread
05:40 < vramesh> don't even mess with asynchronous architecture
05:40 < simplechat> your not getting this, lol
05:40 < vramesh> msft practically invented it
05:41 < vramesh> what am i not getting
05:41 < simplechat> to put things in perspective, you can shove linux on a 256 core machine and it'll use them very well, because it can multitask
05:41 < simplechat> its had an o(1) scheduler for a long time
05:41 < simplechat> windows is nothing like that
05:41 < simplechat> i've had my computer run on a load average of 15 and its still responsive
05:41 < vramesh> an o(1) scheduler doesnt mean anything if it makes bad decisions
05:41 < simplechat> now for the layman, it means that my computer is trying to do 15 things at once
05:41 < vramesh> i can pick any process at random too
05:41 < simplechat> it makes very good decisions
05:42 < simplechat> it separates IO seeking programs from crunching programs, and interrupts those that crunch when io is available
05:42 < vramesh> yes, and i suppose thats why they replaced it
05:42 < simplechat> it does all this cool stuff :)
05:42 < simplechat> vramesh, its better then anything windows has every had
05:42 < simplechat> *ever
05:42 < simplechat> try loading a windows box
05:42 < vramesh> linux doesnt have prioritized io last time i checked
05:42 < simplechat> vramesh, do you know anybody at akamai? or any other service?
05:42 < vramesh> although that might have changed
05:42 < simplechat> thats rolled out windows and linux servers?
05:43 < simplechat> like on a semimassive scale
05:43 < vramesh> ?? how big of a multi core are we talking
05:43 < simplechat> not core, scale
05:43 < vramesh> because, the nt kernel + rpc allows for a completely distributed architecture
05:43 < simplechat> like actually used windows boxes
05:43 < simplechat> stressed them for an application
05:43 < simplechat> vramesh, no, it doesn't
05:44 < vramesh> yes it does
05:44 < simplechat> really?
05:44 < simplechat> and how exactly would you do that?
05:44 < vramesh> would you do what?
05:45 < simplechat> your issue is basically that you don't have any actual points, and your not addressing the ones that i've given you
05:45 < simplechat> if your not going to do that then i'm going to go back to work :)
05:45 < vramesh> first of if youre talking about large parallel clusters, more of it matters on the api/libraries than the os
05:45 < simplechat> nah
05:45 < simplechat> it doesn't
05:46 < vramesh> if youre talking about how well the os scales across a distributed cluster
05:46 < simplechat> no
05:46 < simplechat> windows can't scale if you load it
05:46 < vramesh> windows is naturally distributed due to its kernel/rpc architecture
05:46 < simplechat> it won't go above 50% without thrashing very badly (because it has no proper scheduler)
05:46 < simplechat> and its not naturally distributed
05:46 < vramesh> you keep saying this, but i've had no problems with it
05:46 < simplechat> :)
05:47 < vramesh> what is wrong with the scheduler
05:47 < vramesh> ?
05:47 < simplechat> a little exercise for you
05:47 < simplechat> get your computer, running windows or whatever
05:47 < simplechat> now run apache, pound, lighttpd, mysql, postgresql, memcached with 3/4 of the available ram, and the related apps
05:48 < simplechat> (so run php/python with fastcgi, with about 16/32 fastcgi instances)
05:48 < simplechat> now stress it past 1
05:48 < simplechat> and see your latencies
05:48 < simplechat> having done something similar, i can tell you that the minute you hit about 50-60%, your latencies go off exponentially until the machine dies
05:49 < simplechat> (50-60% of actual utilisation)
05:49 < simplechat> on the other hand, you can push a linux box to 100% pretty nicely
05:49 < vramesh> you see i solve all of these problems by not doing that. i run iis on top of the clr, which gives me access to all the .net languages a legitimate compiler, with actual usable languages unlike php
05:49 < simplechat> who would use php?
05:49 < simplechat> you can write fastcgi apps in whatever you want
05:49 < simplechat> its a standard
05:50 < vramesh> and i'm telling you, if i write a fastcgi app in c++
05:50 < simplechat> your more then welcome to
05:50 < simplechat> there are api's around, iirc
05:50 < vramesh> its going to restart a new instance of my application each request
05:50 < simplechat> you can write fastcgi apps in javascript now
05:50 < vramesh> it has too
05:50 < vramesh> with vms
05:50 < simplechat> no
05:50 < simplechat> its not
05:50 < vramesh> it can initialize it once
05:50 < simplechat> it really doesn't
05:50 < vramesh> but with a compiled app
05:50 < vramesh> it really cant
05:50 < simplechat> and its a pretty standard thing
05:51 * ropetin checks back in
05:51 < vramesh> that doesnt make any sense,
05:51 < simplechat> in a "Welcome to the web past 1980" sort of sense
05:51 < ropetin> Are you kids still at it?! :)
05:51 < simplechat> its a server
05:51 < simplechat> it starts up
05:51 < simplechat> takes a request, services it then sends it back
05:51 < vramesh> the whole point of fastcgi is to reduce the vm start up times of interpreted languages
05:51 < simplechat> my setup on one of my servers runs lighty and a set of php fastcgi instances
05:51 < simplechat> vramesh, it does it by not starting them up :)
05:51 < vramesh> it will not change the runtimes of a c++ cgi app
05:51 < simplechat> vramesh, you don't know what your talking about. sit down and listen.
05:52 < vramesh> obviously you're misled,
05:52 < simplechat> when i send a request to my site, lighttpd takes it from its epoll loop (so its never waiting on anything, and it runs very fast at this), and writes it to a unix socket connected to a fastcgi server
05:52 < simplechat> so it takes the request, parses it, and sends the data to the server
05:53 < simplechat> now it has a buffer of requests to send to that server
05:53 < simplechat> and when it gets too big it spawns another instance (who then takes the slack, they round-robin between themselves)
05:53 < vramesh> i'm well aware of how ipc works
05:53 < simplechat> each server stays in memory
05:53 < vramesh> when what gets too big
05:53 < vramesh> ?
05:53 < simplechat> they don't shut down until load drops
05:53 < simplechat> then it drops back to 1
05:53 < simplechat> the buffer
05:53 < simplechat> because these things run very nicely on multicore machines :)
05:54 < simplechat> the buffer in terms of requests requiring servicing
05:54 < vramesh> ?? multi core has nothing to do with it here
05:54 < simplechat> they do NOT start every instance
05:54 < simplechat> it is NOT cgi
05:54 < vramesh> ok
05:54 < simplechat> ok?
05:54 < vramesh> listen to me here
05:54 < simplechat> that just grates
05:54 < vramesh> if i write a c++ cgi app
05:54 < simplechat> because its wrong
05:54 < vramesh> what does that mean
05:54 < vramesh> ?
05:54 < simplechat> *fastcgi
05:54 < simplechat> cause cgi has issues
05:55 < vramesh> well
05:55 < vramesh> no fastcgi is compatible with cgi
05:55 < simplechat> interface specs maybe
05:55 < simplechat> but there is no teardown
05:55 < simplechat> i work with these things for a living :)
05:56 < simplechat> and they just don't do what you say they do
05:56 < vramesh> i understand
05:56 < vramesh> but you're aware of how cgi works
05:56 < vramesh> ?
05:56 < vramesh> right
05:56 < vramesh> ?
05:56 < simplechat> i also use linux servers because windows servers just plain sucks under load
05:56 < vramesh> when a request comes in youre applications gets called
05:56 < vramesh> it hands back a page
05:56 < simplechat> we have them for streaming flash, but they cost quite a bit more then linux servers because they can't take the load
05:56 < simplechat> i know how cgi works
05:56 < vramesh> and problem solved
05:56 < simplechat> lol
05:56 < vramesh> thats the magic of cgi
05:56 -!- bandini [n=bandini@host155-6-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
05:56 < simplechat> i also know how iis just fails
05:56 < vramesh> it doesnt matter, what language its in, because, it just calls the applications
05:57 < simplechat> yeah
05:57 < vramesh> since fast cgi has to emulate this
05:57 < simplechat> and at this point your incoherent
05:57 < vramesh> you can avoid vm start up times for interpreted languages
05:57 < simplechat> fastcgi != cgi
05:57 < vramesh> but you cant reuse an instance of a compiled program
05:57 < simplechat> your arguing against reality
05:57 < simplechat> this can't end well on your part
05:57 < vramesh> once its used once, its tainted
05:57 < vramesh> thats not how it works
05:57 < simplechat> lol
05:57 < vramesh> for compiled apps you spawn a new instance
05:58 < simplechat> ropetin, is this chan logged?
05:58 < simplechat> vramesh, no, because you are writing a fastcgi app
05:58 < simplechat> and a fastcgi app isn't a cgi app
05:58 < simplechat> and until you get that, i'm not going to respond
05:59 < ropetin> simplechat: I don't know
05:59 < simplechat> ropetin, damn, i'm just wondering if i should shove this on bash
05:59 < vramesh> i get that,
05:59 < vramesh> thats not the problem
05:59 < simplechat> vramesh, there is no problem, thats your problem
05:59 < simplechat> you can't argue against reality
06:00 < vramesh> its not reality, i'm just sick of new kids thinking that linux is the best thing to ever happen
06:00 < vramesh> its the exact opposite
06:00 < simplechat> vramesh, i've worked quite a bit on both linux and windows
06:00 < vramesh> people just choose to ignore everything that doesnt work
06:00 < simplechat> linux > windows for basically everything
06:00 < vramesh> for what
06:00 < vramesh> wireless drivers
06:00 < vramesh> no
06:01 < vramesh> graphics drivers no
06:01 < vramesh> distribution
06:01 < vramesh> no
06:01 < simplechat> scroll up a bit
06:01 < vramesh> what distributed file system does linux/OSS offer
06:01 < simplechat> and you'll see me explain why windows is good in those areas
06:01 < simplechat> even though it sucks
06:01 < vramesh> that compares with dfs
06:01 < vramesh> ?
06:01 < vramesh> nothing
06:01 < simplechat> vramesh, gfs is what google uses, under linux
06:01 < vramesh> gfs
06:01 < simplechat> and thats pretty damn distributed
06:01 < vramesh> offers no security
06:01 < vramesh> absolutely no security
06:01 < simplechat> considering that it deals with a couple of PB of data around the world
06:02 < simplechat> lol
06:02 < simplechat> your an idiot :)
06:02 < vramesh> the only thing that comes close is afs
06:02 < vramesh> ??
06:02 < simplechat> really, i can't phrase that better
06:02 < vramesh> do you know what gfs is
06:02 < simplechat> yes
06:02 < vramesh> do you know what afs and dfs is
06:02 < vramesh> ok then explain to me how gfs is different than afs and dfs
06:02 < simplechat> gfs works well in practice?
06:02 < vramesh> no it doesnt
06:03 < vramesh> because, its a research filesystem for google internal use
06:03 < simplechat> i have some friends at google that would smack you for saying that :)
06:03 < vramesh> theres no security on it
06:03 < simplechat> considering they have quite a bit of data on it
06:03 < simplechat> :)
06:03 < vramesh> i understand that
06:03 < vramesh> but its completely the opposite of what you said
06:03 < vramesh> its not practical
06:03 < simplechat> ?
06:03 < vramesh> because it has no security
06:03 < simplechat> compare ext3 or reiser to ntfs
06:03 < vramesh> its an internal file system
06:03 < simplechat> compare really any modern fs to ntfs
06:04 < vramesh> ntfs is journaled
06:04 < simplechat> yeah, and?
06:04 < vramesh> atomic
06:04 < simplechat> everything is
06:04 < simplechat> and its not
06:04 < vramesh> supports streams
06:04 < simplechat> everything does
06:04 < vramesh> no it doesnt
06:04 < simplechat> vramesh, http://en.wikipedia.org/wiki/Comparison_of_file_systems read
06:04 < vpnHelper> Title: Comparison of file systems - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:04 < vramesh> not to mention ntfs has a large upper bound
06:04 < simplechat> compare ZFS to ntfs
06:04 < simplechat> and try to say that ntfs comes close
06:04 < simplechat> in any way
06:04 < vramesh> zfs isn't linux
06:04 < simplechat> you can run it under fuse
06:05 < simplechat> :) its foss and it runs nicely
06:05 < vramesh> thats not a real file system
06:05 < simplechat> and its not windows
06:05 < vramesh> no its corporate
06:05 < simplechat> wtf?
06:05 < vramesh> i met the guy that wrote it
06:05 < vramesh> jeff bonwick
06:05 < vramesh> introduced him at a conference
06:05 < vramesh> so don't tell me about zfs
06:05 < simplechat> uh
06:05 < simplechat> so compare zfs to ntfs
06:05 < simplechat> zfs is working now
06:05 < simplechat> i know a couple of companies that use them quite a bit internally
06:05 < simplechat> take smugmug as an ex
06:06 < vramesh> http://www.acm.uiuc.edu/conference/2008/video/UIUC-ACM-RP08-Bonwick.avi
06:06 < simplechat> *zfs quite a bit internally
06:06 < vramesh> go watch that
06:06 < simplechat> for what?
06:06 < vramesh> so you understand filesystems
06:06 < simplechat> yeah
06:06 < simplechat> i know what zfs is, what it can do and why its so utterly cool
06:06 < vramesh> and you just jumped from distributed filesystems to local filesystems
06:06 < simplechat> and i know what ntfs is and can do
06:07 < simplechat> vramesh, gfs beats dfs anyday
06:07 < simplechat> and its in use now
06:07 < simplechat> and it works brilliantly
06:07 < vramesh> you don't understand
06:07 < simplechat> so linux 1, ms 0
06:07 < vramesh> what dfs is
06:07 < simplechat> lighty runs well on any hardware, iis doesn't
06:07 < simplechat> linux 2 ms 0
06:07 < simplechat> windows has that insanely broken security that its not funny
06:07 < vramesh> dfs is a global distributed filesystem
06:07 < simplechat> linux 3 ms 0
06:07 < simplechat> good for it
06:07 < vramesh> it doesnt compare with gfs
06:07 < simplechat> name a company that has deployed it, and what it was used for?
06:07 < vramesh> its not even in the same class
06:07 < simplechat> where another fs wasn't appropriate?
06:08 < simplechat> so just to recap, linux has packages, ms doesn't
06:08 < vramesh> any company that needs a distributed filesystem will go for afs or dfs
06:08 < simplechat> linux 4 ms 0
06:08 < vramesh> morgan stanley uses afs
06:08 < simplechat> linux has repositories, so you can push updates easily
06:08 < simplechat> linux 5 ms 0
06:08 < simplechat> linux has a shell, windows doesn't (and got owned pretty badly by this point by the owner of zsh)
06:08 < vramesh> dfs is at every large institution
06:08 < simplechat> linux 6 ms 0
06:08 < simplechat> mit uses afs
06:08 < vramesh> universities use it
06:09 < vramesh> yes
06:09 < vramesh> whats youre point
06:09 < vramesh> thats what i just said
06:09 < vramesh> they would use afs or dfs
06:09 < simplechat> that linux is better then windows is basically every way?
06:09 < vramesh> no that mit uses afs
06:09 < vramesh> mit/umish
06:09 < vramesh> large institutions use afs or dfs
06:09 < vramesh> gfs isn't related
06:10 < simplechat> do you know the difference between samba and ext3?
06:10 < vramesh> its an internal file system that has no security
06:10 < simplechat> you have no idea, do you?
06:10 < vramesh> samba is a protocol you idiot
06:10 < simplechat> and what do you think afs & the rest are?
06:11 < vramesh> its not a file system
06:11 < simplechat> its like a nfs share
06:11 < simplechat> sure its called the network file system
06:11 < simplechat> but the actual disk is storing stuff in ex3
06:11 < simplechat> *ext3
06:11 < simplechat> what people share stuff across the network really isn't relevant
06:11 < vramesh> except youre missing one key point
06:11 < simplechat> except that afs works nicely
06:11 < vramesh> dfs afs
06:11 < vramesh> provide a single namespace
06:12 < simplechat> ext3 is better then ntfs, in basically every conceivable way
06:12 < simplechat> and zfs is better then ntfs
06:12 < vramesh> i'm laughing so hard at the ext comment
06:12 < vramesh> you've never taken a look at ext have you
06:12 < simplechat> vramesh, i've gone from laughing to just being damn sad
06:12 < vramesh> an actual inode storage fs will never beat ntfs in performance
06:12 < simplechat> you don't know what you don't know
06:13 < vramesh> simplechat: go to college and learn something
06:13 < vramesh> then we'll talk
06:13 < simplechat> http://osdir.com/ml/file-systems.ext2.devel/2005-07/jpgGjKjgFTKoJ.jpg
06:13 < vramesh> because you're obviously misguided
06:13 < simplechat> no, more you just don't know whats happening
06:13 < simplechat> compare the performance of zfs with ntfs
06:13 < vramesh> and what does this show me
06:13 < vramesh> ?
06:13 < vramesh> nothing
06:14 < vramesh> not to mention
06:14 < simplechat> linux actually scales :)
06:14 < vramesh> that benchmarks are completely input based
06:14 < vramesh> so that showed me nothing
06:14 < vramesh> ntfs wasnt even on there
06:14 < vramesh> first
06:14 < simplechat> i mean, seriously, how many places run windows on distributed apps?
06:14 < simplechat> things that they pay for?
06:14 < vramesh> everyone who cant afford to fail
06:15 < vramesh> runs windows
06:15 < simplechat> because just to give you a slight hint, whilst i was at a nice little multibillion dollar company that started with A
06:15 < simplechat> they run linux everything, because it doesn't fail
06:15 * bandini rolls his eyes
06:15 < simplechat> and the only windows servers they were running was because they couldn't get a linux server to stream wmp
06:15 < vramesh> if youre talking about google,
06:15 < vramesh> theyre a bunch of wankers
06:15 < vramesh> they throw money at the problem
06:15 < simplechat> vramesh, does google start with A?
06:16 < vramesh> and theyre servers fail all the time
06:16 < simplechat> and once they find something to fix it, there going to shut down there windows nodes because they cost money
06:16 < vramesh> they just reboot them all the time
06:16 < simplechat> they can't be loaded like linux nodes
06:16 < simplechat> and they just generally cost more per performance unit
06:16 < vramesh> google has always taken the brute force approach
06:16 < simplechat> its not worth it
06:16 < vramesh> vs the elegant one
06:16 < simplechat> <simplechat> vramesh, does google start with A?
06:16 < simplechat> bandini, yeah, i know, sad, isn't it
06:16 < simplechat> vramesh, you should read there whitepapers
06:16 < simplechat> they do some beautiful work :)
06:17 < vramesh> i do read their papers
06:17 < vramesh> and google is a disgrace
06:17 < simplechat> but just to recap, windows sucks when your deploying it and look at it objectively
06:17 < simplechat> and this is coming from a company that makes its money doing things very efficiently
06:18 < vramesh> this is just hilarious, because i was in youre shoes 3 years ago, when i found tried linux for the first
06:18 < simplechat> lol
06:18 < simplechat> you were interning at MIT working for the big A?
06:18 < simplechat> its sweet, they have an office just down the road :)
06:19 < simplechat> vramesh, i'm not a fanboi, but i have seen the stats
06:19 < vramesh> clearly misread
06:19 < simplechat> i've seen people smarter then me crunch the numbers on it, and i know which is better
06:20 < simplechat> vramesh, learn about fastcgi, lighty & the rest
06:20 < simplechat> in terms of performance, anything beats IIS, you live with it, its like the security issues
06:20 < vramesh> learn about systems architecture
06:20 < simplechat> am doing
06:20 < vramesh> you obviously know nothing about distributed systems
06:20 < simplechat> i do
06:20 < vramesh> explains why youre so misled
06:21 < simplechat> vramesh, and you don't know how to conceded
06:21 < simplechat> *concede
06:21 < simplechat> i've beaten you on every point that you've made
06:21 < simplechat> but you just keep changing the subject
06:21 < vramesh> i do when i im wrong
06:21 < vramesh> only in your mind kid
06:21 < simplechat> then why is it that when i give you something you can't refute, you change the subject?
06:21 < vramesh> you obviously havent been paying attention the entire conversation
06:22 < simplechat> just reading my scrollback
06:22 < simplechat> one sec
06:22 < vramesh> i have been refuting
06:22 < vramesh> you changed the subject
06:22 < vramesh> we were talking about distributed file systems
06:22 < vramesh> and you went to local file systems
06:22 < simplechat> in the beginning:
06:22 < simplechat> powershell is not a shell, its not and ms got owned on that (google it if you want to be sure)
06:22 < simplechat> you changed the subject
06:23 < simplechat> iis does beat apache, just profile them in terms of features/etc.
06:23 < simplechat> you changed the subject
06:23 < bandini> guys, can you take it to /msg please?
06:23 < vramesh> i've got better things to do anyway
06:23 < simplechat> bandini, can i just own this guy and be at peace?
06:23 < simplechat> he's better then the standard ms trolls :)
06:24 < vramesh> first, i'm not a ms troll
06:24 < vramesh> i'm not a ms fan
06:24 < simplechat> i'd say you are
06:24 < vramesh> i dont like everything ms does
06:24 < vramesh> a majority of times, their designs and principles are far better than what i've seen in the open source community
06:25 < simplechat> you argued with a straight face that windows scales better then linux
06:25 < simplechat> thats a ms troll
06:25 < vramesh> it does
06:25 < vramesh> thats a fact
06:25 < simplechat> vramesh, try it
06:25 < simplechat> i have, it doesn't
06:25 < vramesh> what did you try it on
06:25 < vramesh> ?
06:25 < simplechat> its a very easy point
06:25 < vramesh> no, explain your experience
06:26 < vramesh> i'd love to hear it and tell you what you did wrong
06:26 < simplechat> vramesh, not me personally, it was on the windows streaming servers vs. the rest of the cdn
06:26 < vramesh> so you havent tried
06:26 < vramesh> it
06:26 < simplechat> when lbing between the two, on identical hw the windows server can take 50% of the traffic the linux servers do before buckling
06:26 < vramesh> so you dont know
06:26 < simplechat> no, i was just part of the lbgroup using that data
06:26 < vramesh> again so you dont know
06:27 < simplechat> yes, i do
06:27 < vramesh> because you werent doing this
06:27 < simplechat> again, i was part of the lbgroup
06:27 < simplechat> we did the stat testing to show this
06:27 < vramesh> grow up kid
06:27 < simplechat> vramesh, lol
06:27 < simplechat> your arguing against reality
06:27 < simplechat> actually try it sometime
06:27 < simplechat> it will fail on you at about 50% of max load
06:27 < simplechat> the graphs are ok for most of it, then they go off pretty much exponentially
06:28 < simplechat> and you can't throw hw at it to fix it easily
06:28 < simplechat> (its cheaper to just throw more cheaper servers at it)
06:28 < simplechat> what experience do you have with doing this?
06:29 < simplechat> cause the big A is just about the best company in the world when it comes to cdn's and load balancing
06:29 < simplechat> and if you can show that you can do things better then they do, i'll see if i can set you up with a job
06:29 < simplechat> cause you'll save us a bundle of cash :)
06:29 < simplechat> bandini, i'm done :)
06:29 < simplechat> any openvpn related issues?
06:32 < simplechat> vramesh, so which is it? Do you know what your talking about or do you not?
06:46 < Solarbaby> is anyone here running OpenVPN on a Linksys router?
06:47 < Solarbaby> I try and try.. but I think im just going to need someone with experience at this point
06:48 < simplechat> Solarbaby, using the router itself as a server?
06:48 < simplechat> is it running generic linux? or what?
06:49 -!- vramesh [n=vramesh@c-98-212-205-165.hsd1.il.comcast.net] has quit [Read error: 145 (Connection timed out)]
07:18 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:24 -!- dotCOMmie [i=tox@glitchinthe.net] has quit [Remote closed the connection]
07:27 -!- dotCOMmie [n=tox@65.110.59.200] has joined ##openvpn
07:46 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has joined ##openvpn
07:49 < Mahmoud> any decent book on openssl u guys recomment
07:49 < Mahmoud> recommend*
07:50 -!- lilalinux is now known as lila_gassi
07:52 -!- J-23 [n=zelazko@unix.net.pl] has left ##openvpn []
07:53 < simplechat> Mahmoud, iirc theres a book recommended on the website
07:54 < Mahmoud> simplechat, link?
07:54 < Mahmoud> the one by Markus Feilner?
07:55 < simplechat> i think so
07:55 < Mahmoud> that's openvpn's book. i need something only about openssl
07:56 < simplechat> ah, openssl
07:57 < simplechat> sorry, misread
07:57 < simplechat> i'm not sure
07:57 < Mahmoud> np.. eyepos happen
07:58 < Mahmoud> seems i'll use oreilly's book on openssl and give it a try
08:04 < Mahmoud> O'Reilly's book on openssl is just 300 pages. nice. hope it's easy.
08:05 < simplechat> :)
08:05 < simplechat> hopefully
08:12 < Mahmoud> the book says in chapter 1, call openssl from other scripts, like shell, perl..etc
08:13 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit ["Leaving"]
08:32 < ecrist> Mahmoud: "Network Security with OpenSSL" (O'Reilly)
08:33 < Mahmoud> yeah, im reading it now
08:33 < ecrist> it's a good book, all I've needed, and far superior to most of the online documentation.
08:33 < Mahmoud> i see
08:33 < Mahmoud> but so far their introduction is so generic and boring
08:33 < Mahmoud> i hope it gets dirty soon
08:34 < ecrist> I wouldn't recommend it for reading material, unless you're *really* constipated. ;) It's a great reference, though.
08:34 < Mahmoud> somewhere it says this book is not for security experts, but only people who want to do practically, and please don't do stuff your self as u r likely to be mistaken
08:35 < Mahmoud> only use pre-made stuff, don't deal with encryption directly
08:35 < Mahmoud> ecrist, u wouldn't recommend it for reading? :/
08:35 < ecrist> what're you looking to do?
08:35 < Mahmoud> i want a book to read and understand
08:36 < Mahmoud> using openssl to generate stuff for openvpn, plus understand ssl details
08:36 < ecrist> Mahmoud: no. It's a great reference. Very dry for general reading, though. I would tend to agree with the statement above, to use stuff already developed.
08:36 < ecrist> Mahmoud: what OS you using?
08:36 < Mahmoud> i don't want to know how 3des encrypts/decrypts blocks in fixed sizes blah blah though
08:37 < Mahmoud> freebsd
08:37 < ecrist> ah, see the perl script I wrote in /usr/ports/security/ssl-admin
08:37 < Mahmoud> easyrsa?
08:37 < ecrist> no
08:37 < ecrist> easyrsa blows, IMHO
08:37 < ecrist> that's why I wrote ssl-admin
08:37 < ecrist> http://www.freshports.org/security/ssl-admin/
08:38 < vpnHelper> Title: FreshPorts -- security/ssl-admin (at www.freshports.org)
08:38 < Mahmoud> i see, is it generic for other usage? i'm thinking to make my own CA and sign certificates for all my websites inside the corporate i work for
08:38 < ecrist> yes, it's generic for most other uses, but has some OpenVPN specific support, as well.
08:38 < ecrist> I use that script for exactly what you're saying you need.
08:39 < ecrist> It also handles CRLs.
08:39 < Mahmoud> great man..
08:39 < Mahmoud> i'm making it now
08:39 < ecrist> now, since you know where to find me, please let me know about any bugs or feature requests.
08:40 < dvl> here I was... wondering why FreshPorts was mentioned here...
08:40 < Mahmoud> ecrist, thanks man, an honour for me to meet you in irc :D
08:40 < ecrist> dvl: you may have noticed that most of the regular support folks here are FreeBSD fans...
08:41 < dvl> I've seen a few signs
08:41 < dvl> see... I wrote FreshPorts.org
08:41 < ecrist> I'm aware; nice job!
08:41 < dvl> thanks
08:43 < dvl> well, I guess I should be getting ready for a bike ride...
08:43 < ecrist> hopefully the weather is warmer where you are.
08:43 < ecrist> 13* F here...
08:44 < ecrist> oh, sorry, 5*
08:44 < Mahmoud> so instead of reading the oreilly book, i'm reading ssl-admin's manual page :)
08:45 < dvl> About 30F here
08:47 < Mahmoud> ## Read config file and die if there's a syntax error.
08:50 < ecrist> Mahmoud: the man page is far from complete. If there is something specific missing, let me know so I can add it for the next release.
08:51 < Mahmoud> your wishes are my commands :-D
08:53 < ecrist> actually, feel free to send any recommendations, patches, or feature requests to me (use email in Makefile in security/ssl-admin dir)
08:53 < ecrist> I've gotta go for the day. See you folks later.
08:54 < Mahmoud> thanks, see ya
09:00 -!- ikevin_ [n=kevin@ANancy-256-1-88-32.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
09:01 -!- lila_gassi is now known as lilalinux
09:43 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has quit [Read error: 54 (Connection reset by peer)]
10:31 -!- joat [n=joat@ip70-174-79-200.hr.hr.cox.net] has joined ##openvpn
10:32 -!- joat [n=joat@ip70-174-79-200.hr.hr.cox.net] has left ##openvpn ["Ex-Chat"]
11:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:40 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has quit []
11:48 -!- masrawy [i=admin@freebsd-help.org] has left ##openvpn []
11:52 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
14:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:54 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Connection reset by peer]
15:00 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn
17:15 -!- dvl [n=nnnnnndv@pdpc/supporter/professional/dvl] has left ##openvpn ["Leaving"]
19:40 -!- manitoba98 [n=jeremy@CPE00131077b1ee-CM001868e7eda6.cpe.net.cable.rogers.com] has joined ##openvpn
19:41 < manitoba98> Hello all - sorry if this is a FAQ, but Google didn't give me anything useful. Is there a way to meter (and ideally restrict) bandwidth usage per VPN user?
20:44 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
20:54 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
20:58 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn
21:06 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Nick collision from services.]
21:08 -!- manitoba98 [n=jeremy@CPE00131077b1ee-CM001868e7eda6.cpe.net.cable.rogers.com] has left ##openvpn []
22:02 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:02 -!- TheMahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn
22:12 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Connection timed out]
22:24 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has joined ##openvpn
22:42 < ecrist> bitches.
22:42 < ecrist> g'night
22:47 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
22:49 < jeev> night testicle sucker
22:53 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn
23:03 < tjz> haha
23:03 < tjz> testicle sucker..
23:03 < tjz> haha
23:03 -!- Dopefish [i=dopefish@unaffiliated/imk] has joined ##openvpn
23:31 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has joined ##openvpn
23:34 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn
23:35 < PeterFA> How do I make a server make tls-authentication optional?
23:41 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
23:54 -!- ikevin [n=kevin@ANancy-256-1-88-32.w90-26.abo.wanadoo.fr] has joined ##openvpn
--- Day changed Mon Dec 08 2008
00:08 < Solarbaby> this has turned out to be a major configuration nightmare.. you get to the point where you've spent so much time trying to make something work you'll feel like you wasted all that time if you dont complete it
00:09 < Solarbaby> thats kinda a crappy feeling
00:09 < Solarbaby> least it connects though
00:15 < jeev> what's wrong heh
00:28 < Solarbaby> at this point I'm just connecting my remote (ubuntu linux) to my server (openwrt_openvpn) and I can see the network, but I want to access the servers internet as well.
00:36 < jeev> have you enabled nat?
00:42 < Solarbaby> iptables -t nat -A POSTROUTING -s 255.255.255.128/24 -o eth0 -j MASQUERADE
00:42 < Solarbaby> thats what i typed on the server running openvpn.. i thought thats how it should work.. I was just guessing
00:43 < jeev> 255.255.255.128 ??
00:43 < jeev> [asteb
00:43 < jeev> pastebin your openvpn server conf
00:43 < jeev> i'm gonna play WoW very fast
00:43 < jeev> please do it
00:43 < jeev> also, traceroute 4.2.2.2 while connected to vpn
00:43 < jeev> and pastebin
00:44 < Solarbaby> I'd be thankful for any help.. I'll post bin it
00:44 < Solarbaby> certainly
00:47 < jeev> postbin heh
01:01 < Solarbaby> jeev: did you get those post bins? (grin)
01:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
01:30 -!- Luria [n=trashed@cpe-74-66-17-216.nyc.res.rr.com] has joined ##openvpn
01:35 < jeev> nope
01:35 < jeev> lol
01:35 < jeev> i went through 3 battlegrounds
01:36 < jeev> and a long ass alterac valley queue
01:36 < jeev> and nothing
01:36 < Solarbaby> I sent them to you privately
01:36 < jeev> oh
01:37 < jeev> i got a new phrase for
01:37 < jeev> the most interesting man in the world
01:37 < jeev> "his blood is used to wash clothing, as the antibodies clean stains better than liquid detergent"
01:41 < jeev> ?
01:41 < jeev> wanna try pastebin.ca ?
01:44 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"] 01:44 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 02:47 -!- Luria [n=trashed@cpe-74-66-17-216.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)] 03:50 -!- paruchuri [n=paruchur@61.16.248.247] has quit [Read error: 110 (Connection timed out)] 03:53 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 03:54 -!- justdave_ [n=dave@unaffiliated/justdave] has joined ##openvpn 03:55 < bsdbandit> im running openvpn 2.0.9 on openbsd 4.4 but when trying to start the openvpn daemon its just hanging on the TLS_Auth MTU parms that is all that it shows in the log file 03:55 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 104 (Connection reset by peer)] 03:55 < bsdbandit> any suggestions on what to look for 04:00 < Solarbaby> did you create a da.key? 04:01 < Solarbaby> i mean a ta.key 04:01 < Solarbaby> point a path to it in your server.conf 04:01 < bsdbandit> yeah i did now im getting address already in use 04:01 < bsdbandit> error 04:01 < Solarbaby> Im just a novice 04:03 < bsdbandit> i hear that 04:06 < Solarbaby> every long ass day I get a little further 04:24 < ropetin> Still not working Solarbaby? 04:25 < Solarbaby> ropetin: its getting better and better.. it handshakes pretty well.. i see samba.. those things are great.. but I must get internet to my ubuntu openvpn client 04:26 < Solarbaby> i've done my fair share of research.. 
but something just isn't jiving 04:26 < ropetin> Hmmm, that sucks 04:26 < Solarbaby> you couldn't be more right about that 04:27 < ropetin> I don't know what to say, I had one small issue setting mine up, and once I fixed that, perfect 04:27 < Solarbaby> very nice 04:27 < Solarbaby> some people just get it 04:27 < Solarbaby> I've struggled the whole way 04:28 < ropetin> :( 04:31 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 145 (Connection timed out)] 04:36 < ropetin> What exact hardware/network connectivity are you trying to connect? 04:36 < Solarbaby> Is James Yonan logged in? 04:36 < Solarbaby> he probably never comes to this channel.. he's the programmer for OpenVPN 04:37 < Solarbaby> Ok heres the setup 04:37 < ropetin> I've never seen anyone claiming to be a programmer, no 04:38 < Solarbaby> I have 2 linksys routers.. the one thats connected directly to the internet is hardwired. Its running dd-wrt. Its been programmed to port forward ip and port for openvpn 04:39 < Solarbaby> then my other linksys router is running openwrt and it has openvpn installed to it 04:39 < Solarbaby> my openwrt router is completely wireless in every way accept the power plug :) 04:40 < Rienzilla> except 04:40 < Rienzilla> (sorry :)) 04:40 < Solarbaby> so its setup as a wireless bridge.. its basicly a litewait server.. and when I need to plug something like an xbox into it.. its always available somewhere in the house for that sort of thing 04:40 < ropetin> Hmmm, ok, so it's not just 'a vpn server' and a client, that explains a lot 04:41 < Solarbaby> Im sure this would have been more straight forward if I installed the server to a windows xp computer.. 
and in the future after I get this one working, i'll probably do that 04:41 < Solarbaby> it's just excellent having stuff that is always on performing multiple functions 04:41 < ropetin> Well no, install it on a Linux computer and it will be easy peasy 04:42 < ropetin> But my VPN Concentrator, if that's the right word, until I borked it was a NSLU2 with Debian installed 04:42 < ropetin> So I agree on the reuse thing, why have 60+ watts of power being used for something that can take 5 watts 04:42 < Solarbaby> anyways.. my openvpn client is running on my ubuntu laptop.. it connects.. but no internet.. and my goal is to always use my local internet from the road 04:42 -!- TheMahmoud is now known as Mahmoud 04:43 < Solarbaby> you've got it 04:43 < ropetin> OK, so it's a fairly common config then 04:43 < ropetin> Apart from the 'two routers' thing, but does that really affect it at all? 04:43 < Solarbaby> naw I dont think it does 04:44 < Solarbaby> the openwrt thinks its a linux computer anyhow 04:44 < ropetin> No, me either 04:44 < ropetin> Yeah, although if I remember from what I've read OpenWRT or whatever it is is kind of mutated from a standard install 04:45 < Solarbaby> yeah.. I had my ups and downs so far 04:45 < ropetin> Sounds like it 04:49 < ropetin> Oh my goodness, do you read SlashDot at all? 04:49 < Solarbaby> not for a long time now 04:49 < Solarbaby> nothing against it 04:50 < ropetin> They have a story about a special handgun designed for old people has been determined to be a medical device, so Doctors can now prescribe it to their elderly patients with bad hands 04:50 < ropetin> (This is in the USA of course, if you couldn't guess) 04:50 < Solarbaby> wow 04:51 < Solarbaby> so even mr shakey hands can shoot shoot you with out shooting his own feet first? 
04:51 < ropetin> It's scary beyond belief 04:51 < Solarbaby> old people get robbed allot 04:51 < ropetin> Yup, so basically Medicare will cover the cost of the device to shoot someone, but won't cover the cost of fixing the person who got shot 04:52 < Solarbaby> hahaha 04:52 < Solarbaby> jeezus what a way to look at it 04:52 < ropetin> It's the truth! 04:52 < Solarbaby> yeah the truth is stunning 04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:52 * ropetin will get off his liberal high horse now :) 04:53 < ropetin> I wonder if I could get my Dr to prescribe me one? "Doc, I'm so depressed, I need Xanex and a hand-gun" 04:53 < ropetin> Meh 04:53 < Solarbaby> theres a doc for everything 04:53 < ropetin> Back to VPN issues :D 05:14 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn 05:23 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 104 (Connection reset by peer)] 05:45 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 05:50 -!- paruchuri [n=paruchur@61.16.248.247] has quit [Read error: 104 (Connection reset by peer)] 06:06 -!- doke [n=me@unaffiliated/emrah] has joined ##openvpn 06:07 < doke> Hello people 06:09 < doke> before I start moaning, I'd like to say that OpenVPN is great and wonderful... I'm connected on my OpenVPN server via a tap interface on a captive portal supposed to cost 10 eur per hour... And because I use udp port 53 and they don't make any traffic shaping... and the dns port is open... Everything is free 06:09 < doke> So thank you 06:09 < doke> But now the big question is 06:10 < doke> How do I proceed to either port OpenVPN to Symbian or compile it on my Nokia E90? 06:10 < doke> If the project works as I'd expect to I could even start a nice bounty.... 
who ever it could interest 06:31 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn 06:41 < Solarbaby> ropetin: its working 06:42 < Solarbaby> ropetin: my network is very very slow right now.. I'm still using satalite.. but that should change next week.. 06:43 < Solarbaby> ropetin: the answer was instead of disabling the firewall, like I had done.. it needed to be running and the right iptables arguements added 07:05 < Mahmoud> openssl enc defaults to -salt, but the manual page says it defaults to -nosalt... hmmmm 07:14 < ecrist> g'morning folks 07:19 < Solarbaby> Morning 07:30 < Mahmoud> ecrist, your ssl-admin is SUPER AMAZING!!! 07:37 < ecrist> glad you like it. 07:38 < doke> guys did any body read me 07:38 < doke> Does anybody have an experience with OpenVPN on Symbian 07:43 < ecrist> not i 07:44 < Solarbaby> sorry Doke 08:07 -!- netcrash [n=andre@88.157.82.196] has joined ##openvpn 08:10 < netcrash> Hello, I'm trying to send a /27 route via openvpn but the client isn't able even to ping the open vpn ppp server ip, I have a push route of 192.168.23.64 255.255.255.224 , I have other direct routes to hosts with host 255.255.255.255 , that also don't work , any tips ? 08:18 < ecrist> netcrash: we need your configs to help 08:18 < ecrist> !conigs 08:18 < vpnHelper> ecrist: Error: "conigs" is not a valid command. 08:18 < ecrist> !configs 08:18 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:25 < netcrash> ecrist: pastebin.com/d20f46522 <- server.cf 08:26 < doke> thx for your reply Solarbaby and ecrist 08:27 < netcrash> ecrist: http://pastebin.com/d3758082c 08:27 < netcrash> client.cf 08:29 < ecrist> ok, so, to start, can your clients connect to the VPN and ping the VPN interface? 
08:31 < netcrash> ecrist: yes 08:31 < netcrash> the vpn is started withouht any problems I get the routes are set in the client 08:31 < ecrist> ok 08:33 < ecrist> but the /27 you're trying to add isn't working? 08:33 < netcrash> none of them are ... :S I can't event ping the vpn ip of the server 08:34 < netcrash> The 192.168.23.83 I can ping ok , the 192.168.45.1 I can't 08:35 < ecrist> :\ 08:35 < ecrist> 08:29 < ecrist> ok, so, to start, can your clients connect to the VPN and ping the VPN interface? 08:35 < ecrist> 08:31 < netcrash> ecrist: yes 08:35 < netcrash> my vpn server version is ... 2.0.9 08:35 < netcrash> ha , sorry I read it wrong :s 08:35 < ecrist> netcrash: do you have a firewall running on the VPN server? 08:36 < netcrash> Yes, it's behind a firewall. 08:36 < ecrist> that's not what I asked. 08:36 < ecrist> netcrash: do you have a firewall running on the VPN server? 08:36 < netcrash> yes 08:36 < ecrist> try disabling it, see if you're able to ping the IP on tap0 08:37 < netcrash> ok 08:39 < netcrash> still can't 08:39 < ecrist> you're connected to the VPN, and you are successfully assigned an IP on the VPN subnet? 08:40 < netcrash> correct 08:41 < netcrash> let me try to see the log 08:42 < ecrist> what does a traceroute 192.168.45.1 show, from the client 08:43 < netcrash> all * * * 08:43 < netcrash> ping: sendmsg: No buffer space available 08:43 < ecrist> that still sounds liek a firewall 08:46 < netcrash> :s 08:48 < netcrash> but if I push direct routes it works ok , like "172.16.68.11 255.255.255.255" 08:49 < netcrash> I'm going to try to redo all the config ... server included... 08:51 -!- Carlos_Tico [n=ircap@c-98-200-244-36.hsd1.tx.comcast.net] has joined ##openvpn 08:52 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 08:55 -!- gfather [n=g@79.173.226.86] has joined ##openvpn 08:55 < gfather> hello guys 08:55 < gfather> when i use redirect-gateway from clint side , should i enable it from server ? 
08:56 < ecrist> iirc, you can't do that on the client side, it's a server setting. 08:56 < gfather> i did redirect-gateway on clint , i can perefcly connect to lan , but couldent have wan 08:56 < ecrist> gfather: you're going to need NAT on the server side, regardless how you do redirect-gateway 08:58 < gfather> brb 08:58 -!- kombi [n=kombi@port-92-198-15-96.static.qsc.de] has joined ##openvpn 08:58 -!- gfather [n=g@79.173.226.86] has quit [Read error: 104 (Connection reset by peer)] 08:59 < kombi> can't get the management interface to work. I put management localhost 7505 into the config file and restart but telnet won't connect and nmap won't show the port. Did I get the concept wrong? 09:00 < netcrash> ecrist: thanks for the help. I haven't found the problem but I'll keep on trying :) 09:00 -!- gfather [n=g@79.173.220.255] has joined ##openvpn 09:00 < gfather> im back 09:02 < kombi> what can I do to speed things up? (other than buy bandwidth;) 09:02 < gfather> <ecrist> but im sure my routed settings are right 09:02 < gfather> what im messing here , or didnt understand ? 09:04 < ecrist> kombi: enable compression (LZO) 09:05 < gfather> <ecrist> you mean i have to nat it on the openvpn mashine itslef 09:05 < ecrist> gfather: the VPN ips you're using are probably not internet routable. as such, you'll need NAT on teh VPN server for outgoing connections to the internet 09:05 < Solarbaby> ecrist: figured that out myself today ;) 09:07 < Solarbaby> ecrist: something isn't working right though for me.. can't even get the full google.com page to load up.. just partial 09:07 < ecrist> sounds like a slow connection and some page components are timing out 09:07 < Solarbaby> my connection is really slow satalite with wildblue 09:08 < ecrist> that's gonna be your problem. 09:08 < ecrist> latency is a bich 09:08 < ecrist> bitch* 09:08 < kombi> ecrist: comp-lzo you mean? got that enabled.. 
Sometimes the connection seems to stall though 09:08 < Solarbaby> and im inside my own network connecting to my no-ip account.. pointed right at where im coming from 09:09 < ecrist> kombi: tcp or udp? 09:09 < Solarbaby> ecrist: would you recommend any settings for my ubuntu client? 09:09 < kombi> ecrist: udp 09:10 < kombi> bridged mode 09:12 < gfather> <ecrist> what vpn ips can be internet routable ? 09:12 < ecrist> none, unless you have an internet-routable IP block 09:12 < ecrist> !1918 09:12 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 09:13 < Solarbaby> dunno 09:15 < gfather> im using 172.19.3.x 09:15 < gfather> so either i change that to 172.16.0.0 or to add a new iptable rule 09:15 < gfather> right ? 09:16 < ecrist> gfather, you need NAT 09:18 -!- SerajewelKS [i=devnull@wikipedia/Crazycomputers] has joined ##openvpn 09:19 < gfather> iptables -t nat -A alpaca-post-nat -s 172.19.3.0/255.255.255.0 -j MASQUERADE 09:19 < SerajewelKS> is it possible to specify options in a vpn server config that will be put into effect only for specific clients? 09:19 < gfather> this should make it work if im not wronge 09:20 < Solarbaby> gfather: shouldn't you have a network adapter in that line? 09:21 < gfather> dont think so :S 09:21 < Solarbaby> ok just checking 09:21 < ecrist> SerajewelKS: yes 09:21 < SerajewelKS> ecrist: good to know 09:21 < ecrist> you need a client config dir, then a config file for each client with 'special' config options named the same as their SSL cert. 09:22 < ecrist> this is also how static IPs are accomplished. 09:22 < SerajewelKS> ecrist: basically what i want to do is set up a route to a subnet for only one specific client and also assign it a static ip. all other clients should get a dynamic ip. 
09:22 < ecrist> !iroute 09:22 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 09:23 < SerajewelKS> ecrist: is that possible? if so i'm sure i can figure it out, i just don't want to head down a road that's a dead end. 09:23 < ecrist> oh, nm, you don't need iroute, you just need client config 09:23 < ecrist> yes, it's really simple 09:23 < SerajewelKS> nods, i was wondering what that was for :) 09:23 < ecrist> read the howto 09:23 < SerajewelKS> alright 09:23 < SerajewelKS> i have, probably just missed the relevant sections 09:23 < SerajewelKS> in other news, i've been up for 24 hours :/ 09:24 -!- kombi [n=kombi@port-92-198-15-96.static.qsc.de] has quit ["Verlassend"] 09:25 < SerajewelKS> couple more hours hacking at this and i can play dungeon siege with my brother, without configuring any router port forwards... 09:39 -!- Carlos_Tico [n=ircap@c-98-200-244-36.hsd1.tx.comcast.net] has left ##openvpn [] 09:43 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 09:43 < ecrist> hey plaerzen 09:44 < plaerzen> hey ecrist 09:44 < plaerzen> what's up? have a good weekend? 09:44 < ecrist> yeah 09:44 * ecrist <3 new truck. 09:44 < plaerzen> me too :D 09:44 * plaerzen <3 fornication in restaurant bathrooms. 09:45 < ecrist> lol 09:45 < plaerzen> you got a new 4x4 ? 09:46 < ecrist> yep 09:48 < plaerzen> ah, which one ? 09:48 < ecrist> hang on, let me find the info 09:48 < ecrist> aw, they took it off their website already 09:49 < SerajewelKS> can the key password be specified in the config file or must i use a non-password-protected key? 
09:51 < ecrist> if you're going to put the password in a file, you're not any more secure by password protecting it 09:52 < SerajewelKS> right 09:52 < plaerzen> ecrist, what do you think of the toyota tacoma? I think I want to own one some day. I'm looking for a rugged medium sized truck I can put a canopy on and use for car camping in the rockies during those long rock climbing trips. 09:52 < SerajewelKS> but it's easier to do that than remember the openssl incantation that removes the password protection :) 09:52 < ecrist> plaerzen: I've never been in one or under one, so I can't really offer an opinion. 09:53 < ecrist> I tend to stick with US-made 4x4s, as there are lots of parts for them, and they have a few year's more experience than the imports building trucks 09:53 < ecrist> SerajewelKS: just don't create a password on the key to begin with. 09:53 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn 09:54 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has left ##openvpn ["Leaving"] 09:55 < SerajewelKS> ecrist: my GUI forced me to. guess i'll just google the command to remove the password. 09:55 < ecrist> lol @ GUI 09:57 < SerajewelKS> heh 09:57 < SerajewelKS> i don't have time to memorize all those silly openssl commands 09:59 < ecrist> SerajewelKS: there are scripts out there to do that for you. 09:59 < ecrist> !ssl-admin for one 09:59 < vpnHelper> ecrist: Error: "ssl-admin" is not a valid command. 10:00 < ecrist> o.O 10:00 < ecrist> !ssladmin 10:00 < vpnHelper> ecrist: Error: "ssladmin" is not a valid command. 10:00 < ecrist> !search * 10:00 < vpnHelper> ecrist: There were no matching configuration variables. 
10:00 < ecrist> !menu 10:00 < vpnHelper> ecrist: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 10:00 < ecrist> !factoids search * 10:00 < vpnHelper> ecrist: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum', 10:00 < vpnHelper> ecrist: 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 'irclogs', 'noenc', 10:00 < vpnHelper> ecrist: 'iptables', 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', 'bridge-fw', 'linipforward', 'linnat', 'man', 'webgui', 'wintaphide', and 'topology' 10:01 < ecrist> !learn ssl-admin as http://www.secure-computing.net/ssl-admin 10:01 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 10:03 < ecrist> well, regardless, see http://www.secure-computing.net/ssl-admin for one such script 10:03 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net) 10:03 * ecrist shoots vpnHelper 10:03 < ecrist> !die 10:03 < vpnHelper> ecrist: Error: "die" is not a valid command. 
10:03 -!- Irssi: ##openvpn: Total of 48 nicks [0 ops, 0 halfops, 0 voices, 48 normal] 10:04 < plaerzen> !/30 10:04 < vpnHelper> plaerzen: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 10:04 < plaerzen> with by ? 10:04 < ecrist> !learn ssl-admin as http://www.secure-computing.net/ssl-admin 10:04 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 10:05 < ecrist> blargh 10:28 -!- whaletales [n=Paul@5ad3b1fb.bb.sky.com] has joined ##openvpn 10:42 < ecrist> bbiab --- Log closed Mon Dec 08 10:42:47 2008 --- Log opened Mon Dec 08 11:41:12 2008 11:41 -!- ecrist [n=ecrist@MINERVA.SECURE-COMPUTING.NET] has joined ##openvpn 11:41 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal] 11:41 -!- Irssi: Join to ##openvpn was synced in 22 secs 11:47 < PeterFA> I'm trying to get openvpn to run with minimum security shy of open house, that is user/pass authentication. However, it still requires the ca cert, and the TLS handshake fails. How do I disable this? 11:49 < ecrist> static keys 11:54 < PeterFA> ecrist, that's not minimum above open house. 11:56 < ecrist> sure it is 11:57 < ecrist> you need *some* method of encryption 11:57 < ecrist> OpenVPN uses SSL to encrypt. 11:58 < plaerzen> oh man. dhcp server ran out of leases. 12:04 < ecrist> lol 12:05 < ecrist> just open up another /24 12:05 < plaerzen> I just turned off some machines. Deal with it later. 12:06 < plaerzen> preferably off hours 12:24 < SerajewelKS> when using 'server 192.168.5.0 255.255.255.0' clients are not seeing a /24 netmask on the link, is this normal? 
12:24 < SerajewelKS> there is no route to 192.168.5.0/24 over the tun interface 12:25 < SerajewelKS> do i have to manually push it? 12:28 < SerajewelKS> according to the manpage, it should be pushing this option 12:29 < ecrist> yes, it's normal 12:29 < ecrist> it is. you may need client-to-client 12:29 < ecrist> read howto 12:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 12:32 < SerajewelKS> got it 12:32 < SerajewelKS> ecrist: what i discussed earlier is not working 12:33 < SerajewelKS> ecrist: i want one specific client to have a route created on the server side 12:33 < SerajewelKS> ecrist: but putting a route directive in their per-client config file doesn't appear to work 12:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:38 < ecrist> SerajewelKS: have you read the howto? it should work just fine. 12:39 < SerajewelKS> ecrist: Options error: option 'route' cannot be used in this context 12:40 < ecrist> can you pastebin that config? 12:41 < SerajewelKS> ah, i think i need to use iroute in the client-specific config and route in the general one 12:42 < ecrist> no 12:42 < ecrist> can you pastebin that config? 12:43 < SerajewelKS> yup, it sure worked 12:43 < SerajewelKS> when i say client config i mean a client-config-dir config file on the server 12:44 < ecrist> SerajewelKS: I understood that. 12:44 < ecrist> iroute, if I understand your original question, is not what you needed. 
12:45 < SerajewelKS> route 192.168.8.0 255.255.255.0 adds the route to go to the openvpn daemon 12:45 < SerajewelKS> iroute in the client config tells openvpn to route that subnet to this specific client 12:45 < SerajewelKS> which is what i want 12:45 < SerajewelKS> maybe a diagram of what i'm doing would be more helpful :) 12:47 * ecrist goes away 13:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 13:34 -!- Cyllene [i=UNtQZrND@unaffiliated/cyllene] has quit [Remote closed the connection] 13:46 < krzie> SerajewelKS 13:46 < krzie> i made a diagram 13:46 < krzie> !route 13:46 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:47 < krzie> <SerajewelKS> ecrist: i want one specific client to have a route created on 13:47 < krzie> the server side 13:47 < krzie> <SerajewelKS> ecrist: but putting a route directive in their per-client config 13:47 < krzie> file doesn't appear to work 13:47 < krzie> that belongs as a push route, not a route 13:47 < krzie> a route in a ccd would make NO sense 13:51 < reiffert> quoting the manpage from --client-config-dir: 13:51 < reiffert> The following options are legal in a client-specific context: 13:51 < reiffert> --push, --push-reset, --iroute, --ifconfig-push, and --config. 13:51 < reiffert> --config sounds intresting. what is it about? 13:53 < krzie> whoa 13:53 < krzie> good question 13:53 < krzie> ooooo 13:53 < krzie> i bet you can include files 13:53 < reiffert> and recursivly waste all memory? 13:53 < krzie> by using the config option in a config 13:53 < krzie> well lets say you have a bunch of routes, only for some clients 13:54 < krzie> you toss them all in a file and include the file in each ccd 13:54 < krzie> then can mod all at once easily 13:54 < krzie> (im totally guessing) 13:55 < reiffert> that would be a sane approach, but what about including another file from the included file and how about looping a recursion there? 
13:56 < krzie> the app could check for it, but even if it doesnt that would be the users fault 13:56 < krzie> kinda like how my server would let me type rm -rf / 13:56 < krzie> its prolly best i dont do it, but it will if i say so 15:29 < ecrist> um, no, that's not what --config is. 15:29 < ecrist> --config is invalid within a config file. 15:31 -!- [exa] [n=exa@199.241.broadband9.iol.cz] has joined ##openvpn 15:34 < [exa]> hi guys, simple question - as OpenVPN is the only program I was able to find that uses Win32-tap driver, I guess someone here could give me directions on any documentation of that driver or just some quick view about how it works... 15:35 < [exa]> I'm just asking; if there's none I will just read through the openvpn source. 15:35 < krzie> ecrist, then why can it be valid in a ccd file? 15:36 < krzie> or was his paste wrong? 15:38 -!- paruchuri [n=paruchur@61.16.248.247] has quit [Remote closed the connection] 15:45 < [exa]> anyone? 15:54 -!- gfather [n=g@79.173.220.255] has quit [Read error: 110 (Connection timed out)] 16:00 < ecrist> I think his paste was wrong 16:06 < krzie> [exa] no idea 16:11 < krzie> !man 16:11 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:13 < krzie> The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config. 16:13 < krzie> ecrist, its right there in man like reiffert said 16:14 < krzie> in both 2.0 and 2.1 16:15 < krzie> Note that configuration files can be nested to a reasonable depth. 
16:15 < krzie> it is exactly what i guessed it was 16:15 < krzie> nestable, and usable in ccd for the reason i guessed i bet 16:17 < [exa]> krzie: thx anyway 16:17 < [exa]> see ya 16:17 -!- [exa] [n=exa@199.241.broadband9.iol.cz] has left ##openvpn ["All your base are belong to us!"] 16:44 -!- bandini [n=bandini@host155-6-dynamic.6-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:07 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has joined ##openvpn 17:08 < ecrist> krzie: that's kick-ass then. 17:09 < ecrist> common routing groups among clients. 17:09 < krzie> totally 17:09 < krzie> i thought it had to be done via up script to do that 17:09 < krzie> way easier with ccd --configs 17:36 -!- mXr [i=1001@packst.net] has joined ##openvpn 17:37 < mXr> can anyone help me with an arp problem in bridging mode? 17:38 < krzie> first a question for you 17:38 < mXr> shoot 17:38 < mXr> "why the f* do you ask metaquestions" :P 17:38 < krzie> hahaha 17:38 < krzie> no 17:38 < krzie> why do you want bridge mode? 17:38 < mXr> 'cause i need to get vlans transparently from one end to the other 17:39 < mXr> maybe even non-ip traffic, but thats for later 17:39 < krzie> k 17:39 < mXr> i have two boxes, each with a rather basic setup.. one "uplink" nic, and one purely-vpn nic 17:39 < mXr> and a br0 that just bridges (static) tap0 and the "vpn" interface together 17:39 < mXr> promisc is on on tap0 and vpn on each box 17:39 < mXr> mtu is raised because of the vlan stuff, .. but that most probably is not the issue 17:40 < mXr> listening with tcpdump on the "vpn" (local ethernet tunnel endpoint) interface, i see that .. 
the requests is handled correctly; 17:40 < mXr> it goes in at site A, comes out at site B 17:40 < mXr> site B tcpdump then shows me the reply incoming - but it never makes it to the other side of the tunnel 17:41 < mXr> actually, tcpdumping "vpn" on site B shows the reply - but tap0 never has the packet sent 17:41 < mXr> so it doesn't even leave site b 17:44 < mXr> i tried playing around with the /proc parameters... arp_announce and such.. but they seem to have no effect on this problem 17:45 < mXr> interestingly, after an unknown period of time - sometimes seconds, sometimes minutes, the reply DOES get sent 17:50 < krzie> interesting 17:50 < krzie> i havnt used bridging for a long time 17:50 < krzie> im not sure what it could be 17:51 < krzie> first thing i was thinking was firewall, but if it DOES make it after some time, you stumped me 17:51 < mXr> also, i have no iptables/ebtables loaded 17:51 < mXr> all chains empty 17:53 < krzie> usually i convince bridgers they wanted routed 17:53 < krzie> (less overhead) 17:53 < krzie> but you mentioned non ip traffic 17:53 < mXr> juh, i'd prefer that as well, 17:53 < krzie> so you have your reasons 17:53 < mXr> but first i might have appletalk soon 17:53 < mXr> yeah 17:53 < mXr> :) 17:53 < mXr> and i really need transparently-transmitted vlans 17:54 < krzie> why? 17:54 < krzie> a routed setup you can share lans behind clients / server 17:54 < krzie> (if you choose to) 17:54 < mXr> cause on one end, there is a way too expensive and way too crappy astaro appliance thingie that takes over a handful of vlans 17:55 < mXr> its a bit of a complex setup :) 17:55 < mXr> it *would* be solveable with routes, but way less elegant 17:55 < mXr> until the day they really want their applecrap 17:55 < krzie> but you coul 17:55 < mXr> then i'm lost :p 17:55 < krzie> no it would be simple 17:56 < mXr> throw out the bad apples and buy actual computers? 
17:56 < mXr> (i'm not that much of an apple hater actually :p) 17:56 < krzie> (til the appletalk) 17:56 < krzie> i straight up LOVE osX 17:56 < krzie> for desktop use 17:56 < mXr> it has its pro-arguments imho, 17:56 < mXr> but i would definitely not fall for those :) 17:57 < krzie> i used windows for over a decade 17:58 < krzie> ive run linux and freebsd as a desktop 17:58 < krzie> but i prefer osx 18:00 < krzie> (for desktop, not server) 18:01 < mXr> well, whatever one prefers :) i'm not *really* saying any one of them is unusable 18:01 < mXr> just, i couldn't really live with osx after a week or so of testing 18:01 < krzie> ill say that bout vista 18:01 < mXr> i did so too, 18:01 < mXr> until i made it look and act like xp 18:01 < mXr> and nowaydays i'm actually pro-vista, which i would never have thought possible 18:02 < krzie> well that explains your not liking apple, lulz 18:02 < mXr> of course, making it useable first is a pita 18:02 < mXr> but in terms of overall stability i really looks like an improvement to me 18:02 -!- superdug [n=superdug@wilug/madlug/superdug] has joined ##openvpn 18:02 < mXr> also.. 64bit support in xp was crappy 18:02 < mXr> and with 8 gig ram, it would be a waste to use a 32bit os 18:03 < mXr> and yes, thats more of a luxury, but at those prices... 18:03 < mXr> running a vmware workstation vm in background.. 2 eve online clients on 2 screens.. 18:03 < mXr> you need some ram :p 18:06 < superdug> I have a network 192.168.0.0/16 and in that network I have the openvpn server running on 192.168.6.10 ... I've setup openvpn to use 192.168.7.0/24 ... and I'm pushing a route up to the clients of 192.168.0.0/16, but the only thing I can connect to is 192.168.6.10 ... do I need to bridge the eth0 (192.168.6.10/16) in order to hit the whole /16 ? 
18:06 < krzie> !route
18:06 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
18:08 < superdug> ahh I need a route definition, as well as the push route
18:08 < superdug> thanks
18:08 < krzie> np
18:09 < krzie> please be sure you read the whole thing too
18:09 < krzie> cause its often people skim it, think they found the answer, come back saying it didnt work, only to find they missed the rest
18:09 < superdug> no, that was the missing part, I'm good, thanks
18:11 < krzie> np =]
18:14 < krzie> the part you may be missing tho is this:
18:14 < krzie> ROUTES TO ADD OUTSIDE OF OPENVPN
19:00 < PeterFA> What is it called when you have security based on the trading of public keys?
19:00 < PeterFA> TLS?
19:00 < krzie> SSL
19:00 < PeterFA> Oh.
19:00 < PeterFA> Thanks.
19:00 < krzie> that was an off-the-cuff answer
19:00 < krzie> may or may not be what you meant
19:01 < krzie> could be pgp
19:01 < krzie> in fact i guess i should give a broad answer
19:01 < krzie> PKI
19:01 < krzie> public key infrastructure
19:01 < krzie> thats a good answer
19:01 < PeterFA> That sounds better.
19:01 < PeterFA> krzie, thanks.
19:02 < krzie> np
19:03 < krzie> TLS can be PKI or not
19:03 < PeterFA> krzie, oh.
19:03 < PeterFA> I want to set up a VPN server that does PKI only with user/pass authentication.
19:04 < krzie> normal client server cert setup is PKI
19:04 < PeterFA> So, we get away from having to install certs on customer computers.
19:04 < krzie> the .crt is a public key, signed by the CA
19:04 < PeterFA> Oh.
19:04 < krzie> the .key is the private key
19:07 < ecrist> krzie: before I go cook dinner, quick question for you.
19:08 < ecrist> I haven't heard back from Francis, so I'm assuming 'no;' should I create an openvpn-specific wiki at secure-computing.net/openvpn instead of where it is now?
19:10 < ecrist> well, ponder that, I'm going to cook dinner
19:10 < krzie> well its up to you of course, i like the idea of doing that tho
19:11 < krzie> of course each could link to the other tho
19:12 < krzie> PeterFA i believe you are talking about having a SHARED key as opposed to PKI (no certs) but thats no good for client/server, that is only ptp where there is 2 peers only
19:16 < PeterFA> krzie, hmmm.
19:23 < krzie> PKI is certs
19:23 < krzie> SHARED is a static key
19:23 < krzie> which can be a file or a line in the config
19:25 < krzie> but you can only use shared keys in a peer to peer setup, not client/server
19:26 -!- s2r [n=dada@190.2.0.105] has joined ##openvpn
19:26 -!- s2r [n=dada@190.2.0.105] has left ##openvpn []
19:30 < PeterFA> krzie, so, PKI will only work in a p2p set up?
19:41 < krzie> you have it backwards
19:41 < krzie> PKI is certs
19:41 < krzie> the cert itself is the public key
19:41 < krzie> (the .crt)
19:42 < krzie> the csr is signed with the certs private key
19:42 < krzie> then the CA signs the csr and gives a .crt
19:42 < krzie> but the CA private key and cert's private key are never sent
19:42 < krzie> that is PKI
19:42 < krzie> and it works in client/server mode
19:43 < krzie> a shared key setup has no certs, and is NOT PKI
19:45 -!- netcrash [n=andre@88.157.82.196] has quit ["Ex-Chat"]
19:48 < PeterFA> Ugh, why does Openvpn in client mode have to have a CA?
19:48 < PeterFA> Why can't it just use the crt and key files?
19:50 < krzie> because of how PKI works
19:51 < krzie> as i explained above
19:51 < krzie> <krzie> the csr is signed with the certs private key
19:51 < krzie> <krzie> then the CA signs the csr and gives a .crt
19:51 < krzie> <krzie> but the CA private key and cert's private key are never sent
19:51 < krzie> <krzie> that is PKI
19:52 < krzie> so client and server were signed by same CA, but never had to send out their private keys in the process
19:53 < krzie> so in an ideally secure setup, the client generates a csr signed with its private key, and sends it to the CA, who sends back a .crt
19:53 < krzie> the csr and crt are of no risk if grabbed on the wire by evil hakirs
19:53 < krzie> the client made its own .key and the ca made its own as well, neither were ever transmitted
19:54 < krzie> same exact thing for the server
19:54 < krzie> then the server and client can verify eachother based on their certs and their own keys
19:55 < krzie> maybe give this a read: http://en.wikipedia.org/wiki/Public_key_infrastructure
19:55 < vpnHelper> Title: Public key infrastructure - Wikipedia, the free encyclopedia (at en.wikipedia.org)
19:55 < PeterFA> Ok... that would verify based on keys and then cryptography based on those keys.
19:55 < PeterFA> krzie, can I make it just skip the key based authentication and just use the keys for authentication?
19:56 < ecrist> PeterFA: didn't I tell you earlier today that you needed static keys for what you wanted?
19:56 < PeterFA> ecrist, it's not solving the problem.
19:56 < krzie> ecrist, static keys wont work for more than 2 machines
19:56 < ecrist> well, this morning he only mentioned two machines.
19:56 < krzie> ohhh
19:57 < krzie> PeterFA, 2 machines or more?
19:57 < PeterFA> krzie, more.
19:57 < krzie> certs
19:57 < krzie> <PeterFA> krzie, can I make it just skip the key based authentication and just
19:57 < krzie> use the keys for authentication?
19:57 < krzie> that made NO sense to me
19:57 < krzie> skip key based auth and just use keys for auth...
19:57 < krzie> thats like skipping dinner and having dinner instead
19:57 < krzie> hehe
19:57 < ecrist> PeterFA: if keys are such a problem and you want just plain user/pass VPN, look at mpd
19:57 < PeterFA> krzie, as in not verify the keys and just trust them.
19:57 < ecrist> pptp is your ticket
19:58 < PeterFA> mpd, huh?
19:59 < ecrist> the added benefit of PPTP is that it's got native support in most (if not all) main-stream OSes
19:59 < ecrist> bbl
19:59 < PeterFA> I'll look at mpd, thanks.
20:16 < krzie> the benefit of openvpn is its security
20:16 < krzie> well and its quite flexible imho
20:17 < krzie> but if you are trying to get rid of the security, look into what ecrist said
20:17 < krzie> ive never seen mpd, but i know he knows what hes tlakin bout
20:17 < krzie> talkin
20:21 < krzie> actually lemme look at something
20:21 < krzie> i think you can use only login/pass for auth without certs
20:21 < krzie> !man
20:21 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:21 < krzie> you using 2.0 or 2.1?
20:25 < krzie> --username-as-common-name
20:25 < krzie> For --auth-user-pass-verify authentication, use the authenticated username as the common name, rather than the common name from the client cert.
20:25 < krzie> thats how you get common-name without using a cert
20:25 < krzie> --client-cert-not-required
20:25 < krzie> Don't require client certificate, client will authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients.
20:25 < krzie> If you use this directive, the entire responsibility of authentication will rest on your --auth-user-pass-verify script, so keep in mind that bugs in your script could potentially compromise the security of your VPN.
20:26 < krzie> thats how you tell it you dont want a cert
20:26 < krzie> there may or may not be more to it, i have never and will never setup a vpn that way
20:27 < krzie> (unless someone is paying me for it and understands i dont recommend it)
20:47 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
20:51 -!- bipolar_ [n=bflong@204.186.46.66] has joined ##openvpn
21:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
21:31 -!- bipolar_ is now known as bipolar
22:11 -!- bipolar [n=bflong@204.186.46.66] has quit [Read error: 113 (No route to host)]
22:20 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
22:43 -!- superdug [n=superdug@wilug/madlug/superdug] has quit ["Lost terminal"]
23:32 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:42 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
--- Day changed Tue Dec 09 2008
00:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:02 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn
00:16 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has joined ##openvpn
00:16 * tjz swim in
00:26 -!- paruchuri [n=paruchur@61.16.248.247] has quit ["Konversation terminated!"]
00:37 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:41 -!- paruchuri [n=paruchur@61.16.248.247] has joined ##openvpn
01:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
02:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
02:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:28 -!- stephenh [i=stephen@69.30.200.88] has quit [Read error: 110 (Connection timed out)]
02:40 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has joined ##openvpn
02:40 * tjz swim in
03:14 -!- tjz [n=tjz@bb121-7-65-125.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
03:49 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
03:50 < oc80z> we there yet ?
03:50 < oc80z> :)
04:02 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
05:22 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn
05:32 -!- normal1 [n=eddie@76-252-235-221.lightspeed.sndgca.sbcglobal.net] has joined ##openvpn
05:33 < normal1> Is there a quick how-to for setting up a site-to-site bridge with openvpn?
05:33 < normal1> I got ipsec-tools running now and well.. its not going very good
05:33 < normal1> I should mention its running on freebsd
05:46 < Solarbaby> quick howtos usually dont work
05:46 < Solarbaby> thats my experience anyways ;)
05:47 < normal1> I guess I agree
05:47 < normal1> i should have said how to period..
05:47 < normal1> I see a lot of documentation for linux but very little pertaining to freebsd thats why I ask
05:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:48 < normal1> actually thats the reason I Went with vpn over ipsec in the first place... now it appears to be coming back to bite me in the arse
05:48 < Solarbaby> I set mine up on a linksys router ;)
05:48 < normal1> what, openvpn?
05:48 < Solarbaby> documentation wasn't easy to come by either.. so I read about 10 howtos and figured alot of stuff out eventually
05:49 < Solarbaby> yup
05:49 < normal1> problem is this is an enterprise site-to-site.. :/
05:49 < Solarbaby> i flashed my router and put openwrt on it.. and then uploaded openvpn into it and made it into a server
05:49 < Solarbaby> lots of traffic? yeah
05:50 < normal1> the end result should really just be one bridge from site A to site B
05:50 < Solarbaby> I know bridging is good for gamers.. and maybe video chat software i guess.. but otherwise its got issues
05:51 < normal1> what kind of issues?
05:51 < Solarbaby> I haven't used it.. but I read it does
05:51 < Solarbaby> just another thing for you to google so your more aware
05:51 < normal1> oh
05:52 < normal1> I know scalability is an issue, but not for this setup
05:52 < Solarbaby> server client was good for me so I went that route
05:52 < Solarbaby> oh yeah.. security was probably something ;)
05:52 < Solarbaby> bridge gives you less options to secure the network
05:53 < normal1> huh.. I wouldnt see how
05:53 < Solarbaby> im just going by memory...
05:53 < normal1> it should use the same encryption as the other options
05:53 < Solarbaby> security is a very broad subject.. might be internal security that was the issue
06:24 < doke> Anybody interested in porting OpenVPN to Symbian?
06:42 -!- normal1 [n=eddie@76-252-235-221.lightspeed.sndgca.sbcglobal.net] has left ##openvpn []
07:02 -!- protocols [n=protocol@p5791FC0A.dip.t-dialin.net] has joined ##openvpn
07:13 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
07:29 < ecrist> bridge vs routed really offers no difference in security
07:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
07:40 < doke> I think people associate routed vpn = different subnet = different firewall rules = security = not same net = acl possible
07:40 < doke> but I'm so happy that someone took the initiative to implement bridging via OpenVPN and the tap interface... It's wonderful
07:41 < doke> Remote network that can be served by the same tftp servers or dhcp options....
07:42 < doke> And I love my wrt54gs that can connect via OpenVPN ;)
07:42 < doke> especially from networks with restricted policies :D
08:23 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn
09:20 < Solarbaby> doke you setup OpenVPN on your linksys router?
09:20 < Solarbaby> I did that too.. recently
09:22 < Solarbaby> ecrist: thanks for pointing that out.. I know I read something about security concerns over bridge and routed.. but it was vague
09:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:31 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
09:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:00 < doke> Solarbaby: yep sorry for my late reply
10:00 < doke> basically Solarbaby
10:01 < doke> My girlfriend is in a uni that doesn't allow any udp traffic (no skype, no voip...) and thanks to OpenVPN and the Linksys wrt54gl and openwrt, I managed to make her router become an accesspoint for her friends, passing all the traffic through the vpn to a server hosted in switzerland
10:01 < doke> now each time they connect and they authenticate, they get a public ip address
10:01 < doke> in switzerland ;)
10:01 < doke> and no more restrictions
10:03 < doke> and the it guys in the uni were surprised to find a router in her room... so first they were angry and she could have gotten in hard troubles but then I asked her to suggest one of the IT to plug his laptop... he saw that the IP he got didn't belong to the uni... so he assumed she was connected through another carrier ;)
10:03 < doke> sorry for my weird english
10:04 < Solarbaby> thats awesome
10:04 < Solarbaby> perfect use
10:29 < plaerzen> morning ovpn
10:29 < doke> morning plaerzen
12:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
12:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:07 < krzee> [09:30] <ecrist> bridge vs routed really offers no difference in security
12:07 < krzee> thats the last thing i saw before i got disconnected
12:08 < krzee> and im going to have to interject some counterpoints on that
12:08 < krzee> if i get into a box that you connected to a lan with bridging instead of routed
12:08 < krzee> i can arp poison the shit out of your whole network remotely
12:08 < krzee> for complete ownage
12:10 < doke> krzee: of course
12:11 < doke> but it's also the point who you give the bridge access to. But bridged vpn is wonderful
12:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
12:11 < doke> somebody is having trouble with connectivity
12:15 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection]
13:02 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: mXr, protocols, jeev, vpnHelper, kreg, reiffert, Typone
13:03 -!- Netsplit over, joins: Typone, vpnHelper, kreg
13:03 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
13:03 -!- Netsplit over, joins: protocols, mXr, reiffert
13:04 -!- tiav [n=tiav@91.197.165.222] has quit [Read error: 54 (Connection reset by peer)]
13:04 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Read error: 54 (Connection reset by peer)]
13:08 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: mXr, protocols, reiffert
13:09 -!- Netsplit over, joins: protocols, mXr, reiffert
13:13 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit []
13:21 -!- protocols [n=protocol@p5791FC0A.dip.t-dialin.net] has quit [Connection timed out]
13:22 -!- protocols [n=protocol@p5791FC0A.dip.t-dialin.net] has joined ##openvpn
13:30 -!- justdave_ is now known as justdave
13:35 < ecrist> krzie: that's not a VPN-related issue. It's a networking-related issue.
13:35 < ecrist> which can be blocked with firewalls and transparent bridging
13:39 < doke> any suggestion on how I can provide public addresses to my openvpn clients?
13:39 < doke> i have a /24 subnet
13:39 < doke> allocated
13:39 < doke> routed to 2 openbsd machines
13:39 < ecrist> then provision them the same as you would for private addresses
13:40 < doke> alright
13:40 < doke> but
13:40 < doke> there is a routing issue there.....
13:40 < doke> I'm studying the question
13:40 < ecrist> how so?
13:41 < doke> the vpn won't be on those openbsd which are only meant to route and firewall the traffic toward some debians
13:41 < doke> sorry
13:41 < doke> let me reformulate that
13:41 < doke> hold on
13:42 < doke> sorry I'm trying to figure it out in my mind
13:47 < doke> ok so let me rewrite this
13:47 < doke> sorry for my late answer
13:48 < doke> imagine I have a machine with 10 virtual interfaces eth0:x and one main ip eth0
13:49 < doke> I don't think the dhcp configuration would be an actual problem for me to assign one of those external ips to an openvpn user... I'm more stuck with how to route packets addressed to one of the external ips as basically I would have to route it to the same ip but on an other interface?
13:49 < doke> sorry if it sounds confusing
13:50 < doke> imagine I have ip range 80.244.1.0/255.255.255.0
13:50 < doke> the linux box there is listening to all usable address
13:51 < doke> I'd like to be able to assign OpenVPN clients one of those IPs
13:52 < doke> so for example when I connect to my openvpn server behind a firewall, I obtain a public IP with no more firewall restrictions and I can run whatever server I want
13:52 < doke> does anybody get what I'm trying to explain?
13:52 < doke> sorry
13:53 < doke> ecrist ?
14:05 < doke> I think I'm going to end up just bridging the whole thing
14:17 < ecrist> sup?
14:18 < ecrist> SilenceGold does that exact thing
14:18 < ecrist> don't think he's here, though
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:15 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: reiffert, mXr
15:16 -!- Netsplit over, joins: mXr, reiffert
15:22 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: reiffert, mXr
15:28 -!- Netsplit over, joins: mXr, reiffert
16:00 -!- randra [n=sleepkno@187.4.211.211] has joined ##openvpn
16:05 -!- protocols [n=protocol@p5791FC0A.dip.t-dialin.net] has quit ["Leaving"]
16:07 -!- randra [n=sleepkno@187.4.211.211] has quit []
16:11 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn
16:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:20 < krzie> you can setup a bidirectional NAT with a routed setup
16:20 < krzie> just like i did on my home lan once
16:20 < krzie> i had 2 ips, and 4 computers
16:20 < krzie> so i put 3 behind 1 ip in a normal NAT
16:20 < krzie> then i put 1 on a bi-directional NAT
16:21 < krzie> so the interface used a LAN ip, but as far as the internet was concerned that computer was on its own ip
16:21 < krzie> didnt need to forward ports even, because it was a bidirectional NAT
16:21 < krzie> a 1:1 NAT
16:29 -!- cpg [n=amahi@c-98-234-182-104.hsd1.ca.comcast.net] has joined ##openvpn
17:12 < reiffert> moin
17:12 < krzie> moin
17:14 < reiffert> and good night!
17:15 < cpg> hi all. we have a situation that one client can connect to an openvpn server
17:15 < cpg> however, when a second client connects, the first one freezes
17:15 < cpg> seem as if both clients are issued the same ip
17:15 < cpg> (though we're not sure of this)
17:16 < krzie> you have both using the same certs i bet
17:16 < cpg> we're wondering what determines the ip or ips given out to the client(s)
17:16 < krzie> or same common-name in the certs
17:16 < cpg> yes
17:16 < krzie> there ya go
17:16 < krzie> use different certs for different clients
17:16 < cpg> certs are identical
17:16 < krzie> go make another
17:17 < krzie> each client should have its own cert
17:17 < krzie> then you can revoke 1 if needed in the future
17:17 < cpg> cool
17:17 < cpg> i will have to remember how to create certs
17:17 < cpg> hehe
17:18 < reiffert> !howto
17:18 < reiffert> !howto
17:18 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:19 < reiffert> How about removing the nickname in front of the answer?
17:20 < krzie> thats a pita when multiple people use commands
17:20 < krzie> also if you use freebsd
17:21 < krzie> check out ssl-admin in ports
17:21 < krzie> recently updated
17:23 < cpg> thanks
17:24 < reiffert> !howto tell krzie
17:24 < vpnHelper> reiffert: Error: "howto" is not a valid command.
17:24 < reiffert> !howto $(ls /tmp)
17:24 < vpnHelper> reiffert: Error: "howto" is not a valid command.
17:24 < krzie> lol
17:24 < cpg> krzie: what bot do you guys use/recommend? i like it
17:25 < reiffert> !howto `ls /tmp`
17:25 < vpnHelper> reiffert: Error: "howto" is not a valid command.
17:25 < krzie> vpnHelper is a supybot
17:25 < vpnHelper> krzie: Error: "is" is not a valid command.
17:25 < reiffert> vpnHelper die
17:25 < vpnHelper> reiffert: Error: "die" is not a valid command.
17:25 < reiffert> You think reading the source is not worth it as people already did this before?
17:26 < krzie> reiffert completely up to you
17:26 < krzie> but ya we played with it a ton in #remote-exploit awhile back
17:26 < krzie> i found a way to overload !learn
17:26 < krzie> but thats it
17:27 < reiffert> Adding more than 65536 replies for one command?
17:27 < krzie> with [command] it inserts output of !command
17:27 -!- cpg [n=amahi@c-98-234-182-104.hsd1.ca.comcast.net] has left ##openvpn []
17:28 < reiffert> hacking the regular expression syntax?
17:28 < krzie> so !learn command-to-kill [command] [command] [command] etc etc
17:29 < krzie> easily uglying up the db beyond usability for helping people
17:29 < krzie> no hack involved
17:29 < krzie> but the bot would hate
17:29 < krzie> there is likely a DOS in the url title grabbing too
17:30 < krzie> but ill leave finding that to you ;]
17:30 < reiffert> collapsing /'s?
17:30 < krzie> neg
17:30 < krzie> well who knows
17:30 < krzie> just not what im thinkin of
17:31 < reiffert> collapsing 1000 /'s took almost 60 seconds on a P1-233Mhz for the adzapping squid redirector program called "adzapper". Got a CVE assigned that for 2007.
17:32 < reiffert> DoS'ing squid after all adzapper forks got busy collapsing.
17:33 < reiffert> CVE-2006-0046
17:33 < krzie> ahh
17:33 < krzie> nice
17:34 < krzie> what we found was a tcl error, im not sure if supybot would have same issue or not
17:34 < krzie> but urltitle.tcl died from it
17:34 < reiffert> The author was ignoring my patch for 6 months until I found a CVE submitter who helped speeding up the fix enormously :)
17:34 < krzie> basically just make a php file saying size is 0
17:34 < krzie> then append a bunch of /dev/null to the end
17:34 < krzie> err /dev/random i mean
17:35 < reiffert> Oh, that sounds nice too
17:36 < reiffert> What will urltitle.tcl do with a redirecting loop?
17:39 < krzie> good question
17:39 < krzie> i can test a link on it
17:40 < reiffert> too lazy for that now, watching tv and listening to some classic radio atm
17:40 < krzie> i have a bot running urltitle.tcl on efnet
17:40 < krzie> but its prolly fixed with the bug i said by now
17:40 < krzie> cause the botmaster is on the tcl dev team
17:51 < reiffert> I will never understand why all the ircbots hang on using tcl.
17:51 < reiffert> It just sucks.
17:54 < krzie> tcl is a nice scripting language
17:54 < reiffert> perl is.
17:55 < krzie> both are
18:00 < reiffert> tomorrow my 2 new SL72G CPU's will make their way to the postoffice in the UK, yippieh!
18:38 < krzie> my fbsd box at home could damn sure use a new cpu
18:38 < krzie> although ild have to go amd64
18:38 < krzie> (cause i use zfs)
19:13 -!- amine [n=amine@unaffiliated/amine] has joined ##openvpn
19:13 < amine> hey
19:14 < ecrist> hi
19:17 < amine> openvpn traps all IP data, and I know tcp over tcp is bad, but isn't it possible to have a special mode for tcp over tcp where headers aren't sent raw over the network but modified so that it avoids all the tcp over tcp meltdown effect?
19:18 < amine> for example.. when initiating a tcp connection, tell the server to initiate the connection and then report back that it was successful or not? This limits the ability to do syn stealth scanning but that's probably the only downside I see from it
19:22 < amine> Kind of like a proxy
19:36 < krzie> you talking bout taking off the delivery assurances of TCP?
19:36 < krzie> cause it kinda sounds like you want to turn TCP into UDP
19:36 < amine> hi krzie
19:37 < krzie> and since you couldnt change the TCP stuff on the inside, only the tunnel itself (because the stuff on the inside is reaching real inet services and not openvpn itself)
19:37 < amine> I'm talking about the connection being handled differently, and only the data remaining the same
19:37 < krzie> it sounds pointless
19:37 < krzie> udp already exists
19:37 < amine> right, but some people can't use udp
19:37 < amine> (like me)
19:38 < krzie> your office wont allow udp outbound?
19:38 < amine> my school
19:38 < krzie> sucks
19:38 < amine> I think you helped me get setup a few weeks ago
19:38 < krzie> your school doesnt even allow port 53 udp outbound?
19:38 < krzie> i prolly did ;]
19:39 < amine> nope, the dns server is the router and the router does the queries
19:39 < amine> but it isn't a big issue, I'm just here for a conversation :)
19:39 < krzie> right on
19:40 < krzie> so i take it you tried resolving dns through a 3rd party NS
19:40 < krzie> like host ircpimps.org ns1.doeshosting.com
19:40 < amine> yup
19:40 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has left ##openvpn []
19:41 < amine> So I was reading why tcp is bad and I've been thinking about it.. when a SYN packet goes out to initiate a connection, why doesn't the server connect (syn/synack/ack), and if successful respond with a fake synack/ack, this takes care of the connection.. and if you got client } connection A { server } connection B { destination, anything sent over connection A can be sent over connection B, and when the client wants to disconnect, the server simply severs the connection
19:42 < amine> This should stop the meltdown effect since it won't have any ttl problems and resent packets
19:43 < amine> Of course this isn't really the point or job of vpn software
19:44 < krzie> you're also talking about openvpn making its own transport protocol
19:44 < amine> yup, for tcp only
19:44 < krzie> users always come in wanting openvpn to handle *
19:44 < krzie> but i really like that it doesnt
19:44 < krzie> it shouldnt handle NAT
19:45 < krzie> it shouldnt have its own transport protocol
19:45 < krzie> etc etc
19:45 < amine> I don't want it to do that.. like I said i got my system setup and i'm just here for a conversation :)
19:45 < krzie> the security possibilities of making your own transport protocol exist too
19:45 < krzie> even TCP has problems
19:45 < krzie> little known problems, but serious ones
19:47 < krzie> ones that are NOT os specific, but exist in anything that speaks TCP/IP
19:47 < amine> like what?
19:47 < krzie> specially crafted packets can take out any machine or device that speaks tcp/ip
19:47 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit []
19:47 < amine> do you mean syn attack?
19:47 < krzie> a 14.4 can force a cisco on an oc3 to reboot before it can be used anymore
19:47 < krzie> not at all
19:48 < krzie> im talking about a bug thats been known by whitehats for years, but they havnt been able to find a fix
19:48 < amine> ah, one of those bugs
19:48 < krzie> it now exists in the wild
19:48 < krzie> basically a nuke, but one that targets ANYTHING that speaks tcp/ip
19:48 < krzie> with no workaround or fix known
19:48 < amine> I can't imagine such a bug in any system
19:49 < krzie> if that exists in tcp/ip, how much do you want to trust a little app like openvpn to make its own transport protocol
19:49 < amine> if it exists in tcp/ip, I don't think you can trust anything tcp/ip ?
19:49 < amine> and since you don't have a choice but to trust the protocol, I guess you're forced to ignore it
19:49 < krzie> its a DOS not a vuln
19:50 < amine> right, so what difference would it make if openvpn made a sub-tcp transport layer, or even if the user didn't use a vpn as an internet gateway?
19:51 < krzie> it couldnt be used on the inside of the vpn, it would have to be the outer layer
19:52 < amine> my point though is if the user wanted to do something malicious, it wouldn't matter if another user is tunneling or not
19:53 < amine> and I'm sure these 'whitehats' knew about a bug in the protocol, they would not keep it to themselves, and a fix could be made
19:53 < amine> if*
19:53 < krzie> they knew, they been trying
19:54 < amine> is there a public paper on this bug?
19:54 < krzie> ya i cant find it right now tho
19:55 < amine> Ah :)
19:56 < amine> So assuming this bug isn't stopping the world from developing software that uses tcp, and this wasn't a conversation about openvpn, what else can you think of that would make a vpn-like tcp-specific transport layer over tcp bad?
19:57 < krzie> my point in bringing up the bug is that protocols can have issues, and that i would rather not see software making its own protocols
19:58 < krzie> err, transport protocols i mean
20:01 < amine> all software can have issues, and the point of such protocols is to fix an issue with tunneling tcp over tcp
20:02 -!- jeev [n=email@unaffiliated/jeev] has quit [Connection timed out]
20:04 < krzie> http://seclists.org/dailydave/2008/q4/0000.html
20:04 < vpnHelper> Title: Dailydave: TCP Resource Exhaustion DoS Attack Speculation (at seclists.org)
20:04 < krzie> there ya go btw
20:05 < krzie> http://insecure.org/stf/tcp-dos-attack-explained.html
20:05 < vpnHelper> Title: Outpost24's TCP DOS Attack and Botched Disclosure (at insecure.org)
20:05 < krzie> They gave a PodCast interview with an even gloomier prognosis for the Internet:
20:05 < krzie> Q [Brenno de Winter]: "... we can draw the inference at this point that TCP/IP as we know it is broken beyond repair, as far as we know?"
20:05 < krzie> A [Robert Lee]: "Certainly the implementations that we've played with."
20:05 < krzie> Q: "And that's basically Linux, BSD, Windows, probably all the routers that are out there?"
20:05 < krzie> A: "yeah."
20:06 < amine> wow, this is very recent
20:06 < amine> will make a good read! brb
20:07 < krzie> the info has been known in secret for yrs
20:07 < krzie> just not by most people (including me)
20:07 < amine> lies, you knew and kept it from us.. you have doomed us!
20:08 < krzie> haha
20:16 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:17 < amine> this bug isn't really a bug
20:17 < amine> it's just a way of making the victim computer use more resources
20:19 < amine> and the problem with this attack is that in order to actually interact with the software listening on that tcp port, you need to have a full connection.. this means that you could spot the attacker and ban him
20:21 < amine> if the victim computer had a software to simply accept the connection, it wouldn't be much of a denial of service, just a small resource hog (probably a few hundred megs at most)
20:22 < ecrist> yet cisco gives it a '3'
20:22 < amine> 'mild'
20:22 < amine> there's still a level or two above that
20:22 < ecrist> I'm aware. My point is, their doom-and-gloom is crap
20:23 < amine> that's what I'm trying to say
20:23 < krzie> <amine> it's just a way of making the victim computer use more resources
20:24 < ecrist> krzie: did you see my response to you earlier, about bridged vs routed?
20:24 < amine> for example, apache creates a new process for every connection (if using prefork mod).. of course you could use up massive resources on the victim machine but it isn't really tcp's fault, it's apache's
20:24 < krzie> right, but by more resources, it means a 14.4 modem could take out anything with a couple minutes of attack, and force it to be unusable until reboot
20:24 < krzie> ecrist, no i missed it =[
20:24 < ecrist> oh, well, as far as OpenVPN goes, there's no security difference.
20:24 < amine> krzie, not quite.. since this requires a full connection, apache can ignore the ip after a few connections
20:25 < krzie> ecrist, oh very true
20:25 < ecrist> which was the original question
20:25 < krzie> its a security issue just with bridging into a network, no matter how you do it
20:25 < amine> are we talking about the same issue here?
20:25 < ecrist> no
20:26 < amine> ok
20:26 < amine> krzie, it was a good read though :)
20:26 < krzie> ahh i took it as the user was curious about all issues of bridging vs routing via openvpn, whether specific to ovpn or not
20:27 < krzie> amine, i thought so too
20:27 < amine> I'm at my family house for the next few months and they got shitty internet, make me something to cheat dsl :(
20:29 < krzie> heh
20:29 < krzie> youd need cable for that
20:31 < ecrist> ugh, big LDAP import tonight. last time I did a big import, it crashed the datastore.
20:31 < ecrist> :\
20:32 < ecrist> ~3000 users.
20:35 < amine> krzie, i know, I went from 18mbit at home to like 2mbit here.. it's horrible :(
20:36 < krzie> i dont even want to hear about it, i pay $100 USD/mo (fastest they sell) for around 1.5 down and 386 up
20:36 < krzie> it sucks man =[
20:39 * ecrist has 50Mb/10Mb available in his area
20:39 < ecrist> I only have 12/2
20:42 < krzie> shiet
20:42 < krzie> i woulda been sleeping outside the building waiting for them to open the morning they started offering 50/10
20:42 < ecrist> krzie: I don't have $200/mo to afford it...
20:43 < ecrist> that, and I just bought a friggin truck for $17K
20:43 < krzie> whoa 200/mo is steep for that
20:43 < krzie> its under 100/mo with fios
20:44 < krzie> ild gladly pay $300/mo for it here tho
20:44 < amine> krzie, 1.5 down? that sucks man
20:44 < krzie> (which is more than my monthly rent + electricity + water + tv
20:44 < krzie> )
20:45 < amine> some entertainment: http://www.youtube.com/watch?v=4pXfHLUlZf4
20:45 < vpnHelper> Title: YouTube - Jizz In My Pants (at www.youtube.com)
20:46 < ecrist> lol, my mortgage is $1200/mo, plus another $600/mo for prop taxes and insurance
20:47 < krzie> ya 3rd world countries are cheap
20:47 < krzie> but dont take out a loan out here ;]
20:47 < krzie> their rates and terms are worse than loan sharks
20:49 -!- amine [n=amine@unaffiliated/amine] has quit ["Leaving"]
20:51 < ecrist> w00t
20:51 < ecrist> out of 2897 entries, only 35 failed to import
20:51 < ecrist> :D
20:53 < krzie> ive never played with ldap
20:55 < ecrist> I just started this year. moving all our systems at work over to it.
20:55 < krzie> nice
20:55 < krzie> hows it compare to AD?
20:55 < ecrist> out of 35 servers, 32 of them are completely switched over
20:55 < krzie> AD was the only time i could ever see windows as a server
20:56 < ecrist> never used AD, but AD is just MS implementation of LDAP + MS stuff
20:56 < krzie> ahh
20:57 < ecrist> we use LDAP for FreeBSD authentication, going to use it for VPN auth soon, jabber auth, client contact data, and all our SUDO stuff is stored in LDAP
20:57 < krzie> ya i know they use the same stuff
20:57 < krzie> ahh nice
20:57 < krzie> PAM makes that extremely easy ild assume
20:57 < ecrist> yes
20:58 < ecrist> what else is nice, we're going to be able to store all our client account passwords in plain text now, so we can recover them when they lose it.
20:58 < ecrist> not an option with password files
21:00 < ecrist> http://www.secure-computing.net/wiki/index.php/OpenLDAP
21:00 < vpnHelper> Title: OpenLDAP - Secure Computing Wiki (at www.secure-computing.net)
21:00 < ecrist> if you ever get the urge
21:00 < krzie> nice man
21:00 < krzie> even without the urge im down for the read
21:02 < ecrist> lol
21:03 < ecrist> I'm watching tail -f /var/log/all.log on my ldap server with debug. pulling 300KB/s watching the log file
21:03 < krzie> if it will stay open for awhile consider using tail -F
21:04 < krzie> it follows the new inode if the log gets rotated
21:04 < krzie> and thats a CRAZY amount of bw for a logfile viewing
21:04 < krzie> thats more BW than i have, lol
21:04 < ecrist> lol
21:05 < ecrist> fwiw, it's across my OpenVPN connection.
21:05 < krzie> =]
21:05 < ecrist> I was watching debug logging on secondary LDAP server as it replicated the ~3000 record import
21:12 * krzie doublechecks the size of your /var
21:13 < ecrist> lol, /var/log is 1.9G
21:13 < ecrist> all.log for *today* is 929M
21:13 < krzie> lol
21:14 < ecrist> the past weeks, bzipped are still around 10M
21:14 < krzie> ya text compresses well
21:14 < krzie> not THAT well tho ;]
21:15 < ecrist> well, ldap in full debug, spits out about 150 lines for each part of each query
21:15 < krzie> WOW
21:15 < ecrist> when you're replicating ~3000 records, there's a lot of activity
21:15 < krzie> enjoy debugging that
21:15 < krzie> hahah
21:16 < krzie> and i thought named -d9 was big
21:16 < krzie> (and some think openvpn verb 6 is big, lol)
21:16 < ecrist> lol
21:19 < ecrist> sweet, someone hit my website today via IPv6
21:21 < ecrist> and, someone working for juniper networks was on my site.
21:22 < krzie> sweet
21:22 < krzie> my buddy runs a obsd repository
21:22 < krzie> one day he saw a guy at microsoft.com downloading openbsd
21:22 < krzie> i thought that was funny
21:22 < ecrist> lol
21:23 < ecrist> I get a ton of people from Secure Computing Corp hitting my site. I've seen a few google searches from their network for things like "I hate my job at secure computing" or "secure computing sucks"
21:23 < krzie> HAHAHA
21:24 < ecrist> here's another juniper networks host: security-lab1.juniper.net
21:28 < ecrist> w00t
21:29 < ecrist> my ldap import is fine. now our user file ownership is textual rather than numerical (I don't know which client is 1461)
21:29 < ecrist> now, tomorrow, I get to test pure-ftpd and vshell with PAM
21:31 < ecrist> krzie: if you have a lot of hosts and use sudo, you'll fall in love with LDAP+sudo
21:34 < krzie> ever tried out proftpd?
21:35 < ecrist> no, what do you like about it?
21:35 < krzie> i used both pro and pure, ended up liking pro more personally
21:35 < krzie> it was a bit of time ago but its worth looking at if you find yourself bored
21:38 < ecrist> will keep that in mind.
21:38 < ecrist> I wish I had time to be bored.
21:38 < ecrist> so friggin busy lately.
21:38 < krzie> sounds like it
21:39 < ecrist> at work, we're looking at changing our data center.
21:39 < ecrist> what a pain in the ass that's going to be.
21:40 < ecrist> but, i'm going to get away from this keyboard - see ya tomorrow
21:40 < krzie> cool, have a good night
21:47 < simplechat> hey, is there any way to cause clients to actually connect p2p? rather than all traffic going through the server?
21:47 < simplechat> i've got a bunch of australian hosts running on an american openvpn server
21:47 < simplechat> and the latency is starting to be an issue
21:50 < krzie> no
21:51 < krzie> but you could give the AU hosts an AU server
21:51 < krzie> and connect those 2 vpns
21:56 < krzie> that way au --> au traffic wont flow through usa
21:57 < krzie> and usa --> usa traffic wont go through au
21:57 < krzie> but au --> usa traffic will still work fine
22:16 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Remote closed the connection]
22:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:27 < krzee> !man
22:27 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:30 < krzee> whoa
22:30 < krzee> <connection> stuff in 2.1 is badass
22:47 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has joined ##openvpn
22:51 < syntaxx> question: i can ping the vpn server local ip but the server local ip cant ping the client ip any idea?
22:56 < krzee> what os is the client
23:00 -!- mode/##openvpn [+o krzee] by ChanServ
23:00 -!- krzee changed the topic of ##openvpn to: HowTo: http://openvpn.net/howto || | Your problem is probably your firewall. || you only use bridges when you need to communicate based on MAC address || lans behind openvpn? see !route || !menu
23:00 -!- mode/##openvpn [-o krzee] by krzee
23:00 -!- mode/##openvpn [+o krzee] by ChanServ
23:02 < syntaxx> krzee: the client os is winxp and the vpn server is freebsd
23:02 -!- krzee changed the topic of ##openvpn to: HowTo: http://openvpn.net/howto || Your problem is probably your firewall. || you only use bridges when you need to communicate based on MAC address || lans behind openvpn? see !route || !menu
23:02 -!- mode/##openvpn [-o krzee] by krzee
23:03 < krzee> disable windows firewall on tap adapter
23:03 < krzee> it will still run for the inet but should not interfere with the vpn
23:04 < syntaxx> krzee: the firewall is off
23:04 < krzee> reboot
23:04 < syntaxx> ok hold on
23:04 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
23:05 < krzee> you are pinging .6 right?
23:05 < krzee> from the server
23:06 < krzee> (assuming a x.x.x.0/24 with default topology =] )
23:07 < syntaxx> yes
23:10 < syntaxx> krzee: i already rebooted the machine and same thing
23:10 < krzee> !logs
23:10 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
23:18 < syntaxx> krzee: this is the client log http://pastebin.ca/1281365 and this is the server log http://pastebin.ca/1281366
23:42 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has quit ["Killed (rox (Requested by panasync))"]
23:44 -!- whaletales [n=Paul@5ad3b1fb.bb.sky.com] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Wed Dec 10 2008
00:03 < krzee> bleh he disappeared
00:04 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
00:05 -!- spike [n=spike@unaffiliated/spike] has joined ##openvpn
00:05 < spike> !menu
00:05 < vpnHelper> spike: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
00:06 < spike> !route
00:06 < vpnHelper> spike: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
00:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
00:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:49 < spike> I've got openvpn 2.0.9 working on debian etch with dev tun and server / routing setup. I can connect just fine everywhere I want from my client, but I do not seem to be able to ping my client from the remote side, I see incoming traffic but no replies are sent from my client. I've checked my firewall logs and there's nothing there
00:49 < spike> any idea why server->client connections fail?
00:54 < spike> and I can ping my client from another box on the lan, so not really a fw problem on my client
00:55 < krzee> could be firewall for the tun device
00:55 < spike> that's true, but as I said I did check the fw logs and there's nothing there about rejected incoming connections
00:56 < spike> connections icmp packets
00:56 < spike> lemme pull out the list of rules and see if there's any chance they are discarded silently
00:56 < krzee> well that does reek of firewall issue
00:56 < krzee> because it receives the replies from server
00:57 < spike> true that
00:57 < spike> I see udp packets tho, I havent confirmed they contain the icmp echo requests
00:57 < spike> but if I stop pinging I see no more traffic so I guess it's safe to assume they are
01:00 < krzee> right, because the firewall is not blocking the ethernet device
01:01 < krzee> but if you sniff inside the tunnel
01:01 < krzee> you wont see anything
01:01 < krzee> need an allow rule for that device like in the manual
01:01 < krzee> !factoids search lin
01:01 < vpnHelper> krzee: 'linipforward' and 'linnat'
01:01 < krzee> !factoids search fire
01:01 < vpnHelper> krzee: "dynamicfirewall" is to learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man)
01:01 < krzee> !factoids search fw
01:01 < vpnHelper> krzee: "bridge-fw" is in bridging mode you could still have a firewall handle who's doing what. On linux it's ebtables and reiffert says it's working great.
01:01 < krzee> bleh
01:01 < krzee> 1sec
01:02 < krzee> !factoids search *
01:02 < vpnHelper> krzee: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'configs', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum',
01:02 < vpnHelper> krzee: 'secure', 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 'irclogs', 'noenc',
01:02 < vpnHelper> krzee: 'iptables', 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', 'bridge-fw', 'linipforward', 'linnat', 'man', 'webgui', 'wintaphide', and 'topology'
01:02 < krzee> !forget ''
01:02 < vpnHelper> krzee: Error: There is no such factoid.
01:03 < krzee> !forget
01:03 < vpnHelper> krzee: (forget [<channel>] <key> [<number>|*]) -- Removes the factoid <key> from the factoids database. If there are more than one factoid with such a key, a number is necessary to determine which one should be removed. A * can be used to remove all factoids associated with a key. <channel> is only necessary if the message isn't sent in the channel itself.
01:05 < krzee> If you are using a Linux iptables-based firewall, you may need to enter the following command to allow incoming packets on the TUN device:
01:05 < krzee> iptables -A INPUT -i tun+ -j ACCEPT
01:06 < spike> brb, one sec, phone call
01:06 < krzee> !learn linfw If you are using a Linux iptables-based firewall, you may need to enter the following command to allow incoming packets on the TUN device: iptables -A INPUT -i tun+ -j ACCEPT
01:06 < vpnHelper> krzee: Invalid arguments for learn.
01:06 < krzee> !learn linfw as If you are using a Linux iptables-based firewall, you may need to enter the following command to allow incoming packets on the TUN device: iptables -A INPUT -i tun+ -j ACCEPT
01:06 < vpnHelper> krzee: Joo got it.
01:45 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
02:58 < simplechat> krzee, don't forget the output chain
03:03 < krzee> !linnat
03:03 < vpnHelper> krzee: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
03:04 < krzee> hrm i coulda sworn i made a full rule for linux firewall
03:04 < krzee> !firewall
03:04 < vpnHelper> krzee: Error: "firewall" is not a valid command.
03:04 < krzee> ahh
03:04 < krzee> !iptables
03:05 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
03:05 < krzee> thats the link i wanted!
03:06 < krzee> !learn linfw as [iptables]
03:06 < vpnHelper> krzee: Joo got it.
03:09 -!- tarbo [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
03:10 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
03:11 < krzee> simplechat, thanx =]
03:12 < simplechat> tis good :)
03:21 < robert_> what subnet mask would I use to forward 10.0.0.10 to 10.2.0.x clients?
03:26 < krzee> huh?
03:26 < reiffert> moin
03:26 < krzee> moin
03:27 < krzee> robert_, i dont understand the question
03:29 < robert_> kreg, Wed Dec 10 04:06:39 2008 Warning: address 10.0.0.10 is not a network address in relation to netmask 255.255.255.0
03:30 < krzee> is that an openvpn log
03:31 < krzee> !configs
03:31 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
03:31 < robert_> alright
03:32 < robert_> I'm using FreeBSD, and a ports compile of openvpn
03:32 < krzee> openvpn/ or openvpn-devel?
03:32 < robert_> openvpn/
03:32 < krzee> werd
03:33 < robert_> http://rafb.net/p/zli2nA71.html
03:33 < vpnHelper> Title: Nopaste - Server.conf (at rafb.net)
03:35 < reiffert> grep -vE '[^;^#]'
03:35 < krzee> bigboy-2:~ Jeff$ grep -vE '^#|^;' test
03:35 < krzee> blah blah
03:35 < reiffert> aerhm.
03:35 < reiffert> ^[;#]
03:35 < krzee> ya i just was doing that too
03:35 < krzee> heheh
03:35 < krzee> ooo nice
03:35 < krzee> ;]
03:35 < robert_> oh :p
03:36 < krzee> !forget configs
03:36 < vpnHelper> krzee: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
03:36 < krzee> !forget configs *
03:36 < vpnHelper> krzee: Joo got it.
03:37 < krzee> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^[#;]' client.conf`), also include which OS and version of openvpn.
03:37 < vpnHelper> krzee: Error: "#;" is not a valid command.
03:37 < reiffert> hahaha.
03:37 < krzee> !learn configs as dont forget to include any ccd entries
03:37 < vpnHelper> krzee: Joo got it.
03:37 < krzee> bleh
03:37 < krzee> !forget configs *
03:37 < vpnHelper> krzee: Joo got it.
03:37 < reiffert> ;]
03:38 < robert_> :P
03:38 < krzee> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^[#;]' client.conf`), also include which OS and version of openvpn.
03:38 < vpnHelper> krzee: Error: "#;" is not a valid command.
03:38 < krzee> !learn configs as dont forget to include any ccd entries
03:38 < vpnHelper> krzee: Joo got it.
03:38 < krzee> there
03:38 < krzee> still waiting for client.conf
03:38 < reiffert> !configs#
03:38 < reiffert> !configs
03:38 < vpnHelper> reiffert: Error: "configs#" is not a valid command.
03:38 < reiffert> !config
03:38 < vpnHelper> reiffert: "configs" is dont forget to include any ccd entries
03:38 < vpnHelper> reiffert: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
03:38 < robert_> client.conf? that's my server config :p
03:39 < krzee> !configs
03:39 < vpnHelper> krzee: "configs" is dont forget to include any ccd entries
03:39 < krzee> wtf
03:39 < reiffert> krzee: []
03:39 < reiffert> 10:39 < vpnHelper> krzee: Error: "#;" is not a valid command.
03:39 < krzee> oh bleh
03:39 < krzee> right
03:39 < krzee> !forget configs *
03:39 < vpnHelper> krzee: Joo got it.
03:39 < krzee> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^\[#;\]' client.conf`), also include which OS and version of openvpn.
03:39 < vpnHelper> krzee: Error: "#;\" is not a valid command.
03:39 < krzee> !forget configs *
03:40 < vpnHelper> krzee: Error: There is no such factoid.
03:40 < krzee> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn.
03:40 < vpnHelper> krzee: Joo got it.
03:40 < krzee> !learn configs as dont forget to include any ccd entries
03:40 < vpnHelper> krzee: Joo got it.
03:40 < krzee> robert_, i noticed
03:40 < robert_> yeah
03:40 < krzee> and that is why im still waiting on the other config
03:40 < robert_> oh
03:40 < robert_> moment heh
03:41 < reiffert> fix the toy, fix the toy!
03:42 < krzee> the [] thing is actually a feature
03:42 < krzee> [05:07] <krzee> !learn linfw as [iptables]
03:42 < krzee> [05:07] <vpnHelper> krzee: Joo got it.
03:42 < krzee> !linfw
03:42 < vpnHelper> krzee: "linfw" is (#1) If you are using a Linux iptables-based firewall, you may need to enter the following command to allow incoming packets on the TUN device: iptables -A INPUT -i tun+ -j ACCEPT, or (#2) "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F,
03:42 < vpnHelper> krzee: iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
03:43 < robert_> YAY idjit
03:43 < robert_> I just noticed something
03:43 < robert_> tun != tap
03:43 < krzee> !forget linfw *
03:43 < vpnHelper> krzee: Joo got it.
03:43 < robert_> but now sheet is timing out
03:43 < krzee> !learn linfw as [iptables]
03:43 < vpnHelper> krzee: Joo got it.
03:44 < reiffert> !learn foo as #;
03:44 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
03:44 < krzee> oooooo
03:44 < reiffert> !learn grep '^[foo]'
03:44 < krzee> no botlove!
03:44 < vpnHelper> reiffert: Error: "foo" is not a valid command.
03:45 < robert_> heh
03:45 < krzee> robert_, both are tun now right?
03:46 < robert_> both were tun
03:46 < robert_> the client is tap and the server is tun now
03:47 < krzee> umm
03:47 < krzee> make both tun
03:47 < robert_> (win client)
03:47 < reiffert> do as he says.
03:47 < krzee> and did i miss you pasting the client conf?
03:47 < krzee> windows has a tap device, it does tun emulation, the config gets entered as tun
03:47 < robert_> ah
03:48 < robert_> nope, nobody missed it :P
03:48 < robert_> I realized, 'Oh sheet, wrong type..' and switched it
03:48 < robert_> then reloaded the client
03:52 < robert_> another idiot mistake
03:52 < robert_> that I just corrected heh
03:52 < robert_> http://rafb.net/p/IZYFbQ19.html
03:52 < vpnHelper> Title: Nopaste - Client.ovpn (at rafb.net)
03:53 < krzee> 1b350b80-c688-11dd-a31a-a73d4ab0721b
03:53 < krzee> really!?
03:53 < krzee> thats the filename!?
03:53 < robert_> yup
03:53 < krzee> any chance thats also the common-name?
03:54 < robert_> very perceptive, commander :p
03:54 < robert_> wow
03:54 < robert_> I just quoted Mon Mothma
03:54 < robert_> heh
03:54 < krzee> i dont know who that is, but i bet you are getting an error in logs
03:54 < krzee> about your common name sucking
03:55 < robert_> nope
03:56 < robert_> only about the route
03:56 < krzee> ya i was wrong
03:56 < krzee> show me logs pls
03:56 < krzee> !logs
03:56 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
03:56 < robert_> yeah yeah
03:56 < krzee> verb 6
03:56 < robert_> I know :P
03:56 < robert_> oh
03:56 < robert_> 6
03:56 < robert_> alright
03:56 < krzee> haha
03:58 < robert_> http://rafb.net/p/mqe3eM53.html
03:58 < vpnHelper> Title: Nopaste - Client logs (at rafb.net)
03:59 < krzee> umm
03:59 < krzee> i think you're missing some
04:01 < krzee> at the point that paste ends everything is going great
04:01 < krzee> you just verified the server cert
04:01 < robert_> oh yeah
04:02 < krzee> i see you have 3 routes
04:02 < krzee> have you read this?
04:02 < krzee> !route
04:02 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:02 < robert_> http://rafb.net/p/eM1rNZ32.html
04:02 < vpnHelper> Title: Nopaste - More server logs (at rafb.net)
04:02 < krzee> because a route in server without an iroute is uncommon
04:02 < krzee> usually that would mean you meant push route
04:03 < krzee> see the writeup for more info
04:03 < robert_> hm
04:04 < robert_> I'm saving the two routes for other things
04:04 < robert_> so I'm not using those yet
04:05 < robert_> ohh
04:05 < robert_> alright
04:05 < krzee> actually you can never use route without iroute on a server
04:05 < krzee> cause it adds to its routing table but wont know which client to send to
04:06 < robert_> ah
04:06 < krzee> (writeup explains it)
04:06 < krzee> read the whole thing
04:06 < krzee> let me know if you dont get anything
04:12 < robert_> indeed
04:13 < robert_> my remote routes don't work
04:13 < robert_> damn
04:14 < robert_> but the server route works
04:15 < krzee> did you read it all?
04:16 < robert_> yeah
04:16 < robert_> I have push and route
04:16 < krzee> route 10.3.0.0 255.255.255.0
04:16 < krzee> route 10.4.0.0 255.255.255.0
04:16 < krzee> where is each?
04:17 < robert_> then I guess I'll comment out the ones I'm not using
04:17 < robert_> at least for now
04:17 < krzee> would make sense
04:17 < krzee> !configs
04:17 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:18 < krzee> when you change stuff, repaste and ill keep helping
04:18 < krzee> unless it works how you want it to
04:18 < krzee> is there a lan behind a client?
04:18 < robert_> yeah, but I don't want clients talking with each other
04:19 < krzee> then dont add client-to-client
04:19 < robert_> I didn't
04:19 < krzee> each client with a lan behind it needs a ccd with an iroute
04:20 < robert_> yeah
04:21 < robert_> I'm not doing the whole "big happy family" thing :P
04:21 < robert_> and yeah
04:21 < robert_> 10.0.0.x still times out
04:21 < krzee> where is 10.0.0.x?
04:21 < krzee> oh a push route
04:21 < krzee> that is the lan behind the server
04:21 < krzee> ?
04:21 < robert_> yes
04:22 < robert_> openvpn sits on the router
04:22 < krzee> is it the router of its LAN?
04:22 < robert_> yeah
04:22 < krzee> what os is it?
04:22 < robert_> FreeBSD
04:22 < robert_> two are BSD
04:22 < robert_> and one is xP
04:22 < robert_> XP*
04:22 < krzee> the server is BSD right
04:23 < robert_> yes
04:23 < krzee> what firewall?
04:24 < robert_> uh, pf
04:24 < krzee> !factoids search bsd
04:24 < vpnHelper> krzee: 'bsdnat', 'freebsd', and 'fbsdbridge'
04:24 < robert_> its nat
04:24 < robert_> !bsdnat
04:24 < vpnHelper> robert_: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
04:24 < robert_> er, we aren't using natd
04:24 < robert_> we're using pf
04:25 < robert_> to do our routing
04:25 < krzee> i didnt think pf for bsd does nat on its own
04:26 < krzee> ipf and ipfw never did
04:26 < robert_> we're using pf to do routing
04:26 < robert_> heh
04:26 < krzee> !freebsd
04:26 < vpnHelper> krzee: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
04:27 < krzee> doh
04:28 < robert_> ?
04:28 < krzee> basically
04:28 < krzee> !linfw
04:28 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
04:28 < krzee> see #3
04:29 < reiffert> did you find his problem?
04:29 < krzee> ya
04:29 < krzee> i think
04:29 < krzee> his push route is right, he is the router, so its his firewall
04:30 * krzee glances at the topic
04:30 < reiffert> :)
04:30 < krzee> hehe
04:31 < robert_> I'm not using a firewall, I keep telling you
04:31 < robert_> I don't have iptables installed
04:32 < krzee> [06:27] <robert_> we're using pf to do routing
04:32 < krzee> dont use those exact commands, do what they're saying in pf
04:32 < robert_> oh
04:32 < robert_> alright
04:32 < robert_> yay
04:33 < robert_> 5am bites me again
04:33 < robert_> oh
04:33 < robert_> DUH
04:33 < robert_> DUN DUN DUH
04:35 < krzee> ...?
04:35 < robert_> yeah nm
04:35 < robert_> 5am ftw
04:52 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
05:24 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has joined ##openvpn
05:24 < syntaxx> i can connect to my vpn server i can ping the server lan but i cant ping the other server within that lan any idea?
05:32 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
05:34 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has quit ["Read error: 666 (Connection reset by Satan)"]
05:37 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 60 (Operation timed out)]
06:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:48 < simplechat> hmmmm. so yeah, any way to get connections p2p?
06:48 < simplechat> rather than everything through the server
06:52 -!- Dennis84 [n=dennis@party4life.eu] has joined ##openvpn
06:53 < Dennis84> hey
06:53 < Dennis84> i have a question about vpn with tun and the routing to different subnetworks
06:54 < ecrist> great
06:54 < Dennis84> so
06:54 < Dennis84> my client network is 192.168.0.* and my vpn network is 10.1.1.1
06:54 < ecrist> before you go any further, take a look here:
06:54 < ecrist> !route
06:54 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
06:55 < Dennis84> ok, i read this
06:55 < Dennis84> thanks :)
07:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:45 < et> is there a way to get at vpnHelpers factoids in a query so you don't have to flood the channel?
07:45 < ecrist> pm the bot
07:47 < et> <vpnHelper> Error: "linfw" is not a valid command.
07:48 < et> tried that already ;)
07:48 < et> and it doesn't like trying around, because ...
07:48 < ecrist> try !factoids search *
07:49 < et> then i get the help for the factoids search command
07:49 < et> 081921 <vpnHelper> You've given me 5 invalid commands within the last minute; I'm now ignoring you for 10 minutes.
07:49 < et> it does not like me playing around, too ;)
07:49 < ecrist> ah, I don't have control to reset that.
07:49 < ecrist> !factoids search *
07:49 < vpnHelper> ecrist: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum', 'secure',
07:49 < vpnHelper> ecrist: 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 'irclogs', 'noenc', 'iptables',
07:49 < vpnHelper> ecrist: 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', 'bridge-fw', 'linipforward', 'linnat', 'man', 'webgui', 'wintaphide', 'topology', 'configs', and 'linfw'
07:50 < ecrist> !linfw
07:50 < vpnHelper> ecrist: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
07:50 < et> ecrist: that doesn't work in the query for me
07:50 < ecrist> msging the bot isn't working for me, either.
07:50 < ecrist> stupid bot
07:51 * ecrist pokes krzee
07:51 < ecrist> I could have written a better bot.
07:51 < Dennis84> ecrist: do you know if there is a difference to a mac?
07:51 < Dennis84> cause this is exactly what i did
07:51 < ecrist> Dennis84: what do you mean? I don't understand your questions.
07:52 < ecrist> s/s.$/./
07:52 < Dennis84> so, i try to tell the hole story
07:52 < Dennis84> whole
07:53 < Dennis84> i can connect to my vpn server and ping the server on 10.1.1.1
07:53 < Dennis84> behind my vpn server i have the lan 192.168.100.*, where my clients are... my clients can ping 10.1.1.1
07:53 < Dennis84> but the vpn clients cannot ping 192.168.100.*
07:54 < Dennis84> but i'm using a mac as vpn client, and i did exactly whats written in the howto
07:55 < Dennis84> so my question is, why can my lan clients ping 10.1.1.1, and my vpn client not the 192.168.100.* ?
08:03 < ecrist> do you have a firewall installed on the vpn server?
08:04 < ecrist> and no, there's nothing special about the mac in regards to openvpn
08:07 < Dennis84> theres a iptables firewall, yes
08:07 < ecrist> make sure that's not blocking the traffic
08:14 -!- spike [n=spike@unaffiliated/spike] has left ##openvpn ["bbl"]
08:42 < et> ecrist: you don't need to write that kind of bot, infobot-derivatives are available in hundreds ;)
08:42 < ecrist> et: the bot only needs about 200 lines of code.
08:42 < ecrist> not something with 10K lines and 45 features we'll never use
08:45 < ecrist> sometimes, the hosts I find browsing my webserver amaze me.
08:45 < ecrist> proxyout.lanl.gov
09:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
09:26 < plaerzen> morning irc
09:31 < ecrist> hey plaerzen
09:38 < imbezol> hello there. is anyone able to run openvpn with vista 64 bit?
09:38 < imbezol> i've tried the latest 32 bit tap driver and the 64 bit.. neither seem to work
09:40 < ecrist> imbezol: I've not had luck with it, but I don't have a lot of windows machines around to test.
09:40 < ecrist> are you running 2.0 or 2.1?
09:42 < imbezol> i tried 2.0.9 last
09:42 < imbezol> haven't tried 2.1
09:42 < ecrist> that would probably be your problem. iirc, there aren't any good 64bit drivers in 2.0
09:44 -!- flavour [n=FBoon@grail1.oxfam.org.uk] has joined ##openvpn
09:44 < imbezol> hmm.. i'll try the openvpn-2.1_rc15
09:44 < flavour> !menu
09:44 < vpnHelper> flavour: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
09:49 < flavour> Why does OpenVPN give the tun interface a 255.255.255.252 mask...is this normal?
09:49 < flavour> I'm getting no routes added to get to the other side
09:49 < flavour> Although I get MULTI: Learn
09:50 < flavour> MULTI: internal route
09:50 < flavour> coming up fine in console
09:52 < flavour> PUSH_REQUEST/ PUSH_REPLY is working
10:07 -!- tarbo [n=me@unaffiliated/tarbo] has joined ##openvpn
10:07 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:10 < flavour> Does 'tun' work on Win32? Win32 notes just discuss tap
10:10 < flavour> But I thought tap was just for bridging
10:16 < plaerzen> ecrist, so how you doing? Personally I'm a little stressed about this whole economy thing. I was talking to a friend in korea yesterday that just graduated. She was telling me that new grads can't find jobs in korea or china, and the unemployment rate is high. I don't really follow the news and whatnot much. But it kind of struck me yesterday. She can't even get a job.
10:34 -!- jeev [n=email@unaffiliated/jeev] has joined ##openvpn
10:35 < ecrist> plaerzen: while it's something to be a little stressed about, things will get better at some point. I'm not stressed a lot as I've a job in an industry that won't really be affected by the downturn. That being said, my personal business has been doing a ton of business despite the recession.
10:36 < ecrist> the lack of new jobs I'd blame on folks being a little tighter-fisted with their cash, which in my opinion, is a good thing overall.
10:45 < plaerzen> ecrist, I work in the oil and gas industry. I'm not too worried about my job as we have several very deep-pocket clients and even they aren't laying off. Slowing down? Sure. But so far our company seems to be ok.
10:46 < ecrist> early this year I started to do something I've never done - *save* money. That way, when all hell breaks loose, I'll have something left.
10:47 < plaerzen> Yeah, I'm broke right now. I should (and will) start saving money soon.
11:00 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
11:27 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has joined ##openvpn
11:39 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
11:39 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
11:48 < flavour> http://openvpn.net/archive/openvpn-users/2005-03/msg00705.html
11:48 < vpnHelper> Title: [Openvpn-users] OpenVPN 2.0-rc19 released (at openvpn.net)
11:48 < flavour> So pool subnets & static IP subnets have to be different?
12:07 -!- flavour [n=FBoon@grail1.oxfam.org.uk] has quit ["Leaving"]
12:31 -!- kreg [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection]
12:42 < SerajewelKS> using openvpn on windows vista, i have some pushed routes from the server. these are all rejected on the client with: ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=22]
12:42 < SerajewelKS> what can i do to resolve this error?
12:43 < SerajewelKS> there are no conflicting routes on this box
12:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 110 (Connection timed out)]
12:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:46 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:46 < SerajewelKS> ah, looks like i need 2.1
12:48 -!- robert_ [n=hellspaw@objectx/robert] has quit ["Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC."]
12:58 < krzee> !winroute
12:58 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up
13:16 -!- Dennis84 [n=dennis@party4life.eu] has left ##openvpn []
13:17 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit []
13:22 -!- whaletales [n=Paul@87-127-190-18.static-adsl.entanet.co.uk] has quit [Read error: 110 (Connection timed out)]
13:40 < reiffert> moin
13:40 < plaerzen> moin moin
13:42 < cpm> two bears are walking down the aisle in a grocery store, one remarks 'quiet in here today
13:43 < krzee> lol
13:50 < jeev> you guys know a good network scanner
13:51 < krzee> nmap
14:08 < jeev> i meant twain based
14:08 < jeev> ;D
14:08 < reiffert> what?
14:09 < reiffert> ah. brother got very nice network multifunctional printer/scanner stuff.
14:09 < reiffert> nice as in working.
14:10 < reiffert> working as in lan/wlan, multi protocol access, multi os.
14:10 < reiffert> and well, a network scanner is the opposite of "twain based"
14:10 < reiffert> however, it might support such illness.
14:24 < doke> If anybody here is looking for a part time job... My company would like to exploit OpenVPN on Symbian so.... if someone is willing to contribute? I'm talking about a Swiss company
14:24 < doke> I can suggest $3.500k for the job?
14:24 < doke> :S
14:24 < doke> 3,5$ is more reasonable ;)
14:24 < doke> 3,5k
14:25 < krzee> exploit, or make?
14:25 < doke> exploit in the sens of
14:25 < doke> use
14:25 < doke> exploiter in french means make use of and I translated it wrong
14:25 < krzee> doke, i suggest relaying that to the mail lists
14:25 < krzee> the main thing needed is tuntap
14:25 < doke> good idea
14:25 < doke> thanks a lot
14:26 < krzee> oh ok exploit online is often used for "hack"
14:26 < krzee> hehe
14:26 < krzee> !mail
14:26 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978
14:26 < krzee> send to both users and dev
14:26 < jeev> got a really good network multifunctional
14:26 < jeev> but it's not twain
14:26 < jeev> it sucks
14:26 < jeev> its a 15k device
14:26 < krzee> theres likely people who want to do it but its a ton of work so the $$ offer might convince them
14:27 < krzee> in fact it was recent conversation
14:27 < doke> thanks krzee
14:28 < krzee> I'm interested in the iPhone project you mentioned. I had considered
14:28 < krzee> porting to iPhone and blackberry, but havent had the time (and blackberry is
14:28 < krzee> java-based so I don't know if there will be suitable support).
14:28 < krzee> Back on the main topic, it is doable without the TAP driver-- one place I
14:28 < krzee> had worked did something similar in user mode -- but it involved a _lot_ of
14:28 < krzee> user-mode hooking to trap all the network IO calls to do in user-space what
14:28 < krzee> would similarly be done in kernel space with the driver (although at a very
14:28 < krzee> different point in the protocol stack).
14:28 < krzee> -Dave
14:28 < krzee> from dec 5th
14:28 < krzee> it wasnt symbian, but its relevant to the handheld topic
14:29 < krzee> Subject: Re: [Openvpn-users] Openvpn client 2.1 in WEB/APPLET mode
14:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:55 < doke> krzee: thanks a lot for your support
14:55 < doke> I'll have a look at all you mentionned. I subscribed to the mailing list
15:51 < reiffert> 50% payment after contract has been made, 50% when success?
15:55 < reiffert> under the bsd license?
15:56 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:56 < Dougy> http://www.ovpnforum.com/viewtopic.php?f=6&t=15&sid=41e7d521b75dbdf5f70b8c1c430f6f7d
15:56 < vpnHelper> Title: OpenVPN Forum View topic - push "push "redirect-gateway... (at www.ovpnforum.com)
15:57 < reiffert> and a free symbian development device (hardware)
15:57 < reiffert> doke: sounds intresting? privmsg me.
15:57 < reiffert> Good night.
15:58 < Dougy> krzie: ring ring ring ding
15:58 < Dougy> ecrist: you too
16:02 < krzie> hey
16:02 < krzie> sup?
16:02 < et> is there a way to exclude an ip from a range for routing?
16:03 < krzie> et, for what?>
16:04 < Dougy> krzie: see link
16:04 < Dougy> :p
16:04 < krzie> heh alright
16:04 < Dougy> err
16:04 < Dougy> i forgot the word please
16:04 < Dougy> :o
16:04 < krzie> hey it looks nice
16:04 < Dougy> please see link
16:04 < et> krzie: routing seems to break when the openvpn server is in the ip range
16:04 < Dougy> what dose
16:04 < Dougy> does*
16:04 < krzie> (the forum)
16:04 < Dougy> h
16:04 < Dougy> yeah i think so
16:04 < krzie> et
16:05 < krzie> !configs
16:05 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:06 < Dougy> krzie: its been dead lately
16:06 < Dougy> there were a few signups every day or two
16:06 < Dougy> now its not even
16:06 < Dougy> EVERYONE JOIN FORUM NOW PLZ KTHX
16:07 < et> krzie: http://nopaste.com/p/afuMCLd0qb is the client config, it works the way that is pasted (when i visit the machine 130.83.32.161 i get routed over the vpn), when i comment that route line and uncomment the 130.83.0.0/16 route, it breaks
16:08 < et> http://nopaste.com/p/aXxqtrUHib is the server config
16:10 < et> (the server is in that range, i suspect that is the reason for the breakage)
16:10 < krzie> ya, thats the reason
16:11 < krzie> if you really need it how you're trying for (which is odd to me)
16:11 < krzie> you can make a more specific route for the single ip to flow through its orig gateway
16:12 < krzie> is 130.83.0.0 255.255.0.0
16:12 < krzie> all the same lan?
16:12 < Dougy> i want a /22
16:12 < Dougy> even a /25
16:13 < et> it's the university network, many subnets ... the reason for that is that many things have an ip-range check, so only clients from within the university network can reach them
16:13 < krzie> ahh
16:14 < krzie> ahh, understood
16:14 < et> so i want to route the traffic to the university machines through my office at the university
16:14 < krzie> ok so ya do what i said
16:14 < Dougy> et: what uni
16:14 < krzie> is your school gateway always the same?
16:14 < et> yes, it's my desktop machine there (public, static ip)
16:15 < et> Dougy: tu darmstadt in germany
16:15 < krzie> i mean same ip
16:15 < krzie> oh duh you said static
16:15 < krzie> coffee is still kicking in ;]
16:16 < krzie> net_gateway -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).
16:16 < krzie> so route 130.83.165.195 net_gateway
16:16 < krzie> before the commented route command
16:17 < krzie> that should fix you up
16:17 < et> Wed Dec 10 23:18:17 2008 OpenVPN ROUTE: failed to parse/resolve route for host/network: 130.83.165.195
16:18 < krzie> what os?
16:18 < et> mac os
16:18 < et> linux on the server
16:18 < krzie> whats your existing default gateway on osx?
16:18 < krzie> try adding the route manually
16:18 < et> but i can figure it out now, thank you
16:18 < krzie> if that fixes it, make an --up script
16:19 < krzie> the up script can find the gateway and build a route command
16:19 < krzie> and i already have the code to find the GW
16:19 < krzie> lemme grab it from my NStun script
16:20 < krzie> GW=`netstat -rn|grep -v Gateway|grep G|awk '{print $2}'`
16:20 < krzie> route add 130.83.165.195 -gateway $GW
16:20 < krzie> as stolen from http://www.doeshosting.com/code/NStun.sh
16:21 < krzie> (not openvpn related)
16:21 < et> route -n get default | grep gateway: | awk '{print $2}' was what i just came up with
16:22 < krzie> whatever works for you =]
16:22 < krzie> ive tested mine
16:22 < krzie> but im sure theres more than one way to skin a cat so to speak ;]
16:23 < krzie> basically the same thing
16:23 < et> yours works too
16:23 < krzie> ya osX is my main desktop
16:31 < Dougy> hm
16:31 < Dougy> i haet how bsd and linux cli are different
16:31 < Dougy> that command doesnt work on my centos or debian but on freebsd yes
16:32 < krzie> what command?
16:32 < krzie> GW=`netstat -rn|grep -v Gateway|grep G|awk '{print $2}'` should still work fine in linux
16:32 < krzie> the route command would be different tho
16:32 < krzie> as seen in my script i posted
16:32 < krzie> (which supports linux, osx, bsd)
16:33 < krzie> linux would be route add default gw $GW
16:33 < krzie> but switch default for the ip
16:33 < krzie> and you can blame linux for them being different
16:33 < krzie> since bsd followed the orig unix, and GNU did things their own way
16:34 < krzie> reiffert helped me fix a sed difference in ssl-admin today
16:34 < krzie> i have 1 more change to make and ssl-admin will work fine in linux
16:34 < et> well, i miss some of the GNU things on os X ;)
16:34 < krzie> i wouldnt know what to miss, im a bsd guy
16:35 < krzie> i find the differences when i write a script on bsd or osx then test in linux
16:35 < krzie> hehe
16:35 < Dougy> no it does not krzie
16:35 < krzie> like sed -i, in bsd you must specify the backup file or "", in linux its optional and wont take ""
16:35 < Dougy> doug@pc003:~$ route -n get default | grep gateway: | awk '{print $2}'
16:35 < Dougy> Usage: route [-nNvee] [-FC] [<AF>] List kernel routing tables
16:36 < krzie> thats not what i gave you dougy
16:36 < krzie> that was et's
16:36 < krzie> mine works on both
16:36 < krzie> his does not
16:36 < krzie> <krzie> GW=`netstat -rn|grep -v Gateway|grep G|awk '{print $2}'` should still
16:36 < krzie> work fine in linux
16:36 < krzie> do you see route -n anywhere there?
16:37 < krzie> !man
16:37 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:37 < krzie> (that is for the forum post im making)
16:37 < et> krzie: i miss the specify-options-anywhere thing
16:37 < et> rm foo -f
16:38 < krzie> i didnt know that worked anywhere
16:38 < et> gnu tools don't care where options are
16:38 < et> (unless they are after a --)
16:38 < krzie> werd
16:39 < et> well, not valid for all of them, but most
16:40 < et> and when you've grown up with it, you get used to it
16:41 < reiffert> et: port install coreutils
16:41 < reiffert> et: and there you have *all* the fancy gnu stuff on osx.
16:42 < reiffert> macports
16:42 < Dougy> oh
16:42 < Dougy> krzie, my b
16:42 < Dougy> haha
16:44 < krzie> reiffert, ya i love that
16:44 < krzie> things like ettercap running locally on X
16:45 < krzie> tis very nice
16:50 < krzie> nayone have bsd/osx and or linux box on dhcp?
16:50 < krzie> anyone i mean
16:50 < krzie> i want to find a command to find the dhcp server
16:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:08 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
17:10 < krzie> dougy, replied
17:15 < Dougy> cool stuff
17:16 < Dougy> i think the forum looks nice pesronally
17:16 < Dougy> s/pesronally/personally/
17:17 < bsdbandit> im having an issue starting openvpn i took a look at the logs and here is what there are showing me http://pastebin.com/m65f8c996
17:17 < bsdbandit> im not sure what else to try can someone help me out on this one
17:20 < Dougy> !configs
17:20 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:21 < Dougy> that's not enough of anything
17:33 < krzie> bsdbandit, when you post logs use verb 6 and post the whole log
17:33 < krzie> but perhaps seeing the configs like dougy said is the best first step
17:35 < bsdbandit> ok krzie im going to repost my logs right now
17:37 < Dougy> beeeeeeeeer
17:42 < krzie> dougy, wanna unhide my admin status on the forum?
17:42 < krzie> its a lil weird i answer most the questions and im junior member
17:42 < krzie> lol
17:43 < Dougy> haha
17:43 < krzie> not that i really care
17:43 < Dougy> uhh, if i remember admin login..
17:43 < Dougy> if you want
17:43 < Dougy> let me try and find logins
17:43 < krzie> ahh i thought it was easy
17:44 < krzie> forget bout it, it dont matter
17:44 < Dougy> nono
17:44 < Dougy> i need to find it anyway
17:44 < Dougy> lol
17:45 * Dougy resets admin@openvpn.com password
17:46 < Dougy> got it
17:48 < Dougy> now to figure out how to do that
17:50 < Dougy> krzie: can you get int othe acp
17:50 < Dougy> into the acp
17:51 < krzie> acp??
17:51 < Dougy> admincp
17:51 < Dougy> not sure if i did or if eric did, but you're set to founder
17:51 < krzie> dunno
17:52 < krzie> yes
17:55 < krzie> cant change rank in user admin tho
17:56 < plaerzen> you guys are krzie
17:57 < plaerzen> guy
17:57 < krzie> ;]
17:57 < plaerzen> anyway - I'm heading out for the day. C ya folks tomorrow
17:57 < krzie> moin
17:57 < krzie> ahh, later
17:57 < plaerzen> haha, moin ;)
17:57 * plaerzen lurks mostly.
17:57 < bsdbandit> im having an issue starting openvpn i took a look at the logs and here is what there are showing me http://pastebin.com/m747bb28f
17:58 < krzie> that is not a complete logfile
17:58 < bsdbandit> openvpn hangs on the TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
17:58 < bsdbandit> hey kzie thats where is starts
18:00 < bsdbandit> that is the whole log file
18:00 < bsdbandit> thats all it shows
18:01 < krzie> thats where it starts, but there should be a lot more after
18:01 < krzie> comment mute, be sure both sides are on verb 6, and post both
18:01 < krzie> !logs
18:01 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
18:02 < krzie> and as dougy said,
18:02 < krzie> !configs
18:02 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:03 < bsdbandit> the server will not start im trying to troubleshooting the server.conf
18:03 < bsdbandit> nothing to do with the client
18:03 < krzie> then post the server.conf
18:03 < Dougy> stop ringing meeeeeeee
18:03 < bsdbandit> ok
18:04 < Dougy> hahaha
18:04 < Dougy> jk
18:04 < bsdbandit> 1 sec
18:04 < krzie> dougy dougy dougy
18:04 * Dougy nut checks krzie
18:04 < krzie> hi ;]
18:04 * Dougy runs like the wind
18:07 < bsdbandit> ok krize http://pastebin.com/m3d434dba
18:07 < bsdbandit> thats my server.conf file
18:07 < krzie> !configs
18:07 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:07 < krzie> why dont you read that again
18:07 -!- whaletales [n=Paul@5ad0fd54.bb.sky.com] has joined ##openvpn
18:07 < krzie> then repost the way i can read it
18:08 < krzie> (with comments removed, you can use `grep -vE '^#|^;'
18:08 < krzie> client.conf`)
18:08 < bsdbandit> you talking to me
18:08 < krzie> yes, read !configs again
18:08 < krzie> it said to remove comments
18:08 < krzie> even told you how
18:08 < bsdbandit> my fault
18:08 < bsdbandit> sorry about that
18:08 < bsdbandit> :)
18:08 < krzie> np
18:08 < bsdbandit> 1 sec
18:08 < krzie> ;]
18:11 < Dougy> krzie: stop winking
18:11 < Dougy> i'm getting a bit unnerved
18:11 < krzie> ok ;]
18:11 < Dougy> im gonna beat you man
18:12 < krzie> *zip*
18:12 < Dougy> im gonna fly to wherevermerica and come kick your ass
18:12 < krzie> you better be damn well trained if you want a shot at that
18:13 < Dougy> dude
18:13 < krzie> in fact next time in NY ill give you a shot at that if you ever want, but we'll be friends after no matter what happens ;]
18:13 < Dougy> i'm tony jaa
18:13 < krzie> i love fighting
18:13 < Dougy> me too
18:13 < Dougy> i'm a beast
18:13 < Dougy> i can take everyone in this channel at once
18:13 < krzie> not me, i just know how to do it well
18:13 < krzie> im not very big or anything
18:13 < Dougy> ok maybe not
18:14 < Dougy> i'm tall and lanky
18:14 < Dougy> therefore
18:14 < Dougy> i lack strength and speed
18:14 < Dougy> lol
18:14 < krzie> lanky = easy to take to the ground
18:14 < Dougy> 6'1 135
18:14 < Dougy> i'm probably very easy to throw around
18:14 < krzie> 5'10" 170
18:15 < krzie> and trained in jui jitsu, tai kwon do, was a wrestler, and grew up fighting in california
18:15 < Dougy> nice
18:15 * Dougy fights dirty
18:16 < Dougy> i'll just use a weapon and be done
18:16 < krzie> ive done that plenty of times, buty wouldnt if fighting a friend for fun
18:16 < krzie> thats only when its serious
18:21 < Dougy> yeah
18:21 < Dougy> my dad has a big mag lite in his car
18:21 < Dougy> he'll just split your head open and leave
18:21 < Dougy> he doesnt fight fight
18:23 < krzie> somehow you went from being a beast to needing weapons
18:23 < ecrist> lol
18:24 < ecrist> Dougy: when are you going to clean up the forum to look like an OpenVPN forum?
18:24 < ecrist> Dougy: next time we meet in a dark alley...
18:24 < ecrist> <- 6'2" 280lbs, former US Army. ;)
18:25 < Dougy> haha
18:25 < krzie> thats a size ild opt for weapons against
18:25 < krzie> ;]
18:25 < Dougy> ill bring my girlfriend's brothers
18:25 < Dougy> me too
18:25 < Dougy> @ krzie
18:26 < Dougy> ecrist: i'll sic my gf's brothers on you
18:26 < Dougy> they're 6'6+ and both 400
18:26 < Dougy> lol
18:26 < Dougy> 400lb
18:26 < Dougy> or damn close
18:26 < krzie> dougy, you went from being "a beast" to needing weapons against me and backup against eric
18:26 < Dougy> haha
18:26 < krzie> should prolly just stick to being nice to people ;]
18:26 < Dougy> krzie: i'm just pretending to be tough
18:26 < Dougy> jesus im a sissy you should be able to tell
18:27 < ecrist> Dougy: at that size, I doubt they're much of a challege. too big == slow and cumbersome.
18:27 < krzie> hahah
18:27 < krzie> agreed
18:27 < Dougy> ecrist: with all your muscle
18:27 < Dougy> you couldnt move them
18:27 < Dougy> lol
18:27 < krzie> i used to be able to take our heavyweight in wrestling
18:27 < krzie> he wasnt quick enough
18:27 < Dougy> its moving a car
18:27 < Dougy> or bus
18:27 < Dougy> +
18:27 < krzie> and i was small
18:27 * Dougy bought a weight set yesterday
18:27 < Dougy> i need to put on a little bit of muscle man
18:27 < krzie> get him off balance, use his weight how you want it to go
18:27 < Dougy> i'm pathetically weak
18:28 < Dougy> its embarrassing
18:28 < ecrist> honestly, a guy, 5'11"+, 190lbs or so, well trained, would be hard to beat
18:28 < krzie> thing is with eric, hes that big and trained
18:28 < krzie> harder to get a well trained person off balance before they take some offensive
18:28 < krzie> ecrist, totally... my best friend is like 160 and 5'11", ex army ranger
18:29 < krzie> he is a badass
18:29 < ecrist> heh, I don't mess with rangers, or marines (no matter their size)
18:29 < Dougy> haha
18:29 < Dougy> my friend matt is a marine
18:29 < krzie> ive seen him take out HUGE and BADASS guys
18:29 < Dougy> my boy
18:29 < krzie> he choked out some dude named the lumberjack at his bar in san diego
18:29 < krzie> after catching a matrix like punch in his hand
18:29 < krzie> moving his head to the side, looking at it, while he caught it
18:30 < krzie> i was there saying DAAAAAAMN
18:30 < Dougy> haha
18:30 * Dougy feels like such a pansy right now
18:30 < Dougy> it was a bitch for me to carry the 100lb box of weights into my basement
18:30 < krzie> haha
18:30 < krzie> well thats almost your weght
18:30 < krzie> weight
18:31 < ecrist> see, the difference between 99% of typical martial arts, and most generic military training is it's *defensive* - folks who are in forward positions in the military, are trained to *really* hurt you. *by really hurt, I mean kill
18:31 < krzie> no worries you're young, you'll grow into the frame
18:31 < krzie> ecrist, tru
18:31 < krzie> we were held up at gunpoint once
18:31 < krzie> my boy got the gun
18:31 < krzie> i woulda stood there
18:31 < krzie> he just took the thing
18:31 < krzie> haha
18:31 < ecrist> lol
18:32 < krzie> looked like he was gunna break dudes arm too
18:32 < krzie> shit was so fast
18:32 < krzie> i mean we trained a lot together, but the army taught him some serious shit
18:32 < krzie> especially as far as reaction time goes
18:32 < krzie> before he could finish saying GUN, he almost had it
18:32 < krzie> hah
18:34 < ecrist> lol
18:35 < krzie> oh and that was while diving over the bar
18:35 < krzie> not face to face
18:35 < krzie> needless to say, that guy got the piss beat out of him
18:36 < ecrist> I killed a mouse once, with my bare hands.
18:36 * ecrist is hard core.
18:36 < krzie> lol
18:36 < krzie> my best friend is hardcore, im just a normal guy from my area
18:36 < Dougy> afk karate
18:38 < bsdbandit> hey krzie http://pastebin.com/m183f4626
18:39 < krzie> now remove mute 20
18:40 < krzie> change verb to 6 (as i told ypou like 4 times)
18:40 < krzie> and repost a COMPLETE log
18:40 < krzie> at least i could swear i told you that
18:56 < bsdbandit> you did
18:56 < bsdbandit> its my fault for real
18:57 < bsdbandit> i had a bad day just trying to work through it
18:57 < bsdbandit> http://pastebin.com/m49e2deb3
18:57 < bsdbandit> check it out krzie
18:57 < krzie> i know those days ;]
18:58 < krzie> what makes you think theres a problem?
19:07 < bsdbandit> so what do you see
19:07 < bsdbandit> ?
19:07 < krzie> it looks fine to me
19:07 < krzie> <krzie> what makes you think theres a problem?
19:10 < krzie> if theres nothing after that, i dont see why you think its not working
19:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
19:33 < krzie> ??
19:38 < ecrist> krzie: I've got a rudimentary wiki install at the new URL
19:38 < ecrist> I've also done some URL rewriting, so they're a bit cleaner
19:40 < krzie> nice
19:45 < Dougy> FUCKG A
19:45 * Dougy is back
19:45 * Dougy grunts
19:45 < ecrist> o.O
19:45 < krzie> keep cussing imma tell your mom
19:45 < Dougy> fuck that
19:45 < Dougy> if my mom gets hit by a train i'll probably luagh
19:45 < Dougy> laugh
19:46 * Dougy shrugs
19:46 < Dougy> i feel like such a teenage rebel saying i hate my mother at the moment
19:46 < ecrist> Dougy: did you create an openvpn-esk logo yet?
19:46 < Dougy> no i did not
19:47 < krzie> ecrist, nailed down the sed issue
19:47 < krzie> gnu sed treats -i differently
19:48 < ecrist> oh, yeah, forgot about that.
19:48 < krzie> commited updated configure script
19:48 < krzie> just need to mod the sed -i out of the Makefile
19:48 < krzie> which prolly takes another mod to the configure script
19:48 < krzie> like SEDCMD
19:48 < ecrist> yeah, prolly
19:49 < Dougy> ecrist: i dont do gfx
19:49 < Dougy> ill probably hire my friend to make one or something
19:49 < krzie> reiffert suggested losing configure and Makefile all together and just using install.sh
19:50 < krzie> Dougy, or we could solicit help from the community
19:50 < krzie> someone somewhere uses openvpn and makes graphics and would like to help
19:50 < krzie> all you gotta do is find them
19:52 < Dougy> we could do that too
19:52 < Dougy> by we i mean i i guess
19:53 < ecrist> krzie: would rather stick with Makefile, as it's called with freebsd ports tree, and is the standard way to do things.
19:54 < krzie> werd
19:54 < krzie> me to, but for completely diff reason
19:54 < krzie> its already made that way, works, and im lazy
19:54 < ecrist> well, for the wiki, I just used my padlock I have for the SCN wiki
19:54 < ecrist> lol
20:18 -!- Dryanta [i=dryanta@dev.hockingits.com] has joined ##openvpn
20:18 < Dryanta> halp plz
20:19 < Dryanta> Wed Dec 10 18:19:23 2008 us=128654 write UDPv4: No buffer space available (code=55)
20:19 < Dryanta> Wed Dec 10 18:19:23 2008 us=129011 write UDPv4: No buffer space available (code=55)
20:19 < Dryanta> mbufs arent full, they are talking to each other
20:19 < Dryanta> mtu is right on both sides
20:19 < Dryanta> ???
20:19 < Dryanta> 2.0.6 on both ends too
20:22 < krzie> hey dry
20:22 < krzie> hos it been
20:23 < krzie> hows
20:24 < krzie> No buffer space available is reported by the kernel network layer when the
20:24 < krzie> kernel's transmit buffer is full - i.e. the network connection is running at
20:24 < krzie> full speed, and there's no space for more. This means that something is
20:24 < krzie> filling it, such as other OpenVPN requests, or simultaneous traffic. When this
20:24 < krzie> happens, the UDP packet is dropped, and the traffic is shaped to the size of
20:24 < krzie> the pipe it is travelling on.
20:25 < krzie> first hit from:
20:25 < krzie> !google No buffer space openvpn code=55
20:25 < vpnHelper> krzie: [Openvpn-users] OpenBSD errors - write UDPv4: No buffer space ...: <http://openvpn.net/archive/openvpn-users/2007-02/msg00103.html>; Re: [Openvpn-users] OpenBSD errors - write UDPv4: No buffer space ...: <http://openvpn.net/archive/openvpn-users/2007-02/msg00104.html>; [pfSense Support] OpenVPN - No Buffer Space Available: <http://www.mail-archive.com/support@pfsense.com/msg08799.html>
20:26 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 104 (Connection reset by peer)]
20:27 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
20:39 < Dryanta> but
20:39 < Dryanta> no mbufs
20:40 < Dryanta> i looked at that already
20:40 < Dryanta> doesnt describe my problem
20:40 < krzie> even the mail messages say low mbufs
20:40 < Dryanta> $ netstat -m
20:40 < Dryanta> 184/716/900 mbufs in use (current/cache/total)
20:40 < Dryanta> 173/405/578/25152 mbuf clusters in use (current/cache/total/max)
20:40 < Dryanta> 172/340 mbuf+clusters out of packet secondary zone in use (current/cache)
20:40 < Dryanta> 0/0/0/12576 4k (page size) jumbo clusters in use (current/cache/total/max)
20:40 < krzie> but they dont offer a fix
20:40 < Dryanta> 0/0/0/6288 9k jumbo clusters in use (current/cache/total/max)
20:40 < Dryanta> 0/0/0/3144 16k jumbo clusters in use (current/cache/total/max)
20:40 < Dryanta> 394K/989K/1383K bytes allocated to network (current/cache/total)
20:40 < Dryanta> 0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
20:40 < krzie> DUDE
20:40 < Dryanta> 0/0/0 requests for jumbo clusters denied (4k/9k/16k)
20:40 < Dryanta> 0/0/0 sfbufs in use (current/peak/max)
20:40 < krzie> !pastebin
20:40 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
20:40 < Dryanta> 0 requests for sfbufs denied
20:40 < Dryanta> 0 requests for sfbufs delayed
20:40 < Dryanta> 0 requests for I/O initiated by sendfile
20:40 < Dryanta> 0 calls to protocol drain routines
20:40 < Dryanta> well mbufs are obviously not the problem
20:41 < krzie> dude
20:41 < krzie> PASTEBIN
20:41 < Dryanta> understood
20:41 < Dryanta> mbufs still obviously arent the problem
20:42 < krzie> what os?
20:43 < krzie> seems most with your issue are obsd
20:43 < Dryanta> freebsd
20:44 < Dryanta> and openvpn is the issue, because nothing else is broken and i use all sorts of stuff :)
20:44 < krzie> any resources being eaten?
20:44 < krzie> cpu, ram, filehandles, HD space?
20:44 < krzie> i believe you, i seen you helping in #freebsd i know you arent new
20:45 < krzie> but that error doesnt come from openvpn
20:45 < krzie> its actually your kernel handing it to ovpn
20:45 < krzie> not to say its not openvpn related
20:45 < krzie> just where the error 55 comes from
20:46 < krzie> im looking on google for more info, i cant read my email archives til im home on my laptop
20:46 < Dryanta> im probably just going to leave and fix it remotely
20:47 < Dryanta> thanks for the help buddy
20:47 < Dryanta> ill work on it from the airport bar for a minute :D
20:47 < ecrist> Dryanta: no buffer space is a firewall issue, usually
20:47 < krzie> whoa i never seen that one eric
20:48 < krzie> from firewall keeping state or something?
20:48 < ecrist> krzie: trying pinging from a FreeBSD jail without security.jail.allow_raw_sockets
20:48 < Dryanta> ill try not keeping state on that pf entry
20:52 < krzie> also feel free to post:
20:52 < krzie> !configs
20:52 < krzie> !logs
20:52 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:52 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
20:52 < krzie> and i can look them over and maybe catch you later when you're back
20:53 < ecrist> krzie: create an account on the new wiki when you have time, I'll make you an Op on the board.
20:53 < krzie> k
20:54 < krzie> ill do it from home so i can use my real email
20:54 < krzie> its just s...-c....net/openvpn ?
20:54 < krzie> haha ya im that lazy
21:08 -!- whaletales [n=Paul@5ad0fd54.bb.sky.com] has quit [Read error: 104 (Connection reset by peer)]
21:11 < ecrist> yes, it is
21:11 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
21:16 < krzie> eric
21:16 < krzie> Sending configure
21:16 < krzie> svn: Commit failed (details follow):
21:16 < krzie> svn: File or directory 'configure' is out of date; try updating
21:16 < krzie> svn: resource out of date; try updating
21:16 < krzie> i need to update configure and Makefile
21:16 < krzie> to fix linux
21:21 < krzie> nm fixed it
21:22 < krzie> ok there
21:22 < krzie> this should work fine on linux now
21:22 < krzie> update the tgz in the wiki?
21:25 < krzie> reiffert, ya here??
21:30 < bsdbandit> ?
21:30 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit ["leaving"] 21:36 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 21:38 < krzie> hrm now theres a difference in linux install 21:40 < krzie> install -C -g wheel -o root -m 0660 -S -v ssl-admin.conf /etc/ssl-admin/ssl-admin.conf.default 21:40 < krzie> install: invalid option -- C 21:44 < krzie> hey eric 21:44 < krzie> i can make it -c 21:44 < krzie> BSD will still copy, gnu will ignore 21:44 < krzie> works for you? 21:54 < krzie> well if it doesnt let me know, i commited it 21:54 < krzie> got someone testing it 22:04 < ecrist> ok 22:04 < ecrist> I'll review the commits tomorrow 22:05 < ecrist> g'night 22:09 < krzie> gnite 23:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Thu Dec 11 2008 00:22 -!- paruchuri [n=paruchur@61.16.248.247] has quit [Read error: 60 (Operation timed out)] 00:40 < reiffert> moin 00:47 < krzee> moin 00:49 < oc80z> hi #openview. 00:50 -!- syntaxx [n=patrick@unaffiliated/syntaxx] has joined ##openvpn 00:50 < oc80z> hi syntaxx 00:50 < syntaxx> hi oc80z 00:50 < krzee> wassup man 00:51 < oc80z> hey krzee 00:51 < syntaxx> krzee: i am able to make it work however i cant ping other server in the lan 00:51 < syntaxx> krzee: though i can already access them.. is it possible to connect multiple client? 00:51 < krzee> lan behind server or client? 00:51 < syntaxx> lan behind the server 00:51 < krzee> is the server the router for its lan? 00:51 < syntaxx> yes 00:52 < krzee> paste firewall rules 00:52 < syntaxx> the server is the router running openvpn 00:52 < syntaxx> hold on 00:52 < krzee> so the lan points at the server for their default route, right? 00:52 < syntaxx> yes 00:52 < krzee> k 00:52 < syntaxx> krzee: do i need to nat the vpn tun0? 00:53 < krzee> are clients using redirect-gateway? 
00:53 < syntaxx> nope 00:53 < krzee> then no 00:53 < krzee> it can be done with nat, but its ugly to me 00:53 < krzee> you can do that if you want tho 00:54 < syntaxx> ok 00:54 < syntaxx> hold on 00:54 < krzee> but to do it with routing right is better, but your firewall has to allow it 00:54 < krzee> !iptables 00:54 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 00:54 < krzee> !learn firewall as please see http://openvpn.net/man#lbBD for more info 00:54 < vpnHelper> krzee: Joo got it. 00:55 < syntaxx> im using freebsd 00:55 < syntaxx> also another question.. can i possible connect multiple client? 00:56 < krzee> right but the link i just put for !firewall tells you what you need 00:56 < krzee> !firewall 00:56 < vpnHelper> krzee: "firewall" is please see http://openvpn.net/man#lbBD for more info 00:56 < krzee> that tells you the rules you need, and an example for linux 00:57 < krzee> for bsd you change your firewall to allow the same stuff, just do it the fbsd way 00:57 < krzee> pf 00:57 < syntaxx> ok 01:25 < syntaxx> !route 01:25 < vpnHelper> syntaxx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:27 < syntaxx> !menu 01:27 < vpnHelper> syntaxx: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 01:30 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 01:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 01:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:51 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has joined ##openvpn 04:07 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read 
error: 110 (Connection timed out)] 04:10 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 04:17 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn 04:27 < doke> sory to bother with something that isn't really related to OpenVPN but... can anybody tell me how I'm supposed to route the subnet I just received? 04:27 < doke> the first phrase is ok... But the fact that my 79.x.x.0/24 is routed to those IP doesn't tell me how to actually route them to my vpn clients (using openvpn). I can't mount an interface with the IPs in this new range although it works with the ip 80.x.x.170 with no pb. 04:27 < doke> The IP 80.xxx.xxx.170 (Netmask 255.255.255.252, gateway 80.xxx.xxx.169) can be used on srv01 and srv02. The subnet 79.xxx.xxx.0/24 is routed over this IP. The ARP-Timeout in this vlan is set to 5 Seconds. 04:31 -!- mRCUTEO [n=info@96.9.131.183] has quit [Read error: 54 (Connection reset by peer)] 04:32 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit ["Leaving"] 04:32 < simplechat> doke, explain? 04:41 < krzee> do we need you public key to understand that? 05:34 < doke> ;) krzee I like that comment 05:35 < doke> simplechat: sorry for my late reply 05:35 < doke> Basically 05:35 < doke> My carrier gave me a subnet of /24 because I'd like to be able to serv openvpn clients with public ips 05:36 < simplechat> yeah 05:36 < simplechat> but why? 05:36 < doke> I'm not in the idea of abusing ips but... if it works it might be nice and very useful 05:36 < doke> so 05:36 < doke> My carrier gave me the following info 05:36 < doke> The IP 80.xxx.xxx.170 (Netmask 255.255.255.252, gateway 80.xxx.xxx.169) can be used on srv01 and srv02. The subnet 79.xxx.xxx.0/24 is routed over this IP. The ARP-Timeout in this vlan is set to 5 Seconds. 
05:37 -!- Tsuroerusu [n=tsuroeru@0x50a41f0b.slnxx1.dynamic.dsl.tele.dk] has joined ##openvpn 05:37 < doke> and although I managed to estup the ip where the /24 is supposed to be routed to, I don't know how to actually use my subnet 05:39 < simplechat> doke, so what exactly is it that you want to do with it? 05:39 < simplechat> you want to give every openvpn ip a public ip? 05:42 < doke> basically 05:42 < doke> I have a dhcp server 05:42 < doke> that will serve public IPs to my openvpn clients 05:42 < doke> public ips in the subnet mentionned above 05:43 < doke> but I don't understand how I'm ment to use those ips... 05:43 < doke> :( 05:43 < doke> Once I can mount them on one of my machines I can serve them to my OpenVPN clients 05:43 < doke> but for now nothing seems routed 05:43 < doke> 79.140.34.0/24 05:46 < simplechat> but what are you going to use those ips for? 05:46 < krzee> ecrist, https://bugs.gentoo.org/250611 05:46 < simplechat> whats the point? 05:46 < vpnHelper> Title: Gentoo Bug 250611 - [NEW EBUILD] net-misc/ssl-admin (at bugs.gentoo.org) 05:47 < krzee> you're using server-bridge right? 05:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:50 < doke> simplechat: those IP will be offered to OpenVPN connecting to my servers 05:50 < doke> my goal for now is to bring up an interface with one of those IPs at least 05:50 < doke> after this it should be pretty simple 05:50 < doke> A server-bridge will do it 05:51 < doke> but for now either there is an issue in my carrier's routing tables or I don't know how to use my subnet routed to some IPs that I'm already listening on 05:51 < krzee> its just like you had an ethernet cable plugged into the network 05:51 < doke> is there any protocole I should know about? 
05:51 < krzee> server-bridge tunnels ethernet frames 05:51 < doke> I thought it was just a matter of bringing some interfaces up 05:52 < krzee> !bridge 05:52 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 05:52 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 05:52 < doke> but now I'm considering the implication of maybe having to deal with some specific routing protocoles 05:52 < krzee> i dont see why 05:52 < krzee> you will get ip from dhcp 05:52 < doke> krzee: I know that ;) 05:52 < krzee> you will route to the same router as dhcp gives you 05:52 < krzee> it will route like it does for other dhcp clients 05:52 < doke> I'm using Openvpn server-bridge since quite long now with very great satisfaction 05:53 < doke> I love that feature 05:53 < doke> but I'm just now trying to bring one of my ips up 05:53 < doke> sorry don't bother yourself with me 05:53 < doke> I'll have a look around 05:53 < krzee> its the same as before, only you're getting a public ip instead of lan ip 05:53 < doke> maybe I should refresh my brain about IP routing and some protocole being involved in the process 05:54 < krzee> i dont see why you think its a routing issue 05:54 < doke> let me re explain 05:54 < doke> My carrier gave me a new IP subnet 05:54 < krzee> the way i understand it you want to have clients use public ips based on openvpn giving it to them 05:55 < doke> according to their words, this subnet is routed to a particular IP with a netmask of 255.255.255.252 that I can use on 2 machines 05:55 < doke> I manage to bring up the interface on one of those machine that can listen to this 
particular IP 05:55 < doke> and I can ping the machine through this IP 05:55 < doke> but now, my subnet which is supposed to be routed to this ip... 05:56 < doke> what do I do with it? do I need something to reroute those IPs? How do I bring them up? 05:56 < doke> don't know if you get it 05:56 < doke> sorry 05:57 < krzee> i see 05:57 < krzee> im not 100% sure you can 05:57 < krzee> sounds like a question for the mail list 05:57 < doke> brb 05:57 < doke> krzee: thanks a lot 05:57 < doke> :) 05:57 < krzee> ohh 05:58 < krzee> wait 05:58 < krzee> you can use on 2 machines 05:58 < krzee> after you start the bridge you have to ifconfig the new ips 05:59 < krzee> the ip the server uses (configed in server bridge) should be the one they said to claim 05:59 < krzee> with that netmask 05:59 < krzee> it hands clients ips in the netmask 05:59 < krzee> [07:59] <krzee> after you start the bridge you have to ifconfig the new ips 05:59 < krzee> <--- im not sure how true that is 06:00 < krzee> first step is to find out how you get your box to use the ips without openvpn 06:00 < krzee> when you have that ip they said can you just ifconfig and the ips work? 06:01 < krzee> if so you are operating at the ethernet frame level and routing protocols are pointless anyways 06:12 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 06:12 < doke> krzee: this is the point 06:13 < doke> I'm trying to make my box work with the IP 06:13 < krzee> oh 06:13 < krzee> well once you get that working we can try to help you with ovpn 06:13 < doke> one of the ip at least... when it's done it's pretty simple to make it work with server-bridge 06:13 < doke> thanks a lot for your support 06:13 < doke> sorry it's my fault 06:14 < krzee> np 06:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:18 -!- pawpro [n=IRC@213.166.12.73] has joined ##openvpn 07:18 < pawpro> Hi everybody. Could you please point me to some howto on openvpn and cisco vpn clients? 
07:31 -!- pawpro [n=IRC@213.166.12.73] has quit [Read error: 60 (Operation timed out)] 07:33 < reiffert> doke: still looking for someone to port openvpn to symbian? 07:47 -!- dotCOMmie [n=tox@65.110.59.200] has quit [Read error: 54 (Connection reset by peer)] 07:54 < doke> reiffert: yep 07:55 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 07:55 < ebf0> !menu 07:55 < vpnHelper> ebf0: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 08:02 < ebf0> !factoids search * 08:02 < vpnHelper> ebf0: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum', 'secure', 08:02 < vpnHelper> ebf0: 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 'irclogs', 'noenc', 'iptables', 08:02 < vpnHelper> ebf0: 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', 'bridge-fw', 'linipforward', 'linnat', 'man', 'webgui', 'wintaphide', 'topology', 'configs', 'linfw', and 'firewall' 08:05 < ebf0> !factoids ccd 08:05 < vpnHelper> ebf0: Error: The "Factoids" plugin is loaded, but there is no command named "ccd" in it. Try "list Factoids" to see the commands in the "Factoids" plugin. 08:05 < ecrist> ebf0: something you're looking for? 
08:05 < ecrist> !ccd 08:05 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client 08:06 < doke> ecrist: you should make your bot reply privately to the user invoking the command or !ccd ecrist should post the reply to the user in arg 08:07 < ecrist> doke: not my bot. 08:07 < ecrist> if it were, that's what it would do 08:07 < ecrist> ;) 08:07 < doke> ;) 08:08 < ebf0> ecrist: im playing on setting up openvpn with different network-group-resources like "Configuring client-specific rules and access policies" 08:08 < doke> reiffert: I'm not planing to write an rfp for the project :) but if you're interested in porting openvpn to Symbian let me know by mp 08:08 < doke> tell me also your expected revenue for the project 08:08 < ebf0> also would like to do authentication to against a openldap server 08:09 -!- Solarbaby [n=Dave@70-41-208-166.cust.wildblue.net] has quit [Read error: 104 (Connection reset by peer)] 08:09 < ecrist> ebf0: that just requires a script on the server side. 08:10 < ecrist> read through http://openvpn.net/archive/openvpn-users/2006-09/msg00101.html 08:10 < vpnHelper> Title: [Openvpn-users] openvpn authentication using openldap (at openvpn.net) 08:10 < ebf0> ecrist: yes... Im playing with a perl skript to add into it 08:11 < ecrist> lol@openvpn.net folks... their mailing list archive site has php errors. so sad... 08:13 < ebf0> yes 08:13 < ebf0> Fatal error: require_once() [function.require]: Failed opening required '../../../archive_common.php' (include_path='/usr/local/lib/php') in /home/openvpn/domains/openvpn.net/public_html/archive/openvpn-users/2006-09/msg00101.html on line 222 08:13 < ebf0> etc 08:14 < ebf0> ecrist: there is no thread on the subject... 
08:15 < ecrist> I show this as a reply: http://openvpn.net/archive/openvpn-devel/2007-06/msg00000.html 08:15 < vpnHelper> Title: [Openvpn-devel] RE : OPENVPN with OPENLDAP (at openvpn.net) 08:15 < ecrist> this is the code you're looking for: 08:15 < ecrist> http://code.google.com/p/openvpn-auth-ldap/ 08:15 < vpnHelper> Title: openvpn-auth-ldap - Google Code (at code.google.com) 08:16 < ebf0> I just wondered, if anyone know of an existing ldap-auth perl or what ever script, that will auth the user against the ldapserver, and play with iptables to get him into the right network, say based on his groups etc ? 08:16 < ecrist> ebf0: you'd need an up or down script for that within client config. 08:16 < ebf0> ecrist: that code is for pf, not netfilter 08:17 < ecrist> shouldn't be too hard to modify that code to work with netfilter 08:23 < ebf0> I know... asked my boss, he said yes to sponsor the netfilter part :), though I need it today :P 08:23 < ecrist> I'd talk to the developers at the link above. Otherwise, download that source and modify it yourself. 08:24 < ebf0> http://frost.ath.cx/software/openvpn_auth/ <-- the link dont work :( tried internet archive too... cant get that code :/ 08:24 < ecrist> did you see the code.google.com link above? 08:25 < ebf0> long time ago :) even compiled it... 
:) 08:25 < ebf0> Im not that good in C, so I cant fix it today :P 09:00 < et> ssssccc 09:00 < et> oops 09:00 < et> sorry 09:02 < et> krzee: the "net_gateway" worked when i explicitely put the netmask in for the openvpn server 09:52 * plaerzen waves 10:40 < Dryanta> ok 10:40 < Dryanta> so i still haz that problem guise 10:40 < Dryanta> hu Dec 11 08:36:57 2008 us=794734 write UDPv4: No buffer space available (code=55) 10:40 < Dryanta> Thu Dec 11 08:36:57 2008 us=795195 write UDPv4: No buffer space available (code=55) 10:50 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 11:08 < doke> krzee: I managed to eventually get my OpenVPN working with my public ip pool 11:08 < doke> wonderful 11:08 < doke> :D 11:09 < doke> basically I can be behind a nat or whatever Firewall... and get an external IP and run whatever service I want on my machine now 11:09 < doke> no more restrictions 11:09 < doke> and I tried using udp port 53 in an airport and I bypassed the captive portal 11:09 < doke> :D 11:10 < doke> thanks for your help though 11:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 110 (Connection timed out)] 11:23 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection] 11:27 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 12:25 < Dryanta> halp plz guise 12:25 < jeev> lol 12:30 -!- Tsuroerusu [n=tsuroeru@0x50a41f0b.slnxx1.dynamic.dsl.tele.dk] has quit [Remote closed the connection] 12:31 < Dryanta> jeev: my shit is busticated 12:31 < jeev> heh 12:31 < Dryanta> 1177 nobody 1 115 0 9028K 2272K CPU1 1 946:07 99.12% openvpn 12:39 < Dryanta> Thu Dec 11 10:38:09 2008 us=262697 write UDPv4: No buffer space available (code=55) 12:39 < Dryanta> Thu Dec 11 10:38:09 2008 us=263408 write UDPv4: No buffer space available (code=55) 13:06 -!- dmz [n=dmz@64.203.203.232.dyn-cm-pool-64.hargray.net] has joined ##openvpn 13:06 < dmz> howdy y'all...i'm trying to figure out a good config 
for hundreds of users but keeping static ip for each user 13:07 < dmz> i've run into openvpn telling me now that i can only have 100 routes in it 13:07 < dmz> is there any good config i can use to have static ip for each end-node and still have 1 server for all my end-networks? 13:07 < dmz> or do i have to setup different servers for each "100 networks"? 13:09 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [] 13:28 < jeev> weird 13:28 < jeev> if my openvpn server ip is 1.2.3.4 13:28 < jeev> and the mailserver is 1.2.3.4 13:28 < jeev> it wont work! 13:35 < dmz> what = it that wont' work 13:43 < jeev> oh 13:43 < jeev> lol 13:43 < jeev> i mean, i can't access the ip 13:44 < jeev> weird 13:44 < krzie> Dryanta paste your routing table pls 13:44 < jeev> i dunno 13:44 < Dryanta> krzie: uhm 13:44 < Dryanta> ok 13:44 < krzie> Dryanta i wanted to remember what your error was last night when i was with my mail archives 13:44 < krzie> but i forgot =/ 13:45 < Dryanta> default 151.164.184.123 UGS 0 38514 tun0 13:45 < Dryanta> 10.4.0.3 127.0.0.1 UH 0 0 lo0 13:45 < Dryanta> 10.4.0.4 10.4.0.3 UH 5 0 tun1 13:45 < krzie> pastebin man 13:46 < krzie> hrm that doesnt look right to me 13:47 < krzie> <Dryanta> 10.4.0.3 127.0.0.1 UH 0 0 lo0 13:47 < krzie> wwhered that come from? 13:47 < krzie> looks like you have a nice lil routing loop 13:48 < krzie> (which i only homed in on because of the mail list archives i found and pasted yesterday 13:59 < jeev> krzie, i can't ping 1.2.3.4 while vpn'd to it 14:00 < jeev> what could that be? 14:00 < jeev> i can't ssh to it 14:00 < jeev> can't do squat 14:00 < krzie> check your logs 14:00 < krzie> prolly getting a multi error 14:00 < krzie> do you setup a new vpn every month? 14:00 < krzie> or do you just never finish it? 
14:00 < jeev> not multi 14:01 < jeev> hold up, i dont know what im doing 14:01 < jeev> it's for my friend, he's at a hotel 14:01 < jeev> 53 udp baby 14:01 < krzie> i bypass hotel fees with a NStun 14:01 < Dryanta> krzie: what do you mean on routing loop? 14:01 < krzie> Dryanta follow the route for packets 14:03 < krzie> 10.4.0.4 wants to route through 10.4.0.3 14:04 < krzie> but 10.4.0.3 routes through 127.0.0.1 14:04 < krzie> which is the entry fubaríng stuff 14:05 < Dryanta> 10.4.0.3 is link local 14:05 < krzie> explains the error and the high cpu usage (and was in the archives post i foubnd on google yesterday) 14:05 < krzie> lok, my routing table doesnt have anything vpn related going to 127.0.0.1, it IS what is breaking your setup 14:05 < krzie> s/lok/look/ 14:05 < Dryanta> well 14:05 < Dryanta> why is openvpn setting the route to be that 14:05 < krzie> good question 14:06 < Dryanta> i showed you the config 14:06 < krzie> show me the logfile at verb 6 from that machine 14:06 < krzie> haha nice 14:06 < krzie> (oops wrong win) 14:06 < Dryanta> 10.4.0.3 10.4.0.4 UH 0 4 tun0 14:06 < Dryanta> 10.4.0.4 127.0.0.1 UH 0 0 lo0 14:06 < Dryanta> on the other one that is NOT acting weird 14:06 < krzie> <Dryanta> 10.4.0.4 127.0.0.1 UH 0 0 lo0 14:06 < krzie> remove that manually 14:07 < krzie> i also wanna see those configs again 14:07 < krzie> but logfile first 14:07 < krzie> so i can see where that route is set 14:10 < Dryanta> krzie: i think you are barking up the wrong tree 14:10 < krzie> *shrug* ok 14:10 < krzie> then dont paste them 14:10 < Dryanta> because my setup that IS working on two completely different servers have the same routes 14:11 < Dryanta> 10.4.0.1 127.0.0.1 UH 0 3 lo0 14:11 < Dryanta> 10.4.0.2 10.4.0.1 UH 1 12754 tun0 14:11 < krzie> and none of mine do 14:11 < Dryanta> that is link local 14:11 < krzie> but really if you dont wanna paste those it wont hurt my day 14:11 < krzie> but im willing to help if you wanna 14:12 < Dryanta> im just asking why you 
think its weird for a link local to be having a route of lo0 14:13 < krzie> packets headed to internal ovpn ip of 10.4.0.2 are pointing to 10.4.0.1, which is pointing to final destination of lo0 14:14 < krzie> so you are rapidly sending packets to lo0 eating up cpu 14:14 < krzie> you use freebsd, as do i 14:14 < krzie> none of my setups have a vpn ip headed to lo0 14:14 < krzie> are you using ptp 14:14 < Dryanta> yes point to point 14:14 < krzie> actually, no more questions, paste the files i need or dont, i cant look at anythihng more without 14:15 < krzie> ok i dont use ptp, could be the lo0 route's reason 14:15 < Dryanta> verb 6? 14:15 < krzie> ya verb 6 14:18 < jeev> hmac error 14:18 < jeev> while it's working 14:18 < jeev> it's scrolling so fast and i'm logged on via logmein 14:18 < jeev> what's goin on lol 14:18 < krzie> jeev, you know how to fix an hmac error 14:18 < jeev> krzie, he was vpn'd to 1.2.3.50 and he couldn't ping it, so i alias'd .51 and moved vpn to that, then i can ping 14:18 < jeev> i can ping .50 14:18 < krzie> i know you do 14:18 < jeev> :) 14:19 < jeev> is that the ta.key 14:19 < krzie> !hmac 14:19 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 14:19 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 14:21 < jeev> yea dood 14:21 < jeev> they both match 14:22 < krzie> server has tls-auth ta.key 0 client has tls-auth ta.key 1 14:22 < krzie> ? 
14:23 < jeev> authenticate/decrypt packet error: packet HMAC autentication failed 14:24 < jeev> authenticate/decrypt packet error: packet HMAC authentication failed 14:24 < jeev> i'll just copy it over anyway 14:24 < krzie> <krzie> server has tls-auth ta.key 0 client has tls-auth ta.key 1 14:24 < jeev> yes 14:24 * jeev beats krzie with Dryanta's buttscratcher 14:26 < jeev> still giving the error 14:27 < jeev> it's ok though 14:27 < jeev> it's working great for him 14:27 < jeev> i love the port 53 bypass hehe 14:27 < krzie> disable hmac if you cant fix it 14:27 < krzie> personally i would just make a new hmac key tho 14:28 < krzie> you can make a checksum to be sure its xfer'ed right 14:28 < krzie> openvpn --genkey --secret ta.key 14:28 < krzie> then BE SURE server has tls-auth ta.key 0 client has tls-auth ta.key 1 14:29 < krzie> and be sure permissions allow it to be read 14:30 < krzie> and its in the right location (u\or use full paths) 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:06 < Dryanta> http://pastebin.ca/1282986 15:11 < krzie> that is not a cocomplete logfile at verb 6 15:17 < krzie> it could be at verb 6 15:18 < krzie> but its DEFINATLY not compllete 15:19 < jeev> yea 15:28 < Dryanta> what do you mean complete 15:29 < Dryanta> buttscratcher? buttscratcher? 15:30 < krzie> heres what the beginning of a logfile at verb 6 looks like 15:30 < krzie> http://pastebin.com/m49e2deb3 15:30 < krzie> (someone elses) 15:31 < krzie> and those configs again pls 15:31 < krzie> im a lot more awake than yesterday when i looked at them, and a lot less busy 15:36 < doke> Anybody using openvpn on windows here? 15:38 < doke> I'd like to force the default gateway to the one sent by my dhcp (I'm in tap interface)... Not surprising, it doesn't work on Windows.. 
What I would need is to keep a route to the hostname of the vpn server using the traditional gateway and 0.0.0.0 going through the vpn ink 15:38 < doke> would push "redirect-gateway def1" 15:38 < doke> do it? 15:38 < doke> In bridge mode? 15:40 < krzie> umm 15:40 < krzie> no 15:41 < krzie> i believe its routed only 15:41 < krzie> but you can setup routes with up scripts 15:42 < krzie> if that really does what you need 15:43 < doke> krzie: it's how I do it now but I'd like to avoid this script... so I don't need to setup static gateway addresses 15:43 < doke> thanks for your suggestion 15:43 < Dryanta> so 15:43 < Dryanta> what is that missing 15:43 < Dryanta> ok one sec 15:45 < Dryanta> http://pastebin.ca/1283018 15:45 < Dryanta> for the .log 15:46 < krzie> doke, theres built in vars for gateways 15:46 < krzie> Dryanta, you from the bay area too? 15:47 < Dryanta> for the config 15:47 < Dryanta> http://pastebin.ca/1283019 15:47 < Dryanta> i live in la 15:47 < Dryanta> i was in oakland yesterday and the day before 15:47 < krzie> ahh 15:48 < doke> awww really? 15:48 < krzie> k i see 10.4.0.3 is local on this side 15:48 < Dryanta> dont haxxx my boxen 15:48 < Dryanta> :) 15:48 < doke> I didn't know Windows was so advanced krzie 15:48 < doke> :D 15:48 < krzie> so other side is 10.4.0.4 local? 15:48 < Dryanta> ya 15:48 < doke> I'll google this to google ;) 15:48 < doke> thanks a lot for your help krzie 15:48 < krzie> doke, its not, you arent asking ANYTHING that has to do with windows 15:49 < krzie> and it can be found in: 15:49 < krzie> !man 15:49 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 15:49 < doke> what? 
15:49 < krzie> i THINK under --redirect-gateway, but possibly under route 15:49 < doke> krzie: no the up script 15:49 < doke> would basically do 15:49 < krzie> openvpn has built in vars for gateway 15:50 < doke> something like route add vpn_server mask 255.255.255.255 traditional_gateway 15:50 < Dryanta> and i just got yelled at cos this isnt working :P 15:50 < doke> route delete 0.0.0.0 15:50 < doke> route add 0.0.0.0 mask 0.0.0.0 vpn_gateway 15:50 -!- J4nus [n=janus@78-22-33-101.access.telenet.be] has joined ##openvpn 15:50 < doke> the goal is to replace the default gateway for a Windows user by the one optain during the vpn connection without compremizing the existing vpn link 15:51 < doke> don't know if you got it? 15:51 < krzie> those vars can be passed to the script instead of hard coded 15:51 < krzie> check env vars section of maNPAGE 15:51 < krzie> oops c/l 15:52 < doke> hmmmm 15:52 < J4nus> hello everybody, I'm trying to install OpenVPN on a box running OpenBSD 4.4; When I do the ". ./vars", the openssl.cnf file seems to be launched like a script and I get "HOME: not found, RANDFILE: not found,..." 15:52 < doke> I'll have a look 15:52 < doke> thanks 15:52 < J4nus> I found several posts on forums about similar messages, but without any solutions 15:52 < krzie> J4nus did you edit the vars? 15:52 < J4nus> yes I did 15:53 < krzie> maybe try ssl-admin 15:53 < J4nus> I changed the KEY_CONFIG to point to my file (openssh.cnf) 15:53 < jpalmer> J4nus: wwhich shell are you using? 15:53 < krzie> svn co https://www.secure-computing.net/svn/trunk/ 15:53 < vpnHelper> Title: svn - Revision 34: /trunk (at www.secure-computing.net) 15:53 < J4nus> I tried with zsh and bash 15:53 < krzie> for ssl-admin 15:54 < ecrist> evening folks 15:54 < J4nus> and sh now, still the same problem 15:54 < jpalmer> J4nus: try it with csh. 
15:54 < J4nus> ok 15:54 < J4nus> http://www.nabble.com/openvpn-error-PKI-on-obsd-4.4-td20460351.html 15:54 < vpnHelper> Title: Nabble - openbsd user - misc - openvpn error PKI on obsd 4.4 (at www.nabble.com) 15:54 < J4nus> this guy has the same problem than me 15:55 < jpalmer> if you want to run it with zsh, ash, or bash.. modify the script slightly. add an "export" before each of the variables 15:57 < J4nus> with csh, all the "export" commands in the vars file are rejected "export: command not found" 15:57 < jpalmer> right. I didn't say to add export for csh. 15:57 < J4nus> ok right, so I will remove them 15:57 < jpalmer> no 15:57 < jpalmer> now that you have them, use bash or something 15:57 < Dryanta> so now what krzie 15:57 < Dryanta> i dont know 15:57 < Dryanta> but im getting my ass chewed 15:57 < Dryanta> :( 15:57 < J4nus> the file vars has a line: "export KEY_CONFIG=`$EASY_RSA/openssl.cnf $EASY_RSA`" 15:57 < J4nus> and in the file openssl.cnf, there is no "export" 15:59 < jpalmer> the EASY_RSA env variable points to a directory where openssl.cnf is stored 15:59 < J4nus> yes indeed 15:59 < jpalmer> J4nus: have you read any of the installation instructions? 
the vars script is covered there 16:00 < krzie> Dryanta paste me those configs again too 16:00 < J4nus> it's written "this variable should point to the openssl.cnf file included with easy-rsa" 16:00 < Dryanta> i just did 16:00 < krzie> Dryanta we'ld get this done a lot faster if i didnt wait 30min between asking for a file and seeing it 16:00 < J4nus> so it seems to be correct 16:01 < Dryanta> http://pastebin.ca/1283019 16:01 < Dryanta> krzie: i get calls and get busy, im sure you understand 16:05 < krzie> totally, im right there with ya 16:05 < krzie> i wouldnt have said that if you werent talkin bout getting chewed out for not being finished 16:07 < J4nus> jpalmer: i read again the installation instructions but I don't find any problems in my current config 16:10 < krzie> dry, does it start out ok then get bad? 16:12 < Dryanta> cannot send traffic at all 16:13 < Dryanta> oakland# ping 10.4.0.4 16:13 < Dryanta> PING 10.4.0.4 (10.4.0.4): 56 data bytes 16:13 < Dryanta> ^C 16:13 < Dryanta> --- 10.4.0.4 ping statistics --- 16:13 < Dryanta> 6 packets transmitted, 0 packets received, 100.0% packet loss 16:15 < krzie> did you have a reason for changing mtu? 16:15 < Dryanta> ppp 16:16 -!- doke [n=me@unaffiliated/emrah] has quit [Read error: 60 (Operation timed out)] 16:16 < Dryanta> my dsl handoff is pppoe 16:16 < krzie> you tested that was a good mtu? 16:17 < krzie> i believe its the default 16:17 < krzie> i take it back, def is 1500 16:18 < J4nus> any ideas ? 
16:18 < krzie> J4nus my suggestion was to use ssl-admin
16:18 < krzie> which you can get here:
16:18 < krzie> svn co https://www.secure-computing.net/svn/trunk/
16:18 < vpnHelper> Title: svn - Revision 34: /trunk (at www.secure-computing.net)
16:19 < J4nus> I don't have the choice, I need to use openvpn
16:20 < Dryanta> default is 1500
16:20 < Dryanta> pppoe framing is 8bit, so 1492
16:20 < krzie> ssl-admin is a replacement for easy-rsa
16:20 < Dryanta> i figured having it be 1500 by default perhaps was causing my issue
16:23 < krzie> dry
16:23 < krzie> lets back up
16:23 < krzie> and go with most simple possible
16:23 < krzie> On may:
16:23 < krzie> openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
16:23 < krzie> On june:
16:23 < krzie> openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
16:23 < krzie> Now verify the tunnel is working by pinging across the tunnel.
16:25 < J4nus> jpalmer: did you already see that in the past?
16:25 < ecrist> how goes krzie?
16:25 < krzie> J4nus ssl-admin is for managing openvpn ssl keys
16:25 < krzie> hey ecrist
16:26 < krzie> you see gentoo has a ssl-admin ebuild now?
16:26 < plaerzen> hey guys
16:26 < ecrist> yep, I updated the URL on the PR
16:27 < plaerzen> I just learned it's supposed to be -36 celsius here this sunday. Joy.
16:27 < krzie> DAMN
16:27 < krzie> thats cold
16:27 < plaerzen> yeah
16:28 < krzie> could always move here
16:28 < plaerzen> like if you have exposed skin, frostbite in 5 minutes cold.
16:28 < krzie> it'll be sunny
16:28 < plaerzen> where is here?
16:28 < ecrist> plaerzen: where you from?
16:28 < krzie> caribbean
16:28 < plaerzen> calgary, canada
16:28 < plaerzen> krzie, ok
16:28 < plaerzen> krzee, consider it done.
16:28 * plaerzen mutters.
16:28 < plaerzen> I wish it was that easy.
16:30 < ecrist> ftr, I got a 'first' comment on /. today that was modded up to 5. :P
16:30 < Dryanta> cannot ping past tunnel
16:30 < Dryanta> no love
16:31 < Dryanta> ecrist: link?
16:31 < ecrist> but, I wasn't a biotch and claim 'first' like most ass-clowns.
16:31 < ecrist> http://science.slashdot.org/article.pl?sid=08/12/11/1322252
16:31 < vpnHelper> Title: Slashdot | Birth of the Moon: a Runaway Nuclear Reaction? (at science.slashdot.org)
16:31 < plaerzen> http://www.patentfile.com/index.php/Home/Webcam
16:31 < vpnHelper> Title: Goodwin McKay | Calgary Webcam (at www.patentfile.com)
16:32 < plaerzen> I HATE the cold.
16:32 < Dryanta> so krzie june and may dont like each other
16:33 -!- [X]Spot [n=stancho@78.90.99.168] has joined ##openvpn
16:33 < [X]Spot> Hi all
16:33 < [X]Spot> where can I read how to use username and password instead of certificate
16:33 < [X]Spot> ?
16:33 < krzie> Dryanta looks like we're getting somewhere
16:33 < [X]Spot> for openvpn connections
16:33 < krzie> Dryanta try switching to tcp temporarily
16:33 < krzie> !nocert
16:33 < vpnHelper> krzie: Error: "nocert" is not a valid command.
16:34 < krzie> hrmz
16:34 < ecrist> krzie: the bot won't let me learn...
16:34 < Dryanta> switch to tcp huh
16:34 < krzie> [X]Spot lemme find it
16:34 < krzie> ecrist it will after you identify
16:34 < krzie> Dryanta to verify its a FW issue
16:35 < krzie> its a troubleshooting solution, not perm
16:35 < [X]Spot> krzee thanks
16:36 < krzie> !learn nocert as to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required
16:36 < vpnHelper> krzie: Joo got it.
16:36 < krzie> !leartn nocert as you will want to read about those in the manual (!man)
16:36 < vpnHelper> krzie: Error: "leartn" is not a valid command.
16:37 < Dryanta> how do i do that krzie
16:37 < Dryanta> -tcp?
16:37 < krzie> in your configs you have proto udp
16:37 < krzie> s/udp/tcp
16:38 < Dryanta> oh so use the configs just change that k
16:38 < krzie> well or --proto tcp
16:38 < krzie> everything in config is also a cli option if you add --
16:43 < ecrist> krzie: I tried that.
16:43 < ecrist> lemme do it again.
16:43 < Dryanta> when i did tcp
16:43 < Dryanta> i dont have ip addresses on the tunnels in ifconfig
16:43 < ecrist> !learn crazy as krzie is crazy
16:43 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
16:44 < Dryanta> Options error: --proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client
16:44 < krzie> <ecrist> !learn crazy as krzie is crazy
16:44 < krzie> if i recall, that stuff is the reason you need factoids.learn capability for this bot
16:45 < krzie> it did start out as publicly open
16:45 < ecrist> krzie: yeah, that was a test.
16:45 < krzie> you need to identify with him first
16:45 < krzie> (in msg)
16:45 < ecrist> I already did.
16:45 < ecrist> right before I tried that above cmd
16:46 < ecrist> 16:43 <ecrist> !identify ecrist wrong_pass
16:46 < ecrist> 16:43 <vpnHelper> Error: Your hostmask doesn't match or your password is wrong.
16:46 < ecrist> 16:43 <ecrist> !identify ecrist right_pass
16:46 < ecrist> 16:43 <vpnHelper> Joo got it.
16:47 < Dryanta> changed to tcp, still no love
16:47 < krzie> ahh, i guess ill figure out howto give you that capability later
16:47 < ecrist> no worries.
16:47 < krzie> Dryanta diff problem now you said?
16:47 < Dryanta> nope
16:47 < Dryanta> same
16:47 < krzie> ecrist, have you seen the problem hes having?
16:48 < Dryanta> !whoami
16:48 < vpnHelper> Dryanta: I don't recognize you.
16:48 < Dryanta> orly
16:48 < ecrist> !whoami
16:48 < Dryanta> well you should im important
16:48 < vpnHelper> ecrist: ecrist
16:48 < ecrist> lemme read up
16:49 < krzie> Dryanta !whoami
16:49 < krzie> oops
16:49 < krzie> !whoami
16:49 < vpnHelper> krzie: krzee
16:49 < krzie> THATS RIGHT BOT!
16:49 < krzie> heh
16:50 < ecrist> krzie: which problem?
16:51 < krzie> http://pastebin.ca/1283019
16:51 < ecrist> :\ pastebin.ca doesn't like my return-path.
16:51 < krzie> with those he can get a connection, but gets some error=55 errors (something bout out of buffer space)
16:51 < krzie> his mbufs are not fully used
16:51 < krzie> he uses fbsd
16:52 < ecrist> I still stand it's a firewall issue.
16:52 < Dryanta> ecrist: nope
16:52 < krzie> i tried having him goto tcp
16:52 < krzie> which i MUST assume he opened the tcp port for testing
16:52 < krzie> but alas, it is an assumption
16:52 < ecrist> o.O
16:53 < Dryanta> of course
16:53 < ecrist> Dryanta: are you doing this from within a freebsd jail?
16:53 < krzie> GOOD QUESTION!
16:53 < ecrist> http://photos-h.ak.fbcdn.net/photos-ak-snc1/v1357/109/18/5710098/n5710098_41595615_3316.jpg
16:53 < ecrist> loser ^^^
16:53 < ecrist> hot wife, though
16:53 < krzie> howd you get my pic!?
16:54 < krzie> i mean ummm
16:54 < krzie> ya loser!
16:54 < krzie> ;]
16:54 < Dryanta> ecrist: no
16:55 < Dryanta> it shows connected but i cant ping across the tunnel
16:55 < Dryanta> and i have 99% cpu utilization on the oakland box
16:55 < ecrist> can you try a client from a different OS to the same server?
16:56 < Dryanta> this is a p2p setup
16:56 < Dryanta> and i have two different boxes running the same version perfectly fine
16:56 < Dryanta> also amd64 and 2.0.6
16:57 < ecrist> can you try a client from a different OS to the same other client?
16:57 < Dryanta> my whole network is freebsd
16:57 < Dryanta> i could try xp maybe
16:57 < ecrist> ok, can you try a client from a different system to the same other client?
16:58 < Dryanta> sure
16:58 < Dryanta> well
16:58 < Dryanta> no not really id have to change all the firewalls
16:59 < Dryanta> you see in the log it shows connected rite
17:00 < ecrist> Dryanta: I still really think it's a firewall issue where ICMP is being blocked. are you *sure* you've opened ICMP up over the VPN interface and IP space?
17:00 < Dryanta> icmp?
17:00 < ecrist> that's the protocol ping uses.
17:01 < Dryanta> ping isnt blocked anywhere else
17:01 < Dryanta> i know internet control message protocol
17:01 < Dryanta> but i dont have icmp blocked anywhere
17:02 < ecrist> let's try something else, then. do any other protocols make it across the tunnel?
17:03 < Dryanta> how could i validate that in a simple manner
17:03 < ecrist> ssh from one host to the other over the tunnel
17:05 < krzie> (after checking ssh is listening on *)
17:06 < ecrist> http://www.theonion.com/content/video/in_the_know_how_can_we_make_the_0
17:06 < vpnHelper> Title: In The Know: How Can We Make The Iraq War More Handicap Accessible? | The Onion - America's Finest News Source (at www.theonion.com)
17:06 < Dryanta> cant ssh
17:08 < ecrist> I don't know. I still say firewall, or you really are within a freebsd jail.
17:11 < krzie> i agree that its something at the OS level rather than vpn level
17:11 < krzie> based on the fact that the most simple possible setup didnt work
17:12 < krzie> <krzie> On may:
17:12 < krzie> <krzie> openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
17:12 < krzie> <krzie> On june:
17:12 < krzie> <krzie> openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
17:12 < krzie> <krzie> Now verify the tunnel is working by pinging across the tunnel.
17:12 < krzie> (that one)
17:12 < ecrist> I gotta go. l8r
17:12 < krzie> later eric
17:39 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
17:39 < robert_> can I client-to-client certain subnets?
17:44 < Dryanta> ecrist: im not within a jail
17:45 < Dryanta> krzie: i did that and it didnt work
17:45 < Dryanta> remember
17:45 < Dryanta> but the log says connected
17:45 < Dryanta> so the log wouldnt say connected if it was firewalled amirite?
18:21 < reiffert> moin
18:22 < reiffert> robert_: yes.
18:22 < reiffert> Dryanta: yes you are.
18:23 < Dryanta> so what do i do
18:23 < Dryanta> im so lost here
18:23 < Dryanta> it makes no sense what is going on
18:23 < Dryanta> especially the whole load thing
18:23 < Dryanta> i think its because im doing pppoe
18:23 < reiffert> I have no idea.
18:23 < reiffert> !config
18:23 < Dryanta> a tun(4) within a tun(4) maybe?
18:23 < vpnHelper> reiffert: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
18:24 < reiffert> !configs
18:24 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:24 < Dryanta> already did that
18:24 < reiffert> sure. url?
18:24 < reiffert> !logs
18:24 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
18:26 < Dryanta> http://pastebin.ca/1283019
18:26 < Dryanta> configs
18:27 < reiffert> which of them is the client?
18:27 < Dryanta> this is p2p
18:27 < reiffert> no idea.
18:27 < Dryanta> they are peers, no client/server
18:27 < Dryanta> this is a much more simple setup, should be easier to diagnose
18:28 < reiffert> Alright. And the problem is?
18:28 < Dryanta> cant pass traffic through the tunnel
18:29 < reiffert> Does the log tell you that the connection got established successfully?
18:29 < Dryanta> yes
18:29 < Dryanta> let me get a log
18:29 < reiffert> wait.
18:29 < reiffert> when connected paste: ifconfig tun0
18:29 < reiffert> from both
18:29 < reiffert> add: route -n
18:29 < reiffert> for both.
18:30 < reiffert> (or netstat -nr)
18:35 < reiffert> still with me?
18:39 < Dryanta> http://pastebin.ca/1283134
18:39 < Dryanta> ya i just had to get that stuff
18:39 < reiffert> please DONT snip the routing table!
18:40 < reiffert> and I cant find the ifconfig information I was asking for.
18:41 < reiffert> and please paste ifconfig tun1 from oakland as well as tun0.
18:44 < Dryanta> http://pastebin.ca/1283138
18:46 < Dryanta> everything?
18:46 < reiffert> on oakland:
18:47 < reiffert> tcpdump -n -i tun1 proto ICMP &
18:47 < reiffert> ping -c2 10.4.0.4
18:47 < reiffert> paste result in irc
18:48 < Dryanta> oakland# ping -c2 10.4.0.4
18:48 < Dryanta> PING 10.4.0.4 (10.4.0.4): 56 data bytes
18:48 < Dryanta> 16:45:55.963802 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 48145, seq 0, length 64
18:48 < Dryanta> 16:45:56.964445 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 48145, seq 1, length 64
18:48 < Dryanta> --- 10.4.0.4 ping statistics ---
18:48 < Dryanta> 2 packets transmitted, 0 packets received, 100.0% packet loss
18:49 < reiffert> on 'to': tcpdump -n -i tun0 proto ICMP &
18:49 < reiffert> start the ping again on oakland. Does it reach 'to'?
18:49 < Dryanta> yes
18:49 < reiffert> (we know now: the icmp messages are leaving the right interface on oakland)
18:50 < reiffert> paste the resulting lines from the tcpdump running on 'to' please to irc.
18:50 < Dryanta> 16:49:50.916674 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 48401, seq 0, length 64
18:50 < Dryanta> 16:49:52.317826 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 48401, seq 1, length 64
18:50 < reiffert> and they make it to 'to', now the question is: why doesnt to answer them.
18:51 < reiffert> paste the complete firewall of 'to'.
18:51 < reiffert> or ... wait!
18:51 < reiffert> start a ping on to: ping -c2 10.4.0.3
18:51 < reiffert> what do you get in the tcpdumps?
18:52 < Dryanta> to# ping -c2 10.4.0.3
18:52 < Dryanta> PING 10.4.0.3 (10.4.0.3): 56 data bytes
18:52 < Dryanta> 16:52:22.877244 IP 10.4.0.4 > 10.4.0.3: ICMP echo request, id 29348, seq 0, length 64
18:52 < Dryanta> 16:52:23.878017 IP 10.4.0.4 > 10.4.0.3: ICMP echo request, id 29348, seq 1, length 64
18:52 < Dryanta> nothing in oaklands tcpdump tho
18:52 < reiffert> interesting.
18:53 < Dryanta> also weird
18:53 < reiffert> Back to pasting the 'to' firewall.
18:54 < Dryanta> http://pastebin.ca/1283146
18:55 < reiffert> Did I mention that I really really hate BSD firewalls?
18:55 < Dryanta> haha
18:55 < Dryanta> pf rox
18:55 < Dryanta> ipfw is teh sux
18:55 < reiffert> add:
18:56 < reiffert> allow all from any to any via tun1
18:56 < reiffert> ah well, it should be tun0, right?
18:57 < Dryanta> done, try the pings again?
18:57 < reiffert> yeah, 'to' uses tun0.
18:57 < reiffert> let them ping.
18:58 < Dryanta> same situation, oak is hitting to but not vice versa
18:58 < reiffert> so 'to' answers the ping from oakland?
18:59 < Dryanta> doesnt look like it
18:59 < reiffert> hm.
18:59 < reiffert> clueless.
18:59 < Dryanta> i think it has to do with the tunnel within a tunnel
19:00 < Dryanta> i have pppoe on oak as im sure you noticed
19:00 < reiffert> let's try to find out why 'to' does not reply to ping packets first.
19:05 < reiffert> please remove rulenum 00200
19:05 -!- [X]Spot [n=stancho@78.90.99.168] has quit [Read error: 104 (Connection reset by peer)]
19:05 < reiffert> and 00300
19:05 < reiffert> and 00600 and 00700
19:06 < reiffert> and after that please paste the complete ipfw list again
19:06 < Dryanta> http://pastebin.ca/1283154
19:07 < reiffert> and start the pings again. any change?
19:08 < reiffert> and please add rule num 2400 to 00090
19:10 < reiffert> any change?
19:11 < Dryanta> 17:11:18.215522 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 61457, seq 0, length 64
19:11 < Dryanta> 17:11:18.215540 IP 10.4.0.4 > 10.4.0.3: ICMP echo reply, id 61457, seq 0, length 64
19:11 < Dryanta> 17:11:19.215603 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 61457, seq 1, length 64
19:11 < Dryanta> 17:11:19.215621 IP 10.4.0.4 > 10.4.0.3: ICMP echo reply, id 61457, seq 1, length 64
19:12 < reiffert> please read the channel topic.
19:12 < reiffert> and then send all your money to me.
19:13 < Dryanta> your problem is probably your firewall
19:13 < Dryanta> but pings still arent going across the vpn
19:13 < reiffert> sure, they do:
19:13 < Dryanta> --- 10.4.0.4 ping statistics ---
19:13 < Dryanta> 8 packets transmitted, 0 packets received, 100.0% packet loss
19:13 < Dryanta> oakland# 17:11:10.344746 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 274, seq 7, length 64
19:13 < Dryanta> from oakland there arent ping replies from to
19:13 < reiffert> 02:12 < Dryanta> 17:11:18.215540 IP 10.4.0.4 > 10.4.0.3: ICMP echo reply, id 61457, seq 0, length 64
19:13 < reiffert> 02:12 < Dryanta> 17:11:19.215603 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 61457, seq 1, length 64
19:14 < reiffert> request and reply.
19:14 < reiffert> through the vpn.
19:14 < Dryanta> --- 10.4.0.3 ping statistics ---
19:14 < Dryanta> 8 packets transmitted, 0 packets received, 100.0% packet loss
19:15 < reiffert> ok, lets come down to earth again and have a close look again: on oakland: ping -c1 10.4.0.4
19:15 < reiffert> does the ping show up on both tcpdumps?
19:15 < reiffert> does it get answered?
19:16 < Dryanta> does not get answered
19:16 < Dryanta> oakland is this
19:16 < Dryanta> oakland# ping -c1 10.4.0.4
19:16 < Dryanta> PING 10.4.0.4 (10.4.0.4): 56 data bytes
19:16 < Dryanta> 17:13:28.306352 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 786, seq 0, length 64
19:16 < Dryanta> --- 10.4.0.4 ping statistics ---
19:16 < Dryanta> 1 packets transmitted, 0 packets received, 100.0% packet loss
19:17 < reiffert> and where are the replies from you were pasting some lines ago?
19:17 < Dryanta> to# ping -c1 10.4.0.3
19:17 < Dryanta> PING 10.4.0.3 (10.4.0.3): 56 data bytes
19:17 < Dryanta> 17:17:27.580526 IP 10.4.0.4 > 10.4.0.3: ICMP echo request, id 62628, seq 0, length 64
19:17 < Dryanta> --- 10.4.0.3 ping statistics ---
19:17 < Dryanta> 1 packets transmitted, 0 packets received, 100.0% packet loss
19:17 < reiffert> 02:12 < Dryanta> 17:11:18.215522 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 61457, seq 0, length 64
19:17 < reiffert> 02:12 < Dryanta> 17:11:18.215540 IP 10.4.0.4 > 10.4.0.3: ICMP echo reply, id 61457, seq 0, length 64
19:17 < reiffert> 02:12 < Dryanta> 17:11:19.215603 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 61457, seq 1, length 64
19:17 < reiffert> 02:12 < Dryanta> 17:11:19.215621 IP 10.4.0.4 > 10.4.0.3: ICMP echo reply, id 61457, seq 1, length 64
19:17 < reiffert> those 4 lines ....
19:17 < reiffert> what did you do to get them?
19:18 < Dryanta> i think that was a ping from to
19:18 < reiffert> prove!
19:19 < robert_> reiffert, how would I do that?
19:19 < reiffert> robert_: do what?
19:19 < robert_> client-to-client certain subnets
19:19 < Dryanta> ok on to
19:19 < Dryanta> ping: sendto: No buffer space availabl
19:19 < reiffert> Dryanta: fix your firewall and then all problems will be gone.
19:20 < Dryanta> o# netstat -m
19:20 < Dryanta> 331/509/840 mbufs in use (current/cache/total)
19:20 < Dryanta> i dont get whats broke about the firewall
19:20 < reiffert> robert_: either add routing information to each client on both sides or *be* the default gateway on both sides and do the routing there.
19:20 < Dryanta> should i pastebin the oakland firewall for funsies?
19:21 < reiffert> Dryanta: sure, and please remove all deny's like you did for to.
19:21 < reiffert> and add the obvious allow any from any to any via tun1
19:21 < reiffert> allow all from any to any via tun1
19:21 < Dryanta> http://pastebin.ca/1283163
19:22 < Dryanta> this one is pf
19:22 < Dryanta> and fairly bare
19:22 < reiffert> right.
19:23 < reiffert> going to bed now, it's 2:30 in the morning.
19:24 < Dryanta> thanks for all your help
19:24 < reiffert> welcome
20:08 < ecrist> Dryanta: :\
20:18 < ecrist> Dryanta: didn't I tell you it was your firewall?
20:31 -!- AwayML is now known as AndyML
20:32 -!- Irssi: ##openvpn: Total of 42 nicks [0 ops, 0 halfops, 0 voices, 42 normal]
20:40 -!- AndyML is now known as AwayML
20:54 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
21:23 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: kreg, vpnHelper, Typone
21:24 -!- Netsplit over, joins: kreg, Typone, vpnHelper
23:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
23:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
--- Day changed Fri Dec 12 2008
00:05 -!- mRCUTEO [n=david@66.199.235.163] has joined ##openvpn
00:07 -!- AwayML [n=quassel@pool-96-227-91-204.phlapa.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
00:09 < ropetin> Meh
00:18 -!- mRCUTEO [n=david@66.199.235.163] has quit [Read error: 60 (Operation timed out)]
00:54 -!- AndyML [n=quassel@pool-173-49-135-102.phlapa.fios.verizon.net] has joined ##openvpn
01:02 -!- AndyML [n=quassel@pool-173-49-135-102.phlapa.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
01:18 -!- AndyML [n=quassel@pool-173-49-135-242.phlapa.fios.verizon.net] has joined ##openvpn
01:55 -!- AndyML [n=quassel@pool-173-49-135-242.phlapa.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
02:16 < krzee> so did Dryanta find his firewall issue?
02:26 < ropetin> I believe so, yes
02:35 < reiffert> moin
02:46 < krzee> cool
02:46 < krzee> moin!
02:47 < krzee> moin moin moin
02:54 < reiffert> Dryanta: does it work?
02:57 < krzee> reiffert, theres gunna be a gentoo portage for ssl-admin soonish
02:57 < krzee> the ebuild was submitted last night
02:57 < reiffert> woohoo.
02:57 < krzee> yup =]
02:57 < krzee> the other linux issue was install -C
02:57 -!- [X]Spot [n=stancho@78.90.99.168] has joined ##openvpn
02:57 < [X]Spot> Hi all
02:57 < krzee> so i switched to -c
02:58 < reiffert> oh, right!
02:58 < [X]Spot> How can i make clients to connect only with user name and password.. but the username and password to be saved in a file... so the connection be executed automatically
02:59 < krzee> why not use certs then?
02:59 < krzee> i mean, that can be done, but its not the most secure...
02:59 < krzee> but if you must...
02:59 < krzee> !nocert
02:59 < vpnHelper> krzee: "nocert" is to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required
02:59 < [X]Spot> I cannot use certs.. I want to send the username, password through sms for example
03:00 < krzee> !learn nocert as to know more, read about those config options in the manual (!man)
03:00 < vpnHelper> krzee: Joo got it.
03:00 < krzee> !nocert
03:00 < vpnHelper> krzee: "nocert" is (#1) to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required, or (#2) to know more, read about those config options in the manual (!man)
03:00 < krzee> there ya go
03:01 < reiffert> [X]Spot: you can use certs and block the usage of a client key by a password.
03:02 < [X]Spot> reiffert but I need the same certificate on all the clients and different passwords.. it's not possible
03:03 < reiffert> your setup sounds broken.
03:03 < [X]Spot> !man
03:03 < vpnHelper> [X]Spot: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:04 < krzee> its possible, but broken as hell
03:05 < krzee> and while it can be done, it should not be
03:05 < reiffert> oh well.
03:08 < [X]Spot> krzee and how can I push the username/password from the client?
03:08 < krzee> huhhhh?
03:08 < [X]Spot> openvpn --config openvpn.conf --auth-user-pass bla
03:08 < [X]Spot> Fri Dec 12 09:09:39 2008 Sorry, 'Auth' password cannot be read from a file
03:09 < krzee> if you want a setup as broken as you want, read the manual
03:09 < krzee> cause thats the worst setup ive ever seen attempted
03:09 < [X]Spot> yes, but that is what I need :(
03:10 < reiffert> same here.
03:10 < krzee> then get reading
03:10 < [X]Spot> is it possible to save username and password in a file.. I cannot find a way
03:10 < krzee> you understand that once you do that it is no longer a username and password right?
03:11 < krzee> it then becomes the most insecure cert ever made
03:11 < krzee> security is broken into 3 things:
03:11 < krzee> something you have, something you know, something you have
03:11 < krzee> you are turning something you know into something you have
03:11 < krzee> but openvpn already has something for that, certs
03:12 < krzee> you should give your setup some serious thought
03:12 < krzee> because anyone who knows what they're talkin bout will laugh at what you want
03:12 < krzee> (with good reason)
03:14 < reiffert> waste of time
03:20 < [X]Spot> but I do not want to be so secured actually
03:21 < [X]Spot> I just need to do it this way :(
03:30 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
03:42 < [X]Spot> one more question
03:42 < [X]Spot> if I use
03:42 < [X]Spot> source ./vars
03:42 < [X]Spot> ./build-key $CLIENT
03:42 < [X]Spot> to create client certificate
03:42 < [X]Spot> how can I automate this to use default settings from vars
03:42 < [X]Spot> and not to ask
03:55 < krzee> its in shell script, should be SIMPLE to mod
03:56 < krzee> in fact more removing stuff than anything else
05:05 < ebf0> Yo! - in My NetworkManager (Ubuntu), I can add an openvpn connection, just requiring a CA and a username / (password) ... How would I set up the server for this?
05:25 -!- bthornton [n=bthornto@www.simmons-corp.com] has joined ##openvpn
05:26 < bthornton> I'm connected to the Internet via my local LAN which is on the 192.168.1.0/24 network and I am trying to use OpenVPN to connect to another network--and the remote network happens to also be 192.168.1.0/24 . OpenVPN gives me an IP address in the 10.8.0.0 network (or something like that), so there's no problems establishing the VPN link, but...
05:27 < bthornton> When I establish a route to the 192.168.1.0/24 network using the OVPN interface as the gateway, what happens to the 192.168.1.0/24 LAN that I am locally connected to?
05:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:36 -!- bthornton [n=bthornto@www.simmons-corp.com] has quit ["Leaving."]
05:55 < reiffert> krzee: the symbian guy is blind!?
05:56 < reiffert> ebf0: by following the openvpn howto
05:56 < reiffert> !howo
05:56 < vpnHelper> reiffert: Error: "howo" is not a valid command.
05:56 < reiffert> !howto
05:56 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:27 < ecrist> [X]Spot: have you read the documentation?
07:28 < ecrist> ebf0: !nocert
07:28 < ebf0> ecrist: thanks, but I went through the man pages again, and it all came clear to me :)
07:28 < ecrist> ok
08:02 < reiffert> having certs is sooo beautiful, I cant understand why people do not want them.
08:06 < ecrist> me either
08:14 * cpm doesn't get the point.
08:14 < cpm> who doesn't want certs?
08:58 < reiffert> I think ecrist was pointing ebf0 to the docs about !nocert and [X]Spot tried to not have certs as well.
09:07 < ecrist> ldap+PAM+vshell are kicking my ass today.
09:23 < plaerzen> good morning
09:23 < ecrist> howdy
09:23 * plaerzen is hungover
10:04 -!- Solver [n=robert@CPE00a0c96b79ba-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
10:04 < Solver> hi all. running openvpn on Linux (debian etch) how can I reload the server config without impacting any clients
10:05 < Solver> would a simple /etc/init.d/openvpn reload be sufficient?
10:05 < Solver> since this is a prod system I'd rather not try before I had an idea what is going to happen. in the past I've always had the opportunity to do a restart if the config was changing
10:06 < Solver> if all else fails i'll do a restart at midnight
10:08 < reiffert> Solver: read up the manpage, especially the "Sending signals to a running openvpn server" part
10:09 < reiffert> Chapter "SIGNALS"
10:09 < Solver> reiffert: cool thanks. I did RTFM but must have missed that
10:10 < reiffert> etch comes with 2.0 right?
10:10 < reiffert> !man
10:10 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:10 < Solver> ah yes I did read that... SIGHUP closes and reopens tunnels while rereading the config. That seems to imply a short outage for users
10:11 < Solver> A HUP is a standard way to force a reread of the config of course.
10:11 < Solver> reiffert: yep 2.0
10:12 < reiffert> http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html#lbAT
10:12 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
10:13 < Solver> reiffert: it sounds like you're implying the HUP will be transparent to active users
10:13 < Solver> would that be a fair statement?
10:13 < reiffert> init.d/openvpn reload sends a HUP btw.
10:13 < Solver> ah cool
10:14 < reiffert> Solver: I'd just do it and let the users cry for that is exactly what users normally deserve.
10:14 < Solver> hahaha
10:14 < Solver> I'll schedule it for midnight ;)
10:14 < reiffert> I'd go for 5 o'clock
10:15 < reiffert> how many users will be affected?
10:15 < Solver> killing the vpn will knock out interoffice network so people would not be happy :)
10:15 < Solver> half the company - which in our case is about 20 people :)
10:15 < reiffert> They won't even notice.
10:15 < Solver> so the HUP is fairly transparent?
10:15 < ecrist> reiffert: they may
10:15 < reiffert> Or schedule it for 6:25 and you can claim daily cronjob getting ill.
10:15 < Solver> I'll do it late tonight anyway
10:15 < ecrist> when I HUP our server here, it kills any actively-used ssh session
10:16 < Solver> they are developers so they work at odd hours :)
10:16 < reiffert> ecrist: it shouldnt.
10:16 < ecrist> if it's an idle session, there's no problem. tailing a logfile or something will result in a reset
10:16 < Solver> I used to use TCP instead of UDP and it would reconnect _fast_ if i did a restart
10:16 < reiffert> ecrist: with persist-tun it waits until the tunnel comes back for me. It waits to tcp timeout, which is 3 days.
10:16 < Solver> with UDP it does seem to be slower, which makes sense
10:17 < reiffert> ecrist: means all my ssh connections survive a router reboot without problem here.
10:17 * Solver will have at to a reload at 00:01 and I'll peek in at 00:02
10:17 < reiffert> ecrist: openvpn running on the router.
10:17 < ecrist> not the case here, reiffert
10:18 < reiffert> ecrist: OS's involved?
10:18 < ecrist> FreeBSD, Linux, Windows, MacOS X
10:18 < reiffert> --persist-tun Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
10:18 < reiffert> SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
10:18 < reiffert> ecrist: well I saw this when running the ssh client on windows as well, but I call that a broken windows setting.
10:20 < reiffert> ecrist: it may happen that TCP KEEPALIVEs within the ssh connection pay attention too quickly for the case the tunnel is down.
10:22 < ecrist> reiffert: it only affects ssh sessions actually doing something, ie tailing a logfile.
10:24 < reiffert> ecrist: They will survive for hours at my setup.
10:24 < reiffert> which is sooooo nice.
10:24 < ecrist> for the record, I've got persist-tun
10:24 < reiffert> same here.
10:27 < ecrist> saw you fixed Dryanta's problems last night...
10:27 < reiffert> To be honest I'm not sure if he really fixed it until the end.
10:28 < ecrist> I spent all day yesterday telling him it was a firewall issue - he didn't believe me.
10:28 < reiffert> I think he even kept on believing after he was able to send data over the tunnel.
10:29 < ecrist> lol
10:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:53 < plaerzen> vpn tastes like sugar.
10:53 < Solver> reiffert: :)
11:14 -!- olarva [n=hostcert@189.0.6.150] has joined ##openvpn
11:21 < Dryanta> haha
11:21 < Dryanta> well dryantas problems arent fixed, but the firewall rulesets look fine so i dont think that is what it is
11:22 < reiffert> Dryanta:
11:22 < reiffert> 02:12 < Dryanta> 17:11:18.215522 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 61457, seq 0, length 64
11:22 < reiffert> 02:12 < Dryanta> 17:11:18.215540 IP 10.4.0.4 > 10.4.0.3: ICMP echo reply, id 61457, seq 0, length 64
11:22 < reiffert> 02:12 < Dryanta> 17:11:19.215603 IP 10.4.0.3 > 10.4.0.4: ICMP echo request, id 61457, seq 1, length 64
11:22 < reiffert> 02:12 < Dryanta> 17:11:19.215621 IP 10.4.0.4 > 10.4.0.3: ICMP echo reply, id 61457, seq 1, length 64
11:22 < Dryanta> you keep pasting that but it hasnt happened
11:22 < reiffert> explain!
11:22 < reiffert> ah, thats because you werent pasting that
11:22 < Dryanta> couldnt tell ya i think that was me pasting from different sides
11:22 < Dryanta> i dont even know, i just know its not working
11:22 < Dryanta> period
11:22 < reiffert> cosmic rays influenced the irc server communication channel!
11:22 < Dryanta> and the firewall rulesets look fine
11:23 < Dryanta> reiffert: im not a networking/sysadmin nub and patronizing wont help
11:23 < Dryanta> OPENVPN SAYS CONNECTED IF IT WAS FIREWALLED IT WOULDNT SAY CONNECTED AMIRITE
11:23 < reiffert> Dryanta: one last question from my side: how come you were pasting those 4 lines?
11:23 < Dryanta> reiffert: i just said, probably from both sides i dont know
11:23 < reiffert> Dryanta: no, you are not rite.
11:24 < Dryanta> ping never reported any packets passed
11:24 < Dryanta> not once
11:24 < Dryanta> so it might have SENT the packets but they didnt go to the other side
11:24 < reiffert> have fun, I dont feel in the right mood to dig into this, sorry.
11:24 < reiffert> you should already know that the packets reach the other side, thats were we stopped yesterday. 11:25 < Dryanta> from oak to to not to to oak 11:25 < reiffert> so keep on starting at the working firewall on to then. 11:25 < reiffert> starting = staring. 11:26 < reiffert> how long will it take you to wipe out all firewalling rules_ 11:26 < reiffert> all but "allow all from any to any" 11:27 < reiffert> oh wait, why should you do that, it's definitly not the firewall! 11:27 < reiffert> Stupid /me 11:29 -!- robert_ [n=hellspaw@objectx/robert] has quit [Excess Flood] 11:30 < Dryanta> i cant wipe the firewall on a production machine, especially when nothing looks like its breaking it 11:30 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 11:30 < Dryanta> and all the allow rules come before deny, the only denys are on specific ports 11:30 < reiffert> wrong. 11:31 < reiffert> your deny rules where 0300, 0600, 0700 and they were denying communication on lo device. 11:31 < reiffert> to say it with your words: PERIOD 11:31 < Dryanta> http://pastebin.ca/1283706 11:31 < reiffert> whatever, heave fun. 11:31 < reiffert> it's a production machine, I dont want to change it (improve). 11:32 < Dryanta> no, i dont want to break it in the middle of the day (nasty phone calls) 11:32 < Dryanta> besides, there are no lo deny rules anymore, havent been since last night 11:33 < Dryanta> 100/200/300 should cover openvpn, i dont see why you can say FIREWALL FIREWALL FIREWALL when those rules cover it 11:33 < reiffert> Dryanta: openvpn is working. what is not working is the rest of your communication that should make use of the tun devices. 11:33 < Dryanta> not to mention 7491 nobody 1 117 0 9028K 2596K CPU1 0 5:59 99.85% openvpn 11:34 < Dryanta> no, openvpn shouldnt be taking up 99% cpu 11:34 < reiffert> well, then better stop using it. 
11:34 < Dryanta> i keep telling you and you keep not listening, the problem is a tun within a tun 11:34 < Dryanta> you dont have to troll 11:34 < ecrist> Dryanta: no, you're not right. 11:34 < Dryanta> ecrist: why is openvpn taking 99% cpu 11:34 < Dryanta> that makes no sense, it means its b0rken 11:34 < ecrist> just because you can connect to the vpn doesn't mean your firewall won't block traffic across the vpn 11:35 < ecrist> then use something else 11:35 < Dryanta> ecrist: id like to figure out why its broken, i dont know of any other solution 11:35 < Dryanta> ipfw/ipsec is super gay 11:37 < ecrist> if you've got this *exact* same setup working elsewhere, as you've claimed, it's obviously a problem with your local system, and not OpenVPN 11:38 < Dryanta> thats some awesome support, "its broken but we arent gonna try to fix it because you are dumb or you obviously could figure out the problem, use something else" 11:38 < ecrist> I would argue that we have tried. 11:42 < olarva> Hi, i use, in client side, redirect-gateway def1 (Vista Ultimate), but metric is wrong (not default gateway) 11:43 < jeev> hi 11:46 < ecrist> Dryanta: gif + ipsec 11:47 < reiffert> Dryanta: oh, looking for official support channel? 
11:48 < reiffert> Dryanta: http://lists.sourceforge.net/lists/listinfo/openvpn-users 11:48 < vpnHelper> Title: Openvpn-users Info Page (at lists.sourceforge.net) 11:48 < Dryanta> reiffert: already typing up the email 11:49 < Dryanta> you keep saying firewall and getting frustrated, still doesnt explain 99% cpu 11:49 < Dryanta> something is really broke with this thing 11:49 < Dryanta> much more than fw ruleset 11:49 < Dryanta> again its a tunnel within a tunnel tun(4) 11:49 < Dryanta> that i believe is problem 11:55 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 11:58 -!- olarva [n=hostcert@189.0.6.150] has quit ["WeeChat 0.2.6"] 12:24 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Read error: 104 (Connection reset by peer)] 14:07 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:13 < krzee> dry 14:13 < krzee> you have your answer, really 14:13 < krzee> [13:31] <Dryanta> i cant wipe the firewall on a production machine, especially when nothing looks like its breaking it 14:13 < krzee> that is complete bullshit 14:13 < krzee> because you can, and need to 14:14 < krzee> you should prolly do it during off-peak hours tho 14:14 < krzee> nobody here is paid to hep anybody, and they arent going to sit here and argue with you to get you to fix your stuff 14:14 < krzee> they'll give you the answer, and leave you to implement it if you care to 14:15 < krzee> and the data i saw when i scrolled points to reiffert and ecrist being right (which happens more often than not) 14:16 < krzee> what you do is up to you, as it is your problem... 
but i assume you came for ideas on how to fix it, so you should prolly listen to those guys, they know what they're talking about 14:32 < Dryanta> krzee: the firewall ruleset allows all ip on that port and all ip on the tunnel interface 14:32 < Dryanta> http://pastebin.ca/1283706 14:33 < Dryanta> this is why i am completely certain the issue is not firewall related 14:33 < Dryanta> firewall also does not explain why i have 100% cpu utilization 14:33 < Dryanta> well its 25% now, but still recockulously high 14:33 < Dryanta> 7491 nobody 1 -8 0 9028K 2552K biowr 1 128:05 26.03% openvpn 14:34 < Dryanta> there is some problem not related to firewalling 14:34 < Dryanta> again as i said, tun(4) within tun(4) 14:37 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn 14:38 < PeterFA> If I set up a client/server and the client connects to the server automagically, would the lan behind the server be visible to the client assuming the server has it's routing tables configured correctly, or does "push \"route pool mask\"" need to be added to finish it off? 14:39 < krzee> !route 14:39 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 14:39 < PeterFA> That is, does the client naturally learn the path to the server's subnet without any push directive? 14:39 < krzee> that will tell you everything you need to know about lans behind clients and server 14:39 < krzee> no 14:39 < krzee> it needs a push route 14:40 < PeterFA> Thanks. 14:40 < krzee> np 14:42 < krzee> Dryanta, why is it a tun within a tun? 14:43 < krzee> and why did we not get told that until now? 
14:44 < Dryanta> i said that like twenty times yesterday actually 14:44 < Dryanta> pppoe 14:44 < krzee> i coulda sworn you said your provider used pppoe, which could be done transparently to you 14:45 < Dryanta> nope 14:45 < Dryanta> i said tun(4) within tun(4) a whole bunch of times, especially with reiffert 14:45 < krzee> yes i see that from today 14:45 < Dryanta> i believe that is the root of my problem 14:46 < krzee> then how do you propose to test that... 14:46 < Dryanta> i have two other freebsd boxes running 7.0 amd64 with 2.0.6 same config working perfectly 14:46 < krzee> the other boxes use the exact same firewall setup? 14:46 < Dryanta> and with nearly 0 cpu utilization 14:46 < Dryanta> close enough 14:47 < Dryanta> one is ipfw the other one is pf 14:47 < Dryanta> just like this other setup 14:47 < krzee> btw that has NOTHING to do with testing your tun idea 14:49 < Dryanta> i think it does 14:49 < Dryanta> because they arent tun within tun 14:49 < Dryanta> same version os/openvpn 14:49 < Dryanta> same config with the exception of ip addresses and mtu 14:49 < krzee> are you familiar with testing ideas rather than just saying "it doesnt work, it must be this" 14:50 < krzee> nm im gunna go do other stuff 14:50 < krzee> later 14:50 < Dryanta> krzee: yes im a network engineer brotato 14:50 < Dryanta> take care 14:52 < krzee> hint, give tap a try 14:53 < Dryanta> i can try that thanks for the suggestion 14:53 < krzee> you have ip encapsulated in UDP ip encapsulated in ppp encapsulated in ethernet frames currently 14:53 < Dryanta> i know its a mess 14:53 < krzee> you prolly wanna use --mtutest too 14:54 < krzee> since that is a likely cause of fubar 14:54 < Dryanta> well i framed the mtu to 1492 14:54 < Dryanta> on both ends 14:54 < krzee> umm 14:54 < krzee> honestly, i think you need to go lower 14:54 < Dryanta> ok ill try that 14:54 < Dryanta> 1480 or 1400 even? 
14:54 < krzee> --mtutest will tell 14:54 < krzee> !mtu 14:54 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 15:31 -!- doke [n=me@unaffiliated/emrah] has joined ##openvpn 16:05 < PeterFA> I wonder if it would make sense to make SCORMs. 16:05 < PeterFA> SCORMs are these things that plug into SCORM compliant software, generally LMS. 16:05 < PeterFA> You could make a SCORM and distribute it :) 16:32 < krzee> huh? 16:35 < reiffert> Dryanta: did you manage to get it work properly? 16:35 < PeterFA> krzee, eLearning for OpenVPN, and others. 16:35 < PeterFA> krzee, I was thinking about it and this channel was the one I was in when I decided to talk about it. 16:38 < krzee> PeterFA, im still not sure exactly what you mean 16:38 < krzee> to me elearning for openvpn is !howto and !man 16:40 < PeterFA> krzee, online classes like Blackboard. 16:40 < PeterFA> Only they'd be free. 16:40 < krzee> hah 16:41 < PeterFA> Then they can be distributed to people who have elearning sites. 16:41 < krzee> now all you gotta find is people that want to be free teachers 16:41 < krzee> i dont mind giving people that read for themselves some help 16:41 < PeterFA> Elearning can be self-guided. 16:42 < krzee> it already is, same as any other program 16:42 < krzee> i comes with a manual and docs 16:42 < krzee> it 16:42 < PeterFA> SCORMs would be a different format, more classroom like, good for those comfortable with that. 16:43 < krzee> those not comfortable with manpages and docs might not be the people that should be doing advanced networking (ie: vpn) 16:43 < PeterFA> Hmm.. good point. 17:02 -!- tessier_ [n=treed@kernel-panic/sex-machines] has quit [Connection timed out] 17:07 < ecrist> evenging, folks 17:07 < ecrist> evening even 17:21 < robert_> How would I push a subnet dhcp to specific clients? 
17:21 < robert_> push "dhcp-options 10.2.0.0" ? 17:23 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:23 < Dougy> Heyo 17:26 < krzee> a subnet dhcp?? 17:28 < Dougy> heyo krzeeeeeeeeeeeeeeeeeeeeeee 17:45 < Dougy> foooooooooooood yay 17:54 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["leaving"] 18:35 -!- syntaxx [n=patrick@unaffiliated/syntaxx] has quit [Read error: 110 (Connection timed out)] 21:00 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit ["Gone"] 21:59 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has joined ##openvpn 21:59 < syntaxx> hi, when a multiple client connect to the vpn server it will gave the same ip address in each client? --- Day changed Sat Dec 13 2008 00:09 < ropetin> syntaxx: No 00:12 < syntaxx> ropetin: hmmm why im getting the same ip address on two clients? 01:18 < Dryanta> reiffert: nope 01:18 < Dryanta> but as krzee said, i have encapsulation on top of encapsulation on top of encapsulation 01:18 < Dryanta> i used test-mtu and it said to use 1450 01:42 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 01:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 02:01 < reiffert> Dryanta: and 1450 solved it? 02:27 -!- SerajewelKS [i=devnull@wikipedia/Crazycomputers] has quit [Read error: 60 (Operation timed out)] 02:31 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 03:00 < Solver> btw - the HUP kicked all the clients. 
didn't matter in my case as I'd given everyone warning and did it at midnight 03:00 < Solver> just thought you'd like to know 03:01 < Solver> all the clients connected back within a few minutes 03:11 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 03:12 -!- iamamoron [n=iamamoro@210.238.181.187] has joined ##openvpn 03:13 < iamamoron> hi there 03:13 < iamamoron> I already put routes to my openvpn server of the subnet 192.168.39.0/24 03:13 < iamamoron> now from openvpnclient i cannot ping to subnet 192.168.39.0/24 03:13 < iamamoron> any ideas? 03:13 < iamamoron> but from server I can ping it 03:13 < iamamoron> anyideas? 03:14 < iamamoron> ? 03:33 -!- robert_ [n=hellspaw@objectx/robert] has quit [SendQ exceeded] 03:35 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 03:37 -!- robert_ [n=hellspaw@objectx/robert] has quit [SendQ exceeded] 03:38 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 03:41 -!- robert_ [n=hellspaw@objectx/robert] has quit [SendQ exceeded] 03:42 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 03:52 -!- iamamoron [n=iamamoro@210.238.181.187] has quit [] 04:08 < Dryanta> reiffert: nope 04:08 < Dryanta> still b0rken 04:09 < Dryanta> i was pretty sure it had to do with tun within tun 04:09 < Dryanta> because the fw ruleset is bonehead simple 04:19 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 05:21 -!- robert_ [n=hellspaw@objectx/robert] has quit [SendQ exceeded] 05:22 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 05:30 -!- robert_ [n=hellspaw@objectx/robert] has quit [Excess Flood] 06:05 < reiffert> Dryanta: did you allready sent your mail to the list? 06:05 < reiffert> Dryanta: would you mind using a recent openvpn version? 06:07 < reiffert> Dryanta: and/or try 2.1 openvpn? 
07:35 -!- [X]Spot [n=stancho@78.90.99.168] has quit [] 07:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:09 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 08:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:29 -!- bjoernb [n=bbb@e177221250.adsl.alicedsl.de] has joined ##openvpn 08:30 < bjoernb> hello 08:30 < bjoernb> i am trying to set up openvpn. i am following the quick howto on openvpn.org. 08:30 < bjoernb> i am generating keys for certificates right now. 08:31 < bjoernb> i am at step ./build-key client1 now 08:31 < bjoernb> but there is something going wrong 08:31 < bjoernb> i selected 4096 as key length 08:32 < bjoernb> openssl is generating the key for more than 24 hours right now. 08:32 < bjoernb> the machine is TI UltraSparc IIi (Sabre) 08:33 < bjoernb> with 440 MHz and 512 MB RAM running debian. 08:33 < bjoernb> the process is printing out "." and "+" characters since 26 hours or so. 08:34 < bjoernb> i am following this tutorial http://openvpn.net/howto.html#quick 08:34 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 08:42 < reiffert> bjoernb: try to produce some randomness. 08:43 < reiffert> move mouse and keyboard, do some harddisk action. 08:48 < bjoernb> reiffert: i have no X on that machine 08:48 < reiffert> Have another machine build the keys for you? 08:49 < bjoernb> not right now. 08:49 < reiffert> Well. Try to check the openssl documentation how to get some randomness. 08:51 < bjoernb> i was downloading a mp3-stream with wget 08:51 < bjoernb> hoped that would do 08:51 < reiffert> write some files to the disk, read them, delete them and so on. 08:51 < bjoernb> but nothing happened 08:51 < bjoernb> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 08:51 < reiffert> I have no idea about how the solaris kernel gathers randomness. 08:52 < bjoernb> 28062 root 20 0 4384 2000 1592 R 97.7 0.4 2272:20 openssl 08:52 < bjoernb> look at the time.... 
08:52 < reiffert> Oh, Debian, Linux! 08:52 < bjoernb> yes. 08:52 < bjoernb> on a sparc machine 08:52 < reiffert> what does cat /proc/sys/kernel/random/entropy_avail 08:52 < reiffert> give you? 08:53 < bjoernb> 272 08:53 < reiffert> lsof -n | grep random 08:54 < bjoernb> http://dpaste.com/98771 08:55 < reiffert> Try to stop the processes eating the randomness, dovecot-whatever, imap-login and tlsmgr 08:56 < reiffert> did you run lsof as root? 08:57 < bjoernb> i did run it as root 08:57 < bjoernb> i stopped apache2, dovecot and postfix 08:57 < bjoernb> cat /proc/sys/kernel/random/entropy_avail 08:57 < bjoernb> 435 08:58 < bjoernb> it incremented the entropy available. 09:01 < reiffert> does it grow? 09:01 < bjoernb> no, now it is 365 09:01 < bjoernb> now 386 09:01 < bjoernb> now 405 09:01 < bjoernb> now 416 09:01 < reiffert> attach a trace to the process and see what it does. 09:02 < reiffert> strace -f -s1024 -oout -p $(pidof openssl= 09:02 < reiffert> ) 09:03 < bjoernb> i did watch cat /proc/sys/kernel/random/entropy_avail 09:03 < bjoernb> 435 09:03 < bjoernb> and every two seconds i see an update 09:03 < bjoernb> it is now 562 09:03 < bjoernb> and growing 09:03 < bjoernb> 604 09:05 < bjoernb> i now did the strace 09:06 < bjoernb> bjoern:/home/bjoern# strace -f -s1024 -oout -p $(pidof openssl) 09:06 < bjoernb> Process 28062 attached - interrupt to quit 09:08 < bjoernb> what to do now? 09:10 < bjoernb> the strace does not print out anything else 09:13 < bjoernb> Every 2,0s: cat /proc/sys/kernel/random/entropy_avail Sat Dec 13 16:04:11 2008 09:13 < bjoernb> 1676 09:24 < bjoernb> 0 09:25 < bjoernb> reiffert the entropy is growing. now at 3222 09:27 < reiffert> all right, I'd stop the first generation process and start a new one here. 09:28 < reiffert> the strace is printing to the file "out" 09:30 < bjoernb> what is the first gen process? 09:30 < bjoernb> ah i have to start strace new. 
09:30 < reiffert> the one that is already running for 26 hours 09:30 < bjoernb> ah okay 09:30 < bjoernb> openssl 09:31 < reiffert> I think we dont need strace anymore. 09:31 < bjoernb> ./build-dh 09:31 < bjoernb> Generating DH parameters, 4096 bit long safe prime, generator 2 09:31 < bjoernb> This is going to take a long time 09:32 < reiffert> You said you were running build-key, now? 09:32 < reiffert> now=no 09:32 < bjoernb> perhaps, sorry if i did. 09:32 < reiffert> sooo where are we exactly? 09:33 < bjoernb> ./build-dh 09:34 < reiffert> and that is the one that was running for 26 hours? 09:34 < bjoernb> ./build-dh 09:34 < bjoernb> with 4096 bit long safe prime 09:34 < bjoernb> not 1024 as proposed 09:35 < reiffert> and you were restarting the process? 09:36 < bjoernb> yes 09:36 < bjoernb> i did 09:37 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn 09:38 < reiffert> do you now get more characters per time on your console? 09:39 < reiffert> btw, do you have a soundcard on that particular sparc? 09:40 < bjoernb> no i do not have a soundcard 09:42 < bjoernb> reiffert: what do you mean by getting more characters per time on my console? am i typing too slow? 09:43 < reiffert> 15:34 < bjoernb> the process is printing out "." and "+" characters since 26 hours or so. 09:43 < reiffert> do you get more +'s now at a given period of time? 09:44 < bjoernb> now i do get only dots no pluses 09:44 < reiffert> and entropy_avail is empty? 09:45 < reiffert> btw ... 09:46 < bjoernb> 3233 09:46 < reiffert> openssl -rand file 09:46 < bjoernb> atm 09:46 < reiffert> -rand file(s) 09:46 < reiffert> specifies a file or files containing random data used to seed the random number generator, or an EGD socket. Multiple files can be specified separated by an OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others. 
09:46 < reiffert> openssl -rand file dhparam -out dh4096.pem 4096 09:46 < reiffert> and give it a huge mp3 file 09:48 < bjoernb> openssl rand file dhparam -out dh4096.pem 4096 09:48 < bjoernb> prints out the usage 09:48 < bjoernb> -out file - write to file 09:48 < bjoernb> -engine e - use engine e, possibly a hardware device. 09:48 < bjoernb> -rand file:file:... - seed PRNG from files 09:48 < bjoernb> -base64 - encode output 09:48 < reiffert> http://www.mkssoftware.com/docs/man1/openssl_dhparam.1.asp 09:48 < vpnHelper> Title: openssl dhparam -- DH parameter manipulation and generation (at www.mkssoftware.com) 09:48 < bjoernb> that is the usage for rand 09:48 < reiffert> sorry. 09:48 < reiffert> openssl dhparam -out dh4096.pem 4096 -rand file 09:49 < bjoernb> 0 semi-random bytes loaded 09:49 < bjoernb> Generating DH parameters, 4096 bit long safe prime, generator 2 09:49 < bjoernb> This is going to take a long time 09:50 < reiffert> and do you have a file called "file"? 09:51 < bjoernb> no 09:51 < reiffert> call it with an mp3 file as argument. 09:51 < reiffert> # 09:52 < reiffert> or generate the dh parameters on another machine. 09:52 < bjoernb> okay 09:52 < bjoernb> i am downloading a 70mb mp3 file 09:52 < bjoernb> is that okay? 09:58 < bjoernb> prints dots 10:07 < bjoernb> thanks for your help reiffert. 10:08 < bjoernb> it is going to take a long long time. i think i'll just wait. 
10:08 < bjoernb> good night 10:08 -!- bjoernb [n=bbb@e177221250.adsl.alicedsl.de] has quit ["leaving"] 10:38 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"] 10:39 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 11:44 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 12:08 -!- robert_ [n=hellspaw@objectx/robert] has quit [SendQ exceeded] 13:59 -!- ikevin_ [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has joined ##openvpn 14:01 -!- ikevin [n=kevin@ANancy-256-1-88-32.w90-26.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)] 14:51 -!- dmarkey [n=dmarkey@159-134-210-10-dynamic.as1.csy.castleblaney.eircom.net] has joined ##openvpn 16:55 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has quit ["BitchX-1.1-final -- just do it."] 17:04 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: mXr, vpnHelper, kreg, reiffert, Typone 17:05 -!- Netsplit over, joins: kreg, Typone, vpnHelper 17:06 -!- Netsplit over, joins: mXr, reiffert 17:12 < krzie> Dryanta you here? 17:16 -!- dmarkey [n=dmarkey@159-134-210-10-dynamic.as1.csy.castleblaney.eircom.net] has quit [Read error: 113 (No route to host)] 17:31 < doke> reiffert: can I primsg you? 17:31 < krzie> if its an openvpn question you're better off asking in the channel 17:37 -!- Luria [n=trashed@cpe-74-66-17-216.nyc.res.rr.com] has joined ##openvpn 17:43 < doke> krzie: thanks but it was completely related to something else 17:46 < troy-> krzie = krazy 17:48 -!- Luria [n=trashed@cpe-74-66-17-216.nyc.res.rr.com] has quit [Nick collision from services.] 
17:49 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 18:00 < krzie> gotchya 19:23 -!- mXr [i=1001@packst.net] has quit [Read error: 110 (Connection timed out)] 19:24 < reiffert> doke: sure, go on 19:26 < reiffert> good night 19:44 -!- ikevin [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has joined ##openvpn 19:44 -!- ikevin [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has quit [Client Quit] 20:18 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 145 (Connection timed out)] 20:19 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection] 20:24 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 21:20 < ropetin> evenin' 21:32 < krzie> wassup 21:32 < ropetin> Meh, another long night 21:32 < ropetin> You? 21:32 < krzie> same deaal 21:33 < ropetin> :D 21:34 < ropetin> I don't even have my server at home to play with remotely :( 21:38 < krzie> weak 21:39 < ropetin> I know! 21:39 < ropetin> Ahh well 22:37 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection] 23:30 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)] 23:36 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 23:44 < jeev> hey krzie 23:44 < jeev> you there --- Day changed Sun Dec 14 2008 00:09 < ropetin> Open question; is there such a thing as an 'OpenVPN Appliance'? I.e. some hardware device I can shove on my networks and use to create connections to a central OpenVPN server? 
01:36 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)] 01:49 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection] 01:51 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 02:13 -!- ropetin_ is now known as ropetin 02:42 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Rienzilla, imbezol, pa, _trine, ikevin_, ebf0, Solver, noriX 02:43 -!- Netsplit over, joins: imbezol, Solver, ikevin_ 02:44 < ecrist> sup 02:50 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 02:50 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 02:50 -!- noriX [i=noriX@csbnc0002.229.162.clanserver4u.de] has joined ##openvpn 02:51 -!- noriX [i=noriX@csbnc0002.229.162.clanserver4u.de] has quit [Connection reset by peer] 02:51 < ecrist> what's everyone up to this evening? 02:52 < ropetin> Working :) 02:52 < ecrist> ah. so sorry for you. :) 02:52 < ropetin> Hehhe, indeed! 02:54 < ropetin> It's OK though, I like the money 03:11 < ecrist> g'night 03:12 < ropetin> Bon nuit 03:41 < reiffert> moin 03:43 < ropetin> D'accord 03:43 < reiffert> oui 03:44 < ropetin> OK, that's my French exhausted 03:46 < reiffert> :) 05:03 < kala> ropetin: I think some companies indeed package openvpn to appliances, but I don't know any names. Also, you can easily use OpenWRT orsomething like that 05:04 < ropetin> kala: thanks :) I found one (but I forget the name, began with E) but it did waaay more than just OpenVPN and cost bunches 05:04 < ropetin> I'm thinking a low cost piece of hardware with a simple GUI, someone configures it with 3 or 4 questions, then throws it on the network and it just works 05:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:24 < doke> ropetin: have a look at Linksys WRT54GL combined to dd-wrt or openwrt 05:25 < doke> 07:10 ropetin: Open question; is there such a thing as an 'OpenVPN Appliance'? I.e. 
some hardware device I can shove on my networks and use to create connections to a central OpenVPN server? 05:27 < reiffert> yep 05:27 < doke> http://www.dd-wrt.com/ 05:28 < ropetin> Thanks :) 05:29 < reiffert> does dd-wrt still try to store the openvpn key in nvram that will unlikly fail for wrt54gl when adding more than one client key? 05:30 < ropetin> I think I've found some hardware I could use for my own little device, I'm just waiting for a question to be answered by their support dept, then I'll order one and try it 05:30 < ropetin> Could be a nice little project 05:31 < doke> reiffert: yep ;) 05:31 < doke> ropetin: can you tell us more about the hardware you found? 05:31 < reiffert> doke: have a look for openwrt then. They have a Release Candidate for Kamikaze now, which compiles just fine and doesnt use nvram anymore. 05:32 < ropetin> doke: I cannot... :D 05:32 < doke> hmmm 05:32 < ropetin> But as soon as I have an answer from their support, I will :) 05:32 < doke> thx reiffert 05:33 < ropetin> I assume the OpenVPN license allows for inclusion in commercial products? 05:33 < doke> reiffert: The discussion on the ml is interesting (regarding the port of OpenVPN to Symbian)... There is some issues I haven't thought of. 05:33 < ropetin> doke: no offense, I just don't want to look stupid :) 05:33 < reiffert> There are binary images http://downloads.openwrt.org/snapshots/ 05:33 < vpnHelper> Title: OpenWrt (at downloads.openwrt.org) 05:33 < doke> But if you are courageous the bounty is still in my mind 05:33 < doke> ropetin: don't worry :) 05:34 < ropetin> Bounty? Me likes the sound of that... What are we getting paid for? 05:34 < reiffert> doke: I've been asking around on IRCNet the other day and one guy seemed to be interested ... his nickname was Moci, did he contact you? 05:35 < doke> Don't think so... 
05:41 < reiffert> 12:42 [belwue] -!- MocI [~moci@hq.egeek.de] 05:41 < reiffert> 12:42 [belwue] -!- ircname : Sven Grube 05:51 < doke> thx 06:34 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Read error: 110 (Connection timed out)] 06:41 -!- mRCUTEO [n=info@124.13.180.41] has joined ##openvpn 07:07 -!- mRCUTEO [n=info@124.13.180.41] has quit [Read error: 110 (Connection timed out)] 12:05 -!- p0liX [n=p0@pool-71-176-173-251.hgrtmd.east.verizon.net] has joined ##openvpn 12:20 -!- p0liX [n=p0@pool-71-176-173-251.hgrtmd.east.verizon.net] has quit ["Leaving"] 13:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 13:46 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 14:08 -!- doke [n=me@unaffiliated/emrah] has quit [Remote closed the connection] 14:55 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has joined ##openvpn 15:27 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit ["Lost terminal"] 15:27 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 15:44 -!- Dopefish [i=dopefish@unaffiliated/imk] has quit ["brb"] 17:25 -!- Luria [n=trashed@cpe-68-175-21-114.nyc.res.rr.com] has quit [Connection timed out] 18:27 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn 18:27 < mepholic> uh 18:27 < mepholic> how do you build a csr in windows? 18:57 -!- Kyler [n=chatzill@66.90.70.200] has joined ##openvpn 19:02 < Kyler> I'm trying to determine why a couple of my remote systems aren't getting the IP addresses I specify with ifconfig-push in their ccd files. 19:03 < Kyler> I see they're verified with the correct "/CN=" by the server but they display in the status file as "UNDEF". 19:06 < Kyler> I have a bunch of nodes configured almost identically and only two behave like this. 19:15 < Kyler> Hmmm...on my server I now see "MULTI: Learn: 10.0.100.174 [...]" when one of the problem nodes reconnects. It should be 10.0.100.160, according to the ccd file. 
19:17 < Kyler> Ah! I just noticed a slight difference in the certificate for this node. Something to try. 19:28 < Kyler> It looks like the problem is that the certificate has "Subject: CN=uuc02" instead of something like "Subject: C=US, ST=Indiana, O=The Lairds, CN=stifle". 19:28 < krzie> rebuild the cert 19:28 < Kyler> I use a script to generate the keys and certificates so I'm not so good at it. 19:29 < krzie> you use a unix-like os? 19:29 < krzie> aka, bsd/linux/osx 19:30 < Kyler> Linux (Ubuntu) 19:30 < krzie> !ssl-admin 19:30 < vpnHelper> krzie: "ssl-admin" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 19:30 < krzie> doh, 1sec 19:31 < krzie> !learn ssl-admin svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn 19:31 < vpnHelper> krzie: Invalid arguments for learn. 19:31 < Kyler> Where is the "Subject" set? Is it in an environment variable? 19:31 < krzie> !learn ssl-admin as svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn 19:31 < vpnHelper> krzie: Joo got it. 19:31 < krzie> or you can use easy-rsa like the howto shows 19:32 < Kyler> krzie: I'd extracted commands from that to build a script to make my keys and certs. I've made a bunch with it and it seems that only the recent ones are problematic. 19:33 < krzie> ok 19:33 < krzie> well you seem to have found your problem 19:34 < Kyler> The certificate is built with "openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG -batch" but there are a bunch of environment variables and settings in /etc/openvpn/openssl.cnf so I'm not sure where to start. 19:34 < krzie> you may find you like ssl-admin more than your script, maybe give it a try 19:35 < Kyler> I really don't want a "user-friendly, menu-driven interface". 19:35 < krzie> k 19:35 < Kyler> I'd just like my script to work like it did. 
19:35 < krzie> well fix your script then, i dont know whats wrong with it 19:35 < krzie> but i do know its your script 19:36 < Kyler> Yes, and it hasn't changed since 2005-07-02 so I'm fairly confident that OpenSSL has. 19:37 < Kyler> I understand that this isn't the place to get help for OpenSSL. 19:43 < ecrist> evening, folks 19:44 < krzie> wassup eric 19:44 < ecrist> nm, trying to find a nice stereo to put in my new truck. 19:45 < ecrist> yu? 19:46 < krzie> nothing really 20:46 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 20:46 < onats> hello everyone 20:47 < ecrist> howdy 20:47 < onats> just got myself a quad core machine:D 20:52 -!- mepholic is now known as mepholic__ 20:53 < krzie> <-- jealous 21:28 < mepholic__> GUESS WHAT GUYS DDOS COMIN 21:31 -!- mode/##openvpn [+o krzie] by ChanServ 21:31 -!- mode/##openvpn [-o+b mepholic__ *!*mepholic@209.17.190.*] by krzie 21:31 < onats> that was fast! 21:32 <@krzie> BitchX-1.1-final+ by panasync - FreeBSD 6.3-RELEASE-p3 21:33 -!- mode/##openvpn [-o mepholic__] by krzie 21:33 -!- mepholic__ was kicked from ##OpenVPN by krzie [No time to change your fate, no time left, it's too late.] 21:33 -!- mode/##openvpn [+b *!*@@209.17.190.*] by krzie 21:33 -!- mode/##openvpn [-b *!*mepholic@209.17.190.*] by krzie 21:34 -!- mode/##openvpn [-o krzie] by krzie 21:34 < krzie> thanx ;] 21:34 < krzie> i guess in here i can ban by nick 21:34 < krzie> since you must be identified 21:35 < krzie> but that just doesnt seem right to me, being from efnet and all 21:51 < ecrist> krzie: you saying we should remove the 'require to be registered/identified' bit? 21:51 < ropetin> You have to be registered to come in here? 21:55 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:00 < krzee> whats up all 22:00 < krzee> the mail list is surprisingly calm lately 22:01 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:11 < ecrist> yeah, that's how it's set up now. 
22:12 < krzee> ecrist, whatchya mean? 22:13 < ecrist> if you're not registered and identified to nickserv, you can't get in the chan. 22:13 < krzee> ohh right 22:13 < krzee> thought you were referring to my mail list comment 22:13 < ecrist> oh, no 22:17 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 22:19 < ropetin> How was that decision made? Were we getting too much spam or something? 22:19 < krzee> i believe it was more preventative than anything 22:22 < ecrist> I just set it up that way when I registered the channel. 22:25 < ropetin> OK :D 22:35 < ropetin> I guess it works out OK, most of the 'serious' people on Freenode are registered 22:37 < krzee> http://www.youtube.com/watch?v=vUQ7nT4Bnpg 22:37 < vpnHelper> Title: YouTube - Monkey Peeing inside mouth upside down (at www.youtube.com) 22:38 < ropetin> Thanks vpnHelper.. :) 22:39 < ropetin> Do we have an auto ban for bad words in here? 22:48 < ecrist> no 22:48 < ecrist> I'm going to log for the night. l8r 22:50 < krzee> nite eric 22:50 < krzee> ropetin, theres no auto bans for anything here 22:51 < krzee> and i dont think anyone cares about people swearing 22:51 < krzee> (i could be wrong) 22:54 < krzee> hey ropetin 22:54 < krzee> http://justforlulz.com/wp-content/uploads/untitled-5.jpg 22:54 < krzee> serious lol 22:54 < ropetin> krzee: I was just thinking, we could get the VpnHelper to ban himself by making him say a bad word in a URL 22:54 < ropetin> (I'm bored as you can tell( 22:54 < krzee> hahah 22:54 < krzee> ya hes not even an op 22:54 < krzee> hes just a helperbot 22:55 < ropetin> :D 22:55 < ropetin> Funny match.com link :D 22:56 < krzee> haha ya 23:08 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has joined ##openvpn 23:08 < tjz> long time no see, guys! 23:11 < tjz> knock knoc 23:13 < ropetin> WHo's there? 
23:14 < tjz> hey rope 23:14 < tjz> ^_^ 23:17 < krzee> hey rope who 23:18 < ropetin> Funnee 23:26 < tjz> yoooooooooooooooooo jeff 23:26 < tjz> ^_^ 23:26 < krzee> wassup man 23:26 * ropetin is hungee 23:26 < krzee> hungee? 23:27 < krzee> ahh need foods 23:27 < ropetin> Sorry, it's my childish way of saying hungry 23:27 < krzee> haha 23:27 < ropetin> As in, I'm so hungry I've started whining like a little kid 23:27 < krzee> i thought you were saying you were hung 23:27 < ropetin> krzee: no need to say that, that goes without saying 23:27 < krzee> lol 23:27 < ropetin> :P 23:27 < krzee> hehehe 23:28 < tjz> http://www.youtube.com/watch?v=9uIj0YvDBKE 23:28 < vpnHelper> Title: YouTube - Bush Shoe Incident - 2 shoes thrown at President Bush during press conference in Iraq (at www.youtube.com) 23:31 < krzee> tjz, http://justforlulz.com/wp-content/uploads/bush.jpg 23:31 < tjz> HAHHA!~!! 23:36 < onats> hahaha thats crazy 23:44 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 23:57 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 54 (Connection reset by peer)] --- Day changed Mon Dec 15 2008 00:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:17 < tjz> . 00:18 < ropetin> .. 
00:21 -!- ||arifaX [n=||arifaX@unaffiliated/arifax/x-427475] has joined ##openvpn 00:22 < ||arifaX> !route 00:22 < vpnHelper> ||arifaX: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 00:22 < ||arifaX> !menu 00:22 < vpnHelper> ||arifaX: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 00:27 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 00:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:42 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Connection timed out] 00:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:57 < ||arifaX> Hi, I have openvpn server running for 129 days now. every client gets the same ip when he is connecting through caching. they got 10.8.0.x 10.8.1.x 10.8.2.x . I did not create fw-rules for 10.8.2x so now they don't have all features. how can I say to the server it should forget about the ip<->user association and start from the beginning assigning ips and not caching them? 00:57 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 01:09 < krzee> are all clients using the same certs? 01:14 < krzee> cause i bet thats what it is (coupled with using an ipp.txt) 01:23 < ||arifaX> krzee: yes 01:24 < ||arifaX> krzee: my authentication is via safeword token and certs. certs all the same and safeword token via radius is unique 01:25 < ||arifaX> krzee: I don't use ipp.txt afaik 01:26 < krzee> i never recommend using the same cert for multiple clients 01:26 < krzee> BUT it can be done 01:26 < krzee> 1sec 01:26 < krzee> !man 01:26 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
01:26 < krzee> you need --duplicate-cn 01:26 < krzee> --duplicate-cn 01:26 < krzee> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name. 01:27 < krzee> so you just put duplicate-cn in the server config file 01:28 < krzee> by ipp.txt i was talking about ifconfig-pool-persist <file> 01:28 < ||arifaX> krzee: that's what I have. so maybe everything is ok since it now points 10.8.2.x so I only have to update my firewall rules for 10.8.2.0 if the entire ip range is empty it would reassign ips right? 01:28 < krzee> you must not have ifconfig-pool-persist 01:29 < krzee> nor can you have a client-config-dir 01:30 < krzee> here is how IPs are chosen: 01:31 < krzee> OpenVPN's internal client IP address selection algorithm works as follows: 01:31 < krzee> 1 -- Use --client-connect script generated file for static IP (first choice). 01:31 < krzee> 2 -- Use --client-config-dir file for static IP (next choice). 01:31 < krzee> 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice). 01:31 < krzee> so you cant have 1 or 2 01:32 < krzee> you are using routed or bridged? 01:32 < reiffert> moin 01:32 < krzee> moin moin 01:32 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has joined ##openvpn 01:33 < Grandia> my problem is dll hell! 01:33 < krzee> hah 01:33 < ||arifaX> krzee: afaik routed. I just need to know if the ips are all given to clients. will the next client get an ip that has been previously assigned to another automatically? 01:33 < Grandia> what version of libeay32.dll is 2.0.9 built on? 01:34 < krzee> ||arifaX, with the previous client still connected or not? 
01:34 < ||arifaX> previous client is gone 01:35 < krzee> ||arifaX, theres no telling 01:35 < krzee> sometimes it will reuse, sometimes it will skip ahead 01:35 < krzee> but it will not save and wait for previous 01:36 < krzee> cause it wont even be able to tell them apart 01:36 < krzee> do you need them to be static ips? 01:36 < krzee> if so, its doable even with your setup 01:36 < krzee> at least im pretty sure it is 01:36 < krzee> Grandia, ild answer you if i knew 01:37 < krzee> Grandia, prolly best for the mail list with that one 01:37 < krzee> !mail 01:37 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978 01:37 < ||arifaX> krzee: I don't need them static. 01:38 < ||arifaX> krzee: is there a parameter to tell the server not to save association between ip and client so theoretically the ip is reused after it is free? 01:39 < krzee> ||arifaX, with your setup every client is the same anyways, it cant even tell which machine is connecting 01:39 < krzee> and by default it does not save association 01:39 < krzee> [03:30] <krzee> you must not have ifconfig-pool-persist 01:40 < ||arifaX> krzee: it can because the username is the serial of the token. 01:40 < krzee> thats the command you give if you DO want to save association 01:40 < krzee> ||arifaX, only if you were to add --username-as-common-name 01:40 < krzee> =] 01:40 < ||arifaX> krzee: but the server tries to save even if not configured, right until ip range is empty then it will reassign? 01:40 < krzee> no 01:40 < krzee> but sometimes it will skip ahead anyways 01:41 < ||arifaX> krzee: I have username-as-common-name 01:41 < krzee> why? 
01:41 < ||arifaX> krzee: because I have connect scripts where I have to identify some users from their token-serial for special things I do 01:41 < krzee> ok 01:42 < krzee> how bout this 01:42 < krzee> !configs 01:43 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 01:43 < krzee> i can take a peek and tell you if you have anything messing with ip allocation if you want 01:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:43 < krzee> otherwise, by default it does not actively wait for the client to come back and get its ip back 01:43 < krzee> but it MAY skip ahead when next client comes anyways 01:44 < Grandia> ah 01:44 < krzee> if you cant handle that, assign static internal ips so you have no confusion 01:44 < krzee> which you can do since you have username-as-common-name 01:45 < Grandia> n/m... was actually trying to use an extension for openvpn & google search pointed out that to put any extension programs in the openvpn bin dir because it ships with its own libeay32.dll 01:45 < Grandia> libeay32.dll in path is newer since it's been updated by windowsupdate 01:45 < ||arifaX> krzee: one final question. when I restart openvpn deamon will it forget ip-association? 01:46 < krzee> as long as no ifconfig-pool-persist, or static assignments, yes 01:46 < ||arifaX> krzee: thanks for your help 01:46 < krzee> np =] 01:56 < onats> hey guys, anyone here doing consulting work? 01:56 < onats> how does the charging go about? 01:56 < Dryanta> depends on how good you are 01:56 < reiffert> worst case... 01:58 < ||arifaX> krzee: one word - I love this openvpn stuff since it is rockstable and easy! 01:59 < onats> Dryanta, can you give me an idea? 
i dont know how to charge 01:59 < onats> and, there's one client asking me for a monthly cost/maintenance 01:59 < Dryanta> if you dont know how to charge how do you know you can do consulting? 02:11 < krzee> my prices varied based on who what and where 02:12 < krzee> from 50 - 150 / hr 02:12 < krzee> then i found out a friend of mine gets $450/hr 02:12 < krzee> but granted he is more skilled than me 02:13 < krzee> but without knowing what you will be doing, and how well you know the material, saying a number is 100% pointless 02:16 < jeev> krzee 02:17 < tjz> $450/hr .. 02:18 < onats> that's the reason i'm asking 02:18 < onats> so it's probably based on market rates then? 02:18 < onats> bah 02:18 < krzee> no its based on how good you are 02:18 < onats> nevermind 02:19 < krzee> bbl, movie time 02:19 < tjz> i am really good lvl 3 sys admin 02:19 < tjz> but my company pay me crap salary! 02:20 < onats> thats why 02:24 < tjz> How much should a cPanel linux administrator with 7 years experience should get pay? 02:25 < tjz> level 3 02:26 < reiffert> What he thinks he's worth. 02:29 < Dryanta> im a bsd admin with about 7y experience and i make $120 02:29 < Dryanta> bsd/network lan/wan 02:30 < reiffert> 1000 / day in selfemployeed mode sounds ok, 1000 / week when normal clerk. 
02:30 < Dryanta> $120/h will pay you just fine imo 02:30 -!- [14]Chaosvexs [i=Chaosvex@ip-87-82-79-153.easynet.co.uk] has joined ##openvpn 02:30 < [14]Chaosvexs> There we go ;> 02:30 < Dryanta> thats what i bill out at when im doing contracting 02:30 < [14]Chaosvexs> Hi 02:30 < [14]Chaosvexs> I have a question about OpenVPN (surprise surprise) 02:31 < [14]Chaosvexs> I seem to have it working and connected, but I'm not able to use the net through it no matter what I do 02:31 < [14]Chaosvexs> I'm running it on a Linux machine and connecting to it through XP 02:31 -!- [14]Chaosvexs is now known as [14]Chaosvex 02:32 < [14]Chaosvex> Mon Dec 15 08:20:57 2008 route ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5 02:32 < [14]Chaosvex> Mon Dec 15 08:20:57 2008 Route addition via IPAPI succeeded 02:32 < [14]Chaosvex> Mon Dec 15 08:20:57 2008 Initialization Sequence Completed 02:32 < [14]Chaosvex> Presume it's working anyway 02:33 < reiffert> !paste 02:33 < vpnHelper> reiffert: Error: "paste" is not a valid command. 02:33 < reiffert> Use a public paste service. 
02:33 < reiffert> !configs 02:33 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 02:33 < [14]Chaosvex> One sec :) 02:34 < [14]Chaosvex> http://pastebin.com/m6c139914 - Client config on Windows XP 02:34 < [14]Chaosvex> Doing the server one now 02:34 < [14]Chaosvex> http://pastebin.com/m386b746f - Linux server config (CentOS) 02:34 < reiffert> read again 02:34 < reiffert> !configs 02:34 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 02:39 < [14]Chaosvex> http://pastebin.com/m6c932d4a = Client 02:40 < [14]Chaosvex> http://pastebin.com/mbe0ff1a = Server 02:40 < [14]Chaosvex> OpenVPN 2.0.9 02:40 < reiffert> !linfw 02:40 < vpnHelper> reiffert: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 02:43 < [14]Chaosvex> Hmm 02:46 < [14]Chaosvex> I have no idea how to do that :/ 02:47 < [14]Chaosvex> Should I ask if disabling them altogether is a good idea? 02:47 < [14]Chaosvex> Going to presume not. Well, I'm not sure how to check the policies are set to accept 02:47 -!- sfire [n=sfire@105-107.102-97.tampabay.res.rr.com] has joined ##openvpn 02:48 < sfire> got a question for all of you.. just configured a VPN and it works if I use the LAN address of the machine. However when I use my dyndns address it cannot connect 02:49 < sfire> I am inside the network.. 
is that what is preventing it from working using the internet address to connect? 02:49 < sfire> I followed http://www.ventanazul.com/webzine/articles/openvpn-ubuntu-and-hulu that guide 02:49 < vpnHelper> Title: Install OpenVPN on Ubuntu, Hulu Outside the US and Network Security | Ventanazul (at www.ventanazul.com) 02:49 < ropetin> sfire: can you connect to any other services running via that external address? 02:50 < sfire> yes.. I have a web server that runs on it also 02:50 < ropetin> But probably it won't work, because the routing get's all confused 02:50 < sfire> thats what I kinda figured 02:50 < ropetin> You can connect to the web host by the external name? 02:50 < sfire> yes 02:50 < ropetin> Hmmm, weird. What happens if you configure the external name in the OpenVPN configs? 02:51 < sfire> it cannot connect.. it just times out 02:51 < sfire> but if I change it to the LAN IP it connects perfectly 02:51 < ropetin> That's on the client side or both? 02:51 < sfire> yes.. client side 02:52 < sfire> I checked my 1194 port and it is externally accessable (via a website checker) 02:52 < ropetin> And what is the server set to listen on? 02:53 < sfire> could you try connecting (even with the wrong keys) and see if it even attempts to? 02:54 < ropetin> I'll at least telnet in, what's the IP or dns? 02:55 < sfire> travis.blogsite.org 02:55 < ropetin> It's available on that domain name, yeah 02:56 < [14]Chaosvex> Well anyway, I presume IPTables aren't the problem reiffert 02:56 < [14]Chaosvex> There aren't any rules 02:57 < [14]Chaosvex> Like I said, I can connect but I haven't got anything to work beyond that 02:57 < sfire> ropetin, looking at the way I have it configured ... I will be able to access the other machines on the ETH0 network right? 02:58 < reiffert> [14]Chaosvex: can you ping 10.0.8.5? 
02:58 < ropetin> I'm maybe confused sfire 02:58 < ropetin> I don't get the question 02:58 < [14]Chaosvex> No reiffert 02:59 < reiffert> [14]Chaosvex: thats your local ip on the client side. increase verbosity to level 6 and paste the client log. 02:59 < reiffert> [14]Chaosvex: paste as well: 02:59 < reiffert> iptables -L -v -n 02:59 < reiffert> iptables -t nat -L -v -n 02:59 < sfire> ropetin, I have a bunch of machines on 172.16.0.x network.. I have this setup to assign 10.8.0.x addresses.. will I be able to access the 172.16.0.x network? 02:59 < reiffert> (both) 02:59 < [14]Chaosvex> Okay 03:02 < [14]Chaosvex> [root@server4 ~]# iptables -L -v -n 03:02 < [14]Chaosvex> Chain INPUT (policy ACCEPT 179 packets, 14634 bytes) 03:02 < [14]Chaosvex> pkts bytes target prot opt in out source destination 03:02 < [14]Chaosvex> Chain FORWARD (policy ACCEPT 4 packets, 240 bytes) 03:02 < [14]Chaosvex> pkts bytes target prot opt in out source destination 03:02 < [14]Chaosvex> Chain OUTPUT (policy ACCEPT 152 packets, 18614 bytes) 03:02 < [14]Chaosvex> pkts bytes target prot opt in out source destination 03:02 < [14]Chaosvex> Damnit, sorry! 03:02 < [14]Chaosvex> Eep, meant to paste a link 03:02 < [14]Chaosvex> http://pastebin.com/m76594894 = iptables -L -v -n 03:03 < [14]Chaosvex> http://pastebin.com/m17198e79 = iptables -t nat -L -v -n 03:03 < reiffert> paste as well: route -n 03:03 < [14]Chaosvex> http://pastebin.com/m643bd14f = Client log at 6 03:04 < reiffert> route -n and: ifconfig 03:04 < [14]Chaosvex> http://pastebin.com/m2d7c93ad = route -n 03:04 < [14]Chaosvex> http://pastebin.com/m588cebcc = ifconfig 03:05 < reiffert> ping 10.8.0.1 03:06 < [14]Chaosvex> Works 03:06 < reiffert> ping 10.8.0.5 03:06 < [14]Chaosvex> Doesn't work 03:06 < reiffert> ping 10.8.0.2 03:06 < [14]Chaosvex> Doesn't work either 03:07 < reiffert> lemme start my linux box. 
03:07 < [14]Chaosvex> Okay 03:07 < reiffert> want to check if 03:08 < reiffert> 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 03:08 < reiffert> 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 03:08 < reiffert> looks okay. 03:10 < reiffert> it doesnt. 03:10 < [14]Chaosvex> Oh 03:10 < reiffert> 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 03:10 < reiffert> 10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0 03:10 < reiffert> server.config: 03:10 < reiffert> line 03:10 < reiffert> server 10.8.0.0 255.255.255.0 03:10 < reiffert> change to: 03:11 < reiffert> no, wait, that line is ok. 03:12 < reiffert> http://pastebin.com/m643bd14f is it the logfile of the linux client or the windows server? 03:12 < [14]Chaosvex> Windows client 03:12 < [14]Chaosvex> The server is Linux 03:13 < reiffert> When I said I want your firewall settings and route -n, I wanted to have that from your windows client. 03:14 < reiffert> On my linux server even the routing table looks ok: 03:14 < reiffert> 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 03:14 < reiffert> 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 03:14 < [14]Chaosvex> Figured you meant from the server sorry 03:14 < [14]Chaosvex> The client machine isn't running a firewall at the moment 03:15 < reiffert> paste: 03:15 < reiffert> ipconfig /all 03:15 < [14]Chaosvex> Okay, one sec 03:15 < reiffert> netstat -n -r 03:16 < [14]Chaosvex> http://pastebin.com/m324764d8 = IPConfig 03:16 < [14]Chaosvex> http://pastebin.com/m4a0cc767 = netstat -n -r 03:17 < reiffert> on windows side run: ping 10.8.0.5 03:17 < [14]Chaosvex> Doesn't work 03:18 < reiffert> allright, problem found. 03:18 < reiffert> # 03:18 < reiffert> Ethernet adapter Local Area Connection: 03:18 < reiffert> # 03:18 < reiffert> 03:18 < reiffert> # 03:18 < reiffert> Connection-specific DNS Suffix . : 03:18 < reiffert> # 03:18 < reiffert> Description . . . . . . . . . . . 
: Realtek RTL8139 Family PCI Fast Ethe 03:18 < reiffert> # 03:18 < reiffert> rnet NIC 03:18 < reiffert> # 03:18 < reiffert> Physical Address. . . . . . . . . : 00-01-2E-10-24-B2 03:18 < reiffert> # 03:18 < reiffert> Dhcp Enabled. . . . . . . . . . . : No 03:19 < reiffert> # 03:19 < reiffert> IP Address. . . . . . . . . . . . : 10.0.0.5 03:19 < reiffert> # 03:19 < reiffert> Subnet Mask . . . . . . . . . . . : 255.0.0.0 03:19 < reiffert> # 03:19 < reiffert> Default Gateway . . . . . . . . . : 10.0.0.2 03:19 < reiffert> your local network card 10.0.0.5/8 envolves 10.8.0.5, so change the ip address of your vpn or that of your local lan 03:21 < [14]Chaosvex> Is "server 10.8.0.0 255.255.255.0" the line that has to be changed for the VPN? 03:21 < [14]Chaosvex> Or am I mixed up? 03:21 < reiffert> change that to server 192.168.168.0 255.255.255.0 03:22 < [14]Chaosvex> Okay 03:23 < [14]Chaosvex> Done 03:25 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has left ##openvpn [] 03:28 < [14]Chaosvex> Not sure what I'm meant to do with the 10.0.0.5 though, if anything 03:28 < [14]Chaosvex> Pinging 192.168.168.1 works fine, but not the .5 03:36 < reiffert> paste client log 03:36 < [14]Chaosvex> Okay 03:37 < reiffert> however, you have had two interfaces within the same range of network subnet. 03:37 < [14]Chaosvex> Yeah 03:37 < [14]Chaosvex> True 03:37 < [14]Chaosvex> http://pastebin.com/m61aad8b7 is the client log from Windows 03:37 < reiffert> allright. change that and things will work. 03:37 < reiffert> paste: ipconfig /all 03:38 < reiffert> and netstat -n -r 03:38 < [14]Chaosvex> http://pastebin.com/m3a3979c0 = Ipconfig 03:38 < reiffert> on client do: 03:38 < [14]Chaosvex> http://pastebin.com/m2c31a84a = netstat 03:38 < reiffert> ping 192.168.168.6 03:39 < [14]Chaosvex> Works 03:39 < reiffert> ping 192.168.168.1 03:39 < [14]Chaosvex> Works too 03:39 < reiffert> you can reach your server via openvpn. 03:39 < reiffert> welcome 03:39 < reiffert> gtg, buying a car. 
03:39 < [14]Chaosvex> Thanks for the help :) 03:41 < [14]Chaosvex> Although the server and client IP pinged okay before 03:42 < [14]Chaosvex> Hmm, the question of how to use the net through it remains mind 03:46 < [14]Chaosvex> Don't suppose you might have any experience there ropetin? 03:46 < reiffert> ping 10.8.0.5 03:46 < reiffert> 10:07 < [14]Chaosvex> Doesn't work 03:47 < [14]Chaosvex> Wasn't that the DHCP server though? 03:47 < [14]Chaosvex> Which is now 192.168.168.5? 03:47 < reiffert> how to use it? You can use various protocols over your tunnel, like e.g. ip 03:48 < reiffert> means ftp, ssh, samba, whatever comes in mind. 03:48 < reiffert> http 03:48 < [14]Chaosvex> Yeah 03:48 < [14]Chaosvex> But XP still uses my normal connection 03:48 < reiffert> nfs 03:48 < [14]Chaosvex> So everything just goes through my usual IP 03:48 < reiffert> redirect-gateway def1 03:48 < reiffert> !man 03:48 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:49 < reiffert> you will have to do masquerading on your linux box then. 
03:51 < [14]Chaosvex> The main two things I intend to use it for are the net for country specific sites and those my ISP has problems with (like Rapidshare) and World of Warcraft (another routing problem there) 03:51 < reiffert> http://netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1 03:51 < vpnHelper> Title: Linux 2.4 NAT HOWTO: Quick Translation From 2.0 and 2.2 Kernels (at netfilter.org) 03:51 < reiffert> echo 1 > /proc/sys/net/ipv4/ip_forward 03:51 < [14]Chaosvex> Did that :) 03:51 < reiffert> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 03:51 < reiffert> or whatever is your network card on linux 03:51 < [14]Chaosvex> I'm quite new at Linux as you could probably tell ;> 03:52 < reiffert> meybe change eth0 by venet0 03:52 < reiffert> or venet0:0 03:53 < [14]Chaosvex> I figured once I was connected it'd be a case of telling XP to use the VPN instead 03:53 < reiffert> add redirect-gateway def1 to server conf 03:53 < [14]Chaosvex> Have done, will restart it 03:53 < reiffert> so everything gets passwd throught the vpn tunnel 03:53 < reiffert> passwd 03:53 < reiffert> passwed 03:53 < reiffert> hocxvsdflgjkdf"oklgjdfg 03:53 < reiffert> passed 03:53 < reiffert> however, afk, buying a car 04:03 < tjz> lol 04:04 < tjz> reiffert: serious? 
04:04 < [14]Chaosvex> No luck with that 04:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:05 < [14]Chaosvex> Nothing I do seems to make any traffic whatsoever go through the VPN 04:06 -!- AukeF [n=auke@x207.flex.surfnet.nl] has joined ##openvpn 04:08 < krzee> [05:07] <reiffert> ping 10.8.0.5 04:08 < krzee> [05:07] <[14]Chaosvex> Doesn't work 04:08 < krzee> [05:07] <reiffert> ping 10.8.0.2 04:08 < krzee> [05:07] <[14]Chaosvex> Doesn't work either 04:08 < krzee> those shouldnt work 04:08 < krzee> never should 04:08 < krzee> server should be able to ping .6 04:08 < krzee> client should be able to ping .1 04:08 < [14]Chaosvex> Ah 04:08 < krzee> the other ips are openvpn internal as a workaround around windows lameness 04:09 < krzee> if you want to understand how or why i can post links to explain 04:09 < krzee> otherwise we can move forward 04:09 < [14]Chaosvex> Moving forward would be good :> 04:09 < krzee> k 04:09 < krzee> can server ping .1 and client can ping .6? 04:09 < [14]Chaosvex> I'll check 04:10 < [14]Chaosvex> Yeah 04:10 < [14]Chaosvex> They work 04:10 < krzee> ok, congrats your vpn is up 04:10 < krzee> now for the routing of traffic 04:10 < krzee> what os is the server? 04:10 < [14]Chaosvex> CentOS 04:10 < krzee> eww 04:10 < krzee> heh 04:10 < [14]Chaosvex> :< 04:11 < krzee> no worries tho 04:11 < krzee> ;] 04:11 < [14]Chaosvex> Took me a good amount of time figuring out how to make it work on CentOS ;P 04:11 < krzee> so heres an overview of what we're going to need to accomplish 04:12 < krzee> all on the machine running the server 04:12 < krzee> we'll enable IP forwarding 04:12 < krzee> we'll enable NAT 04:12 < krzee> we'll tell openvpn to add a route to the clients 04:12 < krzee> notice that the first 2 steps are not actually openvpn related 04:13 < krzee> let me backup a step... 04:13 < krzee> does the client (or other clients) have a LAN behind it that also needs to communicate with the vpn? 
04:13 < [14]Chaosvex> No 04:13 < krzee> ok 04:13 < [14]Chaosvex> Just this one machine needs to 04:13 < krzee> so ip forwarding... 04:13 < krzee> !factoids search lin 04:13 < vpnHelper> krzee: 'linipforward', 'linnat', and 'linfw' 04:13 < krzee> !linipforward 04:13 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 04:14 < krzee> do that, if you havnt already 04:14 < [14]Chaosvex> Have done :) 04:14 < krzee> ok 04:14 < krzee> now we need to enable nat 04:14 < krzee> you familiar with NAT? 04:14 < [14]Chaosvex> Not with Linux 04:14 < krzee> (ie: you understand what it does, how, and why?) 04:14 < [14]Chaosvex> I know what it is though 04:15 < [14]Chaosvex> Network address translation so one multiple internal IP addresses can share one WAN IP 04:15 < krzee> do you understand when it is needed and why it is needed 04:15 < krzee> that is true 04:15 < [14]Chaosvex> I understand it as far as I know :P 04:16 < krzee> so in this case 10.8.0.x needs to translate to your inet ip on its way out 04:16 < [14]Chaosvex> Yeah 04:16 < krzee> because if packets went out as 10.8.0.x, they wouldnt be routed over the internet 04:16 < krzee> and especially wouldnt have a return route even if they did 04:16 < [14]Chaosvex> True 04:17 < krzee> !linnat 04:17 < vpnHelper> krzee: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 04:17 < krzee> !linfw 04:17 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 04:17 < krzee> please see the link in #3 of linfw 04:18 < [14]Chaosvex> Okay 04:18 < krzee> 
it is a piece of the manual which explains what your firewall needs to have 04:18 < krzee> after that, and implementing those rules, you will add the rule from !linnat 04:18 < [14]Chaosvex> Okay, reading :) 04:21 < krzee> i should make a writeup for this sometime 04:21 < krzee> im just so lazy =/ 04:21 < [14]Chaosvex> ^^ 04:22 < [14]Chaosvex> iptables -t nat -A POSTROUTING -s 192.168.168.0/24 -o venet0 -j MASQUERADE 04:22 < [14]Chaosvex> Would that be correct for the config? 04:22 < [14]Chaosvex> <reiffert> change that to server 192.168.168.0 255.255.255.0 04:23 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 04:23 < krzee> no 04:24 < krzee> i take it venet0 is the internet interface? 04:24 < [14]Chaosvex> Yeah 04:24 < tjz> is that a openvz or xen vps? 04:24 < [14]Chaosvex> OpenVZ I believe 04:24 < tjz> you gonna have a hard time 04:24 < tjz> :) 04:24 < [14]Chaosvex> >< 04:24 < krzee> tjz, his tunnel is already up 04:24 < krzee> your problem was you didnt have the kernel drivers loaded 04:24 < tjz> are you able to surf page? 04:25 < krzee> he didnt have that problem 04:25 < [14]Chaosvex> I did 04:25 < tjz> darn 04:25 < [14]Chaosvex> But I fixed it after many hours :D 04:25 < krzee> oh, lol 04:25 < tjz> better than me 04:26 < [14]Chaosvex> But hmm 04:26 < krzee> [14]Chaosvex, what network is 92.168.168.x? 04:26 < krzee> err 04:26 < krzee> [14]Chaosvex, what network is 192.168.168.x? 04:26 < [14]Chaosvex> VPN 04:26 < krzee> OH 04:26 < krzee> you arent using 10.8.0.x? 
04:26 < [14]Chaosvex> reiffert told me to change it from 10.8.0.x 04:26 < tjz> i used MASQUERADE too 04:27 < tjz> but i still couldn't get my openvz working 04:27 < tjz> :) 04:27 < krzee> hrm, i wonder why he said to do that 04:27 < krzee> hehe 04:27 < krzee> anyways 04:27 < [14]Chaosvex> Said it was because my normal LAN uses the 10.0.0.x range 04:27 < krzee> 10.0.0.x and 10.8.0.x are not conflicting networks 04:27 < krzee> unless you actually give 255.0.0.0 subnet 04:27 < krzee> or something near 04:28 < krzee> but anyways 04:28 < krzee> thats fine 04:28 < [14]Chaosvex> Okay 04:28 < krzee> and yes that postrouting rule you pasted with right 04:28 < [14]Chaosvex> I've entered it then 04:28 < krzee> show me your whole firewall config 04:28 < [14]Chaosvex> What's the command for that sorry? 04:29 < krzee> i dont use linux 04:29 < [14]Chaosvex> Ah 04:29 < krzee> i prefer bsd 04:29 < krzee> !google iptables show rules 04:30 < vpnHelper> krzee: Using iptables | CAE: <http://www.cae.wisc.edu/iptables-using>; How to show rules in nat table? - LinuxQuestions.org: <http://www.linuxquestions.org/questions/red-hat-31/how-to-show-rules-in-nat-table-235568/>; Installing and Configuring iptables: <http://wendt.wisc.edu/site/public/?title=liniptables> 04:30 < [14]Chaosvex> http://pastebin.com/m6a996ba3 04:30 < [14]Chaosvex> I think that's the one 04:30 < krzee> heh 04:31 < [14]Chaosvex> Yeah, looks like it 04:31 < krzee> how bout iptables -L 04:32 < [14]Chaosvex> http://pastebin.com/m4e342d77 04:32 < krzee> i wasnt asking for only nat, i want ALL 04:32 < krzee> 1.2.3.4 04:32 < krzee> LOL 04:32 < krzee> you have to actually read the words next to the commands 04:33 < krzee> (where they explain to you what you are copying and pasting) 04:33 < [14]Chaosvex> I did :( 04:33 < [14]Chaosvex> I'm not sure how that happened 04:33 < krzee> i am 04:33 < krzee> FIREWALLS 04:33 < krzee> OpenVPN's usage of a single UDP port makes it fairly firewall-friendly. 
You should add an entry to your firewall rules to allow incoming OpenVPN packets. On Linux 2.4+: 04:33 < krzee> iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT 04:33 < krzee> This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) from an OpenVPN peer at 1.2.3.4. 04:34 < krzee> first command of the manual link i gave you from !linfw 04:34 < [14]Chaosvex> Oh, now I see 04:34 < [14]Chaosvex> Damnit 04:34 < krzee> hha 04:34 < [14]Chaosvex> It's been a long morning >< 04:34 < krzee> check this out 04:34 < krzee> !linfw 04:34 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 04:34 < krzee> get rid of ALL rules 04:35 < krzee> you have a bunch of BS in there 04:35 < [14]Chaosvex> Okay 04:35 < krzee> remove them all, then add those 04:35 < krzee> iptables -P INPUT ACCEPT 04:35 < krzee> iptables -P OUTPUT ACCEPT 04:35 < krzee> iptables -P FORWARD ACCEPT 04:36 < krzee> iptables -t nat -A POSTROUTING -s 192.168.168.0/24 -o venet0 -j MASQUERADE 04:36 < krzee> iptables -F 04:36 < krzee> iptables -Z 04:37 < Dryanta> iptables is isain 04:37 < krzee> isain? 04:37 < krzee> asian? 04:38 < krzee> hey Dryanta did you ever test your tun in a tun theory? 04:38 < [14]Chaosvex> I've done those commands 04:39 < krzee> [14]Chaosvex, did you do them after removing EVERYTHING else? 
04:39 < [14]Chaosvex> Yeah
04:39 < krzee> k, show me iptables -L again
04:40 < krzee> and also that other command
04:40 < krzee> iptables -t nat -L -v -n
04:40 < [14]Chaosvex> http://pastebin.com/m7c320cf4
04:40 < krzee> both
04:40 < [14]Chaosvex> Hopefully I've got it right this time ><
04:40 < Dryanta> krzee: i hadnt gotten around to it because of the weekend, but ill be back to it tomorrow tryin to figure that out
04:41 < krzee> Dryanta, you understand the easy way to test that theory right?
04:41 < [14]Chaosvex> http://pastebin.com/m77114dbe
04:41 < krzee> [14]Chaosvex, show me the line from config file where you have redirect-gateway
04:41 < [14]Chaosvex> Okay
04:41 < [14]Chaosvex> push "redirect-gateway def1"
04:42 < krzee> in server config?
04:42 < [14]Chaosvex> Yeah
04:42 < krzee> ACCEPT all -- anywhere anywhere
04:42 < krzee> ACCEPT all -- anywhere anywhere
04:42 < krzee>
04:42 < krzee> Chain FORWARD (policy ACCEPT)
04:42 < krzee> target prot opt source destination
04:42 < krzee> ACCEPT all -- anywhere anywhere
04:42 < krzee> ACCEPT all -- anywhere anywhere
04:43 < krzee> i find that funny, but who knows maybe thats just how iptables rolls
04:43 < krzee> i know in anything bsd uses you only need a rule once, and a single rule doesnt output 2x when you look at the rules
04:43 < krzee> but whatev
04:43 < krzee> what happens when you connect now...
04:44 < [14]Chaosvex> Same as before
04:44 < [14]Chaosvex> Connects
04:44 < [14]Chaosvex> Ah, one sec
04:44 < krzee> no inet still?
04:45 < [14]Chaosvex> Mon Dec 15 10:45:58 2008 us=113476 Route addition via IPAPI failed
04:45 < [14]Chaosvex> Mon Dec 15 10:45:58 2008 us=113492 route ADD 192.168.168.1 MASK 255.255.255.255 192.168.168.5
04:45 < [14]Chaosvex> Mon Dec 15 10:45:58 2008 us=330852 Warning: route gateway is not reachable on any active network adapters: 192.168.168.5
04:45 < [14]Chaosvex> Mon Dec 15 10:45:58 2008 us=330891 Route addition via IPAPI failed
04:45 < [14]Chaosvex> Mon Dec 15 10:45:58 2008 us=330908 Initialization Sequence Completed
04:45 < krzee> windows
04:45 < krzee> ?
04:45 < [14]Chaosvex> Yeah
04:45 < krzee> heh
04:45 < krzee> !winroute
04:45 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up
04:45 < krzee> XP service pack 3?
04:45 < [14]Chaosvex> No
04:45 < krzee> vista?
04:45 < [14]Chaosvex> SP1 ;/
04:45 < [14]Chaosvex> XP
04:45 < krzee> sp1!?
04:45 < krzee> welcome back to 2005
04:45 < [14]Chaosvex> •›› OS Vesrion :: Microsoft Windows XP (version: 5.1) «
04:46 < krzee> actually i think in 2005 everyone had sp2
04:46 < [14]Chaosvex> Probably
04:46 < krzee> welcome back from 2003
04:46 < [14]Chaosvex> Haha
04:46 < [14]Chaosvex> Yeah
04:46 < [14]Chaosvex> ...and the only reason it uses SP1 was to fix a problem with drive sizes
04:46 < [14]Chaosvex> But there we go
04:47 < krzee> heh
04:47 < krzee> drive sizes was broken in newer versions?
04:47 < [14]Chaosvex> Pre SP1
04:47 < krzee> do you also frequent whore houses without using condoms?
04:47 < [14]Chaosvex> Drives bigger than 160 or it might have been 200 didn't work
04:48 < krzee> (thats what running unpatched windows on the internet is = to)
04:48 < [14]Chaosvex> Pretty much
04:48 < krzee> well lets just assume you dont have every virus known to man causing unpredictable behavior on that box
04:49 < [14]Chaosvex> It's perfectly clean ;)
04:49 < krzee> and try the stuff in !winroute
04:49 < krzee> suuuure it is
04:49 < [14]Chaosvex> Of course
04:49 < [14]Chaosvex> It's run for the past 4 years 24/7 with no issues :(
04:49 < krzee> ive fixed many computers that had viruses playing nice until i started kicking their asses
04:50 < krzee> then all sorts of normal symptoms pop up
04:50 < [14]Chaosvex> I'd know if there was a problem with it ;P
04:50 < krzee> but thats neither here nor there
04:50 < krzee> sorry if im not quick to believe someone who is running xp SP1 in 2008 on that
04:50 < krzee> =/
04:50 < [14]Chaosvex> Haha
04:51 < [14]Chaosvex> No worries ;)
04:51 < krzee> !winroute
04:51 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up
04:51 < [14]Chaosvex> Am doing it
04:51 < [14]Chaosvex> "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine."
04:52 < krzee> give the win box a reboot
04:52 < krzee> then try again
04:52 < [14]Chaosvex> Okay
04:52 < krzee> you wouldnt believe the number of times that has worked
04:53 < [14]Chaosvex> Having said that
04:53 < [14]Chaosvex> Mon Dec 15 09:02:34 2008 us=89605 Route addition via IPAPI succeeded
04:53 < [14]Chaosvex> It worked before the addresses got changed
04:53 < krzee> haha
04:53 < [14]Chaosvex> That's an old paste
04:53 < krzee> right, so lets see what happens after some reboot ;]
04:54 < krzee> Dryanta, you see my question to you?
04:54 < krzee> i only ask it cause if its no ill give you a push the right direction for testing your theory
04:55 < Dryanta> ya i told you that ill hit it tomorrow
04:55 < krzee> [06:41] <Dryanta> krzee: i hadnt gotten around to it because of the weekend, but ill be back to it tomorrow tryin to figure that out
04:55 < krzee> [06:42] <krzee> Dryanta, you understand the easy way to test that theory right?
04:55 < Dryanta> whats the easy way
04:56 < krzee> to test a tun in a tun
04:56 < krzee> without the rest of that box
04:56 < krzee> go to your other working vpn
04:56 < krzee> and build a vpn inside that vpn
04:56 < krzee> =]
04:56 < Dryanta> i can try that too
04:56 < krzee> right
04:56 < krzee> it will test tun in tun, which is your current theory on why it doesnt work
04:57 < krzee> in a sterile environment (not the same box that isnt working currently)
04:57 < krzee> hah i hear the neighbor girl calling for her papi
04:57 < krzee> its 7am
04:58 < krzee> i would be so pissed if people yelled for me this early
04:58 < krzee> (assuming i slept)
04:58 -!- [14]Chaosvex [i=Chaosvex@ip-87-82-79-153.easynet.co.uk] has quit [Read error: 60 (Operation timed out)]
04:59 < krzee> me guesses he was on the windows box, lol
04:59 < krzee> +/
05:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
05:05 -!- [14]Chaosvexs [n=Chaosvex@ip-87-82-79-153.easynet.co.uk] has joined ##openvpn
05:06 < [14]Chaosvexs> Ahem
05:06 < [14]Chaosvexs> I guess it worked to a degree krzee
05:06 < krzee> to a degree?
05:06 < [14]Chaosvexs> Well
05:06 < [14]Chaosvexs> Connecting to it killed the net
05:07 < [14]Chaosvexs> Except for the SSH connection to the server running that VPN
05:07 < [14]Chaosvexs> That still worked
05:07 < [14]Chaosvexs> :/
05:07 < krzee> no net access whatsoever?
05:07 < [14]Chaosvexs> SSH, so some ;P
05:07 < krzee> ping 72.14.205.100
05:07 < [14]Chaosvexs> From the server?
05:07 < krzee> from the client
05:08 < [14]Chaosvexs> When connected I presume?
05:08 < [14]Chaosvexs> Or just with normal net?
05:08 < krzee> right ;]
05:08 < krzee> you should be connecting to IRC from another box if possible
05:08 < [14]Chaosvexs> Pretty much
05:09 < krzee> the SSH connection bypasses the vpn route, it has to
05:09 < krzee> otherwise the vpn itself couldnt stay connected ;)
05:10 < krzee> so if you're familiar with commandline irc'ing, you should be safe IRCing via ssh (assuming you dont have another computer there)
05:11 < [14]Chaosvexs> I'll have to do it the hard way me thinks :P
05:11 < [14]Chaosvexs> One sec :)
05:12 < [14]Chaosvexs> Okay
05:12 < [14]Chaosvexs> Ping didn't work with it on
05:12 < krzee> is it still connected?
05:13 < [14]Chaosvexs> No, disconnected
05:13 < krzee> bleh
05:13 < krzee> you're on the client machine right now?
05:13 < [14]Chaosvexs> Am now
05:13 < krzee> no other computer to use?
05:13 < [14]Chaosvexs> Was using somebody's laptop, but they're out now ;P
05:14 < [14]Chaosvexs> Other one is running Linux and doesn't have a monitor or keyboard anywa
05:14 < [14]Chaosvexs> *anyway
05:14 < krzee> no mon/kb that can be plugged in?
05:14 < krzee> or kvm or something...
05:14 < [14]Chaosvexs> I could try boot it into Windows I suppose
05:15 < [14]Chaosvexs> Give me a tick :)
05:15 < krzee> linux can irc too yanno
05:15 < krzee> centos?
05:15 < [14]Chaosvexs> Yeah
05:15 < [14]Chaosvexs> But I'm terrible at Linux :P
05:15 < krzee> yum search BitchX
05:15 < krzee> it find something?
05:15 < [14]Chaosvexs> Connecting to it, sec
05:16 < [14]Chaosvexs> No matches
05:16 < krzee> yum search bitchx
05:16 < [14]Chaosvexs> Still nothing
05:17 -!- [psy] [n=psy0rz@lounge.datux.nl] has joined ##openvpn
05:17 < [psy]> so anyone knows why m$ uses their own header for their SSTP protocol?
05:17 < [psy]> http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol
05:17 < vpnHelper> Title: Secure Socket Tunneling Protocol - Wikipedia, the free encyclopedia (at en.wikipedia.org)
05:17 < [psy]> seems to me they could do with ppp + ssl, right?
05:18 < [psy]> or even something thats compatible with openvpn :)
05:18 < krzee> [psy], no idea why MS does most the stuff they do
05:18 < tjz> chaos, you are in my shoe..
05:18 < tjz> you know
05:18 < [psy]> you know if someone is working on a sstp patch for openvpn? shouldnt be too hard, am i right?
05:18 < tjz> :)
05:18 < [14]Chaosvexs> Haha
05:19 < tjz> i have already warn you
05:19 < krzee> [psy], nothing ive heard of
05:19 < tjz> :)
05:19 < [psy]> does openvpn use ppp over ssl as well?
05:19 < krzee> [psy], as far as i know, nobody cares to make openvpn work with other stuff, it uses openssl libs and thats it
05:19 < krzee> openvpn is basically a openssl enabled GRE tunnel
05:19 < [psy]> ah k
05:20 < krzee> which is one reason it rocks ;]
05:20 < krzee> lets say tomorrow theres some BADASS new enc in openssl, openvpn will already support it
05:23 < krzee> tjz, http://forum.openvz.org/index.php?t=msg&goto=31784&
05:23 < vpnHelper> Title: OpenVZ Forum: Support => *SOLVED* NAT/MASQUERADING inside VZ (at forum.openvz.org)
05:23 < krzee> seems there is something else the provider must enable for you
05:23 < krzee> !google openvz nat
05:23 < vpnHelper> krzee: Using NAT for container with private IPs - OpenVZ Wiki: <http://wiki.openvz.org/Using_NAT_for_VE_with_private_IPs>; Talk:Using NAT for container with private IPs - OpenVZ Wiki: <http://wiki.openvz.org/Talk:Using_NAT_for_container_with_private_IPs>; OpenVZ Forum: Support => *SOLVED* NAT/MASQUERADING inside VZ: <http://forum.openvz.org/index.php?t=msg&goto=31784&>
05:24 < krzee> hit #2
05:24 < krzee> ;]
05:24 < tjz> krzee: ya. i have the exact same setup
05:24 < tjz> i mean i have NAT/MASQUERADING setup
05:24 < krzee> tjz, and you had the provider do this:
05:24 < tjz> for that openvz
05:24 < krzee> What about IPTABLES parameter in your /etc/vz/vz.conf?
05:24 < krzee> I totally forgot this. I've added iptable_nat parameter and everything is working fine, now.
05:24 < krzee> Thanks for hint.
05:24 < krzee> Jan
05:25 < krzee> your NAT rules are useless until your provider does that
05:25 < krzee> (both of you)
05:25 * krzee kills 2 birds with 1 stone
05:25 < tjz> i have ipt_MASQUERADE" in vz.xonc
05:25 < tjz> conf
05:25 < tjz> ;)
05:26 < krzee> you run the host system?
05:26 < tjz> LOL
05:26 < tjz> what birds?
05:26 < tjz> ya
05:26 < tjz> i have access to hardware node
05:26 < tjz> :P
05:26 < tjz> am i one of the birds
05:26 < tjz> :P
05:26 < krzee> it is a saying in english
05:26 < tjz> lol
05:26 < tjz> ya
05:26 < krzee> when you do one thing and accomplish 2 things with it
05:27 < tjz> ya.. i know
05:27 < tjz> was kidding around
05:27 < tjz> hehe
05:27 < krzee> ok so you run the whole computer?
05:27 < krzee> not just a vps you paid for
05:27 < tjz> ya
05:28 < krzee> iptables -t nat -L
05:28 < krzee> both of you, do you get an error when you type that?
05:29 < tjz> no error
05:29 < [14]Chaosvexs> make: *** [BitchX] Error 2
05:29 < [14]Chaosvexs> *shrug
05:29 < [14]Chaosvexs> Anyway
05:29 < tjz> http://pastebin.ca/1285841
05:29 < krzee> [14]Chaosvexs,
05:29 < krzee> iptables -t nat -L
05:29 < [14]Chaosvexs> Okay
05:29 < krzee> tjz, your nat rule is wrong
05:30 < krzee> it doesnt say where to send the traffic
05:30 < krzee> it knows what to NAT
05:30 < [14]Chaosvexs> http://pastebin.com/m433e9227
05:30 < krzee> but it doesnt know where to NAT it
05:30 < krzee> !linnat
05:30 < vpnHelper> krzee: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
05:30 < krzee> you're missing -o
05:30 < tjz> hmm..
05:30 < tjz> let me try
05:30 < krzee> (thats @ tjz, not [14]Chaosvexs )
05:31 < tjz> i did execute "iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o veth0 -j MASQUERADE"
05:31 -!- [14]Chaosvexs is now known as [14]Chaosvex
05:31 < krzee> oh ok
05:31 < krzee> add -v
05:31 < krzee> that shows the interface i guess
05:31 < krzee> hehe
05:31 < krzee> <-- not a linux guy
05:32 < tjz> hmm
05:32 < tjz> add -v to which one?
05:32 < krzee> iptables -t nat -v -L
05:32 < tjz> ok
05:33 < tjz> ok . updated to : http://pastebin.ca/1285846
05:34 < krzee> ahh
05:35 < tjz> any clue?
05:35 < tjz> look fine, i think
05:35 < krzee> ya it does look fine
05:36 < krzee> Note: you may need to modify the /etc/vz/vz.conf file to include:
05:36 < krzee> IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"
05:36 < tjz> hmm.. let me check
05:36 < [14]Chaosvex> I'd do that too ;p
05:37 < [14]Chaosvex> Only there's no such folder
05:37 < krzee> [14]Chaosvex, ya ignore that
05:37 < [14]Chaosvex> Okay
05:37 < krzee> he runs his vps host
05:37 < krzee> so he can test stuff you cant
05:37 < [14]Chaosvex> Alright
05:37 < krzee> if we get him working, we can figure out what your host needs to enable
05:37 < [14]Chaosvex> Cool
05:37 < [14]Chaosvex> I'd do this on a normal dedi
05:37 < [14]Chaosvex> Only I'd have angry people if I broke it :D
05:38 < krzee> you could always test with the linux machine at home
05:38 < krzee> but youd hafta add the local flag after def1 in redirect-gateway
05:38 < krzee> !local
05:38 < vpnHelper> krzee: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless.
05:39 < krzee> doh found typo
05:39 < krzee> !learn local as a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
05:39 < vpnHelper> krzee: Joo got it.
05:39 < krzee> !forget local 1
05:39 < vpnHelper> krzee: Joo got it.
05:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:40 < krzee> tjz, you seen this: http://wiki.openvz.org/Using_NAT_for_VE_with_private_IPs ??
05:40 < vpnHelper> Title: Using NAT for container with private IPs - OpenVZ Wiki (at wiki.openvz.org)
05:41 < tjz> krzee: great!
05:41 < krzee> it works now tjz?
05:42 < tjz> i think have to execute some additional Iptables for the container(vps)
05:42 < tjz> on hardware node
05:42 < tjz> i will have a try
05:42 < krzee> cool
05:42 < krzee> if you get it working please report back the fix
05:43 < krzee> then i can make a !openvz
05:43 < tjz> i know dougy got openvpn working on his openvz
05:43 < krzee> (i never used a vps)
05:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:43 < krzee> ya so his provider knew what to do
05:43 < tjz> ya..dougy get his provider to enable MASQUERADE
05:43 < tjz> that is what he said
05:43 < tjz> not sure what else they did
05:44 < tjz> i will try the g_NAT_for_VE_with_private_IPs
05:44 < krzee> they must have had something else before that tho
05:47 < [14]Chaosvex> "if you're running VZ/OpenVZ your provider needs to enable access to the kernel module (and also the IPTables NAT/masquerade module)."
05:47 < [14]Chaosvex> Guess that's it?
05:47 < krzee> hehe you're reading the same post as me
05:47 < [14]Chaosvex> WHT? Haha
05:47 < [14]Chaosvex> Yeah, read that a while back
05:47 < [14]Chaosvex> That was before I'd even managed to get it to install mind
05:50 < krzee> tjz, you on a link-4 account?
05:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
05:55 < tjz> .
05:55 < tjz> what is link-4?
05:55 < krzee> Originally Posted by farcaller
05:55 < krzee> yeah, I have it up and running on OpenVZ node
05:55 < krzee> What level account? Do you think it would run on a level 1 account?
05:55 < krzee> Link-4. Not sure about link-1, but it does not eat lots of ram
05:55 < krzee> i dont use vps, so i dont know
05:56 < tjz> could be a name of VPS plan
05:56 < tjz> name for vps plan
05:56 < tjz> hee
05:56 < krzee> try this:
05:56 < krzee> Add these lines below it, replacing 123.123.123.123 to your servers public IP address,
05:56 < krzee> iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -j SNAT --to public_ip
05:57 < krzee> after losing the other NAT rules
05:57 < tjz> i just tried run this on hardware node: iptables -t nat -A PREROUTING -p udp -d hardwarenodeIP --dport 1194 -i eth0 -j DNAT --to-destination containerIP:1194
05:58 < tjz> krzee: on hardware node or on the vps?
05:58 < krzee> careful man, you might break internet access to the vps
05:58 < krzee> on the vps, assuming you didnt just break it
06:00 < [14]Chaosvex> Mmm
06:00 < tjz> still running fine
06:01 < tjz> how to clear the iptables in vps?
06:01 < tjz> hmm
06:01 < tjz> let me check
06:01 < krzee> same way as on a standalone machine...
06:02 < krzee> im going to have to crash soon
06:03 < krzee> its 8am
06:03 < [14]Chaosvex> 12am here ;>
06:03 < tjz> ok
06:03 < [14]Chaosvex> ...*pm!
06:03 < tjz> 8pm here
06:03 < tjz> :P
06:03 < [14]Chaosvex> Been up that long ;)
06:03 < tjz> chaos, i am in the same shoe when i try to get openvpn working on openvz vps
06:03 < tjz> :)
06:03 < tjz> i pulled my hair for > 2 weeks
06:03 < [14]Chaosvex> ><
06:03 < tjz> LOL
06:04 < tjz> serious
06:04 < tjz> > 2 weeks
06:04 < tjz> :)
06:04 < [14]Chaosvex> I just said something about NAT and masquerading to my provider
06:04 < [14]Chaosvex> Hoping they'll know...
06:05 < tjz> who is your provider?
06:05 < [14]Chaosvex> CreativeVPS
06:05 < [14]Chaosvex> Otherwise Wiredtree!
06:05 < [14]Chaosvex> But I can't mess with the dedi ;p
06:06 < tjz> oh
06:06 < tjz> :)
06:09 -!- [psy] [n=psy0rz@lounge.datux.nl] has left ##openvpn []
06:09 < krzee> [14]Chaosvex, your vps allowed you to make nat rules
06:10 < krzee> btw masquerading is the linux name for nat
06:10 < [14]Chaosvex> Ah
06:10 < [14]Chaosvex> Mmm
06:10 < krzee> you guys might want to check your rules with dougy (although i think your rules are fine) as he can compare with his vps
06:10 < krzee> then you should see if he can score the vps config
06:11 < krzee> to compare with tjz's
06:11 < [14]Chaosvex> Who's Dougy?
06:11 < krzee> once tjz can get his working, [14]Chaosvex can steal the working info and give to his vps
06:11 < krzee> dougy is someone who frequents here
06:11 < krzee> he keeps an eye on the forum (since he runs it)
06:11 < krzee> !forum
06:11 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
06:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:14 < tjz> last hope before i completely dump openvz and switch to xen for openvpn
06:15 < tjz> :)
06:16 < [14]Chaosvex> Hmm well
06:16 < [14]Chaosvex> Is there maybe not something easier than OpenVPN?
06:17 < tjz> my openvpn works fine when tested on a real dedicated server
06:17 < tjz> :)
06:17 < [14]Chaosvex> :P
06:17 < tjz> it should be easy to setup
06:18 < tjz> actually
06:18 < [14]Chaosvex> Quite the opposite so far :<
06:18 < tjz> openvz is the road block
06:18 < tjz> you need to enable some more modules for openvz
06:18 < tjz> :)
06:18 < [14]Chaosvex> Hopefully the VPS provider will know what to do
06:18 < [14]Chaosvex> Probably not though
06:19 < krzee> im also posting to the mail list to see if anyone wants to chime in
06:19 < krzee> !linfw
06:19 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
06:20 < tjz> if you get a xen vps.. it will be just like a real dedicated server
06:20 < tjz> no need to pester your provider to enable stuffs
06:20 < tjz> :)
06:20 < [14]Chaosvex> If I just disable IPTables
06:20 < [14]Chaosvex> Shouldn't it work without any of those rules? :/
06:21 < [14]Chaosvex> I mean it doesn't, but shouldn't it?
06:21 < tjz> i think we still need MASQUERADE
06:21 < [14]Chaosvex> Okay
06:29 < krzee> nite all
06:32 < [14]Chaosvex> Night, thanks for the help krzee
06:38 < tjz> nite jeff
06:39 < [14]Chaosvex> Guess I broke something
06:39 < [14]Chaosvex> Server and client can't ping each other anymore
06:39 < [14]Chaosvex> Oops
06:41 < tjz> are you able to ssh to the vps?
06:42 < tjz> hmm
06:42 < [14]Chaosvex> Yeah
06:42 < tjz> look fine..
06:42 < [14]Chaosvex> Hm?
06:42 < [14]Chaosvex> When I pinged the server from the client and vice versa they'd get a reply
06:42 < [14]Chaosvex> But now now
06:42 < [14]Chaosvex> *not now
06:43 < tjz> oh
06:45 < [14]Chaosvex> Meh
06:45 < [14]Chaosvex> Just emptied the tables
06:45 < [14]Chaosvex> Start with them again if a solution is found
06:45 < [14]Chaosvex> Since it didn't work anyway
06:45 < reiffert> is it working?
06:46 < [14]Chaosvex> No
06:46 < reiffert> why not?
06:46 < reiffert> you could ping the server from the client ...
06:46 < reiffert> in other words "It's working"
06:46 < [14]Chaosvex> No traffic went through it still
06:46 < reiffert> krzee: he's got empty ruleset.
06:46 < tjz> Chaosvex: what command did you run to empty table
06:46 < tjz> :P
06:46 < reiffert> did you add redirect-gateway def1 on the serverside?
06:46 < tjz> i used -F
06:46 < tjz> doesn't clear anything
06:47 < reiffert> tjz: It was empty all the time.
06:47 < [14]Chaosvex> I used a few
06:47 < [14]Chaosvex> It wasn't empty all the time
06:47 < reiffert> oh?
06:47 < reiffert> iptables -F INPUT
06:47 < reiffert> iptables -F FORWARD
06:47 < [14]Chaosvex> krzee gave me rules to add
06:47 < reiffert> iptables -F OUTPUT
06:47 < reiffert> iptables -t nat -F PREROUTING
06:47 < reiffert> iptables -t nat -F POSTROUTING
06:47 < reiffert> iptables -P INPUT ACCEPT
06:47 < reiffert> iptables -P OUTPUT ACCEPT
06:47 < reiffert> iptables -P FORWARD ACCEPT
06:47 < reiffert> which ones?
06:47 < [14]Chaosvex> Apparently it won't work because it uses OpenVZ anyway
06:48 < [14]Chaosvex> http://openvpn.net/man#lbBD
06:48 < vpnHelper> Title: OpenVPN 2.0.x Man Page (at openvpn.net)
06:48 < reiffert> drove the new car to my car garage, looking if somethings wrong with it...
06:48 < reiffert> afk
06:48 < [14]Chaosvex> iptables -t nat -A POSTROUTING -s 192.168.168.0/24 -o venet0 -j MASQUERADE
06:49 < [14]Chaosvex> Anyway
06:49 < reiffert> dont do that, but do:
06:49 < reiffert> iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
06:49 < reiffert> as I told you hours ago.
06:49 < [14]Chaosvex> Tried that too
06:49 < [14]Chaosvex> Didn't make any difference
06:49 < reiffert> allright, then we have to adjust your serverside.
06:49 < [14]Chaosvex> I connect and then the net died
06:49 < [14]Chaosvex> *dies
06:49 < [14]Chaosvex> But like I said
06:50 < [14]Chaosvex> Apparently it's the fault of the VPS container
06:50 < [14]Chaosvex> Not the config
06:50 < reiffert> VPS?
06:50 < [14]Chaosvex> Yes
06:50 < reiffert> VPS?
06:50 < [14]Chaosvex> OpenVZ...
06:50 < reiffert> what is that?
06:50 < [14]Chaosvex> A VPS is just a shared dedi
06:50 < reiffert> ah.
06:51 < [14]Chaosvex> Only the software used to manage it is causing a problem apparently
06:51 < reiffert> well, probably yes.
06:51 < reiffert> ok, gtg, afk
06:51 < [14]Chaosvex> Bye
06:51 < [14]Chaosvex> I'm off to bed anyway, thanks again
06:51 < [14]Chaosvex> Hopefully something will crop up
06:51 < tjz> ok
06:51 < tjz> nite chaos
06:55 -!- prxtien [i=protien@115.131.201.213] has joined ##openvpn
06:55 < prxtien> hey all
06:55 < prxtien> krzee
06:56 < prxtien> hey all
06:56 < prxtien> can anyone suggest an open source one time password package to use with openvpn
06:57 < prxtien> im trying to use my verisign vip token but i cant see any way to do this
06:58 < tjz> yooyoyoyoy
06:58 < tjz> hmm
06:58 < tjz> is that during the install of openvpn?
06:59 < prxtien> how do u mean
07:04 < tjz> err
07:06 < tjz> hmm
07:06 < tjz> you have your openvpn working?
07:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
07:31 < prxtien> yeah
07:31 < prxtien> my vpn is working perfectly
07:32 < tjz> hmm
07:32 < tjz> ok
07:32 < tjz> omg..
07:32 < tjz> how to flush this:
07:32 < tjz> Chain POSTROUTING (policy ACCEPT)
07:32 < tjz> target prot opt source destination
07:32 < tjz> MASQUERADE all -- 192.168.50.0/24 anywhere
07:32 < tjz> MASQUERADE all -- 192.168.50.0/24 anywhere
07:46 < prxtien> yubico looks like a good otp option
07:46 < prxtien> openvpn with freeradius+pam authentication with the yubico authentication
07:46 < prxtien> for certificate + otp two factor authentication
07:56 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
08:35 < ecrist> morning.
08:36 < ecrist> prxtien: opie is part of freebsd, and I think it's available for linux.
08:37 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: onats, cpm, mikkel
08:37 -!- prxtien [i=protien@115.131.201.213] has quit [Remote closed the connection]
08:38 -!- Netsplit over, joins: onats
08:38 -!- Netsplit over, joins: cpm
08:39 -!- Netsplit over, joins: mikkel
08:41 -!- prxtien [i=proleone@115.131.201.213] has joined ##openvpn
08:44 -!- Kyler [n=chatzill@66.90.70.200] has quit [Remote closed the connection]
08:53 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
08:53 < plaerzen> morning irc
08:58 -!- prxtien [i=proleone@115.131.201.213] has quit [Remote closed the connection]
08:58 < ecrist> howdy plaerzen
08:59 < plaerzen> I can't get my damn input devices to switch to my VM.... not sure why.
09:32 -!- ||arifaX_ [n=||arifaX@unaffiliated/arifax/x-427475] has joined ##openvpn
09:32 -!- ||arifaX [n=||arifaX@unaffiliated/arifax/x-427475] has quit [Read error: 104 (Connection reset by peer)]
09:41 -!- ||arifaX_ [n=||arifaX@unaffiliated/arifax/x-427475] has quit [Read error: 104 (Connection reset by peer)]
11:02 < ecrist> ping krzee
11:14 < jeev> ok
11:14 < jeev> i'm hating blackberry and gmail.
11:32 < tjz> -_-
11:32 < tjz> try to love them
11:32 < tjz> if possible
11:32 < tjz> hehe
11:33 < jeev> actually, it's cause blackberry
11:34 < jeev> if you reply to a gmail email from home or on the blackberry
11:34 < jeev> it comes back into the bb
11:35 < tjz> hmm..
11:35 < tjz> why did it bounce back..
11:36 < jeev> it doesn't, gmail takes replies and puts it in levels or whatever it's called
11:36 < tjz> oh
11:48 < reiffert> moin
11:49 < tjz> morning
12:01 < ecrist> well, I'm about to shut down my solid little backup server of 4 years.
12:01 * ecrist tears up
12:01 < ecrist> *sniffle*
12:01 < ecrist> jeev: it's an IMAP thing
12:02 < ecrist> BES is seeing a *new* message in your sent-items folder
12:02 -!- whatever-thingy [n=whatever@79-77-94-105.dynamic.dsl.as9105.com] has joined ##openvpn
12:03 < tjz> going off to bed
12:03 < tjz> ;)
12:03 < tjz> good nite
12:03 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has quit ["GG. X_X"]
12:06 < reiffert> ecrist: uptime?
12:08 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
12:10 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
12:10 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
12:20 < dmz> howdy y'all, what's the easiest way to provide static IPs for a large number of vpn clients (say 5000)
12:22 < jeev> yea ecrist
12:22 < jeev> it's annoying
12:27 < reiffert> dmz: --ifconfig-pool-persist file [seconds]
12:27 < reiffert> Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown.
12:27 < reiffert> ccm:~# cat /etc/openvpn/ipp.txt
12:27 < reiffert> thomas,10.8.0.4
12:27 < reiffert> kellerlan,10.8.0.8
12:27 < reiffert> hoerig,10.8.0.12
12:28 < dmz> excellent, thank you that's a start
12:28 < reiffert> dmz: right, 4 ip's thats because windows needs /30 subnet.
12:28 < reiffert> windows clients.#
12:28 < dmz> reiffert, one other question no way to pre-assign without doing a full /28 setup for all connections? (ie static definition for all)
12:29 < reiffert> full /28? where?
12:29 < dmz> i had done that before but ran into the issue of only able to have 100 subnets defined at one time
12:29 -!- jabular [n=jabular@82-32-104-27.cable.ubr02.hawk.blueyonder.co.uk] has joined ##openvpn
12:29 < reiffert> dmz: 5000 clients sound like 8192, which is 2^14 which should be a /18 mask
12:30 < dmz> no i was originally setting up each client with it's own client config and static mapping
12:30 < reiffert> but wait, 5000 * 4 is 20000, sounds like 32768, which is 2^15 which is /17
12:30 < dmz> woops, yeah a /30 subnet not sure why i typed /28 :)
12:30 < dmz> i need to know what each host is going to have/get in advance of assignment
12:30 < dmz> i guess i could prefill the persist pool
12:30 < reiffert> /30
12:31 < reiffert> You can of course assign /30 to windows machines and have /32 for !windows
12:31 < dmz> yeah but the problem i had with /30 or /32 is that openvpn can only handle 100 subnets
12:32 < reiffert> Well, not sure about that especially how to distinguish the client OS on the serverside. krzee?
12:32 < dmz> so i'm looking at converting over to a large subnet with dynamic addressed
12:32 < reiffert> dmz: why not use *ONE* big /17 subnet?
12:32 < dmz> all end-points are linux
12:32 < dmz> that's where i think i'm going to go
12:32 < reiffert> 255.254.0.0
12:32 < dmz> however i need to know what each end-node specifically is
12:32 < reiffert> sorry?
12:33 < dmz> i can have a long persistence of the ip
12:33 < reiffert> ipp.txt will care about it, !man
12:33 < dmz> but when a client connects, how (other than looking at log file) can i pre-determine what ip it's supposed to have
12:33 < reiffert> !man
12:33 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:33 < reiffert> dmz: by looking into the ipp.txt file
12:33 < dmz> yeah but my applications are on 30 different back-office machines
12:34 < dmz> they don't have access to ipp.txt :(
12:34 < reiffert> I dont understand you here ...
12:34 < dmz> the vpns are for remote kiosks, so pushing updates, syncing, other stuff
12:34 < dmz> currently i've set static ips and i know by definition what each client ip is
12:34 < dmz> but i broke myself by having > 100 /30 subnets
12:34 < reiffert> ah! why not let the openvpn client set the right ip on the client side?
12:34 < dmz> so i'm looking at a big pool, but i still need to know what each individual one is
12:34 < dmz> hmm
12:35 < ecrist> reiffert: only like 400 some days.
12:35 < dmz> i do push out the vpn config
12:35 < dmz> so i could have it pre-build the ip in there too
12:35 < reiffert> thats whats builtin ...
12:35 < ecrist> had a power outage a little over a year ago caused by a roaming finger in my breaker panel.
12:35 < reiffert> dmz: have a look to the manpage what the "server 10.0.0.0 255.255.0.0" line expands to
12:36 < dmz> i'll check that, you gave me something to think about, thanks
12:36 < reiffert> dmz: write the "to be assigned ip" into ipp.txt and openvpn will handle it right.
12:36 < reiffert> dmz: commonname,10.2.3.4 12:36 < reiffert> dmz: anothercommonname,10.2.3.5 12:37 < dmz> yeah that'll work, ok let me give it a try 12:37 -!- whatever-thingy [n=whatever@79-77-94-105.dynamic.dsl.as9105.com] has quit ["Leaving"] 12:37 < reiffert> be sure to read --topology as well 12:37 < reiffert> (subnet for your case) 12:38 < reiffert> assuming that you are using openvpn 2.1 12:38 < reiffert> ecrist: one tear should be enough then :) 12:39 < reiffert> teardrop 12:41 < reiffert> I'd probably go for having a /18 net which should be 255.255.192.0, right? 12:42 < reiffert> or whatever you like, have 30 * /24 subnets 12:42 < reiffert> you'll get the idea? 12:57 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit ["asfd"] 13:30 < dmz> sorry too many things going on @ once today :) 13:30 < dmz> but yeah i get the idea, thanks for the suggestions 13:43 < krzee> [14:32] <reiffert> You can of course assign /30 to windows machines and have /32 for !windows 13:43 < krzee> just use topology subnet 13:43 < krzee> my girl's here, bbl 13:51 < reiffert> ah, 'k, have fun and remember taking the pics for me 14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:59 < dmz> who needs pics, take video 15:00 < krzie> heh 15:00 < jeev> heh 15:00 < krzie> i been working on the video thing 15:00 < krzie> moreso with my girl that brings her friend than this one 15:01 < krzie> but both are a lil cam shy 15:01 < dmz> tell them they can wear masks 15:01 < krzie> lol 15:01 < krzie> not a bad idea 15:01 < dmz> might get them to be a little less inhibited 15:02 < krzie> the other problem is im not fluent in their language 15:02 < krzie> so its harder to spit game 15:07 < [14]Chaosvex> Hey hmm 15:08 < [14]Chaosvex> Apparently my VPS provider knew what to do and fixed it 15:08 < [14]Chaosvex> Going to check in a minute >< 15:11 < krzie> oh sweet, its fixed? 
15:12 < [14]Chaosvex> Not sure yet 15:12 < [14]Chaosvex> Trying to check ^^ 15:12 < krzie> gotchya 15:13 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 15:16 < [14]Chaosvex> Hmm 15:16 < [14]Chaosvex> No luck there 15:16 < [14]Chaosvex> Time to try the IPTables again and see if they make a difference now 15:16 < krzie> !linfw 15:16 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 15:16 < krzie> !linnat 15:16 < vpnHelper> krzie: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 15:16 < krzie> there ya go =] 15:17 < [14]Chaosvex> Thanks 15:18 < [14]Chaosvex> Just to double check 15:18 < [14]Chaosvex> In iptables -A INPUT -p udp -s 10.8.0.6 --dport 1194 -j ACCEPT 15:18 < [14]Chaosvex> I put the IP that gets assigned to me right? Not my normal net IP? 15:18 < Dryanta> there is something super messed with this krzie 15:19 < Dryanta> using a different host same issue with the sendto: no buffer space available and all 15:19 < Dryanta> using the mtu suggested by mtu-test 15:19 < krzie> [14]Chaosvex, just allow all in INPUT and you wont need that 15:19 < krzie> Dryanta, testing tun in tun or normal? 15:20 < Dryanta> still tun in tun, i cant do it any other way 15:20 < Dryanta> im running pppoe on that oakland host 15:20 < [14]Chaosvex> Okay 15:20 < krzie> did you do what i suggested yet? 
15:20 < krzie> to test tun in tun 15:20 < Dryanta> to do another vpn inside the existing vpn, i dont know how i would configure that 15:20 < Dryanta> but i added another host to the mix and its still doing the same thing 15:20 < krzie> lol 15:20 < krzie> !insanity 15:20 < vpnHelper> krzie: "insanity" is doing the same thing over and over expecting different results 15:21 < Dryanta> krzie: ive identified the issue 15:21 < Dryanta> you dont think i have, but i have 15:21 < Dryanta> itd be nice if someone would reply to my mailing list post 15:21 < krzie> you have no clue if you have 15:21 < krzie> you have a theory 15:21 < Dryanta> yes, i do 15:21 < krzie> one which you should test 15:21 < Dryanta> because again i have another host same config without pppoe working fine 15:21 < Dryanta> or another pair of separate hosts 15:22 < krzie> that means nothing to me, you havnt isolated the problem 15:22 < krzie> instead of arguing with me, you should be asking for help isolating the problem 15:22 < Dryanta> how not? different ips, same software, same setup, no pppoe 15:22 < krzie> same box 15:22 < Dryanta> EXACT SAME SETUP AMD64 PF - IPFW 15:22 < krzie> with possibly something diff that you forgot bout 15:22 < Dryanta> srsly 15:22 < Dryanta> no, im looking at the config files 15:23 < krzie> ok whatever 15:23 < krzie> you know everything, why you asking for help? 15:23 < Dryanta> this setup is as bonehead simple as possible, i got the other one working inside of an hour, its been nearly a week on this one 15:23 < reiffert> :) 15:23 < Dryanta> i dont know everything, ive isolated the issue and you have no suggestions to resolve it 15:23 < Dryanta> i mailed the mailing list, no replies 15:23 < Dryanta> so essentially im just bitching right now 15:24 < [14]Chaosvex> Hmm, well 15:24 < reiffert> let us logon on both machines and share a screen session with us, means: give us root access. 15:24 < krzie> thomas, why do people come in and not listen, but instead argue? 
15:25 < reiffert> they want us to get amused? 15:25 < krzie> ahh 15:25 < krzie> could be 15:25 < Dryanta> you people arent listening 15:25 < Dryanta> same version of software same platform 15:25 < Dryanta> different results 15:26 < Dryanta> it is NOT a firewall issue no matter what you might think 15:26 * reiffert thinks: let me logon. 15:26 < Dryanta> so it is related to the tun(4) over tun(4) as i thought last week when you guys shut me down, because that is the only variable that is different 15:26 < krzie> Dryanta, either test tun in tun on a box with no pppoe (which is FUCKING SIMPLE to do) or quiet 15:27 < Dryanta> krzie: no, because there is only one variable that is different 15:27 < Dryanta> i know the scientific method 15:27 < krzie> k, you're getting awfully close to a kick tho 15:27 < krzie> so quiet time for you 15:27 < reiffert> nah 15:28 < reiffert> I dont want him to get kicked. 15:28 < Dryanta> ive not been impolite 15:28 < krzie> ok 15:28 < krzie> you're very far from a kick, sorry 15:28 < krzie> =] 15:28 < Dryanta> :) 15:28 < reiffert> Dryanta: although you think we might think that you were ignoring our proposals :) 15:28 < krzie> ill just grow up and ignore 15:29 < Dryanta> i cant give a root shell on it because id have to change the firewall rulesets on both and there is cpni on both machines 15:29 < reiffert> krzie: come on .. maybe he discovers a real bug ... 15:29 < krzie> if he were to test what i been asking, we would know we found a bug in the driver 15:29 < Dryanta> it might be a freebsd specific bug 15:29 < reiffert> cpni? 15:29 < krzie> i know reiffert, but he refuses to help find it 15:29 < Dryanta> confidential proprietary network information 15:29 < krzie> instead he insists he knows, and refuses to help 15:29 < Dryanta> krzie: i dont know how to do that setup 15:29 < krzie> THEN ASK 15:29 < Dryanta> i did earlier 15:29 < krzie> instead of insisting you dont need to do it 15:29 < reiffert> Dryanta: sure, like I wrote .. 
*share* (and log) the complete screen session. 15:30 < krzie> no, you said you didnt know and argued you wouldnt do it anyways 15:30 < Dryanta> how to share the screen session, use script and pastebin it? 15:31 < Dryanta> unless one of you guys has gotoassist or something 15:31 < reiffert> Dryanta: start "screen", and with screen -x, we can share the same session 15:31 < krzie> ok so heres how you setup tun in tun on the box that works fine 15:31 < reiffert> Dryanta: you could have my logon shell run "screen -x; exit", so I cant do strange stuff. 15:31 < krzie> you connect to the VPN ips instead of external IPs 15:32 < krzie> so you could make the client a server using a dif subnet 15:32 < Dryanta> this is all p2p 15:32 < krzie> and have the outer server connect to client ip 15:33 < krzie> same deal, diff terminology 15:33 < [14]Chaosvex> Still no luck :< 15:33 < krzie> just pretend the outer most vpn is real inet ips, and setup a vpn inside it 15:33 < [14]Chaosvex> The client and server can't ping each other still, but I guess that makes no difference as long as they can connect 15:34 < krzie> [14]Chaosvex they were pinging last night... 15:34 < [14]Chaosvex> Yeah, for a while 15:34 < [14]Chaosvex> Think I might know why, one sec 15:34 < krzie> so firewall was broken during the playing to get nat working 15:35 < [14]Chaosvex> Okay, back 15:35 < [14]Chaosvex> Can't see what might have caused it 15:35 < [14]Chaosvex> Nothing's changed 15:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:35 < Dryanta> hey reiffert for firewall reasons 15:35 < Dryanta> can you sign up for a trial of gotoassist? 15:35 < Dryanta> its free 15:35 < krzie> [14]Chaosvex must not have finished connecting yet 15:36 < Dryanta> in the interest of brevity 15:36 < krzie> [14]Chaosvex remember we added route-delay to windows 15:36 < krzie> [14]Chaosvex that creates a 30sec wait 15:36 < [14]Chaosvex> Mon Dec 15 21:36:13 2008 us=27330 Initialization Sequence Completed? 
15:36 < reiffert> Dryanta: when I'd do that I want to have krzie share the same session, so it's up to him. 15:36 < Dryanta> i think gotoassist only allows up to two people 15:36 < Dryanta> i can try to see if netmeeting does a trial one sec 15:36 < [14]Chaosvex> I'll try without the delay 15:37 < reiffert> net what? 15:37 < krzie> using a 3rd party app wont be so nice here, im on sat connection 15:37 < krzie> high latency 15:37 < krzie> high jitter 15:37 < Dryanta> im signing up for webex trial 15:38 * reiffert is sitting on a OS X laptop right now, ssh will be fine by me. vnc would work as well, but ssh might be the easiest approach. 15:38 < Dryanta> its the best way to do it so i dont have to change fw on all the machines to poke holes for screen/vnc/etc 15:39 < [14]Chaosvex> Does the server config need any DNS info in it? 15:40 < reiffert> Dryanta: and how does webex work? 15:40 < Dryanta> its a little java applet 15:40 < krzie> [14]Chaosvex, not really, for now just change your NS to use 4.2.2.1 15:40 < krzie> instead of your LAN ns 15:40 < Dryanta> pretty nifty its like citrix goto assist only cisco does it so it works better 15:40 < reiffert> fine by me. krzie? 15:40 < [14]Chaosvex> Okay 15:40 < krzie> [14]Chaosvex thats why i had you ping a google host by ip last night 15:40 < [14]Chaosvex> Yeah 15:44 < krzie> reiffert, i can give it a shot but im not on the best connection for apps like that 15:44 < krzie> fine by me if i can connect from my bsd box 15:45 < krzie> if it requires a direct connection via browser or something, just send me screenshots 15:45 < [14]Chaosvex> Okay 15:45 < [14]Chaosvex> I can ping the server again ;/ 15:45 < reiffert> I'd like to have two ssh sessions, one per box, however. 
15:45 < Dryanta> ok guise 15:45 < krzie> [14]Chaosvex find dougy and have him ask his openvz provider what they did 15:45 < [14]Chaosvex> Changed the server IP to 192.168.168.0 and it decided to ping 15:45 < reiffert> maybe four sessions, running 2 x tcpdump and 2 free shells 15:46 < [14]Chaosvex> Will do krzee 15:46 < [14]Chaosvex> I'll give him a PM on WHT 15:46 < krzie> [14]Chaosvex he prolly watches ovpnforum more 15:46 < krzie> since he runs it 15:46 < Dryanta> ok go to webex.com 15:47 < Dryanta> what are your guys email addresses? 15:47 < reiffert> thomas@reifferscheid.org 15:47 < krzie> im not home, no access to my email 15:47 < krzie> and like i said, if i cant connect through freebsd (no browser, just send me screenshots) 15:47 < reiffert> krzie: sure I can paste some invitation code to you by irc 15:48 < krzie> but my email is krzee@ircpimps.org 15:48 < krzie> in case you ever need it 15:48 < Dryanta> k thx 15:50 < reiffert> krzie: how can you watch photos but not have a browser? 15:50 < Dryanta> you should have gotten that invite 15:50 < reiffert> Dryanta: I've already clicked "join" 15:50 < reiffert> "One Moment please ..." 15:51 < Dryanta> kk 15:51 < reiffert> Preparing: Time remaining: about 1 minute 15:52 < Dryanta> there you are 15:54 < Dryanta> ok first terminal is oakland 15:54 < Dryanta> second is to 15:54 < Dryanta> the ssh sessions tabs in terminal 15:54 < Dryanta> allright 15:56 < krzie> besides, i honestly see no point in going any further on that box til testing tun in tun in a different box 15:56 < krzie> i know dry dont agree with that, but thats where i stand 16:03 < reiffert> traceroute 10.4.0.4: 16:04 < reiffert> sendto: no buffer space available 16:04 < reiffert> wtf? 16:04 < reiffert> krzie: bsd expert ... 16:04 < reiffert> say something 16:11 < dmz> reiffert you got the buffer problem on bsd? 
16:11 < dmz> i had a friend w/a mac have that problem last week 16:11 < dmz> she rebooted & it worked again 16:12 < dmz> hey don't use webex, try dimdim, it's free and works great! 16:13 -!- [14]Chaosvex [n=Chaosvex@ip-87-82-79-153.easynet.co.uk] has quit [Read error: 60 (Operation timed out)] 16:14 < reiffert> Dryanta: can you stop the tcpdump pls? 16:16 -!- [14]Chaosvexs [i=Chaosvex@ip-87-82-79-153.easynet.co.uk] has joined ##openvpn 16:16 < [14]Chaosvexs> Strange 16:16 < [14]Chaosvexs> My net keeps randomly cutting out on this machine with OpenVPN on ;/ 16:16 < [14]Chaosvexs> As in, normal net 16:20 -!- [14]Chaosvexs [i=Chaosvex@ip-87-82-79-153.easynet.co.uk] has quit [Read error: 54 (Connection reset by peer)] 16:20 < Dryanta> OK HERE I AM HEH 16:20 < Dryanta> CAN U HIT CAPSLOCK? 16:20 < reiffert> alright, so I wonder why there is traffic between oakland:tun1 and to:tun0 at all 16:21 < Dryanta> WELL TUN1 IS THE VPN TUN0 IS THE PPPOE 16:21 < Dryanta> CAN YOU HIT CAPSLOCK PLZ? 16:21 < reiffert> oakland:tun0 is a pppoe connection to? 16:21 < reiffert> capslock is off here. 16:22 < Dryanta> HMMMM 16:22 < reiffert> WHEN I HIT IT, I WRITE IN BOLD 16:22 < Dryanta> WEIRD GUESS ILL B IN CAPS FOR abcnute 16:22 < Dryanta> there we gDFDFDFJKDFJDKFJDKF 16:22 < Dryanta> SO TUN0 IS PPPOE, TUN1 IS VPN 16:23 < reiffert> where is tun0 connecting to, to to? 16:23 < Dryanta> TUN0 CONNECTS TO UPSTREAM PROVIDER 16:23 < Dryanta> THATS MY PUBLIC IP FROM THE PPP PROCESS 16:23 < reiffert> ok, understood, so again: 16:23 < reiffert> why do I see traffic on oakland tun1 at all? 16:24 < Dryanta> I DONT KNOW 16:24 < Dryanta> ILL CAT THE CONFIGS IN BOTH WINDOWS BUT MY CAPSLOCK IS STILL ON 16:24 < Dryanta> THE CONFIGS ARE /USR/LOCAL/ETC/OPENVPN/OPENVPN.CFG 16:24 < reiffert> I gave up screen control to your screen btw 16:25 < Dryanta> I DONT KNOW WHY MY CAPS IS ON ITS NOT ON OVER HERE 16:25 < reiffert> press it. 
16:25 < Dryanta> I DID HEHEH 16:25 < Dryanta> AND TRIED HOLDING DOWN SHIFT 16:25 -!- [14]Chaosvex [i=Chaosvex@ip-87-82-79-153.easynet.co.uk] has joined ##openvpn 16:25 < [14]Chaosvex> Okay, figured that out :X 16:26 < [14]Chaosvex> Gateway kept randomly changing to 10.8.0.1 for no reason 16:26 < Dryanta> HMM I DONT KNOW HOW TO GIVE YOU REMOTE CONTROL ON THAT 16:26 < [14]Chaosvex> Without OpenVPN even being on, meh 16:29 < reiffert> Dryanta: can we please share a ssh session, it just sucks. 16:29 < Dryanta> LET ME TRY TO FIGURE THAT OUT ONE SEC 16:29 < Dryanta> awesome im not on caps anymore 16:30 < reiffert> my ip is: 88.198.83.82 16:30 < Dryanta> i dont know how to share a ssh session via screen 16:30 < Dryanta> never done it 16:31 < reiffert> alright. enter in a terminal on your mac: screen and hit return 16:31 < reiffert> now let me logon to your mac by ssh 16:31 < Dryanta> done 16:31 < reiffert> want my public key? 16:31 < Dryanta> naw 16:31 < reiffert> would be easiest. 16:32 < Dryanta> ok fine then :) pastebin it i guess 16:32 < Dryanta> but my mac is behind a lan 16:32 < reiffert> wait, my public is secured... I'll have to free it. 16:33 < [14]Chaosvex> Sent Dougy a PM 16:33 < [14]Chaosvex> ;> 16:33 < [14]Chaosvex> Hopefully he'll know the answer 16:34 < reiffert> ssh-dss AAAAB3NzaC1kc3MAAACBAOUE03uNT/OitMdBZTnmRg6SNTPMSYtWSxDzvAf2s2HWFYFML+/q7uEfC2g9p4BZ5CNrLsOY4K33X5D6uVUPfPt1WuxFJbVneKCYn5cgaYAJmiR1WkqkYJQb6Ms1FBAviR9khyDsAtMS51/1pFzjVBMEYEO03dLEFJsic9Xdwj7RAAAAFQDCESfwoM8/j27IboOkfaZfdLN+UQAAAIAjUyEV4s71TTuMCfUXfAsfpBLzd9e0pRE62RWn+4PiaiEtz0aHa5k5hAdPBpd1jvuRrsaU1gyfzHrsebu0FTjho++7rVTgqRneKe7UBOhziuphOGlJCKB02zupcRIgULE90XSMZ2taeS7IuzFnb2Mjly2ZjwCCzJ5Go/WvaxBipgAAAIAAmgpLiNlrJdbUQJPmjodH/Jsyt7kzC52C7Q/IG 16:35 < reiffert> the last two bytes are: == 16:35 < reiffert> got that? 
16:35 < Dryanta> ya 16:35 < jpalmer> Dryanta: in .screenrc add: "multiuser on" next line "acl hislogonaccount" then he logs in via ssh and types screen -x youuseraccount/ 16:36 < Dryanta> would it be better to do this from my server 16:36 < reiffert> if you like ... 16:37 < reiffert> jpalmer: thanks, will have to remember that. 16:37 < jpalmer> reiffert: np. dryanta is probably on freebsd, which means he could just as easily use "watch -W" 16:38 < reiffert> yep 16:38 * jpalmer goes back to updating the resume 16:39 < ecrist> :\ 16:39 -!- [14]Chaosvexs [n=Chaosvex@server4.touringnet.co.uk] has joined ##openvpn 16:39 < ecrist> I ran out of IPs. :( 16:40 < [14]Chaosvexs> The VPN 16:40 < [14]Chaosvexs> Is working! 16:40 < [14]Chaosvexs> Finally 16:40 < ecrist> I knew a /29 was too small for me. 16:40 < reiffert> ecrist: 127.0.0.2 16:40 < ecrist> [14]Chaosvexs: gratz 16:40 < [14]Chaosvexs> Thanks :D 16:40 -!- [14]Chaosvex [i=Chaosvex@ip-87-82-79-153.easynet.co.uk] has quit [Read error: 60 (Operation timed out)] 16:44 < ecrist> reiffert: how's that gonna help me? 16:44 < reiffert> however, I'm to bed. 16:49 < ecrist> where the hell is krzee today? 16:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 16:57 < Dryanta> ok 16:57 < Dryanta> ill pick this back up tomorrow reiffert thanks for all your help 17:12 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection] 17:17 -!- tobbez [n=tobbez@h-60-98.A163.priv.bahnhof.se] has joined ##openvpn 17:26 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Read error: 104 (Connection reset by peer)] 17:30 < [14]Chaosvexs> Is it possible to exclude certain ports from going through the VPN somehow? 
17:33 < ecrist> yeah, with a firewall 17:34 < ecrist> it's called policy-based routing 17:34 < [14]Chaosvexs> Nah, I meant 17:34 < [14]Chaosvexs> So they'll still use my normal Internet 17:34 < [14]Chaosvexs> Figured that'd be client side 17:34 < [14]Chaosvexs> So that anything not defined would use the VPN connection, and anything that was set would go through my usual net 17:40 < ecrist> you can do that based on IP, but not port 17:41 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 17:44 < [14]Chaosvexs> Ah 17:56 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 18:03 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 18:08 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has quit [] 18:16 -!- [14]Chaosvexs [n=Chaosvex@server4.touringnet.co.uk] has quit [Read error: 60 (Operation timed out)] 18:26 < krzie> <[14]Chaosvexs> The VPN 18:26 < krzie> <[14]Chaosvexs> Is working! 18:26 < krzie> <[14]Chaosvexs> Finally 18:27 < krzie> shit he didnt say what they did to the openvz host to get it working 18:27 < krzie> ecrist, im in and out today 18:28 < krzie> whats up 18:55 -!- tobbez [n=tobbez@h-60-98.A163.priv.bahnhof.se] has left ##openvpn [] 19:20 < troy-> hmm i installed openvpn 2.1.15 but there is no binary in /etc/rc.d/init.d 19:20 < troy-> just /usr/local/sbin 19:27 < krzie> you installed from source? 19:30 < troy-> krzie, yes sir! 19:32 < krzie> source wouldnt add that os specific file you're looking for 19:32 < krzie> only your package manager would 19:32 < krzie> you hafta add it yourself if you need it 19:32 < troy-> yep i need it!! where can i cp from inside the src? 19:33 < krzie> its isnt inside the src 19:34 < troy-> err where can i find it then? 
19:37 < troy-> krzie, not sure where i can symlink the binary from 19:41 -!- gleblanc [n=chatzill@75.108.7.23] has joined ##openvpn 19:41 < gleblanc> !routing 19:41 < vpnHelper> gleblanc: Error: "routing" is not a valid command. 19:41 < gleblanc> doh 19:41 < gleblanc> !help 19:41 < vpnHelper> gleblanc: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin. 19:41 < gleblanc> oh 19:41 < gleblanc> !route 19:41 < vpnHelper> gleblanc: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:41 < gleblanc> helps to read the topic, eh? 19:43 < troy-> gleblanc where can i find the binary that should go in /etc/rc.d/init.d (compiled from source) 19:43 < gleblanc> binaries should not go in /etc 19:43 < troy-> i see.. 19:43 < troy-> i'm running centos 19:43 < gleblanc> I've not set up OpenVPN on linux recently 19:44 < troy-> but yes i agree, /etc should be reserved for configs 19:45 < gleblanc> I think the howto goes through the setup in some detail 19:46 < gleblanc> I'm still unable to get routing to work the way that I expect it to 19:47 < gleblanc> I've got a moderately complex setup, which I'm happy to explain 19:47 < troy-> doubt i would be of much assistance :? 19:47 < gleblanc> Heh 19:53 < ecrist> gleblanc: I'll be back on in an hour or two, or all day tomorrow, if you don't get help before then. 19:53 * ecrist goes away again. 19:53 < gleblanc> ecrist: thanks, I'll stop in on the morrow 20:08 -!- gleblanc [n=chatzill@75.108.7.23] has quit [Read error: 104 (Connection reset by peer)] 20:15 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has joined ##openvpn 20:31 * tjz swim in 20:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)] 21:13 < krzie> tjz, 21:13 < krzie> <[14]Chaosvexs> The VPN 21:13 < krzie> <[14]Chaosvexs> Is working! 
21:13 < krzie> <[14]Chaosvexs> Finally 21:14 < krzie> then he lfet before saying what they did to his openvz host 21:14 < krzie> heh 21:14 < krzie> left 21:28 < tjz> wtf!! 21:28 < tjz> omg 21:39 < tjz> i gonna check the openvpn digest to see whether chaosvexs did post in there.. 21:59 < krzee> troy-, still here? 21:59 < troy-> yah 22:00 < krzee> install openvpn using yum 22:00 < krzee> copy the init.d file 22:00 < krzee> remove openvpn using yum 22:00 < krzee> install from source 22:00 < krzee> put init.d file back 22:00 < krzee> or find someone using openvpn from yum and steal it from them 22:01 < krzee> or you could have used google 22:02 < krzee> http://svn.openvpn.net/projects/openvpn/trunk/openvpn/suse/openvpn.init 22:02 < krzee> took me under a minute 22:02 < krzee> init.d openvpn were my search terms 22:05 < ecrist> krzee: freeswitch or asterisk? 22:05 < krzee> is there more to that question? 22:05 < krzee> like: which is better, which is worse 22:06 < ecrist> well, we're not super happy with our VoIP provider - lots and lots of problems, so we're thinking of rolling our own, with 5 POTS and a Sangoma card. 22:06 < ecrist> and a telco huntgroup for incoming. 22:07 < ecrist> so, you had mentioned freeswitch before, voip is not my area of expertise. 22:09 < krzee> FS 22:09 < krzee> but go to their chan and be sure the card works 22:10 < ecrist> yeah, I was in the chan today, sorta got laughed at that we still want to use POTS lines, rather than an SIP provider or PRI 22:11 < ecrist> the place I've got a bunch of servers colo'd lost a belt last night on an AC unit - over 100 degrees in the data center when I got up and saw the graphs. 22:12 < krzee> oh god 22:13 < ecrist> what's really funny, since they've fixed the problem, temps are lower than they were before the belt broke. 
22:13 < ecrist> http://skitch.com/ecrist/6irh/graph-image.php 22:13 < vpnHelper> Title: Skitch.com > ecrist > over 100* in data center last night - ouch (at skitch.com) 22:15 < ecrist> http://skitch.com/ecrist/6ifb/graph-image-1.php 22:15 < vpnHelper> Title: Skitch.com > ecrist > better history of our rack temps (at skitch.com) 22:15 < krzee> nice errors at the top 22:15 < ecrist> ? 22:15 < krzee> Warning: Memcache::connect() [function.Memcache-connect]: Can't connect to localhost:11211, Connection refused (111) in /var/www/skitch.com/default/classes/skitchBaseClass.php on line 392 22:15 < krzee> Warning: Cannot modify header information - headers already sent by (output started at /var/www/skitch.com/default/classes/skitchBaseClass.php:392) in /var/www/openads/lib/xmlrpc/php/openads-xmlrpc.inc.php on line 162 22:15 < krzee> Warning: Cannot modify header information - headers already sent by (output started at /var/www/skitch.com/default/classes/skitchBaseClass.php:392) in /var/www/openads/lib/xmlrpc/php/openads-xmlrpc.inc.php on line 162 22:16 < ecrist> hrm, I don't see those, too funny. skitch *is* still beta, though. 22:16 < tjz> port 11211 .. 22:16 < krzee> mostly covered by their banner 22:16 < krzee> and im using newest safari on osX 22:16 < ecrist> ah, I see it now. 22:16 < ecrist> ditto 22:17 < tjz> ecrist: 100 deg! 22:17 < tjz> did your hw get burned.. 22:17 < ecrist> tjz: yeah, nice, huh? 22:17 < ecrist> no 22:17 < tjz> that is freaking hot 22:17 < tjz> what hw? 22:17 < ecrist> most server stuff is good, by spec, to about 115 22:17 < tjz> omg 22:17 < ecrist> provided humidity is right 22:17 < ecrist> a mix of supermicro and dell, with some cisco gear 22:17 < tjz> nice hw! 22:17 < tjz> supermicro is good 22:18 < tjz> but ex 22:18 < tjz> :P 22:18 < ecrist> everything new we buy is dell now 22:18 < ecrist> I'm in love with our new backup box. 22:18 < tjz> is it through some special dealing from dell? 
22:19 < ecrist> we had a supermicro box with 12x300GB SATA2 Drives in a 2.6TB RAID 50 that would take about 15 hours to complete a daily incremental backup of all our hosts. 22:19 < ecrist> the new box, a Dell R300 married to an MD1000 with 12x500GB SATA2 drives in RAID60 does the same backup in about 5 or 6 hours 22:20 < ecrist> tjz: no, call dell three different times and you'll get three different prices 22:20 < tjz> lol 22:20 < tjz> call them in the wee hour 22:20 < tjz> when they are half-asleep 22:20 < tjz> probably can get them to mis-quote and offer a cheap hw 22:20 < tjz> :P 22:20 < ecrist> the new dell system, after all the deals we could get, about $3000 worth, was still ~$9500 22:21 < tjz> omg 22:21 < tjz> you paid $3k for that only?! 22:21 < ecrist> no, $9500 is *after* a $3000 discount 22:21 < tjz> cool 22:22 < ecrist> doesn't help that the external PERC 5/e was $900 22:22 < ecrist> I think the SCSI/whatever cable was another $300 22:22 < ecrist> but, it's a sweet piece of hardware. 22:23 < ecrist> about 9 months ago we got a 2950 with 6x143GB SAS in RAID 1+0, 2x4core Intel with 16GB RAM from $2500 22:23 < ecrist> *that* was a steal 22:24 < ecrist> some special sale, with all the options, bumped the server high enough we got a gigantic rebate 22:24 < tjz> wtf 22:24 < tjz> nice price for that spec 22:24 < ecrist> that's our DB server 22:25 < tjz> $300 just for cable?! 22:25 < tjz> why so much? 22:25 < ecrist> well, our master DB server 22:25 < ecrist> it's some special cable, forget what it's called, to connect to an external raid enclosure 22:25 < ecrist> lemme look up the invoice 22:27 < ecrist> just says "SAS Cable, 1 Meter, MDx000" on invoice, $297.67 22:27 < tjz> ah 22:27 < ecrist> that RAID enclosure, btw, weighs 110lbs 22:27 < ecrist> loaded 22:28 < tjz> wow 22:28 < tjz> did you forgot to buy some fan? 22:28 < tjz> hehe 22:28 < tjz> 100 deg in your cabinet? 22:28 < tjz> lol 22:28 < ecrist> no, not our data center, we colocate. 
22:29 < tjz> ok 22:30 < ecrist> what sucked is, that graph shows during their outage, my racks were breathing in 85* air, outputting 101* air. There's another row of racks behind us, they were breathing in that 101* air 22:30 < ecrist> we're right in front of the local AC unit 22:30 < tjz> LOL 22:31 < ecrist> but, I'm off to bed. need to 'cuddle' with the wife before she's too sleepy 22:32 < tjz> ok 22:32 < tjz> lol 22:32 < tjz> X_X 22:33 < krzee> nite eric 22:33 < krzee> sorry im off doing other stuff so i was short winded 22:33 < krzee> im trying to break stuff 22:39 < tjz> hmm 22:39 < tjz> break stuff.. 22:39 < tjz> X_x 23:27 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)] 23:30 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 23:41 -!- [14]Chaosvex [n=Chaosvex@server4.touringnet.co.uk] has joined ##openvpn 23:45 < [14]Chaosvex> Hmm 23:45 < [14]Chaosvex> Can't spot a way to make OpenVPN use a specific IP address 23:45 < [14]Chaosvex> I have it listening on the address that I want it to use for the net, but it keeps using the default one 23:47 < [14]Chaosvex> Is that possible? 23:50 < [14]Chaosvex> It doesn't need to change per user or anything 23:50 < [14]Chaosvex> Just rather than using the default IP address I want it to use another 23:53 < [14]Chaosvex> At the moment I connect to the IP I want it to use and set that for the listen 23:53 < [14]Chaosvex> But it uses the net on the wrong address --- Day changed Tue Dec 16 2008 00:01 -!- [14]Chaosvex [n=Chaosvex@server4.touringnet.co.uk] has quit [Read error: 54 (Connection reset by peer)] 00:03 -!- [14]Chaosvex [n=Chaosvex@server4.touringnet.co.uk] has joined ##openvpn 00:03 < [14]Chaosvex> Well 00:03 < [14]Chaosvex> That didn't work well 00:08 < [14]Chaosvex> Did you manage to solve your problem tjz? 00:13 < tjz> chaos!!!!!!!!!!!!!! 
00:13 < tjz> yes 00:13 < tjz> you are hereeeeeeeeeeeeeeeeeeeeeeeee 00:13 < tjz> no..i did not solve my problem 00:14 < tjz> did your provider do something which allow your openvpn to work eventually? 00:15 < [14]Chaosvex> They said they did but I don't know if they actually did :D 00:15 < [14]Chaosvex> But it does work now 00:15 < [14]Chaosvex> Well, other than using the wrong IP which I'm trying to figure out ^^ 00:16 < tjz> -_- 00:16 < [14]Chaosvex> Says 174.34.138.194 00:16 < [14]Chaosvex> But I want it on 174.34.138.195 00:16 < [14]Chaosvex> Don't know if that's even in my control to change though 00:16 < [14]Chaosvex> I read something saying about tun being bound to one IP 00:17 < [14]Chaosvex> But I'm not sure... 00:18 < tjz> i think it is possible.. 00:19 < tjz> but i haven't try it yet 00:19 < [14]Chaosvex> :> 00:22 < [14]Chaosvex> Maybe krzee or another of the experienced guys will know 00:24 < ropetin> [14]Chaosvex: that IP is given to you by your ISP? 00:24 < [14]Chaosvex> Ah 00:24 < [14]Chaosvex> The server has two IP's ropetin 00:24 < ropetin> ? 00:24 < [14]Chaosvex> That I'm connecting to 00:24 < [14]Chaosvex> 174.34.138.194 and 174.34.138.195 00:24 < [14]Chaosvex> I can't seem to make it stop using 174.34.138.194 though for the net 00:25 < ropetin> Ahhh, so two NICs and you want OpenVPN to run on one, not the other? 00:25 < [14]Chaosvex> I think they're both on the same NIC 00:25 < ropetin> Do you have shell access to the server? Are they 'named' something different, like when you ifconfig for whatever? 00:25 < [14]Chaosvex> Yeah, checking them 00:26 < [14]Chaosvex> Ah 00:26 < [14]Chaosvex> It seems it's on vetnet0:0 00:26 < [14]Chaosvex> Where the first one is venet0 00:26 < [14]Chaosvex> *venet 00:27 < [14]Chaosvex> Hmm, possibly 00:27 < [14]Chaosvex> There's venet0, venet0:0 which is listed as 174.34.138.194 and venet0:1 which is 174.34.138.195 00:27 < ropetin> So in the server config what does your 'local' line say? 
00:27 < ropetin> Can you specify the right IP on that? 00:27 < [14]Chaosvex> I set it to 174.34.138.195 00:28 < [14]Chaosvex> It listens and connects on that IP without problems 00:28 < ropetin> And both IPs are wide open to the internet or do they go through a firewall or something? 00:28 < [14]Chaosvex> They're both open 00:28 < ropetin> Excellent, so what fails? 00:28 < [14]Chaosvex> I'm not sure 00:28 < [14]Chaosvex> It connects through 174.34.138.195 00:28 < [14]Chaosvex> But all the traffic still goes through 174.34.138.194 00:28 < ropetin> But if you set local to .194 it still doesn't work? 00:29 < [14]Chaosvex> It does 00:29 < [14]Chaosvex> I can connect through either address 00:29 < [14]Chaosvex> But it doesn't change which one is actually used on the net 00:30 < [14]Chaosvex> So it ends up as: My PC -> 174.34.138.195 -> 174.34.138.194 -> Internet 00:30 < [14]Chaosvex> Instead of staying as 174.34.138.195 00:30 < ropetin> Hmmm, maybe the default route on the server is .194? 00:30 < [14]Chaosvex> Yeah 00:30 < krzee> [02:17] <[14]Chaosvex> Says 174.34.138.194 00:30 < krzee> [02:17] <[14]Chaosvex> But I want it on 174.34.138.195 00:31 < ropetin> So it thinks that's the way it has to go to the Internet? What if you change that? (although don't blame me if something breaks!) 00:31 < krzee> both those ips are on the server? 00:31 < [14]Chaosvex> Yeah krzee 00:31 < krzee> to change that you need to change your NAT 00:31 < [14]Chaosvex> They're both active and working on it 00:31 < krzee> as i mentioned yesterday I'm not experienced with linux iptables 00:31 < ropetin> krzee: from what [14]Chaosvex the NAT isn't the issue, it isn't being NAT;d 00:31 < krzee> yes it is 00:32 < krzee> hes using --redirect-gateway 00:32 < krzee> and his server is NATing his traffic 00:32 < ropetin> Ahhh, ok, my bad, I'll get all the info next time :) 00:32 < krzee> =] 00:32 * ropetin shuts up again! 00:32 < [14]Chaosvex> :P 00:33 < krzee> dont shut up fully tho! 
00:33 < krzee> if you know iptables tell him how to do it ;]
00:33 < krzee> cause i only popped in cause im in between files of my movie
00:33 < [14]Chaosvex> Haha
00:33 < ropetin> I know Iptables well enough to search on Google for someone who already has configured what I need and steal their config
00:33 < krzee> and i use my laptop to control what my media center plays
00:33 < krzee> haha
00:33 < ropetin> :D
00:34 < krzee> you bring up a good point, its gotta be on google
00:34 < krzee> and i should steal it to the bot after
00:34 < ropetin> Which is about as well as I know most things, but generally it gets me through.
00:34 < [14]Chaosvex> I did a shot at Google, manuals etc
00:34 < [14]Chaosvex> Couldn't turn anything up mind
00:34 < ropetin> [14]Chaosvex: it will be there, the key is what to search for!
00:34 < ropetin> Google knows all!
00:34 < [14]Chaosvex> True
00:35 < ropetin> In IT classes they shouldn't teach people how to do stuff, they should teach them how to search Google to find instructions on what they want to do
00:35 < [14]Chaosvex> :D
00:35 < ropetin> A 6 month IT class down to 1 day :D
00:35 < [14]Chaosvex> They didn't teach anything other than Powerpoint and Access in my IT classes
00:35 < [14]Chaosvex> :/
00:36 < ropetin> I hate it when co-workers say, "I don't know how to do that". Because 99% of the time, type the question in Google, and step by step guide comes up
00:36 < ropetin> Anyway, rant over :)
00:36 < krzee> ropetin, TOTALLY
00:37 < krzee> that doesnt work in a case like this tho
00:37 < krzee> cause most the words you can come up with will lead you to other stuffs
00:37 < ropetin> True, true, if you're not sure what you're wanting to do exactly
00:37 < ropetin> If you could find that one sweet search criteria though...
00:37 < krzee> exactly
00:38 < ropetin> And I may have found it, but I need to pee like a race horse, so BRB!
00:40 < krzee> !linnat
00:40 < vpnHelper> krzee: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
00:43 < ropetin> Yup, how about just changing the port name in the MASQUERADE statement to whichever one you want to terminate out of?
00:43 < [14]Chaosvex> Okay
00:44 < [14]Chaosvex> Would I need to remove the other rule?
00:44 < krzee> yes
00:44 < ropetin> Hmmm, you mean the old MASQUERADE?
00:44 < ropetin> If so, yeah
00:44 < [14]Chaosvex> Yeah
00:44 < krzee> ropetin, port name?
00:44 < [14]Chaosvex> One sec, I'll go figure out how to delete it ;D
00:46 -!- prxtien [n=proleone@115.131.200.12] has joined ##openvpn
00:47 < [14]Chaosvex> MASQUERADE all -- 192.168.168.0/24 anywhere
00:47 < krzee> pro!
00:47 < [14]Chaosvex> Just have to figure out how to remove it
00:47 < prxtien> dude is that the one and only krzee?
00:47 < [14]Chaosvex> I have a feeling if I wipe the tables, I'll break the whole thing
00:47 < krzee> ya man!!!
00:47 < krzee> its been forever!
00:49 < prxtien> hey i have a working openvpn setup using certificate authentication, when my clients connect they get an ip address from my local dhcp server on my internal network... what i want to do is restrict the openvpn clients access to only one ip address on my network, are there config options to do this?
00:49 < krzee> prxtien, why are you bridging?
00:49 < krzee> you more than likely want a routed setup
00:50 < prxtien> well bridging is what i originally wanted
00:50 < krzee> why?
00:50 * krzee points to topic
00:50 < prxtien> lol yeah i know
00:50 < prxtien> it was working sweet for me for the past year or so until now
00:50 < prxtien> but i want to move to a more secure model
00:51 < krzee> routed is more secure than bridged
00:51 < krzee> cause when i get in your server, i can arp poison your lan if you bridge
00:51 < krzee> ;]
00:51 < krzee> plus, you are wasting overhead
00:52 < krzee> plus in a routed network, no access to the rest of the lan unless you choose to make it that way
00:52 < prxtien> yeah so i best move to a routed setup
00:52 < krzee> yup
00:52 < krzee> !sample
00:52 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
00:52 < krzee> !route
00:52 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
00:53 < krzee> my route writeup should help you with any access to lan you do want
00:53 < krzee> without using ethernet frames
00:53 < prxtien> thanks bruh ill check it out now
00:55 < krzee> for sure man
00:55 < krzee> any time
00:56 < krzee> damn man i was thinkin bout you the other day
00:56 < krzee> finding you is like a solar eclipse
00:57 < prxtien> yeah pretty crazy
00:57 < prxtien> ive been floating around freenode a bit more lately
00:58 < krzee> ya i been in here helping people get vpns up for a bit now
00:58 < krzee> the way govs are going i think everybody should have a grasp of encrypting their stuff
00:58 < krzee> hell, .au is gunna build a china-like firewall
00:58 < [14]Chaosvex> They are?
00:58 < krzee> usa is sniffing *
00:58 < prxtien> connecting the caribbean one vpn at a time
00:58 < krzee> its ugly man
00:58 < prxtien> yep
00:58 < [14]Chaosvex> The UK is doing well enough
00:58 < prxtien> australia are going nuts
00:58 < [14]Chaosvex> I have to use this VPN to get reliable access to RapidShare etc
00:59 < [14]Chaosvex> Otherwise it's banned
00:59 < [14]Chaosvex> Imageshack, Megaupload, etc ;/
00:59 < [14]Chaosvex> More recently Wikipedia!
00:59 < krzee> usa wants to classify ddos nets = to nuclear weapons
01:00 < prxtien> lol
01:00 < krzee> which opens the door REAL HUGE for a ton of other legislation
01:01 < [14]Chaosvex> Okay
01:01 < krzee> http://blog.devost.net/2002/10/08/weapons-of-e-destruction/
01:01 < vpnHelper> Title: Devost.Net » Weapons of E-Destruction (at blog.devost.net)
01:01 < [14]Chaosvex> Finally figured out how to delete that one rule
01:01 < [14]Chaosvex> Time to add the new one
01:02 < [14]Chaosvex> Hmm
01:02 < [14]Chaosvex> [root@server4 ~]# iptables -t nat -A POSTROUTING -s 192.168.168.0/24 -o venet0:1 -j MASQUERADE
01:02 < [14]Chaosvex> Warning: wierd character in interface `venet0:1' (No aliases, :, ! or *).
01:02 < [14]Chaosvex> Apart from Linux not spelling weird properly, that's not a good sign
01:02 < krzee> ya thats not how it works
01:03 < krzee> i forget how it does
01:03 < krzee> but thats not a real interface
01:03 < krzee> you need to specify the ip with another flag
01:03 < [14]Chaosvex> Oh
01:04 < [14]Chaosvex> Okay, back
01:04 < [14]Chaosvex> Did I miss anything? ><
01:04 < [14]Chaosvex> Think I killed the VPN doing that (removing the command)
01:04 < krzee> you left? heh
01:05 < [14]Chaosvex> IRC is quite generous when it comes to timeouts ;P
01:05 < krzee> freenode is
01:05 < reiffert> moin
01:05 < krzee> some other nets are not
01:05 < [14]Chaosvex> ^^
01:05 < krzee> moin moin
01:05 < reiffert> you cant have alias interfaces on iptables
01:05 < reiffert> thats why alias interfaces are deprecated
01:06 < reiffert> the new way is setting up one interface and having additional ip's for the interface by doing
01:06 < reiffert> ip addr add 1.2.3.4 dev venet0
01:06 < [14]Chaosvex> Both the IP addresses already work mind
01:07 < [14]Chaosvex> It just uses the wrong one for net access
01:07 < [14]Chaosvex> So I guess it's already added to venet0 if it's venet0:1
01:07 < [14]Chaosvex> Unless I've misunderstood
01:08 < reiffert> ip route replace default via 1.2.3.4 source 4.3.2.1
01:08 < reiffert> sorry
01:08 < reiffert> ip route replace default via 1.2.3.4 src 4.3.2.1
01:09 < [14]Chaosvex> Hmm
01:09 < [14]Chaosvex> Don't understand that command sorry
01:10 < [14]Chaosvex> Should 1.2.3.4 be the current default IP, or..hm
01:10 < krzee> reiffert, you use linux! i forgot
01:10 < krzee> basically:
01:10 < krzee> if im using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE` how could i change the ip address it NATs to from 1.2.3.4 to 1.2.3.5 assuming both ips are on the box
01:10 < [14]Chaosvex> Sounds perfect
01:11 < [14]Chaosvex> Oh, thought that was a thread :D
01:11 < [14]Chaosvex> But that sums it up
01:11 < reiffert> krzee: lemme ask a debian channel.
01:12 < krzee> right on, #gentoo ignored it
01:13 < reiffert> #debian.de on ircnet, I used to chat there for some years.
01:13 < reiffert> btw, let's have a look into the netfilter docs.
01:15 < reiffert> answer from #debian.de
01:15 < reiffert> use -j SNAT instead of -j MASQUERADE
01:15 < reiffert> (and add additional parameters when required)
01:15 < reiffert> s,when,that are,
01:15 < krzee> i dont use iptables and [14]Chaosvex doesnt know how to use it
01:15 < krzee> heheh
01:16 < reiffert> http://netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.1
01:16 < vpnHelper> Title: Linux 2.4 NAT HOWTO: Saying How To Mangle The Packets (at netfilter.org)
01:16 < krzee> ild read the docs for him if it was pf
01:16 < krzee> im not a big iptables fan ;]
01:17 < [14]Chaosvex> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
01:17 < [14]Chaosvex> Oops
01:18 < [14]Chaosvex> Would it be something like that one mind?
01:18 < reiffert> I'll try it out, but lemme have a breakfast.
01:18 < [14]Chaosvex> I guess it needs -s 192.168.168.0 in it too
01:19 < reiffert> SNAT
01:19 < reiffert> This target is only valid in the nat table, in the POSTROUTING chain.
01:19 < reiffert> It specifies that the source address of the packet should be modified
01:19 < reiffert> (and all future packets in this connection will also be mangled), and
01:19 < reiffert> rules should cease being examined. It takes one type of option:
01:19 < reiffert> --to-source ipaddr[-ipaddr][:port[-port]]
01:19 < reiffert> which can specify a single new source IP address, an inclusive
01:19 < reiffert> range of IP addresses, and optionally, a port range (which is
01:19 < reiffert> only valid if the rule also specifies -p tcp or -p udp). If no
01:19 < reiffert> port range is specified, then source ports below 512 will be
01:19 < reiffert> mapped to other ports below 512: those between 512 and 1023
01:19 < reiffert> inclusive will be mapped to ports below 1024, and other ports
01:19 < reiffert> will be mapped to 1024 or above. Where possible, no port alter-
01:19 < reiffert> ation will
01:20 < reiffert> In Kernels up to 2.6.10, you can add several --to-source
01:20 < reiffert> options. For those kernels, if you specify more than one source
01:20 < reiffert> address, either via an address range or multiple --to-source
01:20 < reiffert> options, a simple round-robin (one after another in cycle) takes
01:20 < reiffert> place between these addresses. Later Kernels (>= 2.6.11-rc1)
01:20 < reiffert> don't have the ability to NAT to multiple ranges anymore.
01:22 < reiffert> so instead of your masquerading line ... use:
01:22 < reiffert> iptables -t nat -F POSTROUTING
01:22 < [14]Chaosvex> Okay
01:23 < krzee> -F?
01:23 < reiffert> iptables -t nat -I POSTROUTING -o venet0 -j SNAT --to ipofvenet0:1
01:23 < krzee> ohh right
01:23 < krzee> flushing it
01:23 < [14]Chaosvex> One sec
01:23 < reiffert> is venet0:1 what he wants?
01:23 < [14]Chaosvex> I'll probably be DC'd
01:23 < [14]Chaosvex> Yeah, the address was listed as venet0:1
01:23 < reiffert> DC'ed?
01:23 < [14]Chaosvex> Disconnected
01:24 < krzee> 174.34.138.195
01:24 < krzee> iptables -t nat -I POSTROUTING -o venet0 -j SNAT --to 174.34.138.195
01:24 < [14]Chaosvex> Ah
01:24 < [14]Chaosvex> It would seem to have worked
01:25 < [14]Chaosvex> Your IP Address Is 174.34.138.195 :>
01:25 < krzee> nice
01:25 < krzee> !linnat
01:25 < vpnHelper> krzee: "linnat" is for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
01:25 < [14]Chaosvex> Thanks guys
01:25 < [14]Chaosvex> Much appreciated for the time and help
01:25 < krzee> hey wait pls
01:25 < [14]Chaosvex> Don't worry, not going anywhere :P
01:25 < krzee> how did your provider fix openvz host?
01:26 < [14]Chaosvex> Not sure yet, waiting on a reply from them
01:26 < [14]Chaosvex> I've promised to tell Tjz as soon as they do ;>
01:26 < krzee> !learn linnat as to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o venet0 -j SNAT --to <IP ADDRESS>
01:26 < vpnHelper> krzee: Joo got it.
01:26 < krzee> doh
01:26 < krzee> !learn linnat as to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>
01:26 < vpnHelper> krzee: Joo got it.
01:26 < krzee> !forget linnat 2
01:26 < vpnHelper> krzee: Joo got it.
01:27 < reiffert> replace venet0 by eth0 krzee
01:27 < reiffert> you did.
01:27 < reiffert> krzee: add:
01:27 < reiffert> http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html
01:27 < vpnHelper> Title: Linux 2.4 NAT HOWTO (at netfilter.org)
01:27 -!- [14]Chaosvex [n=Chaosvex@server4.touringnet.co.uk] has quit []
01:27 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
01:27 < krzee> !learn linnat as http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
01:27 < vpnHelper> krzee: Joo got it.
01:27 < krzee> !linnat
01:27 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
01:27 < mRCUTEO> hi anyone knows how to add nameserver for tap0 in Linux ?
01:28 < krzee> add a nameserver to a device!?
01:28 < mRCUTEO> yes
01:28 < krzee> thats not how it works
01:28 < mRCUTEO> in windows you can simply edit the win-tao
01:28 < mRCUTEO> *tap
01:28 < reiffert> mRCUTEO: let krzee convince you, that a routed setup will be best for you.
01:28 < krzee> in linux the NS info is resolv.conf
01:28 -!- [14]Chaosvex [n=Chaosvex@osvex.com] has joined ##openvpn
01:28 < krzee> actually iirc he needs samba and is scared of WINS
01:28 < mRCUTEO> yes but i cant get to internet even i already set the resolv.conf
01:28 < krzee> hehe
01:28 < [14]Chaosvex> Oops, wrong button there
01:29 < krzee> mRCUTEO, thats how you change NS info in linux
01:29 < krzee> and it doesnt go on per device basis
01:29 < mRCUTEO> ic
01:30 < reiffert> There is a very nice libc in OSX: you can have nameservers on a per domain basis
01:30 < krzee> oh and btw, routed > bridged
01:30 < krzee> lol
01:30 < reiffert> which is what I love.
01:30 < krzee> whoa!
01:30 < krzee> i didnt know that
01:30 < krzee> thats kinda cool
01:30 < mRCUTEO> my config is like this.. i set dns in the server.conf but when connecting to the server using client i can connect to the vpn but no internet connection even gateway already redirect
01:30 < reiffert> they took gnulibc and added that feature at some point
01:30 < reiffert> krzee: you can have/watch the source if you like
01:31 < mRCUTEO> push "redirect-gateway def1 bypass-dhcp"
01:31 < reiffert> krzee: I once tried to merge back the stuff into a recent gnu libc, but the differences were too big.
01:31 < mRCUTEO> push "dhcp-option DNS 202.188.0.133"
01:31 < krzee> dhcp-option is only for windows
01:31 < reiffert> !configs
01:31 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:31 < mRCUTEO> my goodness
01:31 < reiffert> krzee: it is not!
01:31 < krzee> as the manual states
01:31 < krzee> really?
01:31 < mRCUTEO> how about for linux krzee?
01:31 < krzee> coulda sworn manual said it was
01:32 < krzee> !man
01:32 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:32 < reiffert> krzee: yeah, you can have helperscripts setting stuff you pass there.
01:32 < krzee> oh ok
01:32 < reiffert> krzee: e.g. OSX openvpn comes with a client shell script that sets the nameservers for you.
01:32 < mRCUTEO> ic
01:32 < reiffert> "tunnelblick"
01:32 < krzee> an up script could just modify resolv.conf pretty easy too
01:32 < krzee> i no use tunnelblick
01:33 < mRCUTEO> where can i find the client shell script?
01:33 < krzee> i just put my openvpn command in a shell script and name it .command
01:33 < reiffert> krzee: after all it's shell.
01:33 < krzee> then i have it in stacks
01:33 < krzee> click, done
01:33 < reiffert> tunnelblick's worth it
01:34 < krzee> i tried it once
01:34 < krzee> it couldnt start a vpn without crashing
01:34 < krzee> that was last time i looked at it
01:34 < krzee> heheh
01:35 < reiffert> I was fixing that shellscript recently :)
01:35 < reiffert> http://code.google.com/p/tunnelblick/issues/detail?id=8#c10
01:35 < vpnHelper> Title: Issue 8 - tunnelblick - Google Code (at code.google.com)
01:35 < krzee> i had no clue you work on tunnelblick!
01:36 < reiffert> I just was fixing those two lines, nothing more.
01:36 < krzee> thats a shell script!?
01:36 < krzee> shiet
01:36 < krzee> thats using commands i never seen
01:36 < reiffert> the shellscript setting up dhcp options
01:37 < reiffert> +is
01:37 < krzee> i should read up on osx specific commands
01:38 < reiffert> yeah.
01:38 < reiffert> Dryanta was using OSX as well.
01:38 < reiffert> made me smile the other day ..
01:38 < reiffert> cause I'm on OSX too
01:41 < krzee> as am i
01:41 < krzee> and ecrist as well
01:41 < krzee> this channel is all osx'ed up
01:41 < reiffert> /rename tunnelblick
01:41 < reiffert> can we have a #tunnelblick redirection?
01:41 < mRCUTEO> i have added DNS to my client but still no connection ... dhcp-option DNS xxx.xxx.xxx.xxx
01:42 < mRCUTEO> krzee : editing resolv.conf still wont allow me to connect to internet
01:42 < krzee> reiffert, i think common sense would redirect them here
01:42 < krzee> heheh
01:42 < mRCUTEO> this drivin me crazy..
01:42 < krzee> mRCUTEO, can you do this?
01:42 < reiffert> krzee: you expect too much.
01:42 < krzee> host google.com 4.2.2.1
01:43 < mRCUTEO> okay
01:43 < krzee> reiffert, why do i fear that is true
01:43 < krzee> haha
01:43 < mRCUTEO> krzee put it in the resolv.conf?
01:43 < reiffert> krzee: I stopped fearing it, it saves my self-employment.
01:43 < mRCUTEO> or the client?
01:43 < krzee> just type it
01:43 < krzee> tell me what it says
01:44 < mRCUTEO> okie
01:44 < krzee> reiffert, hahaha so true
01:44 < reiffert> where 4.2.2.1 is one of your nameservers
01:44 < krzee> no
01:44 < krzee> 4.2.2.1 is a nameserver
01:44 < krzee> has been for yrs
01:44 < krzee> open and recursive
01:44 < reiffert> didnt know that.
01:44 < mRCUTEO> [root@tony myopenvpn]# host google.com 4.2.2.1
01:44 < mRCUTEO> ;; connection timed out; no servers could be reached
01:44 < reiffert> 1.2.2.4.in-addr.arpa domain name pointer vnsc-pri.sys.gtei.net.
01:44 < krzee> mRCUTEO, dns isnt your problem
01:45 < krzee> which is why editing resolv.conf isnt helping
01:45 < mRCUTEO> oh
01:45 < krzee> ping 72.14.205.100
01:45 < krzee> i bet it times out
01:45 < mRCUTEO> yeah..
01:45 < reiffert> Verizon Trademark Services LLC
01:45 < mRCUTEO> but if i disable redirect traffic in the server the client will have internet connection..
01:45 < reiffert> alright, cleaning up my old car.
01:46 < krzee> mRCUTEO, why are you using bridge again?
01:46 < mRCUTEO> no this is routed
01:46 < mRCUTEO> i want to connect my pc (linux) to my server (linux)
01:47 < krzee> [03:29] <mRCUTEO> hi anyone knows how to add nameserver for tap0 in Linux ?
01:47 < krzee> tap0 = bridge
01:47 < mRCUTEO> on remote shell
01:47 < mRCUTEO> oh ..
01:47 < krzee> how bout this:
01:47 < krzee> !configs
01:47 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:47 < mRCUTEO> okie
01:47 < mRCUTEO> hold on
01:50 < [14]Chaosvex> By the way krzee
01:50 < [14]Chaosvex> Does OpenVPN allow for being picky about which connections should go through the VPN and which should use normal Internet?
01:50 < [14]Chaosvex> By IP and/or ports?
01:50 < reiffert> push route
01:50 < krzee> which clients or which hosts
01:50 < [14]Chaosvex> As in
01:51 < [14]Chaosvex> If I browsed to www.google.com it would use my home net
01:51 < krzee> ahh
01:51 < [14]Chaosvex> But www.rapidshare.com would VPN
01:51 < krzee> not so much openvpn
01:51 < krzee> your routing table and firewall rules
01:51 < [14]Chaosvex> Ah
01:51 < krzee> firewall rules for port based
01:51 < krzee> routing table for host based
01:51 < reiffert> by port: cannot be done the same way on the different OS's so it's left up to you.
01:51 < [14]Chaosvex> I see
01:51 < mRCUTEO> krzee: http://pastebin.com/m456a9c98
01:51 < mRCUTEO> this is my config
01:52 < krzee> for route based, openvpn can facilitate it as reiffert said <reiffert> push route
01:52 < krzee> push route would be in server config
01:52 < krzee> or just route command in client config
01:52 < krzee> good to know you can only push so many routes...
01:52 < [14]Chaosvex> Okay, cheers, I'll take a look
01:52 < krzee> its a byte limit, internal to openvpn
01:52 < krzee> i forget the number
01:53 < krzee> !learn pushlimit as This is a limitation of OpenVPN: the "push" block cannot exceed a maximum of about 1 KB
01:53 < vpnHelper> krzee: Joo got it.
01:53 < reiffert> 1500 minus required stuff?
01:54 < reiffert> however, I was about to do important things ... :)
01:55 < krzee> important man!
01:55 < mRCUTEO> any idea krzee on my config?
01:56 < krzee> im still trying to figure out why you didnt strip the comments
01:56 < krzee> !configs
01:56 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:58 < mRCUTEO> sorry
01:58 < mRCUTEO> here: http://pastebin.com/m5776a112
01:59 < krzee> change both to dev tun
01:59 < krzee> instead of dev tap
02:00 < krzee> you are using routing, encapsulated in ethernet frames
02:00 < mRCUTEO> okie
02:00 < krzee> you're using 2.1 on both sides, right
02:01 < mRCUTEO> yes
02:01 < krzee> consider adding this:
02:01 < krzee> !hmac
02:01 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
02:01 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
02:02 < krzee> neither of those are related to your problem
02:02 < krzee> but both are important
02:02 < mRCUTEO> okie
02:03 < mRCUTEO> i try
02:03 < krzee> now..
02:03 < mRCUTEO> okie
02:03 < krzee> push "dhcp-option DNS 202.188.0.133"
02:03 < krzee> push "dhcp-option DNS 202.188.1.5"
02:03 < krzee> is in your server
02:03 < krzee> dhcp-option DNS 202.188.0.133
02:03 < krzee> dhcp-option DNS 202.188.1.5
02:03 < mRCUTEO> yes
02:03 < krzee> is in your client
02:03 < mRCUTEO> in client?
02:03 < mRCUTEO> yes
02:03 < krzee> remove them from one or the other
02:03 < mRCUTEO> okay
02:03 < krzee> !push
02:03 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
02:04 < mRCUTEO> okay its removed
02:04 < [14]Chaosvex> push "route www.rapidshare.com 255.255.255.0"
02:04 < [14]Chaosvex> Would that be a correct entry?
02:04 < krzee> umm
02:04 < krzee> why add the whole /24?
02:05 < krzee> you prolly only want to push a route for that single host
02:05 < [14]Chaosvex> Yarr
02:05 < krzee> which would be 255.255.255.255
02:05 < [14]Chaosvex> push "route www.rapidshare.com" by itself then I guess
02:05 < krzee> no...
02:05 < krzee> 255
02:05 < [14]Chaosvex> 255.0.0.0?
02:05 < krzee> [04:06] <krzee> which would be 255.255.255.255
02:06 < [14]Chaosvex> Ah
02:06 < krzee> i highly recommend a firm grasp of networking before using vpns
02:06 < [14]Chaosvex> I'm learning ;P
02:06 < [14]Chaosvex> On the fly anyway
02:06 < krzee> heh
02:06 < krzee> ok so mRCUTEO
02:06 < krzee> have you setup NAT on your server?
02:08 < mRCUTEO> yes
02:08 < mRCUTEO> iptables is up
02:08 < mRCUTEO> i use SNAT
02:08 < mRCUTEO> on the0
02:08 < reiffert> brrr, it's -1 Celsius outside.
02:08 < mRCUTEO> *eth0
02:08 < krzee> post all your iptables rules
02:09 < mRCUTEO> wait i paste you the error
02:09 < krzee> error?
02:09 < mRCUTEO> yes in the client
02:09 -!- [14]Chaosvexs [n=Chaosvex@ip-87-82-79-153.easynet.co.uk] has joined ##openvpn
02:09 < [14]Chaosvexs> Hmm, that didn't go too well
02:09 < [14]Chaosvexs> I added the push in client side, but it doesn't seem like anything gets routed to the VPN after that
02:10 < krzee> hahaha
02:10 < krzee> !push
02:10 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
02:10 < mRCUTEO> http://pastebin.com/m5135fd93
02:10 < [14]Chaosvexs> Ah
02:10 < [14]Chaosvexs> Thought it worked in the client config properly too
02:10 < krzee> it does, if you remove the push
02:11 < [14]Chaosvexs> Ah, I see
02:11 < reiffert> #
02:11 < reiffert> /sbin/route add -net 58.26.192.13 netmask 255.255.255.255 gw 192.0.2.1
02:11 < reiffert> #
02:11 < reiffert> SIOCADDRT: File exists
02:11 < krzee> ya looks like you already have that route
02:11 < reiffert> back to icy conditions.
02:12 < mRCUTEO> oh
02:12 < mRCUTEO> what does it mean?
02:12 < krzee> post netstat -rn
02:13 < mRCUTEO> okay
02:13 < mRCUTEO> in the client?
02:13 < krzee> ya gimme clients routing table
02:13 < mRCUTEO> ok
02:14 < mRCUTEO> http://pastebin.com/m20aec09f
02:15 < krzee> ok, reconnect to vpn
02:15 < krzee> then show me your routing table
02:15 < [14]Chaosvexs> Doesn't seem to be doing it, although it's in the log files
02:15 < mRCUTEO> okay
02:15 < mRCUTEO> okie
02:15 < [14]Chaosvexs> Such as Tue Dec 16 08:15:47 2008 us=771 route ADD 72.233.89.199 MASK 255.255.255.255 192.168.168.5
02:15 < krzee> ohhhh
02:16 < krzee> lol
02:16 < krzee> my bad, route command tells it to go over the vpn
02:16 < krzee> you're trying to bypass the vpn
02:16 < krzee> 1sec
02:16 < [14]Chaosvexs> No
02:16 < mRCUTEO> http://pastebin.com/m2cfc44ba
02:16 < [14]Chaosvexs> I'm trying to make specific ones go through the VPN :)
02:16 < krzee> 58.26.192.13 192.0.2.1 255.255.255.255 UGH 0 0 0 venet0
02:16 < krzee> mRCUTEO, it added the route just fine
02:16 < krzee> still getting the error?
02:17 < mRCUTEO> yes
02:17 < mRCUTEO> no internet connection now
02:17 < krzee> dude, the internet connection thing was the problem when you came in here
02:17 < krzee> we haven't fixed it yet
02:17 < krzee> heh
02:17 < krzee> you thought it was dns, it wasnt
02:17 < mRCUTEO> Tue Dec 16 11:10:12 2008 /sbin/route add -net 58.26.192.13 netmask 255.255.255.255 gw 192.0.2.1
02:17 < mRCUTEO> SIOCADDRT: File exists
02:17 < mRCUTEO> :)
02:17 < krzee> mRCUTEO,
02:18 < krzee> !logs
02:18 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
02:18 < mRCUTEO> my windows client work great but not in linux :)
02:18 < krzee> skip the server logs
02:18 < krzee> your windows client connected now?
02:18 < mRCUTEO> nope
02:19 < mRCUTEO> previously i use windows and everything works great
02:19 < krzee> connect it, and test with whatismyip.com
02:19 < mRCUTEO> the thing is i need to go to windows-tap and add nameserver
02:19 < mRCUTEO> okay
02:19 < krzee> oh your linux client has iptables doesnt it
02:19 < tjz> heyyyyyyyyyyyyyyyyyyyyyyyyyyyyy mrcuteo!!
02:20 < mRCUTEO> yes krzee
02:20 < tjz> long time no see
02:20 < mRCUTEO> it has iptables
02:20 * krzee points to part 2 of the topic
02:20 < mRCUTEO> but not any rules inside
02:20 < mRCUTEO> empty firewall
02:20 < [14]Chaosvexs> Seems to have worked now krzee, thanks :)
02:20 < mRCUTEO> hey tjz :)
02:20 < krzee> if your windows client works, linux doesnt, and no big differences in the configs...
02:20 < krzee> then its firewall
02:21 < krzee> but lemme get that log
02:21 < mRCUTEO> okie
02:21 < krzee> also, can client ping 10.7.0.1? can server ping 10.7.0.6?
02:21 < mRCUTEO> oh let me try that one
02:22 < mRCUTEO> yes
02:22 < mRCUTEO> it can ping to it
02:22 < krzee> [14]Chaosvex yw
02:22 < mRCUTEO> but not 10.7.0.6
02:23 < krzee> hehe
02:23 < krzee> welcome to your firewall issue
02:23 < mRCUTEO> it can ping 10.7.0.1 but not 10.7.0.6
02:23 < mRCUTEO> oh my..
02:23 < mRCUTEO> should set another nat here?
02:23 < krzee> no
02:23 < mRCUTEO> oh
02:23 < krzee> your firewall is just blocking stuff
02:23 < mRCUTEO> turn off firewall?
02:23 < mRCUTEO> okay
02:23 < krzee> if it has no rules, stop loading it
02:23 < mRCUTEO> ok
02:24 < krzee> if you want to load it, configure it right
02:24 < mRCUTEO> i turn off firewall : services iptables stop
02:24 < mRCUTEO> still not working
02:25 < mRCUTEO> this really get me a headache :_)
02:26 < krzee> !google disable iptables
02:26 < vpnHelper> krzee: Howto disable the iptables firewall in Linux: <http://www.cyberciti.biz/faq/turn-on-turn-off-firewall-in-linux/>; Linux disable or remove the iptables firewall: <http://www.cyberciti.biz/faq/linux-howto-disable-remove-firewall/>; How do I disable/stop iptables/Guarddog? - LinuxQuestions.org: <http://www.linuxquestions.org/questions/linux-software-2/how-do-i-disablestop-
02:26 < vpnHelper> krzee: iptablesguarddog-618672/>
02:26 < mRCUTEO> okie
02:26 -!- [14]Chaosvex [n=Chaosvex@osvex.com] has quit [Read error: 110 (Connection timed out)]
02:28 < mRCUTEO> in windows i have the same issue but i add nameserver to windows-tap and its working perfect but not in linux you cant add nameserver to tun devices :-(
02:28 < krzee> dude
02:28 < mRCUTEO> !google disable iptables
02:28 < vpnHelper> mRCUTEO: Howto disable the iptables firewall in Linux: <http://www.cyberciti.biz/faq/turn-on-turn-off-firewall-in-linux/>; Linux disable or remove the iptables firewall: <http://www.cyberciti.biz/faq/linux-howto-disable-remove-firewall/>; How do I disable/stop iptables/Guarddog? - LinuxQuestions.org: <http://www.linuxquestions.org/questions/linux-software-2/how-do-i-disablestop-
02:28 < vpnHelper> mRCUTEO: iptablesguarddog-618672/>
02:28 < krzee> YOU CANT PING
02:28 < krzee> YOU DONT HAVE A DNS ISSUE
02:28 < mRCUTEO> oh
02:28 < mRCUTEO> ;D
02:28 < mRCUTEO> i forgot that
02:35 < mRCUTEO> krzee: firewall completely uninstall and disable still cant get it to ping 10.7.0.6 ;-=D
02:35 < krzee> the server should be pinging 10.7.0.6
02:36 < mRCUTEO> oh okay
02:36 < mRCUTEO> hold on
02:36 < krzee> heh
02:36 < mRCUTEO> oh nope no connection to it argh..
02:37 < mRCUTEO> this is ping from the server..
02:37 < mRCUTEO> server still got iptables
02:37 < mRCUTEO> but client is completely uninstalled
02:37 < [14]Chaosvexs> www.rapidshare.com resolves to 21 addresses, choosing one by random
02:37 < mRCUTEO> ;D
02:37 < krzee> so client can ping 10.7.0.1
02:37 < mRCUTEO> yes
02:37 < krzee> but server cannot ping 10.7.0.6
02:37 < [14]Chaosvexs> Seeing that kind of thing a lot in the logs and I guess that'd be why it doesn't always use the right IP
02:37 < mRCUTEO> client can ping to 10.7.0.1
02:37 < [14]Chaosvexs> Is it possible for it to use all the addresses?
02:37 < mRCUTEO> its working now
02:38 < krzee> [14]Chaosvexs, ya, add a route for all 14
02:38 < mRCUTEO> server can ping to 10.7.0.6 (client) already
02:38 < mRCUTEO> ;)
02:38 < mRCUTEO> and client can ping to server 10.7.0.1
02:38 < [14]Chaosvexs> Ah
02:38 < krzee> you know you dont have to use hostnames in the route command right [14]Chaosvexs
02:38 < mRCUTEO> the problem now client doesnt have internet connection
02:38 < krzee> ok mRCUTEO
02:38 < mRCUTEO> okie
02:38 < [14]Chaosvexs> Is there a better way krzee?
02:38 < krzee> now try this on the client
02:38 < mRCUTEO> :)
02:38 < krzee> [14]Chaosvexs, no
02:39 < krzee> mRCUTEO, now try this on the client
02:39 < mRCUTEO> okie
02:39 < krzee> host google.com 202.188.1.5
02:39 < mRCUTEO> ok
02:39 < mRCUTEO> [root@tony myopenvpn]# host google.com 202.188.1.5
02:39 < mRCUTEO> ;; connection timed out; no servers could be reached
02:40 < krzee> ok, dns is not your problem still
02:40 < krzee> which convinces me that your windows client isnt working now either
02:40 < krzee> connect your windows client and prove me wrong
02:40 < mRCUTEO> okie
02:41 < mRCUTEO> yerp windows not working also..
02:41 < krzee> right
02:41 < krzee> your NAT is broken
02:41 < krzee> !factoids search lin
02:41 < vpnHelper> krzee: 'linipforward', 'linnat', and 'linfw'
02:41 < krzee> !linipforward
02:41 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
02:41 < krzee> !linnat
02:41 < krzee> !linfw
02:41 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
02:41 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
02:42 < krzee> read those, understand those, and make sure those are right on your server
02:42 < mRCUTEO> iptables -t nat -A POSTROUTING -s 10.7.0.5 -j SNAT --to-source 58.26.212.40
02:42 < krzee> when they are right, the windows client will work
02:42 < mRCUTEO> the windows is working now
02:42 < mRCUTEO> i add those
02:42 < krzee> go back to linux
02:42 < krzee> host google.com 202.188.1.5
02:42 < krzee> whoa whoa whoa
02:42 < mRCUTEO> ok
02:42 < krzee> -s 10.7.0.5
02:42 < krzee> wtf
02:43 -!- prxtien [n=proleone@115.131.200.12] has quit [Read error: 110 (Connection timed out)]
02:43 < krzee> you only want to nat 1 client??
02:43 < mRCUTEO> nope no luck at linux phew~..
02:43 < mRCUTEO> yes
02:43 < krzee> how bout -s 10.7.0.0/24
02:44 < mRCUTEO> okie
02:44 -!- prxtien [n=proleone@115.131.206.221] has joined ##openvpn
02:45 < mRCUTEO> nope still no luck argh..
02:45 < mRCUTEO> but its working fine in windows client now
02:45 < mRCUTEO> :)
02:46 < krzee> you got rid of the old NAT rule, right?
02:46 < mRCUTEO> yerp
02:46 < mRCUTEO> reset
02:46 < mRCUTEO> and restarted
02:47 < krzee> both clients are connected?
02:47 < mRCUTEO> nope
02:47 < mRCUTEO> only linux now
02:47 < krzee> k
02:49 < mRCUTEO> some sort of i dunno blocking the inet to the client..
02:56 * mRCUTEO bbl
02:56 < mRCUTEO> thanks for the help kreg
02:56 < mRCUTEO> krzee
02:56 < mRCUTEO> :)
02:56 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has quit []
02:56 < prxtien> !ssl-admin
02:56 < vpnHelper> prxtien: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn
02:57 < krzee> !sample
02:57 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
02:58 < [14]Chaosvexs> Hmm
02:58 < [14]Chaosvexs> This routing seems pretty strange
02:58 < [14]Chaosvexs> It randomly decides to stop/start
02:58 < jeev> krzee
02:58 < jeev> i guess i'll test iodine tomorrow
02:58 < krzee> cool, dont come to me for support on it pls
02:58 < krzee> hehe
02:59 < krzee> i just pointed the way
02:59 < krzee> im not supporting it
02:59 < jeev> i wont
02:59 < jeev> one thing though
02:59 < jeev> ;D
02:59 < jeev> address is listening address, obviously
02:59 < jeev> right
02:59 < krzee> [05:00] <krzee> cool, dont come to me for support on it pls
02:59 < krzee> [05:00] <krzee> hehe
02:59 < krzee> [05:00] <krzee> i just pointed the way
02:59 < krzee> [05:00] <krzee> im not supporting it
02:59 < krzee> read the docs
03:00 < krzee> or dont tunnel over dns
03:00 < onats> hi krzee
03:00 < krzee> hey
03:00 < jeev> ok
03:01 < jeev> krzee, you sure you're not the staro f Grumpy old men ?
03:01 < jeev> of
03:01 < krzee> you sure you can read?
03:01 < krzee> i tell you dont ask me questions
03:01 < krzee> RIGHT AWAY what did you do?
03:01 < jeev> okee dokee
03:02 < krzee> you can ask me openvpn questions of course
03:02 < krzee> but i do not, and will not support iodine
03:02 < jeev> wonderful
03:02 < [14]Chaosvexs> Good stuff because I have another question ;>
03:03 < [14]Chaosvexs> The routing seems to randomly stop doing anything quite often, and restarting ends up with
03:03 < [14]Chaosvexs> Warning: route gateway is not reachable on any active network adapters: 192.168.168.5
03:03 < krzee> iodine only has 1 use, and while im not against that use, if you cant figure it out you get to pay for the internet access :-p
03:03 < [14]Chaosvexs> Whenever it tries to add a route
03:04 < [14]Chaosvexs> It just seems a case of retrying over and over until it works
03:06 < [14]Chaosvexs> Is there any way to get it to route with more reliability?
03:07 < krzee> --route-delay [n] [w]
03:07 < krzee> Delay n seconds (default=0) after connection establishment, before adding routes. If n is 0, routes will be added immediately upon connection establishment. If --route-delay is omitted, routes will be added immediately after TUN/TAP device open and --up script execution, before any --user or --group privilege downgrade (or --chroot execution.)
03:07 < krzee> This option is designed to be useful in scenarios where DHCP is used to set tap adapter addresses. The delay will give the DHCP handshake time to complete before routes are added.
03:07 < krzee> On Windows, --route-delay tries to be more intelligent by waiting w seconds (w=30 by default) for the TAP-Win32 adapter to come up before adding routes.
03:07 < [14]Chaosvexs> Okay
03:13 < reiffert> why do people want that?
03:13 < reiffert> ah well.#
03:14 < krzee> want what?
03:14 < reiffert> krzee: oh btw, when Dryanta manages to get us hop on the machines, it really looks very crazy there.
03:14 < reiffert> It looks like he is sharing the tun adapters.
03:14 < reiffert> means there is traffic like hell over it, but openvpn doesnt work on them.
03:15 < reiffert> however, you'll discover all the details once tcpdump is running.
03:17 < krzee> ohh sharing the same adapter!?
03:17 < krzee> haha
03:17 < krzee> he can specify which to use in openvpn
03:17 < krzee> --dev tunX | tapX | null
03:17 < krzee> TUN/TAP virtual network device ( X can be omitted for a dynamic device.)
03:18 < krzee> just have him mktun and then use it
03:18 < [14]Chaosvexs> In case I missed it, is there no flag to stop it picking a random address and to use all of them?
03:18 < sfire> I have a VPN all setup with openVPN .. I want the VPN server to also act as a client and connect to another site.. is this possible?
03:19 < sfire> I suspect I would need multiple instances
03:19 < krzee> you suspect correctly
03:20 < reiffert> krzee: not sure about that, it was just looking strange.
03:20 < krzee> although a single instance can connect to 2 servers now
03:20 < krzee> with a new 2.1 feature
03:20 < krzee> which i just learned about and was impressed by
03:21 < reiffert> oh.
03:21 < krzee> see <connection> in manual
03:21 < krzee> <connection>
03:21 < krzee> Define a client connection profile. Client connection profiles are groups of OpenVPN options that describe how to connect to a given OpenVPN server. Client connection profiles are specified within an OpenVPN configuration file, and each profile is bracketed by <connection> and </connection>.
03:21 < krzee> An OpenVPN client will try each connection profile sequentially until it achieves a successful connection.
03:21 < krzee> --remote-random can be used to initially "scramble" the connection list.
03:21 < reiffert> wasrgh, xml will come over us.
03:23 < reiffert> why not have multiple connect lines?
03:23 < reiffert> s,connect,remote,
03:23 < krzee> cause you can specify all sorts of stuff specific to the connection
03:23 < krzee> its fuckin cool
03:24 < krzee> <connection>
03:24 < krzee> remote 198.19.36.99 443 tcp
03:24 < krzee> http-proxy 192.168.0.8 8080
03:24 < krzee> http-proxy-retry
03:24 < krzee> </connection>
03:24 < krzee> <connection>
03:24 < krzee> remote 198.19.34.56 1194 udp
03:24 < krzee> </connection>
03:24 < krzee> etc
03:25 < krzee> The following OpenVPN options may be used inside of a <connection> block:
03:25 < krzee> bind, connect-retry, connect-retry-max, connect-timeout, float, http-proxy, http-proxy-option, http-proxy-retry, http-proxy-timeout, local, lport, nobind, port, proto, remote, rport, socks-proxy, and socks-proxy-retry.
03:26 < sfire> krzee, thanks :)
03:27 < krzee> sfire, only 1 line of that all was directed at you
03:27 < krzee> [05:21] <krzee> you suspect correctly
03:27 < krzee> that one
03:27 < krzee> you need 2 instances
03:27 < krzee> dont be misled by all that stuff i pasted ;]
03:27 < sfire> thats what I figured :)
03:27 < krzee> ok cool
03:27 < krzee> hehe
03:28 < sfire> are there any good guides on multiple instances??
03:29 < krzee> umm
03:29 < krzee> theres nothing to it really
03:29 < krzee> just put the files in a diff place
03:29 < krzee> use a diff config file
03:30 < sfire> so /etc/init.d/openvpn restart will restart all the VPNs ?
03:30 < sfire> or would I have to modify that too?
03:31 < krzee> i dont use any os with init.d
03:31 < krzee> so read through the script
03:31 < krzee> see how it works
03:34 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
03:35 < ropetin> sfire: which distro?
03:36 < sfire> ropetin, ubuntu
03:36 < ropetin> Yup, in which case it will restart them all
03:36 < ropetin> It basically looks in /etc/openvpn for any config files and tries to process them
03:36 < sfire> oh sweet
03:37 < ropetin> I used to run one to my house and one to work on Ubuntu like that
03:37 < sfire> I'm sending a Server off next week.. I want to make sure I can access it to do any setup after they install it
03:38 < sfire> I'm going to have it open a VPN connection to my machine
03:38 < sfire> outgoing connection should blow right thru their router
03:39 < sfire> they don't know how to open ports or anything like that
03:40 < krzee> ahh i see
03:40 < krzee> makes sense now =]
03:41 < krzee> was confused for a sec
03:41 < krzee> (on why have a client and server on same box)
03:41 < reiffert> the init script sends a HUP
03:41 < reiffert> which tells openvpn to reread the configfile and close and reopen all open connections, see manpage.
03:42 < sfire> after I get it all up and running I'll just delete that tunnel..
03:42 < sfire> I'll be able to access it for service the same way they do for VPN :)
03:43 < sfire> such cool stuff.. sorry this is just my first time doing it this way.. I've only bridged networks in the past using netgear "business" routers
03:44 < reiffert> I even run a dhcp server on each side of the bridged networks, thats fun :)#
03:45 < reiffert> ebtables will care.
03:45 < reiffert> assuming you want that too.
03:46 < krzee> bridging isnt what you want btw sfire
03:46 < krzee> you want a routed setup
03:47 < krzee> (see topic)
03:47 < sfire> yea.. I didn't like their setup
03:47 < sfire> thats why I went openvpn :)
03:47 < krzee> openvpn does routed or bridged
03:47 < reiffert> or both.
03:47 < krzee> just was making sure you knew which one you wanted
03:47 < krzee> both??
03:48 < reiffert> lemme think about that.
03:48 < sfire> routed is good enough
03:48 < krzee> hahah
03:48 < krzee> layer 2 AND 3
03:48 < reiffert> krzee: sure, I have a bridged connection and openvpn gives me multiple routes for other net's ...?
03:48 < sfire> the windows shares work.. thats whats important
03:48 < sfire> I can refer to them by IP .. thats no problem
03:48 < sfire> point of a login script anyway
03:48 < krzee> reiffert, its only tunneling ip packets or ethernet frames
03:49 < reiffert> right.
03:49 < krzee> sure when you tunnel ethernet frames, they contain ip packets in them
03:49 < krzee> but that doesnt count ;]
03:49 < krzee> sfire, WINS
03:49 < krzee> but ya without wins you can go by ip
03:50 < reiffert> or a broadcast relay.
03:51 < reiffert> there is one in the pptp package.
03:51 < krzee> eww
03:51 < sfire> this is for a small business... they only have 3 network shares anyway
03:51 < krzee> he said pptp
03:52 < reiffert> :)
03:52 < reiffert> full grown up, ships with every windows, just click and die.
03:52 < sfire> Atom 330 processor :)
03:55 < reiffert> uh, turntable makes strange noise, just like the plate scratches on something... uh oh
04:00 < [14]Chaosvexs> jeev
04:10 < prxtien> !route
04:11 < vpnHelper> prxtien: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:58 < [14]Chaosvexs> If I add a subnet of 255.255.255.0 to 86.53.218.90
04:58 < [14]Chaosvexs> Would that make it route 86.53.218.x?
04:58 < [14]Chaosvexs> Damn content distribution service has more addresses than I can hope to manually add
04:59 < [14]Chaosvexs> There's releasegeo.hulu.com
04:59 < krzee> correct
04:59 < [14]Chaosvexs> But it's tied to so many addresses
04:59 < krzee> !google cidr cheatsheet
04:59 < vpnHelper> krzee: CIDR SUBNET MASK CHEATSHEET & ICMP TYPE CODES: <http://www.oav.net/mirrors/cidr.html>; IPv4 CIDR notation cheat sheet | Samat Jain's personal home page: <http://samat.org/cheat_sheets/ipv4_cidr_notation>; CIDR Block Prefix: <http://www.internetsecurityguru.com/cidr.html>
04:59 < [14]Chaosvexs> Since OpenVPN just picks one it hardly works
05:00 < [14]Chaosvexs> 404s
05:00 < krzee> you never thought of just using a socks proxy did you
05:00 < krzee> heh
05:00 < [14]Chaosvexs> I have no idea what one of those is :<
05:00 < [14]Chaosvexs> So no
05:01 < krzee> a vpn for what you're doing is like killing a fly with a jackhammer
05:01 < krzee> squid is a web proxy, dante is a socks proxy
05:01 < krzee> ild suggest either of them, EXCEPT
05:01 < krzee> you've come this far
05:01 < krzee> and are basically done with a setup that requires you to learn no more
05:02 < [14]Chaosvexs> Well
05:02 < [14]Chaosvexs> It has uses other than sites
05:02 < [14]Chaosvexs> So it still has uses :>
05:03 < [14]Chaosvexs> It just so happens that releasegeo.hulu.com is being a pain
05:03 < [14]Chaosvexs> But I'm sure there's a solution
05:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:10 -!- prxtien [n=proleone@115.131.206.221] has quit [Read error: 110 (Connection timed out)]
05:25 -!- prxtien [i=proleone@115.131.207.230] has joined ##openvpn
05:28 < reiffert> .
05:42 < krzee> !static
05:42 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
05:43 < krzee> btw pro, you may find reading through some of these useful if you get bored
05:43 < krzee> !factoids search *
05:43 < vpnHelper> krzee: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum', 'secure',
05:43 < vpnHelper> krzee: 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 'irclogs', 'noenc', 'iptables',
05:43 < vpnHelper> krzee: 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', 'bridge-fw', 'linipforward', 'linnat', 'man', 'webgui', 'wintaphide', 'topology', 'configs', 'linfw', 'firewall', 'nocert', and 'pushlimit'
05:43 < reiffert> args.
05:43 < reiffert> !irclogs
05:43 < vpnHelper> reiffert: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
05:44 < reiffert> argh, so it gets all the nonsense ... sigh
05:44 < reiffert> !/30
05:44 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
05:44 < reiffert> !wintaphide
05:44 < vpnHelper> reiffert: "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89, or (#2) To show again, set it to 0x81
05:44 < reiffert> !pushlimit
05:44 < vpnHelper> reiffert: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
05:44 < reiffert> !''
05:44 < vpnHelper> reiffert: Error: "''" is not a valid command.
05:44 < reiffert> !
05:45 < krzee> ya i dunno what that is either
05:45 < reiffert> 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum',
05:45 < reiffert> there is ''
05:45 < reiffert> !1918
05:45 < vpnHelper> reiffert: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
05:45 < reiffert> !menu
05:45 < vpnHelper> reiffert: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
05:45 < reiffert> !config
05:45 < vpnHelper> reiffert: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
05:46 < krzee> heh thats an internal bot command
05:46 < krzee> configs is a factoid
05:46 < krzee> shit why is it so hard for me to put down the laptop and sleep...
05:46 < krzee> gnite guys
05:48 < reiffert> wait ...
05:48 < reiffert> krzee: ?
05:49 < krzee> ??
05:50 < reiffert> ah, another 4 minutes wasted.
05:50 < krzee> hah
05:50 < reiffert> :D
05:50 < reiffert> I know this, same for me on my laptop.
05:50 < reiffert> It must be something with the manufacturer apple ...
06:02 < krzee> !hmac
06:02 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
06:02 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
06:07 < reiffert> krzee: just down the laptop.
06:07 < reiffert> krzee: everything else will come shortly.
06:08 < krzee> lol seriously man
06:08 < krzee> but yanno
06:08 < krzee> "ok ill just finish checking my email"
06:08 < krzee> "ok ill reply to this message on this mail list"
06:15 -!- prxtien [i=proleone@115.131.207.230] has quit []
06:18 -!- prxtien [i=proleone@115.131.207.230] has joined ##openvpn
06:37 -!- prxtien [i=proleone@115.131.207.230] has quit []
06:50 -!- Pulpie_ [n=Pulpie@unaffiliated/pulpie] has joined ##openvpn
06:50 < Pulpie_> oh i love the topic
06:52 < reiffert> you are welcome
06:54 < Pulpie_> anyways
06:54 < Pulpie_> I cant seem to connect to my openvpn that i just setup
06:55 < Pulpie_> i used this but I dont have PF in use... http://www.ubergeek.co.uk/blog/2008/05/openvpn-freebsd-pf-windows-howto/
06:55 < vpnHelper> Title: OpenVPN on FreeBSD with PF and Windows XP Howto | Ubergeek Technical Howtos' (at www.ubergeek.co.uk)
06:57 < Pulpie_> http://pastebin.ca/1286798 this is my error log
06:57 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 148 (No route to host)]
06:59 -!- Pulpie_ is now known as Pulpie
06:59 < Pulpie> this is my server error log http://pastebin.ca/1286803
07:00 -!- mRCUTEO [n=info@124.13.181.131] has joined ##openvpn
07:01 < Pulpie> anyone have any ideas
07:02 -!- mRCUTEO [n=info@124.13.181.131] has quit [Remote closed the connection]
07:17 < ecrist> reiffert: sorry, I haven't moved the log process to the new server
07:17 < ecrist> I'll set that up now.
07:31 -!- gleblanc [n=chatzill@216.30.212.117] has joined ##openvpn
07:32 < reiffert> sigh.
07:32 * reiffert 's prefer no log
07:33 < ecrist> why?
07:33 < gleblanc> Howdy folks
07:34 < ecrist> howdy gleblanc, welcome back
07:34 < gleblanc> I'm having some issues with a routing setup
07:34 < gleblanc> ecrist: thanks
07:35 < gleblanc> Let me outline my network setup, and maybe somebody can spot a conceptual error
07:35 < gleblanc> I currently have a 192.168.16.x/24 network that is the main office LAN. It has several public facing IPs that are controlled and protected by a SonicWall appliance.
07:36 < gleblanc> The sonicwall is the default gateway for the network, and has a UDP port forward configured for OpenVPN
07:36 < ecrist> sounds reasonable
07:37 < reiffert> ecrist: because all the nonsense comes available by google.
07:38 < gleblanc> The OpenVPN server runs Windows Server 2003, and OpenVPN 2.1rc15
07:38 < reiffert> ... but?
07:39 < ecrist> reiffert: which nonsense? the link is only available from vpnHelper, and it's a gzipped file, which I believe is not parsed out by googlebot
07:39 < gleblanc> At the moment, I can fire up an OpenVPN client from a remote network, and it will connect, and allow me access to the OpenVPN server
07:39 < ecrist> ok
07:39 < gleblanc> However, I cannot gain access to any other machine on the main office LAN
07:39 < ecrist> but not the rest of the lan?
07:39 < ecrist> easy
07:40 < ecrist> what IP space are you using for the VPN, and are you using tun or tap?
07:40 < gleblanc> heh
07:40 < gleblanc> let me fetch that directly from the config file, so I don't misquote
07:41 < gleblanc> dev tun
07:41 < gleblanc> server 10.54.20.0 255.255.255.0
07:43 < reiffert> ecrist: google parses everything, even pdf documents.
07:44 < reiffert> push "route 192.168.16.0 255.255.255.0"
07:44 < reiffert> have that in the server config and it'll work
07:46 < ecrist> gleblanc: you're going to need to tell all the lan machines where 10.54.0.0/24 is, too
07:47 < reiffert> well, he could use masquerading on the NT box.
07:47 < reiffert> I think thats called "internet connection sharing"
07:48 < reiffert> else, he will have to tell his firewalling gateway:
07:48 < reiffert> route add -net 10.54.0.0 netmask 255.255.255.0 gateway ipofntbox
07:49 < ecrist> I don't know if sonicwalls have support for decent routing
07:49 < reiffert> gleblanc should know.
07:52 < ecrist> I can't stand sonicwalls
07:52 < Pulpie> to setup openvpn i completed http://www.ubergeek.co.uk/blog/2008/05/openvpn-freebsd-pf-windows-howto/ skipping the pf part because its not installed and I forwarded the correct port on my router. http://pastebin.ca/1286798 this is my client error log and this is my server error log http://pastebin.ca/1286803
07:52 < vpnHelper> Title: OpenVPN on FreeBSD with PF and Windows XP Howto | Ubergeek Technical Howtos' (at www.ubergeek.co.uk)
07:55 < gleblanc> ecrist: ah, hmm, ok
07:55 < gleblanc> OK, I'll chuck that in the routing config
07:57 < gleblanc> yeah, they have lots of routing options
07:57 < gleblanc> I have to make the other admin set it up, though, since I can't figure out gooeys
07:59 < reiffert> Pulpie: there is an official howto, please follow that one.
07:59 < reiffert> !howto
07:59 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:59 < Pulpie> reiffert: then why does it not show when googled >.<
08:00 < reiffert> it shows when googling: openvpn howto
08:00 < reiffert> 1st hit.
08:00 < ecrist> Pulpie: you've been in here before
08:01 < ecrist> we've told you about the howto before
08:01 < Pulpie> ecrist: actually i never left
08:01 < Pulpie> ecrist: no you haven't
08:01 < ecrist> it's in the channel topic, always has been
08:01 < Pulpie> anyways
08:01 < Pulpie> the how-to uses RPM which i dont use, i use freebsd
08:02 < reiffert> and it uses non-rpm
08:02 < Pulpie> where i cant seem to find it
08:02 < reiffert> oh and it talks about bsd
08:02 < ecrist> Pulpie:
08:02 < ecrist> !freebsd
08:02 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
08:12 < Pulpie> ecrist: this line in the config confuses me
08:12 < Pulpie> server 172.30.0.0 255.255.255.0
08:18 < ecrist> ok, what's confusing about that? it says, 'hey! be a server and use 172.30.0.0/24 for the IP range, grab the first one for yourself'
08:19 < Pulpie> so i should change the 172 ip to 127.0.0.1 ?
08:19 < Pulpie> or do i have to actually change it to my ip
08:23 < Pulpie> I only have one ip.. so how can I tell it not to use more than one ip?
08:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:24 < ecrist> Pulpie: how about you read the documentation?
08:24 < ecrist> use the 172.30 range
08:24 < ecrist> !1918
08:25 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
08:26 < Pulpie> ecrist: why are you being so rude about this. Im just trying to learn
08:28 < ecrist> not trying to be rude. I get frustrated when there are documents out there that people don't read.
08:28 < ecrist> let me know if that freebsd link I sent you above doesn't make sense or is missing something - I wrote it.
08:30 < ecrist> Pulpie: I may have mistaken you for someone else.
08:31 < Pulpie> maybe, but thats life.
08:31 < ecrist> sorry man
08:32 < Pulpie> its ok dude.
08:32 < ecrist> bbiab, gotta reboot this damn laptop for an update
08:32 < Pulpie> ok
08:39 < Pulpie> ecrist: http://www.secure-computing.net/wiki/index.php/OpenVPN_Server#Setup_SSL_Certificates.2FKeys it says to get some .tar and you will get two files but the link doesn't have a tar OR those two files
08:39 < vpnHelper> Title: FreeBSD OpenVPN Server HowTo - Secure Computing Wiki (at www.secure-computing.net)
08:48 < ecrist> Pulpie: I need to update that, I got that script ported to freebsd's ports tree
08:49 < ecrist> cd /usr/ports/security/ssl-admin && make install
08:50 < Pulpie> ecrist: thanks
08:51 < ecrist> if you have questions/problems about that script, let me know, I wrote that, too. krzee's got a couple bits in there, and he's getting it ported to gentoo linux now.
08:52 < Pulpie> nice
08:52 < Pulpie> I am still working on my perl script
08:52 < ecrist> perl script for?
08:53 < Pulpie> it doesn't do anything close to what yours does
08:53 < Pulpie> just allows people to learn the command line in a safe environment, almost like an interactive tutorial system
08:53 < Pulpie> Im going to create it as an engine and break away all the parts
08:53 < ecrist> oh, yeah, I remember that, from ##freebsd, right?
08:53 < Pulpie> maybe
08:54 < Pulpie> http://fushi.sf.net
08:54 < vpnHelper> Title: FUSHI » Home (at fushi.sf.net)
08:54 < Pulpie> that it?
08:56 < ecrist> is that your page?
08:56 < Pulpie> ecrist: yes
08:57 < Pulpie> now I already created my keys for vpn but I think thats why i have an error
08:57 < Pulpie> I manually created them, put them over to the client so the server and client use the same keys, thats correct right?
08:57 < ecrist> Pulpie: CSS issue I think in Safari - http://skitch.com/ecrist/6sn3/picture-5
08:57 < vpnHelper> Title: Skitch.com > ecrist > Picture 5 (at skitch.com)
08:57 < ecrist> not really
08:58 < ecrist> you want to build a certificate/key pair for the server, and a certificate/key pair for each client
08:58 < Pulpie> erm I did such but i get a TLS error for some reason
08:59 < Pulpie> the client matches the server one on the call back password
08:59 < ecrist> can you post client/server configs and the logs?
08:59 < ecrist> pastebin.com, please
08:59 < Pulpie> sure
08:59 < Pulpie> ok
09:04 < Pulpie> http://pastebin.com/d1fb53b93
09:05 < Pulpie> erm that was stupid, I masked my server domain on the config but not on the error log >.>
09:06 -!- straterra [n=straterr@ipv6.projectstfu.com] has joined ##openvpn
09:07 < straterra> I have a bridge VPN set up, but OpenVPN keeps changing the MAC of the tap interface..is there any way to make sure the MAC stays the same?
09:08 < ecrist> weird, never seen that error before, Pulpie. You built two separate certs, one for the server and one for the client?
09:09 < Pulpie> ecrist: yes, technically i built one for the server and 3 for 3 different clients
09:09 < ecrist> straterra: I haven't played with bridge mode a lot, check the howto or man pages to see if there's any mention of it.
09:10 < Pulpie> ecrist: do you think i may have built them incorrectly?
09:10 < ecrist> possibly - did you use ssl-admin?
09:10 < Pulpie> no i didn't.
09:10 < Pulpie> I have not tried your way fully yet
09:11 < Pulpie> i was trying to see if I could avoid rebuilding the keys
09:11 < ecrist> if you do, make sure your ports tree is current - we just pushed an updated version last week.
09:11 < Pulpie> i update every day, thanks for the heads up.
09:11 < Pulpie> ecrist: should openssl be installed?
09:11 < straterra> I suppose I can just use ifconfig to manually set the MAC
09:12 < straterra> o.O
09:12 < straterra> maybe
09:12 < Pulpie> would that be helpful? :P
09:13 < ecrist> yes, it would. ;)
09:13 < Pulpie> ecrist: odd openssl doesn't have a man page but is installed >.>
09:14 < Pulpie> i thought i had just found my problem too
09:15 < Pulpie> ecrist: does anything need to be edited in ssl-admin anymore?
09:19 < Pulpie> ecrist: ignore the above
09:19 < ecrist> yes, the openssl.cnf needs to be edited
09:20 < straterra> I'm stuck in the water :/
09:21 < ecrist> !mac
09:21 < vpnHelper> ecrist: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
09:21 < Pulpie> i dont have a KRL_CRL_LOC like crl.pem do i create one and if so how?
09:21 < straterra> Hmm?
09:21 < Pulpie> !pem
09:21 < vpnHelper> Pulpie: Error: "pem" is not a valid command.
09:21 < Pulpie> :/
09:21 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Read error: 54 (Connection reset by peer)]
09:21 < ecrist> Pulpie: just leave that alone if you don't have one, you're going to want to generate CRLs, though.
09:21 < ecrist> I gotta work for a bit, so I'll be in and out.
09:21 < Pulpie> ok 09:22 < Pulpie> thanks for all your help so far 09:27 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 09:27 < plaerzen> hey guys 09:29 < Pulpie> hi 09:31 < Pulpie> ecrist: your openssl dhparam -out active/dh1024.pem 1024 ends in active/dh1024.pem: No such file or directory 09:31 < Pulpie> what should i do 09:35 < ecrist> hrm 09:35 < ecrist> lemme look at it 09:39 < ecrist> Pulpie: the command works on a clean install for me, from within the script 09:43 < ecrist> oh, you know why the command alone doesn't work, the active/ directory doesn't exist where you are. 09:43 < ecrist> just run openssl dhparam -out dh1024.pem 1024 09:44 < Pulpie> ok 09:45 < Pulpie> do i have to restart the server to get vpn working or something 09:45 < ecrist> yes, if you're going to change keys and certificates, you'll need to restart it 09:46 < Pulpie> define change, because when i created these keys i did not restart. 09:47 < Pulpie> has this been my problem all along? 09:52 -!- Pulpie [n=Pulpie@unaffiliated/pulpie] has quit [Remote closed the connection] 09:54 < ecrist> heh, could have been. 09:54 < ecrist> the certs and keys are read at startup 09:55 -!- Pulpie [n=Pulpie@unaffiliated/pulpie] has joined ##openvpn 09:56 < Pulpie> lame 09:58 < Pulpie> ok im litterally out of ideas to make this work 09:58 < Pulpie> i have redone the keys 09:59 < Pulpie> even the configs 09:59 < Pulpie> same damn error 09:59 < ecrist> Pulpie: I would recommend you completely follow the directions on the freebsd page I listed. 
start to finish 09:59 < ecrist> try ssl-admin to generate certificates and keys 09:59 < Pulpie> i did that 10:00 < Pulpie> TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use < thats in my log file 10:03 < Pulpie> ecrist: is there any way to see my attempts in a log file 10:03 < ecrist> um, that means openvpn is already running 10:03 < Pulpie> ecrist: my connection attempts arent shown 10:04 < ecrist> set verb 4 or berb 6 10:04 < ecrist> verb* 10:07 < Pulpie> i get nothing on verb 4 for connections 10:08 < Pulpie> even on verb 8 i dont get any connection mentions 10:08 < Pulpie> maybe this is a firewall issue? 10:09 < ecrist> something is broken then, you should get connection information on verb 4 10:10 < Pulpie> is it likely to say its a firewall thing, that im not actually connecting? 10:10 < ecrist> yeah 10:10 * ecrist notes the chan topic 10:10 < Pulpie> but then why a TLS error? 10:10 < Pulpie> I dont really have a firewall its just a router 10:10 < ecrist> could have to do with *how* the firewall is blocking the connection 10:11 < Pulpie> but it should be forwarding it 10:12 * Pulpie sighs 10:16 < plaerzen> Pulpie, a router has firewall functions 10:16 < Pulpie> plaerzen: i know but its port is forwarded 10:16 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 10:17 < plaerzen> Pulpie, for both protocols ? 10:17 < Pulpie> yes 10:22 < plaerzen> when you try to connect to your server, run "netstat -p | grep openvpn" give it a second and see if any output shows up. 10:22 < plaerzen> run that on your client, rather 10:38 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has quit ["GG. X_X"] 11:01 < Pulpie> my client is windows 11:02 < plaerzen> alrighty then. 
run netstat -nb and look for openvpn (I think those are the flags) 11:14 -!- thechef [n=testi@adsl-89-217-0-168.adslplus.ch] has joined ##openvpn 11:18 < thechef> I want each vpn client to receive as long as possible the same ip over and over 11:22 < plaerzen> !args 11:22 < vpnHelper> plaerzen: Error: "args" is not a valid command. 11:22 < plaerzen> !list 11:22 < vpnHelper> plaerzen: Admin, Channel, Config, Factoids, Google, Misc, Owner, Seen, Services, User, Weather, and Web 11:22 < plaerzen> !list factoids 11:22 < vpnHelper> plaerzen: change, forget, info, learn, lock, random, search, unlock, and whatis 11:23 < plaerzen> !list factoids info 11:23 < vpnHelper> plaerzen: (list [--private] [<plugin>]) -- Lists the commands available in the given plugin. If no plugin is given, lists the public plugins available. If --private is given, lists the private plugins. 11:52 -!- thechef [n=testi@adsl-89-217-0-168.adslplus.ch] has quit [Read error: 110 (Connection timed out)] 12:19 < ecrist> plaerzen: what are you looking for? 12:19 < plaerzen> per client config 12:19 < plaerzen> but I don't really care that much, which is why I gave up 12:20 < ecrist> !ccd 12:20 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client 12:21 < plaerzen> alrighty 12:21 < plaerzen> hey ecrist, I got an underling - she started yesterday. woop. 12:21 < ecrist> nice, I wish I had an underling 12:22 < plaerzen> yeah, it's cool. Just hope all the testosterone around here doesn't distract here. 12:22 < plaerzen> s/here/her 12:24 < ecrist> if she's cute, I can give her a job here in minneapolis, nice cozy FreeBSD admin position, good pay... 12:24 < ecrist> and, she'd get to work with me. ;) 12:25 < plaerzen> she's not bad 12:25 < plaerzen> but helpdesk, not admin. 12:25 < plaerzen> you can have her after I am done with her 12:27 < ecrist> oh, not admin 12:28 < plaerzen> yeah 12:28 < ecrist> plaerzen: come fix my LDAP ACLs for me. 
12:28 < plaerzen> thought you were making a script for that? 12:29 < ecrist> for the import, I did, that's done. now I'm tweaking the ACLs so certain groups can write certain records and attributes 12:30 < plaerzen> does it just use facl ? 12:30 -!- gregHome [n=chatzill@75.108.7.23] has joined ##openvpn 12:30 < gregHome> ecrist: still about? 12:30 < plaerzen> I never worked with ldap / setfacl specifically 12:31 < gregHome> Routing is still unhappy with me, it seems 12:32 < gregHome> I've added a route for 10.54.20.0/24 to the default gateway pointing to the OpenVPN server, but I still can't connect to anything on the OpenVPN server's network 12:32 < ecrist> plaerzen: no 12:33 < ecrist> gregHome: I would do this, select on test system on the OpenVPN server's LAN, add a route to that box for 10.54.20.0/24 to the OpenVPN Server's IP. test that, it should work. 12:36 < gregHome> ok, route added 12:36 < gregHome> testing 12:37 < gregHome> yep 12:37 < gregHome> that works 12:37 < gregHome> Maybe I'm better off pushing the route via DHCP 12:37 < gregHome> Thoughts? 12:38 < ecrist> yeah, that's what I'd do, tbh 12:40 < gregHome> ok, tonight I'll test with my dd-wrt box as the OpenVPN client 12:45 < ecrist> good luck 12:55 < gregHome> Thanks 12:57 -!- gregHome [n=chatzill@75.108.7.23] has quit ["ChatZilla 0.9.84 [Firefox 3.0.4/2008102920]"] 14:07 < reiffert> moin 14:07 < ecrist> moin 14:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:49 < plaerzen> hey 14:49 * plaerzen doesn't know foreign languages. 
16:01 -!- gleblanc_ [n=chatzill@mail.pickeringusa.com] has joined ##openvpn 16:14 -!- gleblanc__ [n=chatzill@216.30.212.117] has joined ##openvpn 16:21 -!- gleblanc [n=chatzill@216.30.212.117] has quit [Read error: 110 (Connection timed out)] 16:21 -!- mpetersen [n=mpeterse@c-71-194-132-69.hsd1.il.comcast.net] has joined ##openvpn 16:23 -!- gleblanc_ [n=chatzill@mail.pickeringusa.com] has quit [Read error: 60 (Operation timed out)] 16:25 -!- gleblanc__ [n=chatzill@216.30.212.117] has quit [Read error: 104 (Connection reset by peer)] 16:52 < krzie> moin 16:58 -!- mpetersen [n=mpeterse@c-71-194-132-69.hsd1.il.comcast.net] has left ##openvpn [] 17:38 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 17:41 < mRCUTEO> jiya krzee 17:41 < mRCUTEO> hiya 17:41 < krzie> hey 17:42 < mRCUTEO> its working now 17:42 < mRCUTEO> :) 17:42 < krzie> cool 17:42 < mRCUTEO> you absolutely right nuthing to do with dns 17:42 < mRCUTEO> its my IP address 17:42 < krzie> ya, we tested it 17:43 < krzie> which is why i said it with such certainty 17:43 < mRCUTEO> the IP address which i assigned is not available in the network 17:43 < mRCUTEO> :) 17:43 < krzie> hah, makes sense 17:43 < mRCUTEO> i assigned Ip addres on wrong subnet :D 17:43 < mRCUTEO> hehe 17:45 < krzie> well im glad you figured that out, cause we had no way to know 17:45 < mRCUTEO> krzee is it possible to modify mtu to get better access to openvpn? 17:46 < krzie> !mtu 17:46 < mRCUTEO> i mean increase speed 17:46 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 17:46 < mRCUTEO> okie okie 17:46 < mRCUTEO> ./openvpn --mtu-test will do? 
17:46 < mRCUTEO> ./openvpn --mtu-test <host> 17:47 < krzie> just add it to your normal command 17:47 < mRCUTEO> okie 17:47 < krzie> you still need the config obviously 17:47 < mRCUTEO> okie 17:53 < mRCUTEO> i run this command ./openvpn --config server.conf --mtu-test 92.2.192.8 - how can i see the mtu result? 17:53 < krzie> remove daemon from the config while doing mtu-test 17:53 < krzie> it'll start in the foreground 17:53 < krzie> or look at the logs... 17:54 < krzie> aka, the same way you EVER see output 17:54 < mRCUTEO> okie 17:58 < mRCUTEO> krzee: how can i check mtu in a Linux box.. in the tutorial it only shows windows os on how to ping and test mtu.. do you know the way for linux? 17:59 < krzie> you can just use --mtu-test on the client as well 18:01 < mRCUTEO> any documentation on mtu-test for openvpn? 18:02 < mRCUTEO> i search the site cant fine one 18:02 < krzie> !man 18:02 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:02 < mRCUTEO> okie dokie 18:13 -!- mRCUTEO [i=LUNAT@r0x.dave.ksh2008-sarawak.com] has quit [] 18:22 < reiffert> why cant I just sleep .. 18:30 < krzie> <reiffert> krzee: just down the laptop. 18:30 < krzie> <reiffert> krzee: everything else will come shortly. 18:30 < krzie> ;] 18:30 < krzie> lol 18:57 -!- straterra [n=straterr@ipv6.projectstfu.com] has quit [Read error: 113 (No route to host)] 19:27 < ecrist> evening, folks 19:28 < krzie> sup eric 19:29 < ecrist> nm - had to purchase a larger IP space from comcast. :( 19:41 < krzie> had to? 19:42 < ecrist> well, yeah 19:42 < ecrist> stupid SSL/HTTPS and its requirement for a unique IP 19:44 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection] 19:53 < ecrist> hrm, never heard of SNI - looks like it's rolling out. 
19:53 < ecrist> will be nice 19:54 < krzie> ahh 20:01 -!- Splooge12 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has joined ##openvpn 20:02 < Splooge12> Hi 20:02 < ecrist> hi 20:03 < Splooge12> I think I've done everything by the book (i've done a few openvpn installs before) but this just goes right over my head. I just can't get the openvpn client to connect even though it is running on the server. I can show configs or what not. I'm just lost here though 20:03 < krzie> umm 20:03 < krzie> you just say the client and server are on same box? 20:03 < Splooge12> No, the server is on my linux box 20:03 < Splooge12> and the client is on my vista box 20:04 < krzie> and what happens when you try to connect? 20:04 < Splooge12> Tue Dec 16 21:05:11 2008 TCP: connect to xx.xx.xx.xx:1194 failed, will try again in 5 seconds 20:04 < krzie> and on server? 20:04 < Splooge12> absolutely nothing 20:05 < Splooge12> I've even checked logs 20:05 < krzie> server is behind a NAT? 20:05 < Splooge12> and I've gone over my client configs a dozen times 20:05 < Splooge12> Quite possibly, this is my second day with this server 20:05 < krzie> you dont know if its behind a NAT? 20:06 * ecrist points subtly at the second part of the channel topic 20:06 < Splooge12> well it's hosted under my friend who is god knows where 20:06 < krzie> ecrist, i agree 20:10 < Splooge12> I just checked over everything and there is in fact no nat/firewall stopping it 20:10 < krzie> iptables -v -L 20:11 < krzie> also double check that its connecting to the right ip, and both are using the same protocol 20:11 < krzie> and disable the vista firewall 20:11 < ecrist> on server, set verb to 4, you should see connection info 20:12 < Splooge12> kk, on iot 20:12 < Splooge12> it* 20:24 < onats> can someone give me some topic to research / study? 
I am so bored here at work 20:33 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has joined ##openvpn 20:34 < ecrist> sure - figure out how to convince LDAP 2.4 to validate and accept KERBEROS tokens. :) 20:42 < ecrist> g night, time for a beer 20:57 < tjz> g nite 20:57 * tjz swim in 21:00 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)] 21:04 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn 21:08 < lolipop> !route 21:08 < vpnHelper> lolipop: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:37 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 21:39 < lolipop> !menu 21:39 < vpnHelper> lolipop: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 22:01 < lolipop> hello ~ 22:01 < lolipop> i need some help 22:04 < tjz> just ask 22:04 < tjz> we will try to help 22:08 -!- no_maam [n=no_maam@130.83.167.54] has quit [Read error: 60 (Operation timed out)] 22:08 < lolipop> I have 1 openvpn server and client, once it is connected, the client only be able to ping those network within its own subnet, it cant reach to other subnet 22:08 < lolipop> is there any solutions? 23:02 -!- RonDutt [n=thedot@c-24-17-159-108.hsd1.wa.comcast.net] has joined ##openvpn 23:03 < RonDutt> !route 23:03 < vpnHelper> RonDutt: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 23:36 < RonDutt> Anyone know of a peer 2 peer based VPN solution? OpenVPN requires a server to stay up 24/7 for the tunnels to remain active, I would like for clients to still talk to each other even if the server goes down. This also reduces latency which is my aim (main purpose: gaming). --- Day changed Wed Dec 17 2008 00:11 < ropetin> RonDutt: I've used openswan in the distant past for that. Not sure if it even still is updated though 00:41 < tjz> RonDutt: does that server goes down often? 
00:43 < ropetin> That's what SHE said 00:48 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 00:53 < tjz> your clients must be heavy users.. 00:54 < ropetin> That's what SHE said 00:56 < tjz> lol 01:02 < jeev> tjz 01:02 < jeev> how is your vpn doing 01:04 -!- Pulpie [n=Pulpie@unaffiliated/pulpie] has left ##openvpn [] 01:14 < RonDutt> tjz almost never, I just want something that works without traffic going through the server. So far I've found n2n that does the job pretty well, but alas no windows client. 01:14 < RonDutt> tjz basically reinventing the wheel =D Hamachi exists and does exactly what I want, with the exception of me having control. 01:18 < reiffert> moin 01:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 01:28 < lolipop> Hi krzee 01:28 < lolipop> are you there? 01:28 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 01:30 < reiffert> ecrist: you dont know the x509 extension "subject alternative name", right? 01:31 < reiffert> ecrist: allowing you to have one cert for multiple hostnames. 01:35 < krzee> sup? 01:35 < lolipop> krzee: regarding ur ROUTES TO ADD OUTSIDE OF OPENVPN on http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:35 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 01:36 < krzee> ok 01:36 < krzee> ... 01:36 < lolipop> krzee: this is what i'm facing now, hopes u can help 01:36 < krzee> the routes that must be added to the routes 01:36 < krzee> router 01:36 < krzee> im drunk but ill try 01:36 < lolipop> krzee : example ? 01:36 < lolipop> krzee : lol, really? 
cool 01:36 < reiffert> personal trainer >p 01:37 < krzee> tell me what you need, ill try 01:37 < lolipop> ok, great 01:37 < krzee> tell me the setup 01:37 < krzee> reiffert, moin 01:38 < reiffert> trunk on tuesdays, tzt tsztz :) 01:38 < lolipop> I have a router server which is using m0n0-wall and it consists of 4 interfaces, A , B , C and D, my openvpn server is installed on one of the subnets of A 01:38 < krzee> reiffert, trunk = drunk, right? 01:38 < lolipop> now when my openvpn client connected to my openvpn server, it only be able to ping those machines which is under the same subnet 01:39 < lolipop> the openvpn client cant ping those under interface B, C and D 01:39 < lolipop> is there any solution? 01:39 < reiffert> krzee: oh yeah, thats because the germans write: betrunken, getrunken and trinken, so drunk, yeah 01:39 < krzee> should it ping which? 01:39 < krzee> i like getrunken 01:39 < krzee> its like get drunk 01:39 < reiffert> Ich habe getrunken : I was drinking 01:40 < krzee> nice! 01:40 < krzee> i 1/2 want to save that! 01:40 < krzee> i tried to say moin to my neighbor, he looked at me funny 01:40 < reiffert> I'm drunk : Ich bin betrunken 01:40 < reiffert> hahaha rotfl! 01:41 < reiffert> "moin"? 
01:41 < lolipop> i want the openvpn client be able to ping those machines which is under interfaces B, C and D subnet as well 01:41 < krzee> he speaks german and spanish 01:41 < krzee> i speak english and spanish 01:41 < reiffert> :D 01:41 < krzee> (people speak spanish here) 01:41 < krzee> lolipop, add push routes for those subnets 01:42 < krzee> woooo im drunk still helping people 01:42 < reiffert> push "route netipofnetB maskofnetB" 01:42 < lolipop> krzee: when i try to add push routes, i got this error, OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.16.12.1 01:42 < krzee> im 1/3 way to being irish 01:42 < lolipop> because the 172.16.12.1 is not on the openvpn 01:42 < lolipop> is not on the openvpn server 01:42 < reiffert> krzee: the atlantic ocean is deep, plenty of water to drink! 01:43 < reiffert> !configs 01:43 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 01:43 < krzee> lolipop, you used push "route 172.16.12.0 255.255.255.0" 01:43 < krzee> right? 01:43 < krzee> in server config 01:43 < reiffert> lolipop: what has the special IP .1 got to do with it? 01:44 < krzee> reiffert, exactly what i was thinking 01:44 < reiffert> well, except that it is unspecial. 01:44 < lolipop> krzee: yeap , push "route 172.16.12.0 255.255.255.252.0" 01:44 < reiffert> but .. you never know. 01:44 * krzee wipes beer off the bed and pretends that didnt happen 01:44 < krzee> ummm 01:44 < krzee> 255.255.255.252.0 01:44 < reiffert> lolipop: ouch! 01:44 < krzee> ?????????????????????????? 01:44 < reiffert> 255.255.255.252.0 01:45 * krzee bets the programmers never expected that 01:45 < reiffert> krzee: your girl might assume the beer is pee of another girl! 
01:45 < krzee> haha could be 01:46 < krzee> but my main girls knows theres other girls 01:46 < krzee> and none of the others care at all 01:46 < reiffert> allright 01:46 < krzee> so im not worried 01:46 < krzee> as long as i can get these xmas gifts out of here without trouble, im golden 01:46 < reiffert> hehe 01:47 < krzee> [03:47] <krzee> but my main girls knows theres other girls 01:47 < krzee> i meant main girl 01:47 < lolipop> lol 01:47 < lolipop> even i put 255.255.255.0 still the same 01:47 < lolipop> because the 172.16.12.1 host is not on the openvpn server 01:47 < krzee> only 1 main girl 01:47 < reiffert> For your neighbour: Have a nice evening : Guten Abend 01:47 < krzee> the rest are others 01:47 < krzee> reiffert, i think how i say it is the problem 01:47 < reiffert> lolipop: what is so special at .1? 01:47 < krzee> i read it in my language =/ 01:47 < lolipop> argh 01:47 < lolipop> sorry 01:47 < lolipop> dc 01:47 < reiffert> krzee: Gooten Ubend 01:48 < krzee> gew-ten you-bend 01:48 < krzee> ? 01:48 < lolipop> even i put 255.255.255.0 still the same, because the 172.16.12.1 host is not on the openvpn server 01:48 < reiffert> krzee: gew-ten Abend, the A just like the a from "Ball" 01:49 < krzee> lolipop, but that box knows how to send traffic to 172.16.12.1? 01:49 < reiffert> lolipop: please answer me 01:49 < lolipop> lol 01:49 < lolipop> bro 01:49 < lolipop> sorry 01:50 < krzee> lolipop, i think drawing would help me, wanna check out gliffy.com for me? 01:50 < lolipop> i have a line with .1 which forgot to commented 01:50 < reiffert> krzee: http://dict.leo.org/ende?lp=ende&lang=de&searchLoc=0&cmpType=relaxed&sectHdr=on&spellToler=on&chinese=both&pinyin=diacritic&search=Guten+Abend&relink=on 01:50 < vpnHelper> Title: LEO Ergebnisse für "Guten Abend" (at dict.leo.org) 01:50 < reiffert> krzee: there is a speaker symbol, right column, 4th row 01:50 < krzee> awesome! 
01:51 < lolipop> bro 01:52 < lolipop> on openvpn client, why i will have this error : Options error: option 'iroute' cannot be used in this context 01:52 < reiffert> !configs 01:52 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 01:52 < lolipop> openvpn is using kubuntu 8.04 01:52 < krzee> ya !configs is right 01:52 < krzee> heh 01:53 < lolipop> http://pastebin.com/mee7d2df 01:53 < lolipop> this is the conf file for openvpn client 01:53 < reiffert> 5 dollars when the comments are removed. 01:53 < krzee> whoa whoa whoa 01:54 < reiffert> wow, I won 5 dollars. 01:54 < krzee> you can NOT have iroute in a config file 01:54 < krzee> must be in a ccd entry 01:54 < krzee> and ONLY when the network is behind a client 01:54 < krzee> when it is behind the server, it must be a push route 01:55 < krzee> [03:44] <krzee> lolipop, you used push "route 172.16.12.0 255.255.255.0" 01:55 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 01:56 < krzee> [03:44] <krzee> right? 01:56 < reiffert> 08:51 < lolipop> i have a line with .1 which forgot to commented 01:56 < mRCUTEO> hiya all 01:56 < mRCUTEO> :D 01:56 * krzee + drunk says hi 01:57 < lolipop> okay 01:57 < lolipop> krzee: then do i need to push route on server config? 01:57 < krzee> right 01:57 < krzee> lolipop, whats your first language? 01:58 < mRCUTEO> hey tjz 01:58 < mRCUTEO> whats up dude 01:58 < mRCUTEO> :D 01:58 < lolipop> chinese 01:58 < mRCUTEO> hey lolipop where you're from ucko 01:58 < krzee> lolipop, ok we'll be sticking to english then =] 01:58 < reiffert> :) 01:59 < krzee> can you get me cheap server colocation in china!? 
01:59 < lolipop> hehe 01:59 < mRCUTEO> lol 01:59 < lolipop> lol 01:59 < lolipop> i'm not from china 01:59 < krzee> damn 01:59 < mRCUTEO> krzee you can only get the worst colocation in china :D 01:59 < krzee> mRCUTEO, behind the great firewall tho 01:59 < mRCUTEO> lol.. 01:59 < reiffert> mRCUTEO: at least it is inside of china. 02:00 < krzee> it has advantages, and disadvantages 02:00 < mRCUTEO> double lol 02:00 < reiffert> mRCUTEO: on the otherside of that firewall. 02:01 < mRCUTEO> well i've got a server before in china, they restrict almost everything.. can't even get to adult site not to mention US and government site.. 02:01 < lolipop> krzee: this is my openvpn server config file, http://pastebin.com/m17bca8d5 02:01 < krzee> oh shit its a bridge 02:01 < reiffert> argh 02:01 < krzee> why is it a bridge!? 02:02 < lolipop> because i need to bridge my eth0 and tap0 02:02 < krzee> and why? 02:02 * krzee points to the topic 02:02 < lolipop> i dun need that? 02:02 < mRCUTEO> lolipop: do you understand what i'm saying? :D 02:02 < krzee> you only use bridges when you need to communicate based on MAC address 02:02 < mRCUTEO> lolipop: where are you from? 02:03 < mRCUTEO> MAC: ethernet :D 02:03 < lolipop> krzee: thats mean i only need server 02:03 < lolipop> mRCUTEO : from malaysia 02:03 < mRCUTEO> oh, so that's it, i was wondering where you're from 02:03 < mRCUTEO> so that's how it is 02:04 * reiffert didnt expect communications to stay on iso-8995-1. 02:05 < lolipop> u from? 02:05 < mRCUTEO> i'm from malaysia too 02:05 < lolipop> oh 02:05 < mRCUTEO> indadaiskul 02:05 < lolipop> great 02:06 < reiffert> google earth doesnt know indadaiskul 02:06 < lolipop> brb, i need to reconnect 02:07 < krzee> reiffert, lol 02:07 < mRCUTEO> double lol.. 02:08 < mRCUTEO> you can't speak malay, lolipop? 02:08 < mRCUTEO> i speak chinese 02:09 < mRCUTEO> do you understand what i'm saying? 
02:09 < mRCUTEO> :D 02:09 < lolipop> lol 02:09 < lolipop> yeah 02:09 < lolipop> i can understand 02:10 < mRCUTEO> im sure you understand this my friend :) 02:10 < mRCUTEO> its simple chinese 02:10 < mRCUTEO> i speak malay, english, chinese, tamil, spanish and tagalog 02:10 < mRCUTEO> ;) 02:10 < krzee> simple chinese to you 02:10 < mRCUTEO> :) 02:10 < krzee> random chars to me 02:10 < mRCUTEO> hehe 02:10 < krzee> and im about to passout 02:10 < mRCUTEO> lol.. 02:11 < krzee> so anyone who wants my help within the next 10min, speak english 02:11 * mRCUTEO speaks english from now on :_) 02:12 < krzee> i thought your setup was working right 02:13 < mRCUTEO> yes its okay for now.. 02:13 < mRCUTEO> still finding out on the mtu setting 02:14 < krzee> seriously?!? 02:14 < krzee> its just one run on the vpn 02:14 < mRCUTEO> my connection seems to be very slow from asia to eastern USA.. 02:14 < krzee> with --mtu-test 02:14 < krzee> takes like 3 minutes 02:14 < mRCUTEO> ./openvpn --mtu-test? 02:14 < mRCUTEO> thats it? 02:14 < krzee> same thing you normally start your vpn with 02:15 < krzee> but with --mtu-test 02:15 < mRCUTEO> ./openvpn --config server.conf (i put in mtu-test in the config) 02:15 < mRCUTEO> will this be okay? 02:15 < krzee> like openvpn --mtu-test --config server.conf 02:15 < mRCUTEO> okay 02:15 < mRCUTEO> let me try this 02:15 < krzee> ya the other should work too 02:16 < reiffert> my place: http://maps.google.de/maps?f=q&hl=de&geocode=&q=klein-winternheim&sll=51.151786,10.415039&sspn=18.010525,39.199219&ie=UTF8&ll=49.938129,8.20918&spn=0.004502,0.00957&t=h&z=17 02:16 < vpnHelper> Title: Google Maps (at maps.google.de) 02:16 < mRCUTEO> oh 02:16 < krzee> mtu-test goes in client 02:16 -!- lolipop [n=soontak@219.94.54.133] has quit [Remote closed the connection] 02:16 < mRCUTEO> so i check the log aint got nuthing there 02:16 < mRCUTEO> ic 02:16 < mRCUTEO> no wonder.. 
02:16 < krzee> remove daemon from config 02:16 < mRCUTEO> i was testing it on the servr :D 02:16 < krzee> hah 02:16 < krzee> !mtu 02:16 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 02:17 < krzee> it says client 02:17 < mRCUTEO> mi big mistake sorry 02:17 < mRCUTEO> argh "[-) 02:17 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn 02:17 < mRCUTEO> wb lolipop 02:18 < krzee> i really like that so many people i help in here are not native english speakers 02:18 < mRCUTEO> :) 02:18 < lolipop> argh 02:18 < lolipop> sorry 02:18 < krzee> i like that so many people from other lands want to run vpns with openvpn 02:19 < lolipop> http://pastebin.com/m18f4f4c0 <--- Correct now? 02:19 < reiffert> the english native speakers dont manage to come across the nickserv barrier. 02:19 < krzee> lol reiffert 02:19 < krzee> lolipop, no 02:19 < krzee> push "route 172.16.12.0 255.255.255.252.0" 02:19 < krzee> route 172.16.12.0 255.255.252.0 02:20 < krzee> that could NEVER be right 02:20 < krzee> where is 172.16.12.0? 02:20 < krzee> behind server or a client? 02:20 < krzee> and btw 02:20 < krzee> client can NEVER push a route 02:21 < krzee> in fact client can never push ANYTHING 02:21 < mRCUTEO> yeah.. 02:21 < krzee> it can only pull 02:21 < krzee> which is implied by it being a client 02:21 < mRCUTEO> the push should be in the server 02:21 < krzee> mRCUTEO, depends where the subnet is 02:21 < mRCUTEO> ic 02:22 < krzee> it could belong as an iroute and route 02:22 < krzee> if its behind a client 02:22 < krzee> or a push route if its behind server 02:22 < krzee> drunken krzee for the win! 
02:23 < mRCUTEO> '=+\ 02:23 < krzee> dude i was drinking tequila 02:23 < krzee> drinking beer now 02:23 < krzee> going to bed soon 02:24 < krzee> but wish i had some weed 02:24 * mRCUTEO drunken openvpn lecturer 02:24 < mRCUTEO> krzee drunken openvpn lecturer 02:24 < krzee> hah 02:24 < mRCUTEO> you are a drunken lecturer 02:25 < mRCUTEO> "_-) 02:25 < mRCUTEO> teaching while drinking 02:25 < krzee> thats normal, only you are online and not a sexy girl 02:26 < mRCUTEO> lol.. 02:26 < krzee> lolipop, ???? 02:26 < jeev> krzee 02:26 < jeev> iodine has crap lag 02:26 < jeev> but i guess its ok 02:26 < krzee> jeev, told you 02:27 < krzee> its not iodine, its ANY tunneling over dns 02:27 < krzee> iodine is superios to alternatives 02:28 < krzee> superior 02:28 < jeev> yea 02:28 < jeev> latency wise 02:28 < lolipop> sorry, 172.16.12.0 is behind server 02:28 < jeev> ping to my dns was 400 ms 02:28 < jeev> or something 02:28 < jeev> it's awesome though 02:28 < jeev> i cant wait to test it 02:28 < krzee> lolipop, you want it in a push route 02:28 < krzee> remove it from client 02:28 < krzee> and only push, not just a route command 02:28 < lolipop> done, removed from client 02:29 < reiffert> tunneling over dns sounds like I want to test that. 02:29 < krzee> reiffert, play with iodine then 02:29 < mRCUTEO> yes 02:29 < reiffert> should be possible to break 50% of the public wifi hotspots.. 02:29 < mRCUTEO> tunneling over dns 02:29 < mRCUTEO> :) 02:30 < reiffert> with tunneling over dns 02:30 < mRCUTEO> sounds interesting 02:30 < mRCUTEO> hek hek hek 02:30 < mRCUTEO> gimme gimme gimme 02:30 < lolipop> let me try now 02:30 < reiffert> the public unencrypted ones that redirect you to a login page. 02:30 < krzee> reiffert, exactly, opnly ueful for that 02:30 < krzee> only 02:30 < krzee> grrrr 02:30 < krzee> reiffert, exactly, only useful for that 02:31 < reiffert> trying to speak your native language, eh? 02:31 < krzee> ya man 02:31 < krzee> drunk 02:31 < reiffert> On Tuesday. 
02:31 < krzee> any day is good 02:31 < reiffert> :) 02:31 < krzee> it ends in "day" it ok 02:32 < onats> sometimes bright ideas come out when your drunk 02:32 < krzee> onats, mine com in dreams more than drunken time 02:33 < onats> tequila makes me barf even on the first shot 02:33 < krzee> but i have written some savage shell scripts while drunk 02:34 < krzee> i have woke up from being drunk passed out, smoked a blunt, written code i did not understand... but it worked 02:34 < krzee> next morning = confusion on how it works 02:35 < krzee> but fuck it, it worked 02:36 * reiffert was changing the bios password when drunk .. in the age of 14. 02:36 < onats> hahaha 02:36 < onats> lol 02:36 < reiffert> example of "very good idea" 02:36 < krzee> LOL 02:36 < lolipop> http://pastebin.com/m56a575bf <---- is that correct now? 02:36 < onats> when I was 3, i was doing turbo pascal! 02:36 < onats> hahahah 02:37 < krzee> i have a feeling that lead to removing cmos battery 02:37 < krzee> lolipop, why using tap? 02:37 < krzee> should be using dev tun on both client and server 02:37 < lolipop> no idea, lol 02:37 < reiffert> krzee: well, it took quite some time to recover the bios controls ... 02:38 < lolipop> okay 02:38 < lolipop> anything else is wrong? 02:38 < reiffert> krzee: I think everybody was claiming that removing the cmos battery will help but it didnt. After failing in finding the cmos reset switch I had to use a checksum password. 02:38 < reiffert> e.g. LKWPETER is one of them 02:38 < krzee> well not wrong 02:39 < krzee> but you could use: 02:39 < krzee> !hmac 02:39 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 02:39 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 02:39 < mRCUTEO> krzee: can ip-over-dns tunneling increase bandwidth speed ? 02:39 < krzee> mRCUTEO, shit no 02:39 < mRCUTEO> have you experience using any daemon for dns tunneling ? 02:39 < mRCUTEO> oh.. 02:39 < mRCUTEO> hehe 02:39 < krzee> dns is an unreliable protocol 02:40 < reiffert> main problem was: no internet at all and flow of information was slow and rare. 02:40 < krzee> and WILL BE SLOWER] 02:40 < mRCUTEO> ic.. 02:40 < krzee> a good understanding of dns will reveal the reasons 02:40 < mRCUTEO> :) 02:41 < krzee> ip over dns will only give you free internet in some situations, otherwise it is useless 02:41 < krzee> which is why i dont support it 02:41 < reiffert> krzee: caching? 02:41 < mRCUTEO> ic.. 02:41 < krzee> if you should be able to get free inet, you can figure it out yourself 02:41 < lolipop> krzee: i still cant ping 172.16.12.1 02:41 < reiffert> krzee: down passing the ns tree? 02:41 < krzee> reiffert, cant cache ip over dns 02:41 < krzee> cause the traffic MUST change 02:41 < reiffert> the reasons for it being slow 02:42 < krzee> lolipop, do you know what a netmask is? 02:42 < krzee> you are using 255.255.255.252.0 02:42 -!- onats [n=15172@unaffiliated/onats] has quit [Remote closed the connection] 02:42 < krzee> that is SO not a valid netmask 02:43 < reiffert> he still is_ 02:43 < reiffert> ? 02:43 < krzee> ya man 02:43 < mRCUTEO> ahax 02:43 < reiffert> who's the sober folk in here? 02:43 < krzee> no clue 02:43 < krzee> it sure as shit aint me 02:43 < lolipop> erm.... 02:43 < reiffert> offforasmoke 02:44 < krzee> bring me some weed and ill do it all for you 02:44 < krzee> =[ 02:45 < krzee> lolipop, ??? 02:45 < krzee> do you know what a netmask is? 
02:46 < lolipop> yeah
02:46 < krzee> you sure?
02:46 < lolipop> for ip range?
02:46 < lolipop> i guess
02:46 < krzee> how are you going to have a netmask with 5 octets?
02:46 < mRCUTEO> ahax
02:46 < krzee> try 255.255.255.0
02:46 < lolipop> tried already
02:47 < lolipop> still the same :(
02:47 < krzee> well, 5 octets has not and will never exist
02:47 < krzee> so try it again
02:48 < lolipop> when i try to ping from the openvpn client, still no response
02:49 < lolipop> http://pastebin.com/m4019e44e <--- updated configuration file
02:50 < lolipop> i'm trying to ping the 172.16.12 segment from openvpn client side
02:50 * mRCUTEO time to go
02:50 < mRCUTEO> bye everyone
02:50 < mRCUTEO> bye krzee sleep well
02:51 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
02:51 < krzee> lolipop, in client you can remove pull
02:52 < krzee> client implies this
02:52 < lolipop> okay
02:52 < krzee> you may also want to change udp to tcp
02:52 < krzee> !tcp
02:52 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
02:52 < lolipop> i'm using proto tcp right?
02:53 < lolipop> [16:49] <krzee> you may also want to change udp to tcp ??
02:53 < lolipop> are you trying to say change tcp to udp?
02:53 < krzee> you are using tcp
02:53 < krzee> right
02:53 < krzee> unless you have a reason not to
02:54 < lolipop> on my openvpn client side, it can ping all those machines which is under 172.16.16
02:54 < lolipop> but cant reach on 172.16.12 :(
02:54 < krzee> is he server the router?
02:55 < krzee> is the server the router?
02:55 < lolipop> yeap
02:55 < lolipop> soryr
02:55 < lolipop> no
02:55 < lolipop> sorry, no
02:55 < lolipop> the openvpn server is not on the router
02:55 < krzee> ok, what ip is the server on its lan?
02:56 < lolipop> 4 interface
02:56 < lolipop> 172.16.16.1 , 172.16.12.1 , 172.16.8.1 and 172.16.4.1
02:56 < krzee> ok, what ip is the server on its lan?
02:56 < krzee> its lan
02:56 < lolipop> ok
02:56 < lolipop> 172.16.16.196 < openvpn server
02:57 < krzee> the openvpn server
02:57 < krzee> ok
02:57 < krzee> so the router on that lan
02:57 < lolipop> yeap, router has 4 interfaces, which is 172.16.16.1 , 172.16.12.1 , 172.16.8.1 and 172.16.4.1
02:57 < krzee> it needs to know that all traffic for EVERY network tha exists in the vpn is behind 172.16.16.196
02:58 < krzee> so far that is 172.16.16.0 255.255.255.0
02:59 < lolipop> erm....
02:59 < krzee> s/tha/that/
02:59 < lolipop> ...?
02:59 < reiffert> uah, it's cold outside!
02:59 < krzee> if a client had a lan behind it, you would need another
02:59 < krzee> lolipop,
03:00 < lolipop> yes
03:00 < reiffert> 26 Fahrenheit
03:00 < reiffert> or -3 C
03:00 < krzee> wait
03:00 < ropetin> reiffert: I'm jealous, it's ~70 F here right now at 4am
03:01 < krzee> you aren wrong
03:01 < lolipop> i'm not wrong?
03:01 * ropetin needs some weather other than, "hot and sunny with a chance of rain"
03:01 < reiffert> ropetin: uh, where is that hell?
03:01 < ropetin> Close, Florida, US
03:01 < krzee> oh no i pasted wrong
03:01 < krzee> to get 172.16.12.0 to work
03:01 < lolipop> okay
03:02 < ropetin> We like to think of it as a suburb of Hell, kind of like Hell for all the people who don't want to actually live in down town Hell
03:02 < krzee> you must tell the router behind the server this:
03:02 < reiffert> ropetin: oh well 70F sounds nice for the night. What is it at daytime these days?
03:02 < ropetin> It's not too bad, maybe 80 yesterday, but it is yo-yoing, one day we have it at 62, next day 95
03:02 < lolipop> the router here is using m0n0-wall
03:03 < reiffert> sigh, I could probably ride my bike all year long then
03:03 < krzee> 172.16.16.0 255.255.255.0 is behind 172.16.16.196
03:03 < krzee> so for 172.16.16.0 255.255.255.0 it must send packets to 172.16.16.196
03:03 < ropetin> Trouble is, in the summer it's also really humid. Any kind of exercise outside will exhaust you in seconds
03:04 < krzee> im too drunk for this, good luck everyone
03:04 < krzee> gnite
03:04 < ropetin> krzee: You know what I'm talking about right? It's the same in the islands?
03:04 < lolipop> okay, krzee
03:04 < lolipop> good nite
03:04 < reiffert> ropetin: winter in florida, summer in ireland .. doesnt sound too bad ...
03:04 < krzee> ropetin, TOTALLY
03:04 < ropetin> For some reason I thought you were German, no offense ;)
03:04 < krzee> rain. sun. rain, sun
03:04 < reiffert> ropetin: yeah I am, plans are to move to ireland at some day :)
03:05 < ropetin> Northern Ireland or Ireland?
03:05 -!- sfire [n=sfire@105-107.102-97.tampabay.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
03:05 < reiffert> West Coast, somewhere next to Galway...
03:05 < reiffert> (Ireland)
03:06 < lolipop> thank you so much
03:06 < krzee> oh fuck i just burned my eyelashes trying to light a cig
03:06 < krzee> lolipop, fixed?
03:06 < ropetin> krzee: Seriously, go to bed NOW before someone gets hurt!
03:06 < lolipop> krzee : not yet
03:06 < ropetin> Nice area reiffert, you'll love it
03:06 < reiffert> krzee: did you ever hear from those people who burned their houses, trying to smoke a cig in bed?
03:06 < lolipop> figuring how to tell my router to send packets to 172.16.16.196
03:07 < reiffert> ropetin: been there twice, a friend got a house there.
03:07 < krzee> ropetin, no shit youre right, gnite
03:07 < reiffert> even the nick tab completion refuses to work for the drunk people :)
03:08 < ropetin> How is the immigration policy to Ireland from Germany?
03:08 < ropetin> I know it was fairly complex for me to get into the US from the UK
03:08 < reiffert> There is no.
03:08 < lolipop> krzee, how if i install the openvpn server on the router
03:08 < lolipop> will it solve all the problem?
03:08 < reiffert> lolipop: yes.
03:10 < lolipop> ohh
03:12 < ropetin> reiffert: ahh, the whole European union thing means you can just move there?
03:13 < reiffert> ropetin: more or less it does. Some exceptions for poland and other eastern countries.
03:13 < reiffert> Other regulations allow you to stay in spain when you visit your home-country for more than 30 days/year (or similar)
03:15 < krzee> ropetin, where are you from?
03:18 < ropetin> I'm from the UK originally, but I live in Florida now
03:18 < ropetin> I've been here for years though. When I left I had to use my passport to get around Europe mostly
03:19 < ropetin> It's changed a lot apparently :D
03:19 < reiffert> when did you leave?
03:19 < ropetin> 2000
03:20 < reiffert> ah well then you missed the new currency all over europe (but UK)
03:21 < reiffert> some cheap airlines allow people to travel all over europe and I think people now just do that pretty often.
03:22 < reiffert> People from eastern countries flood central/western europe ...
03:22 < reiffert> france and germany pretend to belong to the "old world" ah well ...
03:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:23 < reiffert> ropetin: what parts of germany did you visit?
03:25 < ropetin> I went to Cologne, one time, in about 86 :)
03:25 < ropetin> We spent more time in France, Spain, Portugal and Yugoslavia (when there still was a Yugoslavia)
03:39 -!- lolipop [n=soontak@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
03:58 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn
04:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:38 -!- mRCUTEO [n=info@118.101.178.121] has joined ##openvpn
04:38 < mRCUTEO> hiya :D
04:49 -!- mRCUTEO [n=info@118.101.178.121] has quit []
05:22 -!- lolipop [n=soontak@219.94.54.133] has quit [Remote closed the connection]
05:27 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
05:37 -!- bi0os [n=Miranda@189.25.182.180] has joined ##openvpn
06:15 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn
06:28 -!- bi0os [n=Miranda@189.25.182.180] has quit ["i´am go =)"]
06:36 -!- ||arifaX [n=||arifaX@unaffiliated/arifax/x-427475] has joined ##openvpn
06:51 < ecrist> reiffert: I'm aware of subject alternative name, but those certificates, when you get one signed by a CA already trusted by browsers, are really expensive.
07:03 < ecrist> http://img171.imageshack.us/img171/9763/codersgu6.jpg
07:49 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:07 -!- freysteinn [n=freystei@ailab-gw.ru.is] has joined ##openvpn
09:09 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal]
09:13 -!- dvl [n=nnnnnnnd@pdpc/supporter/professional/dvl] has joined ##openvpn
09:13 < dvl> morning geeks
09:16 < ecrist> how goes dvl?
09:41 -!- thechef [n=testi@84-73-191-221.dclient.hispeed.ch] has joined ##openvpn
09:42 < thechef> I added ifconfig-pool-persist, but reconnecting clients get a different ip
09:43 < ecrist> what does the man page say about that?
09:43 < ecrist> I don't use ipp, so I'd be looking it up myself.
09:46 < thechef> wait..
09:48 < thechef> maybe i figured out what the problem is.. i understood the 2nd parameter as something like dhcp lease time, but it's the interval openvpn uses to persist ip addresses, so if a client isn't connected long enough the mapping isn't persisted.. that's weird though, cause i thought it would read the mapping from memory then
09:53 < dvl> ecrist: seems to be going OK. I thought I had a VPN problem, but now I think it is a certificate-related Nagios issue.
09:53 < dvl> nrpe[44367]: Error: Could not complete SSL handshake. 5
09:54 < ecrist> dvl - what sort of nagios check are you attempting?
09:55 < thechef> no.. it doesn't seem to work with a lower persist-interval either
09:56 < ecrist> the easiest/safest thing we came up with was to ping the tun interface IP for the OpenVPN server - when the daemon is dead, that IP seems to go away.
09:58 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has joined ##openvpn
09:59 < thechef> oops, looks like i need different CN
09:59 < thechef> which I don't have
09:59 -!- tarbo [n=me@unaffiliated/tarbo] has left ##openvpn []
09:59 < mindframe-> does anyone have knowledge of the --socks-proxy function in openvpn? I can't seem to get it to work.
10:00 < ecrist> thechef: what os?
10:00 < thechef> Can I have ipp make a real-ip virtual-ip mapping instead?
10:00 < thechef> server is debian etch, clients are ubuntu and debian
10:00 < ecrist> I don't understand what you mean
10:00 < ecrist> ubuntu ~= debian
10:01 < ecrist> oh, I think I understand what you mean - no, you can't.
10:01 < ecrist> create a different certificate for each client.
10:01 < thechef> okay.. that's not possible as there are way too many clients
10:01 < ecrist> mindframe-: never played with it, but I can try to help
10:01 < ecrist> thechef: what's way too many?
10:02 < ecrist> just curious
10:02 < ecrist> thechef: I think, if you use a secondary authentication method, such as LDAP, you can assign an IP to the VPN client based on username.
10:02 < mindframe-> ecrist, http://pastebin.com/m5fa3b69c
10:02 < thechef> ecrist: i don't know how many.. i just don't know how to create them automatically as i don't know who uses my vpn
10:04 < ecrist> I wrote a perl script to do some of that, you can look at the source
10:04 < ecrist> !ssl-admin
10:04 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn
10:04 < ecrist> check the second link
10:04 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
10:04 < ecrist> it doesn't do batch processing yet, but could be persuaded to.
10:04 < ecrist> mindframe-: tun/tap?
10:05 < ecrist> and udp or tcp?
10:05 < ecrist> nm, can we see your configs?
10:05 < ecrist> !configs
10:05 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:05 < mindframe-> ecrist, udp tun
10:05 < ecrist> hrm...
10:06 < ecrist> mindframe-: lemme see your config, and are you sure your proxy is up?
10:06 -!- thechef [n=testi@84-73-191-221.dclient.hispeed.ch] has quit [Read error: 104 (Connection reset by peer)]
10:07 < mindframe-> ecrist, http://pastebin.com/m79e430a5
10:07 < mindframe-> ecrist, yes im sending traffic through the proxy currently
10:08 < ecrist> I don't see an option in there for --socks-proxy 127.0.0.1 9999
10:08 < mindframe-> i put it at the cmd line
10:09 < ecrist> try putting it in the config
10:09 < ecrist> without the --
10:09 < mindframe-> k
10:09 < mindframe-> same error
10:11 < ecrist> odd, I'm not sure. have you added socks-proxy-retry?
10:11 < mindframe-> i tried that... it just produces the same error repeatedly
10:12 < ecrist> I'd post on the mailing list, see if one of the devs can help you out.
krzee might know what's up, but apparently he went to bed late, a little drunk. ;)
10:12 < mindframe-> hah
10:12 < ecrist> 03:04 < krzee> im too drunk for this, good luck everyone
10:12 < mindframe-> are the mailing list details on the openvpn site?
10:12 < ecrist> he's probably a bit more knowledgeable than I
10:13 < mindframe-> thanks for your help
10:13 < ecrist> yeah, the openvpn.net site sucks
10:13 < ecrist> http://openvpn.net/index.php/documentation/miscellaneous/mailing-lists.html
10:13 < vpnHelper> Title: Mailing Lists (at openvpn.net)
10:13 < ecrist> !mailinglist
10:13 < vpnHelper> ecrist: Error: "mailinglist" is not a valid command.
10:13 < ecrist> !lear mailinglist as http://openvpn.net/index.php/documentation/miscellaneous/mailing-lists.html
10:13 < vpnHelper> ecrist: Error: "lear" is not a valid command.
10:13 < ecrist> !learn mailinglist as http://openvpn.net/index.php/documentation/miscellaneous/mailing-lists.html
10:13 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
10:13 < mindframe-> should i post to dev or users?
10:14 < ecrist> users
10:14 < ecrist> iirc, the dev list is invite-only
10:15 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
10:15 < bigjohnto> hello if I want a certain user to always use the same ip when they log in, am i able to make a configuration change to the file.ovpn file that sits on the client machine?
10:18 < ecrist> no
10:18 < ecrist> it would need to be done at the server side
10:18 < bigjohnto> ecrist what would i have to do on the server side to assign specific ip addresses to clients?
10:19 < bigjohnto> or a link if you wouldn't mind
10:19 < ecrist> read the man page, look for option ifconfig-pool-persist
10:19 < ecrist> !man
10:19 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:19 < ecrist> if you're using 2.1
10:19 < ecrist> !betaman
10:19 < vpnHelper> ecrist: "betaman" is http://www.openvpn.net/man-beta.html
10:21 < bigjohnto> thanks :)
10:23 < ecrist> np
10:26 < plaerzen> morning ovpn
10:43 < ecrist> morning plaerzen
10:44 < plaerzen> woop.
11:01 -!- ||arifaX [n=||arifaX@unaffiliated/arifax/x-427475] has quit [Read error: 54 (Connection reset by peer)]
11:05 < plaerzen> ugh. With the IT manager sick for the day - I'm in charge of the rest of the IT team. I don't know how to manage. Damn. I'm just working on my own stuff and they come and bug me about what to do....
11:06 < plaerzen> I can't even manage myself
11:09 < ecrist> lol
11:19 < plaerzen> the new helpdesk chick is doing good though. She is ADD, which is good for a helpdesk person (I think).
11:33 < ecrist> mmmmmm helpdesk chick
11:33 < plaerzen> lol. Dirty old man
11:34 < ecrist> how 'old' do you think i am?
11:34 < plaerzen> 33
11:35 < ecrist> no
11:36 < ecrist> 29
11:36 < plaerzen> ah, my bad.
11:36 < ecrist> i'm not 'old' till next year
11:36 < plaerzen> of course
11:44 < jeev> ecrist, im sick cause of you
11:45 < ecrist> yeah, prolly. or sick *of* me...
11:45 < jeev> well, i saw one of your videos
11:45 < jeev> and i hurled for hours
11:46 < ecrist> o.O
11:46 < ecrist> videos?
11:46 < jeev> YOU KNOW!
11:46 < ecrist> oh, 2g1c?
11:46 < ecrist> lol
11:47 < jeev> shit man
11:47 < jeev> i'm sick though
11:47 < jeev> kind of.
11:58 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has joined ##openvpn
11:58 < Grandia> hi
11:59 < Grandia> what does build-key-pkcs12 do & why don't I have build-key-pass under windows 2.0.5 build?
11:59 < ecrist> Grandia: first, use a more current version, 2.0.9 is the current version.
11:59 < ecrist> sounds like your questions are in regard to easy-rsa?
12:00 -!- RonDutt [n=thedot@c-24-17-159-108.hsd1.wa.comcast.net] has quit [Read error: 60 (Operation timed out)]
12:02 -!- RonDutt [n=thedot@c-24-17-159-108.hsd1.wa.comcast.net] has joined ##openvpn
12:02 < Grandia> yes
12:03 < Grandia> it's the 2.0.9 installer I downloaded
12:03 < Grandia> but openvpn --version reports 2.0.5
12:13 < ecrist> hrm, weird
12:13 < ecrist> I'm not a fan of easy-rsa, so I don't know a lot about it
12:20 < Grandia> well how else would I do it under windows?
12:30 < ecrist> have you read through the howto?
12:30 < ecrist> there's probably some data there about it.
12:30 < Grandia> I'm using this guide here: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/
12:30 < ecrist> I've never had to build keys or certificates on windows.
12:30 < vpnHelper> Title: Its A Tech World | How to configure OpenVPN (at www.itsatechworld.com)
12:30 < ecrist> !howto
12:31 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
12:52 < Grandia> hmmm
12:52 < Grandia> well I'll give it a read through later
12:52 < Grandia> too hard to read without contacts in
12:52 < Grandia> I'll go play Persia instead
13:02 -!- [14]Chaosvexs [n=Chaosvex@ip-87-82-79-153.easynet.co.uk] has quit [Read error: 113 (No route to host)]
13:09 < krzee> headache =/
13:09 < ecrist> lol
13:12 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit []
13:18 -!- bimbo [n=oso@200.92.175.120] has joined ##openvpn
13:21 < bimbo> hello, I'm trying to compile openvpn in opensolaris, since I need the tun driver I downloaded (v1.1) and replaced tun.c with the one supplied from openvpn.net, however I always get the errors devfsadm: driver failed to attach: tun and Warning: Driver (tun) successfully added to system but failed to attach
13:22 < bimbo> I've tried searching for a solution to this but it seems like nobody is using the tun driver (hence openvpn) in opensolaris...
13:23 < bimbo> I mean, there's too little information and some said they've solved this already, but well, placing the driver in all the directories they show doesn't really solve this, has anyone successfully installed the driver in solaris?
13:23 < krzee> i believe your os has tap
13:23 < krzee> but not tun
13:24 < bimbo> krzee: what are you suggesting then?
13:25 < krzee> using tap
13:25 < krzee> (which is a very rare suggestion from me)
13:26 < krzee> http://www.whiteboard.ne.jp/~admin2/tuntap/
13:26 < vpnHelper> Title: TAP driver for Solaris (at www.whiteboard.ne.jp)
13:27 < bimbo> krzee: thank you
13:28 < krzee> !learn solaris as http://www.whiteboard.ne.jp/~admin2/tuntap/ for the solaris tuntap driver, good luck... ive heard mixed reviews. let us know how it works for you
13:28 < vpnHelper> krzee: Joo got it.
13:28 < krzee> np
13:28 < krzee> note, you should still be able to use routed with tap device
13:28 < krzee> its not ideal, but it works
13:28 < ecrist> !learn mailinglist as http://openvpn.net/index.php/documentation/miscellaneous/mailing-lists.html
13:28 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:28 < ecrist> :\
13:29 < krzee> !mail
13:29 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978
13:29 < krzee> the openvpn.net archive sucks
13:31 < ecrist> yeah, it does
13:31 < ecrist> most of the openvpn.net website stuff sucks.
13:31 < krzee> tru
13:32 < krzee> which is why i think francis was nuts
13:32 < krzee> lol
13:32 < krzee> did he ever reply?
13:36 < jeev> who lives in a pineapple under the sea
13:36 < jeev> ecrist squarepants
13:36 < krzee> your mom!
13:36 < ecrist> krzee: no, he didn't
13:36 < krzee> oh boy i think he did!
13:36 < jeev> it's
13:36 < jeev> oh no he di'nt
13:36 < jeev> it's didn't
13:36 < jeev> but the d is silent
13:38 < krzee> but the jeev is never silent =[
13:38 < krzee> *zing*
13:38 < jeev> krzee
13:38 < jeev> why dont you image up the powerpc version of leopard
13:38 < jeev> and send it to me now
13:38 < krzee> powerpc
13:38 < krzee> lol
13:39 < krzee> only powerpc thing i use is my ipod touch
13:39 < jeev> yes
13:39 < ecrist> jeev: I have it, but I will not image it up and send it to you
13:39 < jeev> ipod's are for losers
13:39 < ecrist> that's called warez
13:39 < jeev> damnit ecrist
13:39 < jeev> oh
13:39 < jeev> BAH
13:39 < krzee> hehe
13:39 < krzee> you THEIF
13:39 < krzee> THEIF THEIF
13:39 < ecrist> jeev, you told me how much you have in your bank account.
you can *afford* $129 for a licensed copy
13:39 < jeev> so what
13:40 < jeev> ecrist
13:40 < jeev> paying is for losers
13:40 < jeev> krzee
13:40 < jeev> it's spelled thief
13:40 < jeev> i before e, except after c
13:40 < ecrist> :\
13:40 < jeev> kick your asses sea basses
13:40 < krzee> ok jeev, then how do you spell weird?
13:40 < jeev> i dont care
13:40 < jeev> lol
13:41 < jeev> that one is an exception
13:41 < krzee> how do you spell "hey jeev, when are you going to do something useful in this channel?"
13:41 < jeev> just like how some men like men, in your case, you would know.
13:41 < jeev> i always do something useful
13:41 < krzee> heh
13:44 < jeev> WoW would've been great if it was more like lord of the rings
13:49 < krzee> !factoids search *
13:49 < vpnHelper> krzee: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum', 'secure',
13:49 < vpnHelper> krzee: 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 'irclogs', 'noenc', 'iptables',
13:49 < vpnHelper> krzee: 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', 'bridge-fw', 'linipforward', 'linnat', 'man', 'webgui', 'wintaphide', 'topology', 'configs', 'linfw', 'firewall', 'nocert', 'pushlimit', and 'solaris'
13:50 < krzee> 'download', '', 'forum'
13:50 < krzee> how did you guys do that eric?
13:50 < krzee> that was when people were playing games with the bot
13:50 < krzee> before i stole permissions from *
13:51 < krzee> !
13:52 < krzee> !
13:52 < krzee> ![
13:52 < vpnHelper> krzee: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
13:52 < krzee> ![]
13:52 < vpnHelper> krzee: Error: """ is Keep It Simple Stupid" is not a valid command.
13:52 < krzee> hrmmmmz
13:52 < krzee> !"
13:52 < vpnHelper> krzee: Error: No closing quotation
13:52 < krzee> !""
13:52 < vpnHelper> krzee: "" is Keep It Simple Stupid
13:52 < krzee> !forget ""
13:52 < vpnHelper> krzee: Error: You must not give the empty string as an argument.
13:53 < ecrist> how did we do what, jeff?
13:53 < krzee> 'download', '', 'forum'
13:53 < krzee> the middle entry is no char
13:53 < krzee> i just made headway
13:53 < krzee> found what it says...
13:54 < krzee> !forget ''
13:54 < vpnHelper> krzee: Error: There is no such factoid.
13:54 < krzee> !forget ""
13:54 < vpnHelper> krzee: Error: You must not give the empty string as an argument.
13:54 < krzee> !forget " "
13:54 < vpnHelper> krzee: Error: There is no such factoid.
13:54 < ecrist> krzee: !forget \"\"
13:54 < krzee> !forget "" 1
13:54 < vpnHelper> krzee: Error: You must not give the empty string as an argument.
13:54 < krzee> !forget \"\"
13:54 < vpnHelper> krzee: Error: There is no such factoid.
13:54 < krzee> !forget [""]
13:54 < vpnHelper> krzee: Error: There is no such factoid.
13:54 < krzee> !forget "[]"
13:54 < vpnHelper> krzee: Error: There is no such factoid.
13:54 < ecrist> !forget '""'
13:54 < vpnHelper> ecrist: Error: There is no such factoid.
13:55 < krzee> !forget '""'
13:55 < vpnHelper> krzee: Error: There is no such factoid.
13:55 < krzee> !forget "''"
13:55 < vpnHelper> krzee: Error: There is no such factoid.
13:56 < krzee> heh
13:56 < ecrist> vim factoids.db
13:56 < ecrist> :)
13:56 < krzee> not cleartext
13:57 < ecrist> lame
13:57 < ecrist> I still say I could make an easier bot to deal with.
13:57 < jeev> i believe you ecrist, now send it
13:57 < ecrist> for example, a bot that would use the channel access list for authorization
13:57 < jeev> i think you're an awesome programmer
13:57 < jeev> .dmg is fine
13:58 < krzee> ecrist, im not stopping you
13:58 -!- ecrist [n=ecrist@MINERVA.SECURE-COMPUTING.NET] has left ##openvpn []
--- Log closed Wed Dec 17 13:58:19 2008
--- Log opened Wed Dec 17 14:59:28 2008
14:59 -!- ecrist [n=ecrist@MINERVA.SECURE-COMPUTING.NET] has joined ##openvpn
14:59 -!- Irssi: ##openvpn: Total of 41 nicks [0 ops, 0 halfops, 0 voices, 41 normal]
14:59 -!- Irssi: Join to ##openvpn was synced in 1 secs
15:35 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has quit ["Ex-Chat"]
16:59 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has joined ##openvpn
16:59 < mindframe-> is there a way to get one openvpn daemon to support both tcp and udp connections?
17:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:24 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has left ##openvpn []
17:34 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
17:42 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has quit [Remote closed the connection]
17:43 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has joined ##openvpn
18:38 < krzie> mindframe-, no
18:54 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
18:55 < mRCUTEO> hello bucko
18:56 < krzie> heya
18:57 < mRCUTEO> ;) how ya doing man
18:57 < mRCUTEO> wake from drunkin already :D
18:58 < krzie> haha
18:58 < krzie> ya man i was hammered
18:58 < krzie> =]
19:00 < mRCUTEO> :)
19:00 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
19:11 -!- RonDutt [n=thedot@c-24-17-159-108.hsd1.wa.comcast.net] has quit ["Leaving"]
19:17 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:34 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"]
20:02 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn
20:17 < krzie> hey loli
20:17 < krzie> how are ya
20:17 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
20:20 < lolipop> hey krzie
20:20 < lolipop> i'm fine
20:20 < lolipop> lol
20:20 < lolipop> hows ur dream?
20:20 < lolipop> still drunk?
20:24 < krzie> nah its the next day and im sober again
20:24 < krzie> lol
20:24 < krzie> did we get your vpn working last night?
20:25 < lolipop> too bad, no :(
20:28 < krzie> i dont remember whats wrong
20:29 < krzie> but i can help more if you like
20:29 < krzie> ill prolly be better at it since im sober ;]
20:30 < lolipop> great
20:30 < lolipop> have u ever heard about m0n0-wall ?
20:33 < krzie> if i remember correctly, its a modified freebsd with web interface, used for a firewall
20:34 < lolipop> yeap
20:34 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has joined ##openvpn
20:34 * tjz swim in
20:34 < krzie> ive never used it, but i use freebsd
20:35 < lolipop> now i have a machine which is running m0n0-wall with 4 interfaces, 172.16.4.0 172.16.8.0 172.16.12.0 and 172.16.16.0
20:35 < lolipop> and my openvpn server is setup under the 172.16.16
20:35 < krzie> ohhh its coming back to me
20:35 < lolipop> lol
20:36 < krzie> keep going tho
20:36 -!- bimbo [n=oso@200.92.175.120] has joined ##openvpn
20:36 < lolipop> alright
20:37 < bimbo> hello, I'm trying to compile openvpn with lzo support, I've already installed the lzo v 2.03 but it complains about not being able to find the library (although it does find the headers)
20:37 < bimbo> why is this happening? maybe it doesn't support lzo v2?
20:37 < lolipop> my problem now is, once my openvpn client connected from other place, it cant reach 172.16.4.0 172.16.8.0 172.16.12.0
20:43 < lolipop> krzie: my configuration -> http://pastebin.com/m494dbbdf
20:44 < krzie> bimbo what os?
20:45 < krzie> lolipop and the server is on the same box as the default router for those LANs right?
20:45 < bimbo> krzie: opensolaris (once again..)
20:45 < krzie> ohhh right
20:46 < lolipop> yes
20:46 < lolipop> sorry? the openvpn server is one of the machines which is connected to the m0n0-wall with ip 172.16.16.196
20:47 < krzie> so for example, a machine on 172.16.4.0, has its default gateway as the same machine the openvpn server is on
20:47 < bimbo> the guys at opensolaris should do something like archlinux did: let the community contribute with packages for the os, so others won't have so much trouble when trying out something not officially supported...
20:47 < krzie> ahh
20:47 < krzie> lolipop your setup is prolly doing exactly what it should
20:47 < lolipop> okay
20:47 < krzie> lolipop you have those 4 lans setup so that each cannot reach the other, right?
20:48 < lolipop> from my openvpn server, i can reach other without any problem
20:48 < krzie> ok so try this then
20:48 < lolipop> okay
20:48 < krzie> on m0n0wall machine, you must add a route
20:48 < krzie> to the vpn network, through 172.16.16.196
20:50 < lolipop> ermm....
20:50 < krzie> bimbo have you seen this link?
20:50 < krzie> http://blogs.reucon.com/srt/2008/12/17/installing_openvpn_on_opensolaris_2008_11.html
20:50 < vpnHelper> Title: Installing OpenVPN on OpenSolaris 2008.11 - Stefan Reuter (at blogs.reucon.com)
20:50 < krzie> prolly not since it looks like it was made today, lol
20:51 < bimbo> hehe no I haven't, I tried googling first but this didn't show up
20:51 < krzie> oh, that used --disable-lzo
20:51 < lolipop> krzie: it seems like m0n0wall dont have the option for me to add route
20:51 < krzie> not helpful to what you're saying
20:51 < bimbo> krzie: no prob
20:51 < bimbo> just realized it was my bad
20:51 < krzie> lolipop, cant you ssh into it?
20:51 < lolipop> krzie: for your info, i only have the WebGUI access for the m0n0
20:51 < lolipop> the ssh port is not open
20:51 < bimbo> I had installed lzo under /usr/local/lib
20:52 < bimbo> reinstalling to /usr/lib did the trick
20:52 < krzie> lolipop if you cant add a route, you cant do what you're saying...
i can explain why if you like
20:52 < krzie> ahhh
20:52 < lolipop> sure
20:52 < krzie> bimbo the lzo guys might like to know that
20:53 < krzie> assuming it wasnt the right dir for the os the first time
20:53 < krzie> (could have been openvpn's fault, but im thinkin lzo)
20:53 < krzie> opensolaris is little enough used they prolly never tested on it
20:53 < bimbo> I think it's openvpns fault, since it didn't look at /usr/local for the library
20:54 < bimbo> adding --prefix=/usr to configure made it
20:54 < krzie> gotchya, in that case letting the mail list know might be nice
20:54 < krzie> !mail
20:54 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978
20:54 < krzie> of course you dont hafta do anything you dont want, but it would help the next guy im sure
20:54 < bimbo> krzie: ok, I will do that and point them to that url you provided earlier
20:56 < krzie> cool
20:56 < krzie> lolipop, if the router has no route to the vpn
20:57 < krzie> lets say vpn network is 10.8.0.x
20:57 < krzie> the vpn client sends traffic to the lan
20:57 < krzie> lan gets it and tries to respond
20:57 < krzie> lan machine that is
20:58 < krzie> when it tries to respond, it has no route to the vpn, so it uses its default route (the m0n0wall box)
20:58 < krzie> the m0n0wall box has no route to the vpn, so it sends to its default route
20:58 < krzie> which is the internet
20:58 < krzie> who ignores it, because it is a RFC 1918 ip (aka lan only)
20:59 < krzie> the annoying work-around would be to add the route to every box
20:59 < lolipop> ohh
21:00 < krzie> the easy way is to give the route to the router
21:00 < lolipop> is that possible to solve it by setting up the openvpn server on m0n0wall ?
21:00 < krzie> and now that i have explained that, i will update my routing howto with the explanation
21:00 < krzie> to do that you would need ssh access to the m0n0wall box
21:00 < krzie> and if you do that, just add the route
21:01 < lolipop> yeah, i will need to find out the ssh access from a guy
21:01 < krzie> !route
21:01 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
21:01 < lolipop> lol, actually i'm a web developer
21:01 < krzie> gotchya =]
21:02 < lolipop> hehe
21:02 < lolipop> no choice
21:03 < lolipop> krzie: if i have ssh to the m0n0wall
21:03 < lolipop> if i can* ssh to the m0n0wall
21:05 < lolipop> then i should add the route something like this: route add 172.16.16.196 gateway 172.16.12.1 ?
21:05 < krzie> 1sec
21:05 < lolipop> i remember the route argument is different in freebsd
21:05 < lolipop> okay
21:06 < krzie> no
21:07 < krzie> route add 10.8.0.0 -gateway 172.16.16.196
21:07 < lolipop> eh? how come there is a 10.8.0.0 appearing ?
21:07 < krzie> err
21:07 < krzie> i always use 10.8.0.x for my vpn network
21:08 < krzie> i just saw a problem in your setup
21:08 < lolipop> what is the problem?
21:08 < krzie> you should not be giving out ips in a network that are already in use
21:08 < krzie> if you just change server 172.16.16.0 255.255.252.0 to 10.8.0.x everything will work after you add that route
21:08 < krzie> or some other random not in use network of LAN ips
21:09 < lolipop> route add 172.16.18.0 -gateway 172.16.16.196 <---- if i assign 172.16.18.0 to my vpn, correct ?
21:09 < lolipop> owh, okay
21:10 < lolipop> lol, i just finished my nmap scan, only ports 53 and 80 are open on m0n0wall
21:14 < krzie> lol
21:18 -!- bimbo [n=oso@200.92.175.120] has quit [Read error: 104 (Connection reset by peer)]
21:26 < lolipop> anyway, krzie, thanks a lot for your guide and info
21:26 < krzie> you're welcome =]
21:26 < krzie> hey i have a question for you
21:26 < krzie> you're in china right?
21:27 < lolipop> lol
21:27 < lolipop> i'm chinese, but not from china
21:27 < lolipop> i'm from malaysia
21:27 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has quit [Remote closed the connection]
21:27 < krzie> ohhh gotchya
21:27 < krzie> then i dont have a question anymore
21:27 < lolipop> u r from ?
21:27 < krzie> but if you're here when i finish adding to my guide ill have you tell me if it is clear
21:28 < krzie> im from usa, but i live in the caribbean now
21:28 < lolipop> oh, sure
21:29 < lolipop> pirates of the caribbean
21:29 < lolipop> lol
21:29 < krzie> thats me!
21:29 < tjz> hahaha
21:30 < tjz> you haven't heard of the somali pirates
21:30 < krzie> yes i have
21:30 < krzie> in the news
21:30 < krzie> crazy!
21:30 < krzie> they straight up jacked an oil tanker
21:41 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has joined ##openvpn
21:53 -!- Splooge12 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has quit [Read error: 110 (Connection timed out)]
21:54 < onats> krzie, what do you do there?
21:57 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
21:57 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
21:57 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
21:58 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
21:58 < krzie> do where?
22:03 < krzie> !route
22:03 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
22:03 < krzie> i added something at the bottom
22:03 < krzie> If you fail to add this route, here is what would happen if a VPN client (for example, 10.8.0.6) wanted to send traffic to 192.168.2.20:
22:03 < krzie> 1) The vpn client sends traffic to 192.168.2.20, with a source address of 10.8.0.6
22:03 < krzie> 2) 192.168.2.20 gets it and tries to respond to 10.8.0.6
22:03 < krzie> 3) 192.168.2.20 checks its routing table, has no route for 10.8.0.6, and sends the traffic to its default gateway which is 192.168.2.1
22:03 < krzie> 4) 192.168.2.1 checks its routing table, has no route for 10.8.0.6, and sends the traffic to its default gateway which is likely its ISP
22:03 < krzie> 5) The ISP ignores it, because it is a RFC 1918 ip (aka lan only)
22:03 < krzie> the annoying work-around would be to add the route to every box on the LAN, in which case step 2 above would work.
22:22 < krzee> lolipop, if that was already in my routing writeup would it have helped you?
22:27 < krzee> whoa cool ecrist
22:28 < krzee> i wrote RFC 1918 in the explanation
22:28 < krzee> and the wiki made it a link to the RFC
22:31 -!- lolipop [n=soontak@219.94.54.133] has quit [Read error: 110 (Connection timed out)]
23:19 -!- thechef [n=testi@147.86.196.134] has joined ##openvpn
23:20 < thechef> Can I use username-as-common-name in combination with ifconfig-pool-persist?
23:21 < thechef> instead of client certificates
23:26 < krzee> sure
23:26 < krzee> ipp will use common name
23:26 < krzee> and with username as common name that becomes the username
23:26 < krzee> i havnt done it, but if it doesnt work i consider it a bug
23:34 < thechef> Yeah it seems to work.. though for some reason i don't seem to reach the server via vpn anymore then
23:35 < thechef> What happens if two clients connect with the same username?
23:35 < thechef> when ipp is active
23:35 < thechef> maybe that's the reason why it doesn't work
23:35 < thechef> to reach the server
23:36 < thechef> maybe i can't reach any other machine either, but i couldn't test that
23:53 < krzee> thechef, same thing as if 2 clients connect with the same common-name
23:53 < krzee> (in their cert)
23:54 < krzee> WITH ipp, it breaks stuff
23:54 < krzee> without ipp, it breaks stuff unless duplicate-cn is enabled
23:58 < thechef> okay.. so i disabled both username-as-common-name and ipp
23:58 < krzee> keep username-as-common-name
23:59 < krzee> add duplicate-cn
23:59 < krzee> and you can have multiple usernames connect
23:59 < krzee> (without ipp.txt or any other manual assigning of ips)
--- Day changed Thu Dec 18 2008
00:00 < thechef> but i can already connect twice with the same username, i just have username-as-common-name disabled. Or is that configuration still likely to be unstable?
00:00 < krzee> well, you will be giving different certs to each user?
00:00 < thechef> no
00:00 < thechef> no certs are required
00:01 < krzee> what is your goal?
00:02 < thechef> No additional goals since I can't have multiple clients connect with the same username when ipp is enabled
00:02 < krzee> what is your real goal?
00:02 < thechef> Just a stable configuration
00:03 < krzee> you have ventured far from the path of a normal configuration
00:03 < krzee> im wondering if there is a reason
00:03 < thechef> it's quite an open VPN. Everyone should be able to connect with the same username
00:03 < krzee> but if you dont want to tell me what you're trying to do, thats fine
00:04 < thechef> As I said.. since ipp won't work i have no additional goals. All I want now is to make sure that my configuration is stable, and it's the first time I've heard of duplicate-cn, that's why I asked if I should activate it though it works already without
00:05 < krzee> do you need multiple clients with the same common-name to connect...
00:05 < krzee> ?
00:05 < krzee> (at the same time)
00:05 < thechef> I don't have client certs
00:05 < thechef> nor do I see need for username-as-common-name anymore
00:06 < krzee> *shrug* if it works for you i guess its fine
00:06 < krzee> not an ideal setup for security
00:06 < krzee> but thats your call
00:06 < krzee> its not my vpn ;]
00:06 < thechef> Yeah.. all security is done somewhere else :)
00:07 < krzee> by a simple login/pass?
00:07 < thechef> no.. whoever joins the VPN has to make sure that his machine is secured :)
00:07 < krzee> lol
00:07 < krzee> well if you're happy, cool =]
00:08 < thechef> I use it to play red alert and similar :)
00:08 < krzee> ahh
00:08 < krzee> that would have been a good answer to this:
00:08 < krzee> [02:02] <krzee> what is your goal?
00:08 < thechef> oh :D
00:09 < thechef> Yeah probably :)
00:09 < krzee> ;]
00:09 < krzee> so you're using tap and bridge, right?
00:09 < thechef> No bridging, just tap
00:10 < krzee> many network games use MAC addresses to communicate, as opposed to ip addresses
00:10 < krzee> if you wont be using games like that, routed is fine
00:10 < krzee> if you will, need bridge
00:10 < thechef> Well Red Alert originally used IPX, but since IPX is a mess to configure on newer operating systems it runs on an IPX->UDP wrapper
00:11 < thechef> But I leave on tap in case I manage to configure IPX
00:12 < thechef> Does broadcasting work with tun?
00:12 < krzee> with a broadcast relay
00:12 < krzee> but without external software, no
00:13 < thechef> Okay.. maybe that's the reason why I use tap :D
00:13 < krzee> does broadcasting work with tap but a routed setup?
00:13 < krzee> you see, ive never seen anyone use tap with routed
00:13 < thechef> I don't have routing
00:13 < krzee> if you dont bridge, you are routing
00:13 < krzee> when you give out ips, you use a server statement?
00:14 < thechef> The VPN is not connected to a LAN
00:14 < krzee> something like server 10.8.0.0 255.255.255.0
00:14 < krzee> a routed setup has nothing to do with LANs
00:14 < krzee> it has to do with how stuff is tunneled
00:14 < krzee> routed you tunnel IP traffic over IP
00:14 < krzee> bridged you tunnel ethernet frames over IP
00:15 < thechef> ah
00:15 < krzee> you only use bridges when you need to communicate based on MAC address
00:15 < krzee> (as stolen from the topic)
00:16 < thechef> Okay
00:16 < krzee> but
00:16 < krzee> you tell me
00:16 < krzee> does broadcasting work in your current setup?
00:16 < thechef> yes
00:16 < krzee> interesting
00:16 < krzee> maybe thats a reason to use routed in a tap device
00:16 < krzee> i sent a message to the mail list for clarification for me
00:17 < krzee> you'll be done before i get an answer, but i want to better understand
00:17 < krzee> I know you can run a routed setup (server 10.8.0.1 255.255.255.0) in a
00:17 < krzee> tap device as opposed to tun.
00:17 < krzee> What happens in this case? Is there ever a valid reason to do this?
00:17 < krzee> -krzee
00:17 < krzee> I know you <--- the start of my message
00:18 < thechef> Well but do I use routing?
First I thought I wouldn't use bridging because I thought of bridge-utils
00:19 < krzee> ohhh i guess that is a valid reason
00:19 < krzee> broadcasting is confined to ethernet frames
00:19 < krzee> which you are using because of tap
00:19 < thechef> :)
00:19 < krzee> but you are using openvpn's routed technique for communicating in those ethernet frames
00:19 < krzee> and broadcast IS ip
00:20 < krzee> but it is ip that wont route over the inet
00:20 < krzee> i never thought about that
00:21 < krzee> For example, --server 10.8.0.0 255.255.255.0 expands as follows:
00:21 < krzee>
00:21 < krzee> mode server
00:21 < krzee> tls-server
00:21 < krzee> if dev tun:
00:21 < krzee> ifconfig 10.8.0.1 10.8.0.2
00:21 < krzee> ifconfig-pool 10.8.0.4 10.8.0.251
00:21 < krzee> route 10.8.0.0 255.255.255.0
00:22 < krzee> if client-to-client:
00:22 < krzee> push "route 10.8.0.0 255.255.255.0"
00:22 < krzee> else
00:22 < krzee> push "route 10.8.0.1"
00:22 < krzee> if dev tap:
00:22 < krzee> ifconfig 10.8.0.1 255.255.255.0
00:22 < krzee> ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
00:22 < krzee> push "route-gateway 10.8.0.1"
00:22 < krzee> Don't use --server if you are ethernet bridging. Use --server-bridge instead.
00:22 < krzee> see, you are pushing a route to the client
00:22 < krzee> push "route-gateway 10.8.0.1"
00:24 < krzee> hrm, i take that back, --server-bridge pushes a route too
00:24 < krzee> hrm, i guess i need to get a response to my question to the list
00:24 < krzee> im glad you came with this question! gunna learn some stuff from it i think
00:28 < krzee> just to be sure... your setup is working how you want, right?
00:34 < krzee> kudos thechef, i think you picked the best way for your setup, a way i did not know would work
00:34 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn
00:34 < krzee> and taught me something in the process, so thank you
00:35 < krzee> reiffert, did you see that?
a way to allow broadcasting in a routed setup
00:39 < lolipop> yoo
00:40 < lolipop> krzee: i have a problem here, why do i get this error : Options error: --server directive network/netmask combination is invalid when i put this line in the server config: server 172.16.18.0 255.255.252.0
00:40 < lolipop> do u have any idea?
00:40 < lolipop> for ur info, my machine is using 172.16.16.196
00:43 < krzee> lolipop, how many hosts will connect?
00:44 < krzee> err, clients
00:44 < lolipop> 2
00:45 < krzee> use 255.255.255.0
00:46 < lolipop> it works, but from client, it cant ping 172.16.16.1
00:46 < krzee> remember those routes i told you you needed to add...?
00:46 < lolipop> openvpn is on 172.16.16.196, and now client is on 172.16.18.6
00:46 < lolipop> yeap
00:46 < krzee> that is why
00:47 < krzee> packets get to 16.1, but 16.1 has no way to reach the client cause it has no route to 18.6
00:47 < lolipop> krzee: when i use server-bridge right, the client can ping all those machines which are under the same subnet
00:48 < krzee> right, because it communicates with the router using MAC addresses not IP addresses
00:48 < krzee> so there is no route to be added
00:48 < thechef> krzee: yes it's working how i want it to
00:48 < krzee> with your setup, all you need is 1 route on 1 machine
00:48 < krzee> you just dont know how to do that
00:48 < krzee> thechef, sweet
00:49 < krzee> lolipop, i suggest to you you figure out how to ssh to your m0n0wall box
00:49 < krzee> im sure the folks in #m0n0wall could help you with that
00:51 < lolipop> krzee: i'm setting up an environment with 2 lans
00:51 < lolipop> hehe
00:51 < lolipop> so i can try on that environment without affecting the m0n0wall
00:55 < krzee> i dont know what you mean
00:56 < krzee> btw, with 172.16.18.0 255.255.252.0 your ip range was:
00:56 < krzee> 172.16.16.1 - 172.16.19.254
00:56 < krzee> as seen at: http://www.subnet-calculator.com/subnet.php?net_class=B
00:56 < vpnHelper> Title: Online IP Subnet Calculator (at
www.subnet-calculator.com)
00:57 < krzee> and with the server in 172.16.16.x that doesnt work out
00:57 < krzee> the server would try to take 172.16.16.1 for itself
00:57 < krzee> but that is its default gateway
00:58 < krzee> pretty smart of openvpn to say no instead of breaking your connection
00:59 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has quit [Remote closed the connection]
01:02 < krzee> lolipop, pick a machine on your lan you want to communicate with the vpn client
01:02 < krzee> and tell me its IP
01:02 < krzee> (not an ip on the m0n0wall box)
01:03 < lolipop> ermm
01:03 < lolipop> 172.16.16.182
01:03 < krzee> ok, now go to that box
01:04 < krzee> add a route, telling it that 172.16.18.0 255.255.255.255 routes to 172.16.16.196
01:05 < krzee> this is now explained in my routing writeup by the way
01:05 < krzee> sometime if you could look at that and tell me if it makes sense to you ild appreciate it
01:05 < krzee> (only the very bottom has changed)
01:05 < lolipop> so i will do this : route add 172.16.18.0 gateway 172.16.16.196 , correct ?
01:06 < krzee> i believe so
01:06 < krzee> i dont use linux really
01:06 < simplechat> krzee, nobody's perfect
01:06 < krzee> simplechat, i use bsd :-p
01:06 < simplechat> :)
01:06 < simplechat> cool
01:06 < simplechat> which?
01:07 < krzee> free
01:07 < krzee> well for servers, i like osx for desktop
01:07 < krzee> i have used linux, ild say for linux gentoo got it right
01:08 < krzee> but i only used it a little, never really admin'ed it
01:08 < simplechat> gentoo?
01:08 < simplechat> why?
01:09 < krzee> their hier is less uglied up
01:09 < krzee> file hierarchy
01:09 -!- lolipop [n=soontak@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
01:09 < krzee> package management system is nice
01:09 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn
01:10 < krzee> and they let you install what you need, vs the shotgun approach
01:10 < krzee> (which sucks sometimes, but with their nice package management system, isnt very painful)
01:10 < lolipop> done, the route is added
01:11 < simplechat> hmmm.
01:11 < simplechat> krzee, compared to debian, say?
01:12 < krzee> debian isnt bad either
01:13 < krzee> well not that bad
01:13 * ropetin jumps in...
01:13 < ropetin> Debian rules!
01:13 < krzee> heheh
01:13 * ropetin jumps out again...
01:13 < krzee> wassup rope!
01:13 < lolipop> windows rox !
01:13 < ropetin> Hehhe, nada, just working as normal :D
01:13 * lolipop is hiding
01:13 * krzee tilts his head in confusion while looking at loli
01:14 < ropetin> I won't start an argument again, but Windows IS pretty good, for what it is
01:15 < lolipop> krzee: the routing for 172.16.16.182 --> http://pastebin.com/m1898dd97
01:15 < krzee> you need to change the netmask
01:15 < krzee> its 255.255.255.255
01:15 < krzee> should be 255.255.255.0
01:17 < simplechat> lolipop, you're joking?
01:17 < Grandia> ok, so a question about the basic operation of openvpn.... it encrypts the data before it gets sent through the physical NIC card so that if I'm using a network connection in a hostile environment it'll stop a man in the middle attack?
01:17 < krzee> Grandia, correct
01:18 < simplechat> yep
01:18 < krzee> they can even sniff the connecting phase without being able to decrypt the traffic
01:18 < krzee> that is the point =]
01:18 < simplechat> now a question is how can i get openvpn to directly connect peers?
01:18 < simplechat> without having everything running through a central server?
01:18 < krzee> you can not
01:18 < simplechat> oh
01:18 < simplechat> thats crap
01:18 < krzee> *shrug*
01:18 < simplechat> how can i directly connect peers then?
01:18 < simplechat> without openvpn?
01:19 < krzee> ipsec does it
01:19 -!- thechef [n=testi@147.86.196.134] has quit [Read error: 110 (Connection timed out)]
01:19 < simplechat> krzee, ?
01:19 < Grandia> so ideal situation is I setup the server on my home pc here with a "trusted" net connection then go web surfing in mexico... connect to my home pc openvpn & it acts as secure as my normal isp
01:19 < krzee> ipsec is another method of setting up a vpn
01:19 < simplechat> is it any good?
01:19 < simplechat> easy to use?
01:19 < krzee> i dont use it
01:20 < krzee> (by choice)
01:20 < simplechat> why?
01:20 < krzee> it uses its own encryption protocol
01:20 < krzee> which has had issues in the past
01:20 < simplechat> basically i've got a bunch of machines in australia and a server in america
01:20 < krzee> openvpn uses SSL
01:20 < krzee> i told you my answer to your problem already
01:20 < simplechat> and its really stupid for all my things to go around the world
01:20 < krzee> have a server in au and a server in usa
01:20 < simplechat> krzee, any other ways to do it?
01:20 < krzee> connect the servers
01:20 < simplechat> server costs are insane here
01:21 < krzee> heh i have a server in au
01:21 < simplechat> as are bw costs, btw
01:21 < Grandia> so get a bigpond account
01:21 < simplechat> ....
01:21 < Grandia> & get stuff tfered into the non-counted areas for you
01:21 < simplechat> Grandia, that won't work for me
01:22 < Grandia> why not?
01:22 < simplechat> like atm i'm thinking of ssh vpn tunnels
01:22 < simplechat> but thats not really the best solution
01:23 < lolipop> krzee, just now u said -> [15:01] <krzee> add a route, telling it that 172.16.18.0 255.255.255.255 routes to 172.16.16.196
01:24 < lolipop> if i put the netmask with 255.255.255.0, i will get this : route: netmask 000000ff doesn't make sense with host route
01:24 < krzee> i said 255.255.255.255!?
01:24 < krzee> my mistake if i said that
01:24 < krzee> i meant 255.255.255.0
01:24 < krzee> lol
01:25 < krzee> that is the correct netmask
01:25 < krzee> in hex
01:25 < lolipop> hehe
01:25 < lolipop> ok done, 172.16.18.0 172.16.16.196 255.255.255.0 UG 0 0 0 eth0
01:25 < krzee> ok, now ping that machine from the client
01:25 -!- bimbo [n=oso@200.92.175.120] has joined ##openvpn
01:26 < lolipop> no response
01:26 < krzee> lolipop, can you ping 172.16.18.1?
01:26 < krzee> (from client)
01:27 < bimbo> hello again, when running the server as a low privilege user it won't be able to properly stop it, since it cannot alter the routing table nor unlink the tun interface
01:27 < bimbo> what can be done to solve this?
01:27 < lolipop> krzee: can
01:28 < lolipop> krzee : i can 172.16.16.196 too
01:28 < krzee> bimbo, could prolly make a --down script that does it all, and has privileges to do what you want
01:29 < bimbo> krzee: yeah that's what I just did... but didn't like it.. but I guess there can't be any other way to solve this right..
01:29 < krzee> lolipop, so the client can not ping 172.16.16.182, right?
01:30 < krzee> bimbo, i wouldnt like it either to be honest
01:30 < lolipop> krzee : yes, cannot
01:30 < krzee> lolipop, does 172.16.16.182 have a firewall?
01:31 < lolipop> krzee : 172.16.16.182 iptables is off
01:32 < lolipop> krzee : client cant ping 172.16.16.1 either
01:32 < krzee> why would client be able to ping 16.1?
01:32 < krzee> 16.1 has no route back
01:32 < lolipop> oh
01:32 < krzee> as ive stressed to you like 4 times
01:32 < lolipop> yeh yeah, sorry
01:33 < krzee> show me your configs again pls
01:34 < krzee> (they have changed since you last posted them)
01:36 < lolipop> http://pastebin.com/m264f7bde
01:36 < lolipop> here it is
01:36 < lolipop> hehe
01:44 * lolipop ping soontak
01:51 < krzee> it should be able to ping 172.16.16.182
01:51 < krzee> run tcpdump on 172.16.16.182
01:51 < krzee> then ping it
01:51 < krzee> see if it sees the pings
01:51 < lolipop> i just tried with netcat
01:52 < lolipop> and then broadcast data to 172.16.16.182, it didn't get anything
01:56 < lolipop> krzee : with tcpdump, it can get data
01:57 < lolipop> krzee: i ran this -> sudo tcpdump -s 1550 -w test.pcap dst 172.16.16.182
01:57 < lolipop> and ping from client, i can capture the packet
01:57 < lolipop> but for ur info, the tcpdump is on the vpn server
01:58 < krzee> run tcpdump on the machine you are trying to ping
01:58 < krzee> the vpn server has IP FORWARDING enabled, right?
01:59 < lolipop> yes
01:59 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Ex-Chat"]
01:59 < lolipop> i just tried to tcpdump on another machine ( which is not the server or 172.16.16.182 ), and i am still able to capture the packet
02:02 < krzee> so if 182 doesnt, i blame firewall
02:03 < krzee> add a route back on the other machine
02:03 < krzee> and you will be able to ping it
02:03 < krzee> or figure out how to make a route back on the m0n0wall, and you can ping all (unless firewalls stop you)
02:04 < reiffert> morning
02:05 < krzee> morning!
02:05 < krzee> hey reiffert you see what i typed @ you?
02:06 < krzee> [02:36] <krzee> reiffert, did you see that?
a way to allow broadcasting in a routed setup
02:06 < krzee> without broadcast relay
02:13 < krzee> broadcast is ethernet frame stuff, but works on IP address
02:13 < krzee> so tap with routed setup works for ethernet frames
02:13 < krzee> err works for broadcasting i mean
02:14 < reiffert> ah!
02:14 < reiffert> will have to play with that"
02:14 < reiffert> !
02:14 * reiffert = still sleepy
02:16 < krzee> brb setting up the hookah
02:17 < ropetin> Hmmmmm....
02:19 -!- lolipop [n=soontak@219.94.54.133] has quit [Nick collision from services.]
02:19 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
02:20 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn
02:20 < mRCUTEO> hiya kiddo
02:20 < mRCUTEO> :)
02:20 < lolipop> hi ya mRCUTEO
02:20 < lolipop> hehe
02:20 < mRCUTEO> heeh :D
02:20 < lolipop> sorry krzee, m0n0wall hung, lol
02:20 < mRCUTEO> still working on your config?
02:20 < lolipop> yeah
02:20 < mRCUTEO> okie
02:23 < krzee> his setup is done
02:23 < mRCUTEO> ah good for him
02:23 < krzee> he just cant figure out how to ssh into his m0n0wall router and add a route back to the vpn
02:23 < mRCUTEO> ic
02:23 < krzee> but he'll get there =]
02:24 < mRCUTEO> :)
02:24 < mRCUTEO> BSDs :D
02:27 < krzee> well he has ssh disabled
02:28 < krzee> so he needs to enable it in his wed interface
02:28 < krzee> web
02:28 < mRCUTEO> ic
02:29 < mRCUTEO> is his server hosted in a DC?
02:29 < lolipop> nope
02:29 < mRCUTEO> im sure most DCs provide a good interface for web management
02:29 < mRCUTEO> are u running it at home?
02:29 < mRCUTEO> m0n0wall firewall with web interface?
02:29 < mRCUTEO> do you have the login ?
02:30 < lolipop> yes
02:30 < lolipop> i have it
02:30 < lolipop> nope
02:30 < lolipop> i have the login*
02:30 < lolipop> haha
02:30 < lolipop> too many questions
02:30 < lolipop> its just located somewhere around my office
02:31 < lolipop> anybody know how to run this on centos ?
netcat -l -p 1234 > filename
02:31 < lolipop> i tried with nc , but i got some argument error
02:32 < lolipop> krzee: does that mean the data is sent to 172.16.16.182 ? because i was able to capture the data from 172.16.16.179
02:38 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
02:43 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has quit []
02:44 < krzee> yes
02:44 < krzee> it means you have something on 182 blocking the packets
02:44 < krzee> because if they can get to 179, they can get to 182
03:02 < lolipop> opss
03:03 < lolipop> seems like i didn't really get the correct data
03:03 < lolipop> because some other ppl are working on that machine
03:04 < lolipop> thats why i got data captured from 179
03:04 < lolipop> what am i supposed to see when i read the tcpdump log file?
03:06 < lolipop> now i tried to listen on a udp port on 179, and then i broadcast a msg from vpn client to 179, 179 didn't receive anything
03:22 -!- juroskk [n=juroskk@78.141.69.143] has joined ##openvpn
03:25 < juroskk> Hello, is there a way to stop this action when OpenVPN is exiting? /sbin/ifconfig tun2 destroy
03:27 < juroskk> Or to say it more clearly, I need to let the tun interface exist even if the openvpn process exits.
03:27 < reiffert> why?
03:29 < juroskk> I have an ospfd running on the tun interface
03:29 < ropetin> Yeah, what's that going to achieve?
03:29 < juroskk> and it stops working, because it loses the interface
03:29 < ropetin> Sounds like a bad idea all round
03:29 < juroskk> the openvpn is restarted by a script
03:30 < ropetin> Why run it on that interface rather than another?
03:30 < juroskk> I need to route across a few VPNs
03:30 < juroskk> and use OSPF to learn routes
03:31 * ropetin is lost with that one :)
03:32 < juroskk> the problem is this:
03:33 < juroskk> Dec 18 10:11:16 openvpn[25605]: /sbin/ifconfig tun2 destroy
03:33 < juroskk> Dec 18 10:11:16 ospfd[27828]: if_leave_group: error IP_DROP_MEMBERSHIP, interface tun2 address 224.0.0.5: Can't assign requested addres
03:33 < juroskk> Dec 18 10:11:16 ospfd[27828]: if_act_reset: error leaving group 224.0.0.5, interface tun2
03:33 < juroskk> Dec 18 10:11:16 ospfd[27828]: interface tun2 down
03:33 < juroskk> but when I start the openvpn again, ospfd does not catch
03:35 -!- bimbo [n=oso@200.92.175.120] has quit [Read error: 104 (Connection reset by peer)]
03:36 -!- bimbo [n=oso@200.92.175.120] has joined ##openvpn
03:37 < reiffert> does ospfd notice another interface when it comes up?
03:39 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
03:39 < juroskk> it notices ifconfig up/down, but not ifconfig create
03:41 < reiffert> read up on --mktun in the manpage
03:42 < juroskk> Oh, I hadn't noticed that openvpn doesn't delete interfaces created this way
03:42 < juroskk> Thank you
03:51 < reiffert> welcome
03:59 -!- lolipop [n=soontak@219.94.54.133] has quit [Read error: 54 (Connection reset by peer)]
04:03 -!- bimbo [n=oso@200.92.175.120] has quit ["Leaving."]
04:07 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn
04:12 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
04:44 -!- lolipop [n=soontak@219.94.54.133] has quit [Read error: 54 (Connection reset by peer)]
05:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:00 < krzee> o
06:26 -!- juroskk [n=juroskk@78.141.69.143] has quit ["leaving"]
06:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
06:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:17 -!- krzee
[i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
07:31 -!- l2trace99 [n=jr@static-71-251-65-16.tampfl.fios.verizon.net] has joined ##openvpn
07:45 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
--- Log closed Thu Dec 18 08:04:34 2008
--- Log opened Thu Dec 18 08:58:22 2008
08:58 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
08:58 -!- Irssi: ##openvpn: Total of 38 nicks [0 ops, 0 halfops, 0 voices, 38 normal]
08:58 -!- Irssi: Join to ##openvpn was synced in 18 secs
08:59 < l2trace99> i don't see where they are defined, it only says that openvpn will pass arguments
08:59 < l2trace99> it shows the environmental vars
09:00 < l2trace99> but no description of arguments passed
09:00 -!- [gnubie] [n=[gnubie]@cm248.omega113.maxonline.com.sg] has joined ##openvpn
09:00 < [gnubie]> please enlighten my limited understanding and hopefully not be biased...
09:01 < krzie> See the "Environmental Variables" section below for additional parameters passed as environmental variables.
09:01 < krzie> Note that cmd can be a shell command with multiple arguments, in which case all OpenVPN-generated arguments will be appended to cmd to build a command line which will be passed to the script.
09:01 < [gnubie]> is openvpn or an ssl based vpn a good choice for sip traffic?
09:01 < krzie> [gnubie], as opposed to what?
09:02 < krzie> you know you could use srtp to encrypt the sip rtp without tunneling
09:03 < krzie> i dont think asterisk supports it, but i know for sure freeswitch does
09:03 < [gnubie]> krzie: ip sec vpn?
09:03 < krzie> [gnubie], where both people talking are connected to the vpn?
09:04 < [gnubie]> krzie: not all sip servers support sip+tls and srtp
09:05 < [gnubie]> krzie: precisely.. asterisk doesn't support it
09:06 < krzie> asterisk also does not support 'not crashing'
09:06 < [gnubie]> krzie: first, tunnelling 2 locations.. second, road warriors
09:06 < [gnubie]> krzie: no comment about that..
:D
09:07 < krzie> personally i would use openvpn in all situations except 1
09:07 < krzie> if you plan to have a phone setup where primary use will be connected users talking to each other
09:08 < krzie> in that situation, ipsec will out-perform
09:08 < krzie> based on the fact that ipsec supports direct client-to-client
09:08 < krzie> oh wait, im wrong
09:08 < krzie> the traffic will flow through the server either way
09:09 < krzie> so there is no advantage to ipsec there either
09:09 < krzie> and ive personally used sip over openvpn, no issues
09:09 < [gnubie]> krzie: what about performance and voice quality?
09:10 < krzie> i would consider those issues if they didnt get a thumbs up
09:10 < krzie> of course the most important thing there is your link to the server
09:10 < krzie> if its not super-high latency and not much jitter, it will be fine
09:10 < krzie> but thats no fault of the vpn
09:11 < l2trace99> krzie: Thanks. English is my first language and I have only been speaking/reading it for 30 years
09:11 < krzie> l2trace99, congrats
09:11 < l2trace99> sorry for the denseness
09:11 < l2trace99> i read everything around it
09:13 < [gnubie]> krzie: next question would be: how to do server sizing for an openvpn server/gateway mainly for sip traffic?
09:13 < krzie> server sizing?
09:14 < [gnubie]> krzie: yes.. how to compute what the right hardware specs are.. no branded servers here.. i have to assemble a pc clone here
09:14 < krzie> no idea
09:15 < [gnubie]> krzie: let's say, there will be 10 concurrent calls and all of these calls come from the road warriors and use the g.711u codec
09:15 < krzie> still no idea
09:16 < krzie> but 10 concurrent users...
09:16 < krzie> you could use damn near any box for that 09:16 < krzie> some old pentium 1 could handle that 09:17 < l2trace99> [gnubie]: what is your bandwidth 09:17 < [gnubie]> l2trace99: let's say 1m 09:18 < l2trace99> [gnubie]: figure 89k + ssl overhead per call 09:18 < l2trace99> from the vpn 09:18 < [gnubie]> l2trace99: although, thinking of using g.729 to save bandwidth 09:18 < [gnubie]> l2trace99: the "ssl overhead" part is what i don't know 09:18 < [gnubie]> l2trace99: sorry, i'm wrong 09:19 < [gnubie]> l2trace99: you're talking about the bandwidth 09:19 < l2trace99> yes 09:19 < [gnubie]> l2trace99: my concern is on the hardware sizing 09:20 < l2trace99> [gnubie]: what is the max number of users you are planning ? 09:20 < [gnubie]> l2trace99: if there will be 10 concurrent calls, the openvpn gateway/server will be busy doing encryption/decryption during that time and assuming the entire 1m up/down is fully utilized.. 09:21 < [gnubie]> l2trace99: let's say up to 10 concurrent calls 09:22 < [gnubie]> l2trace99: if let's say that 10 concurrent calls utilize the 1m up/down bandwidth, how much hardware resources does it need? 09:23 < l2trace99> are you looking to put it all on one box ? ( openvpn and voice switch ) ? 09:26 < [gnubie]> l2trace99: nope 09:26 < [gnubie]> l2trace99: just a dedicated openvpn box for the routing, keys, etc. 09:27 < l2trace99> then it doesn't really matter because your bottleneck would still be bandwidth 09:27 < l2trace99> [gnubie]: i am in no way an openvpn expert 09:27 < l2trace99> [gnubie]: but according to this http://lists.soekris.com/pipermail/soekris-tech/2006-January/009873.html 09:27 < vpnHelper> Title: [Soekris] net4801 performance with OpenVPN (at lists.soekris.com) 09:28 < l2trace99> you can support 2.5 megs on via 233 09:28 < [gnubie]> l2trace99: yes, i know that part.. the bandwidth requirement..
but my concern here is on the server sizing 09:28 < l2trace99> so specs matching a lowend pc meet your needs 09:29 < l2trace99> if you go crazy and just do a standard lowend server build you're covered 09:30 < [gnubie]> wow! 09:30 < l2trace99> other people here can give you better advice 09:31 < l2trace99> but from my understanding of what I read, that is what I would do 09:31 < [gnubie]> l2trace99: so, the openvpn server sizing is actually on how large the expected bandwidth that is passing through and not actually on the busyness of encryption/decryption part.. 09:32 < krzie> i agree 09:32 < krzie> 10 vpn users using sip sized BW even at ulaw is nothing 09:32 < krzie> would not tax a lowend server 09:33 -!- BadPtr [i=42fe2542@gateway/web/ajax/mibbit.com/x-e608ea6df022bcf0] has joined ##openvpn 09:33 < [gnubie]> krzie: i see.. nice.. ;) 09:34 < BadPtr> pardon me, I need some guidance on using ifconfig-pool-persist ... what's the separator for the ipp file? tabs? It simply ignores the file content from what I can tell 09:34 < BadPtr> or maybe there is another config directive that I have not set 09:35 < [gnubie]> actually my worry before why i was asking on how to do a server sizing for a pure sip/rtp traffic is because if the machine is busy enough on encryption and decryption, it will affect the voice quality of the calls.. qos is a different story here.. 09:35 < krzie> BadPtr it takes ipp.txt as a suggestion 09:35 < krzie> if you want static ips, 09:35 < krzie> !static 09:35 < vpnHelper> krzie: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 09:36 < BadPtr> alright, I'll have a look into that ... does it push the proper IP based on the CN?
09:37 < BadPtr> oh yeah, client config 09:37 < BadPtr> nvm 09:37 < krzie> !ccd 09:37 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client 09:39 < krzie> !learn ccd as entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name 09:39 < vpnHelper> krzie: Joo got it. 09:39 < krzie> !forget ccd 1 09:39 < vpnHelper> krzie: Joo got it. 09:51 < ecrist> krzie: fyi - i moved to a larger ip block this morning, so there may be some residual dns problems with my domains 09:53 -!- mpetersen [n=mpeterse@66.88.39.226.ptr.us.xo.net] has joined ##openvpn 09:54 < mpetersen> Can I bind to 2 local IP addresses somehow? local IP1 IP2 only binds to IP1, same with local IP1,IP2. But if I bind to all it doesn't work because the server doesn't respond from the VIP and the client gets confused. 09:55 < mpetersen> Could I potentially have 2 servers running sharing an ifconfig-pool-persist? 09:57 < krzie> ahh gotchya ecrist 09:58 < krzie> doesn't work because the server doesn't respond from the VIP 09:58 < krzie> VIP? 09:58 < krzie> ohh virtual ip 10:04 < l2trace99> is there any way around /30 ifconfig-push for windows ? 10:05 < krzie> yes 10:05 < krzie> !topology 10:05 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 10:06 < et> "is is it is" looks broken ;) 10:08 < mpetersen> Yeah, virtual IP. runs with heartbeat. So, no good solution you know of? 10:10 < krzie> ahh thanx et 10:10 < krzie> mpetersen so even if you bind to 2 ips wont you have the same issue with the other virt ip? 10:11 < mpetersen> No.. different routes. 
10:12 < mpetersen> 192.168.1.42 (available internally, routed for internal networks) and 66.88.39.42 for Internet (backup if WAN goes down) 10:12 < krzie> you can bind to all and firewall off all but what you want 10:12 < krzie> or you can run 2 instances 10:12 < mpetersen> Can I have a shared ifconfig-pool-persist file then? 10:12 < mpetersen> if I run two instances... 10:12 < krzie> i guess so, but why would you want to? 10:13 < mpetersen> firewall does no good, incoming to 192.168.1.42 responds from 192.168.1.40. I could translate, but that seems silly 10:13 < mpetersen> so if the WAN goes to and it connects via the internet the IP wouldn't change... 10:13 < mpetersen> er if the WAN goes down and it connects 10:13 < krzie> the local ones i assume are for --redirect-gateway 10:13 < krzie> right? 10:14 < mpetersen> I don't think so 10:14 < krzie> then whats the lan one for? 10:14 < mpetersen> I want to connect via point-to-point T1 connection, but if the T1 fails it can go over the internet as a backup 10:15 < mpetersen> It's for something like this - http://www.linuxjournal.com/article/9915 10:15 < vpnHelper> Title: Building a Multisourced Infrastructure Using OpenVPN (at www.linuxjournal.com) 10:15 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has quit ["GG. X_X"] 10:15 < krzie> listening on all and firewalling all but what you want to listen to is - to listening on multiple 10:15 < krzie> no difference 10:16 < krzie> and in 2.1 you may find <connection> blocks useful 10:16 < mpetersen> it is... I can firewall off 192.168.1.40 all day, but when I connect to 192.168.1.42 it will still be able to respond from 192.168.1.40.. or I have to do IP redirection with iptables. 10:16 < krzie> then dont connect to .42 10:16 < krzie> connect to .40 instead 10:16 < krzie> and firewall off .42 10:17 < krzie> cause that same problem will exist if you only listen to .42 in your example 10:17 < mpetersen> Well... then it's not a VIP.
I guess I can get around this by having multiple IPs in the client config... 10:17 < krzie> it is the OS that decides what ip to respond as, not openvpn 10:17 < mpetersen> so if the server fails and vip moves, I'd like to connect to a single IP... 10:17 < mpetersen> Well I know the OS decides, but if its bound to only 192.168.1.42 then it will respond from .42 10:18 < krzie> you can have multiple --remote statements, and even diff configs for each in <connection> blocks 10:18 < mpetersen> Hence wanting to bind to 2 IPs. I can do it without a roaming virtual and just list multiple remote servers though I guess 10:19 < krzie> !betaman 10:19 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 10:19 < krzie> to see more bout <connection> blocks 10:20 < krzie> in the page you linked me to they used multiple remote statements 10:20 < krzie> (it is the right way) 10:20 < krzie> and they bound to all ips in that link too 10:20 < krzie> basically, they did what im saying 10:21 < mpetersen> Yeah, I'll go with the multiple remote option 10:21 < krzie> not really an option 10:21 < krzie> its the only way to do what you're saying 10:22 < mpetersen> Well I could have 2 server instances with a shared --ifconfig-pool-persist file, if that works... 10:22 < krzie> what do you hope to gain from --ifconfig-pool-persist file 10:23 < mpetersen> static IPs. I could use ccd or something I'm sure, it's nice to setup a new client and have it assigned a new IP though. 10:23 < mpetersen> without having to configure anything. 10:23 < krzie> the manual says ipp.txt is only a suggestion and will not always be obeyed 10:23 < ecrist> :( pastebin.ca isn't routable to my new IP block, either. 
10:23 < krzie> so no, thats not gunna work for you 10:24 < krzie> !static 10:24 < vpnHelper> krzie: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 10:24 < krzie> --ifconfig-pool-persist file [seconds] 10:24 < krzie> Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown. 10:24 < krzie> The goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool. Maintaining a long-term association is good for clients because it allows them to effectively use the --persist-tun option. 10:24 < krzie> file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>. 10:24 < krzie> If seconds = 0, file will be treated as read-only. This is useful if you would like to treat file as a configuration file. 10:24 < krzie> Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push 10:24 * [gnubie] waves.. gtg now.. thanks krzie and l2trace99.. 10:24 < krzie> np 10:25 -!- [gnubie] [n=[gnubie]@cm248.omega113.maxonline.com.sg] has quit ["Leaving"] 10:26 < mpetersen> Oh.. they're just mostly static then? I haven't run into a problem with not getting the IP from that file... 10:26 < krzie> !learn ipp as Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static 10:26 < vpnHelper> krzie: Joo got it. 
10:26 < krzie> no, they are NOT static 10:26 < krzie> they are a suggestion 10:26 < krzie> which may or may not be obeyed 10:26 < krzie> as the manual says 10:26 < mpetersen> Ok, so CCD with 2 server instances, or two remote servers... 10:26 < mpetersen> thanks. 10:26 < krzie> the other thing is this: 10:27 < krzie> you cant have both servers giving out the same block of ips 10:27 < krzie> because each server will want to bind to .1 and routing would be saying "wtf dude" 10:27 < mpetersen> oh... 10:27 < krzie> (2 separate problems, not same) 10:28 < krzie> so like 10.8.0.1 and 10.9.0.1 10:28 < mpetersen> oh.. bah. I guess 2 remotes is the only option. 10:28 < krzie> right, it is 10:28 < krzie> (i remember saying that earlier ;] ) 10:28 < mpetersen> Yeah... I just didn't understand. 10:28 < mpetersen> Too bad local can't take 2 IPs. 10:29 < mpetersen> thanks again. 10:29 < krzie> and the website you showed me to say what you wanted had 2 remotes 10:29 < krzie> np man 10:29 < krzie> i guess you can use same subnet tho 10:29 < mpetersen> The website's 2 remotes is different from what I was trying to accomplish 10:29 < krzie> that web example did 10:29 < krzie> but you have to be tricky bout it 10:29 < krzie> cant just use 2 identical server statements 10:29 -!- AukeF [n=auke@x207.flex.surfnet.nl] has quit [Remote closed the connection] 10:29 < mpetersen> They have clients that connect to 1 or 2 servers... but I have the same server on 2 ips. 10:29 < krzie> can use server on 1, and recreate it on the other 10:30 < mpetersen> that should be 1 of 2 servers. 10:30 < krzie> of course, in the web example its diff boxes so they dont run into the routing problem i bet you would 10:30 < mpetersen> Yeah. That makes sense. 10:30 < mpetersen> I need the server to have a static IP, so running two server instances won't work.
10:31 < krzie> not true 10:31 < krzie> it would still be static as given in config file 10:32 < krzie> when you use server statement it chooses first ip in the block 10:32 < mpetersen> Well then I either end up with a conflict (two tuns with same IP) or each server has a different IP which wouldn't work either. 10:32 < krzie> each server would need diff ip... why wouldnt that work? 10:32 < krzie> you could just push a route to other subnet 10:32 < krzie> and when both are up and you have mixed company, stuff would still work fine 10:33 < mpetersen> I think the cube-routed service requires that the other end IP is static. 10:34 < krzie> each server would still be static 10:34 < krzie> one would be 10.9.0.1 other 10.8.0.1 10:34 < krzie> thats still quite static 10:35 < mpetersen> cube-routed takes remote_mgmt_ip = 10.200.200.5 and remote_data_ip = 10.100.100.101 in the config file. I'd have to restart the service if I connected to the new IP. One config with 10.9.0.1 and the other with 10.8.0.1 10:37 < krzie> i dont know anything about cube-routed so i cant help you there 10:37 < krzie> but openvpn has multiple ways to run scripts 10:37 < mpetersen> I wonder if I can submit a feature request for local to accept multiple IPs. 10:37 < mpetersen> Yeah... there's a ton of options there. 10:38 < mpetersen> I have a few different options again, but I think the multiple --remote or the connection blocks will be simplest. KISS and all.. 10:38 < krzie> of course you can submit a request, but they'll prolly tell you to bind to * and firewall the ips you dont want to bind to (its been requested on the mail list in the past with that answer being unanimous) 10:39 < mpetersen> Well since that solution is bogus in this case, maybe someone would listen this time? 10:39 < mpetersen> but I see your point.
10:39 < krzie> <connection> blocks complement multiple --remote when you need diff stuff for each remote, its not either or 10:39 < mpetersen> well I can do multiple remotes without connection blocks, right? 10:40 < krzie> sure, if you dont want to change options for diff remotes 10:40 < krzie> read the manual! 10:40 < krzie> !betaman 10:40 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html 10:40 < mpetersen> so I should have said multiple --remotes potentially with connection blocks... 10:41 < mpetersen> or one or both, not either or. 10:41 < krzie> ya 10:41 < krzie> exactly 10:42 < krzie> ecrist, i wonder why your provider hates pastebin.ca 10:43 < ecrist> not my provider 10:43 < ecrist> it's someone on their end. 10:43 < ecrist> a different ip block from the same provider (totally different class A) routes without issue 10:44 < krzie> how far does your traceroute get? 10:44 < ecrist> 14 hops 10:44 < krzie> ahh 10:44 < krzie> all the way into CA? 10:44 < ecrist> outside my provider's network for quite a while 10:44 < mpetersen> how many hops to pastebin.ca ? 10:44 < ecrist> oh yeah 10:44 < mpetersen> from the class A that works 10:45 < krzie> mpetersen, good question! 10:45 < krzie> likely taking same hops too 10:45 < ecrist> oh, that class A isn't working now 10:45 < ecrist> I was wrong, it breaks at hop 17 10:46 < krzie> 17!?
damn thats more than i expected in total 10:46 < krzie> you're already up north 10:46 < ecrist> http://pastebin.com/m637e4d96 10:46 < krzie> eric 10:47 < ecrist> thinktel.ca is breaking routing 10:47 < krzie> my trace from san diego dies at that hop, but i can still ping 10:47 < krzie> 12 209.82.125.122 (209.82.125.122) 54.748 ms 54.839 ms 54.607 ms 10:47 < krzie> 13 209.82.119.134 (209.82.119.134) 54.893 ms 55.061 ms 54.560 ms 10:47 < krzie> 14 159.18.52.2 (159.18.52.2) 54.988 ms 54.891 ms 55.150 ms 10:47 < krzie> 15 * * * 10:47 < krzie> 64 bytes from 208.68.18.97: icmp_seq=0 ttl=48 time=55.326 ms 10:47 < ecrist> ok, I can ping from my work office 74 class a, can't ping from my network, 173 class a 10:49 < krzie> you'll prolly find the trace dies at same point tho 10:49 < ecrist> I wonder if pastebin.ca didn't have a spam problem or something, and block 173/8 at the firewall 10:49 < ecrist> yeah, it does 10:49 < krzie> could be, seems to be their border router 10:50 < ecrist> fugger 10:50 < krzie> could email thinktel 10:50 < krzie> ahh no nm, they own the whole /22 so its unlikely they run pastebin 10:51 < krzie> or even the border router 10:51 < mpetersen> any reason to use topology subnet instead of p2p if there will be no windows clients? 10:51 < krzie> afaik, not really 10:52 < krzie> except doesnt p2p take 2 ips per connection? 10:52 < krzie> like a virt ip for server per client? (im not sure) 10:52 < mpetersen> man page says 1 per client 10:52 < krzie> but not in subnet 10:52 < mpetersen> net30 takes 4 (broadcast, server, client, network) 10:53 < krzie> ohh i see 10:53 < mpetersen> subnet and p2p sound the same, but p2p doesn't work with Windows 10:53 < krzie> thought you meant 1 per client as in 1 virt ip on server per client 10:53 < krzie> right, i think you are right 10:53 < krzie> so if you dont need <connection> or subnet you can prolly get away with 2.0.9 10:54 < mpetersen> yeah but I'm using the Ubuntu package which is 2.1 based...
10:54 < mpetersen> some of the server instances will need subnet too 11:08 < krzie> hey, i just realized you could make ipp.txt into a static ip map 11:08 < krzie> but not with the ipp directive 11:08 < krzie> OpenVPN's internal client IP address selection algorithm works as follows: 11:08 < krzie> 1 -- Use --client-connect script generated file for static IP (first choice). 11:08 < krzie> 2 -- Use --client-config-dir file for static IP (next choice). 11:08 < krzie> 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice). 11:09 < krzie> after you made an ipp.txt, you could remove the ipp directive, and have your --client-connect feed ips from that file 11:12 -!- P4k3 [i=P4k3@c-0c34e255.014-33-6b6c7810.cust.bredbandsbolaget.se] has joined ##openvpn 11:15 < P4k3> I have a problem I hope you guys can help me with. I have just joined a new computer to an active directory domain using an openvpn bridge tunnel. Now I want to log on with a username in the AD, but when the password isn't cached it is a bit of a problem as the tunnel isn't initiated on system start.. Can I make the system initiate a tunnel on boot using the openvpn service when the cert is password protected? 11:19 -!- protocols [n=protocol@p5791FCDA.dip.t-dialin.net] has joined ##openvpn 11:39 < l2trace99> is there a way of doing ifconfig-pool within a ccd file ? 12:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 13:17 -!- xaashi [i=mahmed@r253122126.resnet.cornell.edu] has joined ##openvpn 13:18 < xaashi> hi, a complete vpn newbie needing some understanding of what in the world to do next 13:19 < xaashi> my connection seems to be up (hooraaay) 13:19 < xaashi> now i want to run services that are on my server i.e. tunnel firefox, what in the world do i do 13:20 < xaashi> thanks ..
and patience for vpn cluelessness is much appreciated 13:21 < ecrist> xaashi: you need to set up routes for that traffic 13:21 < ecrist> sounds like you want redirect-gateway 13:21 < ecrist> search the man page for openvpn and you should be on the right track 13:22 < xaashi> ok, so in principle, if i want my traffic on 80/8080 to go through the vpn, then i need to add a route for it? 13:23 < xaashi> or for that matter, any traffic i want to direct through the vpn, i add routes 13:23 < ecrist> yes 13:23 < ecrist> you can't do it by port, only by IP. 13:23 < ecrist> unless you use policy-based routing on the firewall that's on the local machine 13:24 < xaashi> umm, there will only ever be one machine using it 13:24 < ecrist> doesn't matter 13:24 < xaashi> kool, back to the reading, 13:24 < xaashi> cheers 13:24 < ecrist> cheers 13:33 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn 13:55 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: reiffert 13:55 -!- mpetersen [n=mpeterse@66.88.39.226.ptr.us.xo.net] has left ##openvpn [] 13:58 -!- Netsplit over, joins: reiffert 14:03 < xaashi> hi 14:03 < xaashi> could this be why i cant use the --redirect-gatewat 14:03 < xaashi> could this be why i cant use the "--redirect-gateway" option 14:03 < xaashi> "WARNING: potential route subnet conflict between local LAN [10.8.142.0/255.255.255.0] and remote VPN [10.8.142.1/255.255.255.255]" 14:14 < ecrist> yep 14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:06 < krzie> !configs 15:06 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:40 < P4k3> Is it possible to have the VPN tunnel initiated before logging in on windows?
15:41 < P4k3> When the certificate is password protected. 15:42 < reiffert> By guessing the password? 15:45 < P4k3> I have the password.. but don't I need to pass the password on with some kind of parameter when starting it as a system service? 15:46 < reiffert> parameters should get listed here: 15:46 < reiffert> !man 15:46 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 15:47 < P4k3> Yeah checked there.. either I'm blind (most likely) or it isn't possible? :) 15:48 < reiffert> What word did you search the manpage for? 15:52 < P4k3> The manpages aren't available in windows as there is no "man"? :) Checked the manual url.. Not sure what command I want.. Gonna try --auth-user-pass I guess 15:54 < reiffert> Checking the manual URL sounds like a good strategy. So what did you search for? You were guessing about blindness and such so you must have spent some time searching there. But what for? 15:58 < P4k3> Found this now... 15:58 < P4k3> The major disadvantage with this method is that there is no way to supply the OpenVPN Service with the password used to encrypt your private key. This means that you must use an un-encrypted private key when using this method. A way to get around the problem with having your private key lying unprotected on your hard drive is to import it to the MS Certificate Store and use the --cryptoapicert option to load it. Remember t 15:58 < P4k3> So not possible to do what I wanted then I presume.. :/ 16:01 < reiffert> Did you read until "A way to get around"? 16:01 < reiffert> or did you read up to --askpass? 16:03 < P4k3> nope, did not... But thx for the hint 16:15 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 16:15 < P4k3> Second time this happens.. I create a couple of certificates one day without problems.. A couple of weeks later when I try to create a new one it doesn't work.
I don't seem to be the only one with that problem either 16:15 < oc80z> haaay 16:27 < P4k3> With a little bit of brain usage I managed... :P 16:27 < P4k3> hopefully 16:32 -!- xaashi [i=mahmed@r253122126.resnet.cornell.edu] has left ##openvpn [] 16:44 < reiffert> P4k3: probably you didnt read the docs properly. 16:45 < P4k3> No I didn't study them hard... 16:45 < reiffert> Do you know the official howto? 16:46 < reiffert> It's all the basics about certificate creation... 16:47 -!- xaashi [i=mahmed@r253122126.resnet.cornell.edu] has joined ##openvpn 16:48 < P4k3> I read it once, but I didn't understand that you needed to run the "vars.bat" again when you needed to create additional client certs. 16:49 < reiffert> :) 17:16 -!- xaashi [i=mahmed@r253122126.resnet.cornell.edu] has left ##openvpn [] 17:17 -!- xaashi [i=mahmed@r253122126.resnet.cornell.edu] has joined ##openvpn 17:19 < xaashi> Hi, i've been trying to find a solution to this for a while now, but i've been lost by the tonne of information, 17:19 < xaashi> what is the openvpn equivalent to simple port forwarding between 2 machines, i.e. something like ssh -L 8080:<remote_machine>:80 <local_machine> 17:20 < reiffert> There is none. 17:21 < xaashi> ecrist: thanks for your help earlier, i've been trying the "--redirect-gateway" option, but routes just seem to mess up and i can't ping anything 17:23 < reiffert> Introduction 17:23 < reiffert> OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension 17:23 < xaashi> reiffert: it seems like a bit of an overkill when really all i want to use openvpn for is to forward web-traffic so that u can watch uk tv online when i'm out of the country 17:24 < xaashi> the only options seem to be a whole load of iptable configurations, special routes and the lot?! 17:25 < reiffert> No. There are other options. 17:26 < xaashi> such as 17:26 < reiffert> the one you already mentioned and other kinds of vpn software.
17:28 < xaashi> sadly the beeb seems to be very good at not letting simple portforwarding work :) 17:28 < reiffert> But when openvpn really is what you want to have, then it is as easy as following the beautiful howto which does two things: It explains all the stuff and it's easy and it doesnt want you to have a whole load of iptable configuration or special routes and the lot. 17:28 < reiffert> Well actually that is more than two things. 17:30 < reiffert> xaashi: oh, and btw, having an http proxy installed at your homesite, such as squid, will be a simple solution to the problem. 17:30 < xaashi> yes it's beautiful and the tun device is working 17:30 < xaashi> just can't do anything with it 17:31 < xaashi> reiffert: you have a point 17:32 < reiffert> Can you get me a coffee for that point? 17:32 < xaashi> love to 17:32 < xaashi> you have to come and collect tho' 17:33 < reiffert> Alright. Which country? 17:33 < xaashi> currently at the home of the brave and the land of the free 17:33 < xaashi> appr. 17:33 < reiffert> appr.? 17:34 < xaashi> apparently .. 17:34 < reiffert> oh, the home of the brave ... ireland! 17:34 < reiffert> and the land of the free ... ireland! 17:34 < xaashi> all i've met so far is really annoying customs officials that make you feel like you've just committed genocide and lots of loud nice people 17:35 < xaashi> ^ yes craggy island 17:35 < reiffert> met so far in ireland/island/##openvpn? 17:36 < reiffert> Where exactly do I get my coffee in ireland? 17:36 < xaashi> at the pub 17:36 < xaashi> it's locally known as guiness 17:37 < xaashi> strange name .. but tastes good .
and has a nice frothy head 17:43 < xaashi> reiffert: i'm off, enjoy the coffee, and thanks 17:44 -!- xaashi [i=mahmed@r253122126.resnet.cornell.edu] has quit ["Leaving."] 19:06 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection] 19:28 -!- iamamoron [n=iamamoro@210.238.181.187] has joined ##openvpn 19:28 < iamamoron> hi there 19:29 < iamamoron> i normally use openvpn to get inside our network from anywhere, now I stayed in some hotel tried to connect to our network but it seems I cant be connected, is there by any chance that the hotel firewall is causing the problem in which i cannot connect? any ideas? 19:29 < krzie> yes it is very possible 19:30 < krzie> if you are signed in and can reach google for example, you could try running it on udp 53 19:30 < krzie> (easy to test if it would work by querying a 3rd party nameserver for a dns entry 19:30 < krzie> ) 19:30 < krzie> otherwise, tcp 443 should be safe from anywhere that allows inet 19:32 < iamamoron> what do u mean? 19:32 < krzie> i mean if you are connected to the internet and cant connect from there, its a firewall stopping you 19:32 < krzie> many firewalls allow udp 53 (dns port) 19:33 < krzie> and basically ALL allow tcp 443 (web ssl port) 19:33 < iamamoron> can i also run openvpn on port 53? 19:34 < iamamoron> my server listens on 1194 19:34 < iamamoron> in this case what should I do in my server so that I can connect in most cases 19:34 < iamamoron> ? 19:35 < krzie> you can run your server on any open port you want 19:36 < iamamoron> problem is 19:36 < iamamoron> if other networks are blocking it 19:36 < iamamoron> i cant get through 19:36 < iamamoron> what i want, is I should be connected all the time 19:36 < iamamoron> would it be possible?
19:37 < krzie> i cant tell you what the world uses for their firewalls
19:37 < krzie> i told you what is normal
19:38 < iamamoron> what is the normal
19:38 < iamamoron> so that in most cases i can connect
19:38 < krzie> <krzie> if you are signed in and can reach google for example, you could try
19:38 < krzie> running it on udp 53
19:38 < krzie> <krzie> (easy to test if it would work by querying a 3rd party nameserver for
19:38 < krzie> a dns entry
19:38 < krzie> <krzie> )
19:38 < krzie> <krzie> otherwise, tcp 443 should be safe from anywhere that allows inet
19:51 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has joined ##openvpn
20:00 -!- lolipop [n=soontak@219.94.54.133] has joined ##openvpn
20:16 -!- constchar [i=constcha@204.116.124.133] has joined ##openvpn
20:26 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has joined ##openvpn
20:26 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [No route to host]
20:26 < syntaxx> is it possible to use username authentication at the same time with ssl certification?
20:26 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:27 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has joined ##openvpn
20:39 < iamamoron> krzie: familiar with http-proxy on openvpn?
20:39 < iamamoron> how can i use it
20:40 < krzie> iamamoron no, but the manual is
20:40 < krzie> !betaman
20:40 < vpnHelper> krzie: "betaman" is http://www.openvpn.net/man-beta.html
20:49 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
20:57 -!- PokerFacePenguin [n=joe@68.16.15.79] has joined ##openvpn
20:58 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has quit ["My damn controlling terminal disappeared!"]
21:29 -!- protocols [n=protocol@p5791FCDA.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:29 -!- protocols [n=protocol@p5791FB6A.dip.t-dialin.net] has joined ##openvpn
21:57 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [No route to host]
22:08 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
22:45 -!- PokerFacePenguin [n=joe@68.16.15.79] has left ##openvpn []
23:22 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)]
23:26 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
23:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:45 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has joined ##openvpn
23:45 < syntaxx> is it possible both user auth and ssl be used in openvpn?
23:57 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [Connection timed out]
--- Day changed Fri Dec 19 2008
00:08 < krzee> syntaxx, sure
00:09 < krzee> tried looking in the manual?
00:14 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
00:14 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
00:35 < lolipop> hello krzeeee
00:40 -!- BadPtr [i=42fe2542@gateway/web/ajax/mibbit.com/x-e608ea6df022bcf0] has quit ["http://www.mibbit.com ajax IRC Client"]
01:06 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.]
01:11 -!- constchar [i=constcha@204.116.124.133] has quit []
01:30 * lolipop is licking tomato
02:12 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
02:15 < lolipop> krzeeeeeeeeeeeeeee
02:27 < reiffert> krzee: basic networking ...
02:28 < reiffert> sigh
02:29 < lolipop> sigh
03:59 -!- iamamoron [n=iamamoro@210.238.181.187] has quit []
04:46 -!- ikevin_ [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)]
04:47 -!- ikevin [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has joined ##openvpn
04:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:10 -!- lolipop [n=soontak@219.94.54.133] has quit ["Konversation terminated!"]
06:34 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
06:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Ex-Chat"]
06:57 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn
06:57 -!- ikevin [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
07:02 -!- protocols [n=protocol@p5791FB6A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
07:05 -!- protocols [n=protocol@p5791FB6A.dip.t-dialin.net] has joined ##openvpn
07:29 -!- waKKu [n=ugabuga@unaffiliated/wakku] has joined ##openvpn
07:29 < waKKu> hi folks..
07:29 < waKKu> could someone there guide me to a good and basic link about Diffie Hellman ? Where, when and how it is used
07:39 < reiffert> generally or openvpn particularly
07:42 < reiffert> http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
07:42 < vpnHelper> Title: Diffie-Hellman key exchange - Wikipedia, the free encyclopedia (at en.wikipedia.org)
07:45 -!- iT|Free [n=iT|Free@192.108.73.209] has joined ##openvpn
07:45 < iT|Free> Hi @ all
07:46 < waKKu> checking.. thanks ;)
07:46 < iT|Free> i have some routers, that connect to my server, the routes are pushed, and every client behind one of these routers can reach every other client
07:47 < iT|Free> now i am wondering, whether it is possible, that i run a dhcp server on my openvpn server, and that server manages all the ips in the whole network
07:47 < waKKu> a doubt.. once DH is established, then starting a new negotiation about SSL/cipher/MAC .... ?
07:47 < iT|Free> so my question is, is it possible?
07:47 < iT|Free> and: will wifi still work?
07:48 < waKKu> iT|Free maybe using a tap (bridge) connection
07:48 < waKKu> once dhcp uses broadcast
07:48 < reiffert> iT|Free: when using a routed configuration, dhcp is not possible.
07:49 < reiffert> iT|Free: because dhcp works with broadcast whereas openvpn uses pointtopoint in routed setup.
07:49 < iT|Free> but is it possible that the client will ask the openvpn server for its ip?
07:49 < reiffert> iT|Free: yes, that is possible. I was assuming that you already do that.
07:49 < iT|Free> and will the dhcp server broadcast the packages to all clients?
07:49 < reiffert> iT|Free: sigh.
07:50 < reiffert> iT|Free: openvpn itself assigns IP addresses to openvpn clients.
07:50 < iT|Free> i am already using tap connection
07:50 < iT|Free> and my router gets an ip (pushed)
07:50 < reiffert> And did you bridge the tap adapter?
07:50 < iT|Free> yes
07:50 < reiffert> then you can use a dhcp server instead.
07:50 < reiffert> see the howto.
07:50 < reiffert> !howto
07:50 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:51 < iT|Free> and what will happen, if a new wifi client connects to the net?
07:51 < iT|Free> i dont want the router to have a dhcpd
07:52 < reiffert> I have no idea about your special setup, so I cant tell.
07:52 < iT|Free> okay...
07:52 < reiffert> read the fucking howto
07:52 < iT|Free> i'll thx
07:54 < reiffert> http://openvpn.net/index.php/documentation/install.html?start=1#dhcp
07:54 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
07:54 < reiffert> Notes -- Setting TAP-Win32 address/subnet automatically via DHCP
07:58 -!- ikevin [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has joined ##openvpn
08:19 < ecrist> good morning, fuckers
08:19 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
08:36 -!- unixSnob [n=jj@66-81-64-146.bayarea.dialup.o1.com] has joined ##openvpn
08:37 -!- unixSnob [n=jj@66-81-64-146.bayarea.dialup.o1.com] has quit [Client Quit]
08:37 < ropetin> ecrist: how did you know my nickname?!
08:40 < ropetin> So, any experience with port knocking?
08:40 -!- icebrian [n=icebrian@195-23-23-93.static.net.novis.pt] has joined ##openvpn
08:40 < icebrian> hi all... quick question... i've got OpenVPN running just fine! everything is as expected, however, there is one small thing that is bugging me.
08:41 < icebrian> Basically, I can connect to the VPN when I am within the LAN
08:41 < icebrian> the first time I set-up OpenVPN this was not the case, and, ideally (due to firewall restrictions) I would also like to block VPN connections when within the LAN
08:42 < icebrian> any help (or point in the right direction) will be much appreciated.
08:42 < icebrian> damn.... got to go... ill be back thou! :)
08:43 -!- icebrian [n=icebrian@195-23-23-93.static.net.novis.pt] has quit [Client Quit]
08:44 -!- iT|Free [n=iT|Free@192.108.73.209] has quit []
09:10 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has joined ##openvpn
09:46 < ecrist> ropetin: not a lot, why?
09:46 < ropetin> I was thinking of setting up port knocking on an infrequently used VPN server and wondered if anyone had tried it
09:50 < waKKu> iptables -m recent -h and be happy ..
09:51 < waKKu> btw, there are a lot of daemons and tools to set up port knocking.. but using iptables module "recent" is easy and quick
09:52 -!- lipatden [n=ldennehy@sbpofw1.schubergphilis.com] has joined ##openvpn
09:54 < lipatden> Hi all, I have a firewall/iptables issue. No, it's not that I have no connectivity, it's that my firewall rules say to drop all forward packets, yet I'm forwarding client-to-client
09:55 < waKKu> lipatden it works if you put your firewall rules down ?
09:55 < lipatden> what do you mean down?
09:56 < waKKu> lipatden allow all traffic through your firewall
09:57 < waKKu> iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT; iptables -F ... (dont do it if you dont know what it does)
09:57 < lipatden> That's not my problem, like I say I am successfully communicating
09:58 < waKKu> heh
09:58 < lipatden> My FORWARD rule says REJECT on all traffic, so why is openvpn still forwarding
09:58 < lipatden> ?
10:00 < lipatden> The traffic is bypassing my firewall rules that say it should REJECT all traffic
10:02 < lipatden> Any clues? I know the usual problem is that the firewall gets in the way, but my problem is that it's being ignored...
10:03 < ecrist> lipatden: because it's all openvpn-internal stuff
10:03 < ecrist> if you want to reject client-to-client, remove that option from your server config
10:04 < lipatden> It's not that I want to reject it, I want to control it using firewall rules
10:05 < lipatden> e.g. I want to allow ssh for admin traffic, but reject port 80 except when coming from a proxy server, the normal LAN admin type rules
10:07 < waKKu> r u using tap or tun ?
10:08 < lipatden> tun
10:08 -!- protocols [n=protocol@p5791FB6A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
10:09 -!- protocols [n=protocol@p5791FB6A.dip.t-dialin.net] has joined ##openvpn
10:18 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has quit ["GG. X_X"]
10:28 < lipatden> so, any clues how I can firewall between the different network segments of my clients?
10:29 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn
10:32 -!- mRCUTEO [n=info@96.9.131.182] has quit [Client Quit]
11:01 -!- protocols [n=protocol@p5791FB6A.dip.t-dialin.net] has quit ["Leaving"]
11:06 < ecrist> are you filtering on tunX?
11:15 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has quit [Nick collision from services.]
11:15 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has joined ##openvpn
11:15 * ecrist pokes lipatden
11:16 < lipatden> ecrist: sorry, stepped out...
11:16 < lipatden> filtering? iptables is applied globally in the IP stack, so I don't specify ports...
11:19 < ecrist> I'd question your ruleset - tunX isn't a port, it's a virtual interface.
11:21 -!- icebrian [n=icebrian@195-23-23-93.static.net.novis.pt] has joined ##openvpn
11:21 < icebrian> back :)
11:21 < icebrian> ok so back to my question...
11:21 < icebrian> i've got OpenVPN running just fine! everything is as expected, however, there is one small thing that is bugging me.
11:21 < icebrian> Basically, I can connect to the VPN when I am within the LAN
11:21 < icebrian> the first time I set-up OpenVPN this was not the case, and, ideally (due to firewall restrictions) I would also like to block VPN connections when within the LAN
11:21 < icebrian> any help (or point in the right direction) will be much appreciated.
11:22 < icebrian> so... im short... I want to block VPN connection when inside the lan
11:22 < icebrian> im = in
11:22 < icebrian> :P
11:23 < ecrist> setup a firewall on the vpn server
11:24 < icebrian> I was hoping there was some config option in openvpn that would do this for me
11:24 < ecrist> no
11:24 < ecrist> there isn't
11:24 < icebrian> :(
11:25 < icebrian> the weird thing is that the first time I set-up openvpn I couldn't connect when inside the LAN
11:25 < icebrian> I have no idea how I managed this
11:25 < ecrist> I don't know what your original setup was, so I can't tell you why it worked that way
11:25 < icebrian> yeah i know... and I can't remember
11:26 < icebrian> well thanks anyways
11:38 < lipatden> ecrist: my ruleset is simple: drop all forward traffic
11:38 < lipatden> ecrist: tun is a virtual interface, but firewalled nonetheless - if I block INPUT traffic on the interface, it's blocked
11:41 < lipatden> icebrian: you running on windows or Linux?
11:46 < icebrian> linux
11:49 < lipatden> Why don't you want to use firewalling? insert a rule to drop packets from your local lan subnet just before the rule that accepts other connections, or accept not (!) your LAN
11:52 < icebrian> yes I know, I am using IPCop as a firewall thou which provides a webinterface, changing the rules directly wont work since any other change in the web interface will erase those rules.
11:53 < icebrian> I am looking and addons for IPCop so that I can write my own rules
11:53 < icebrian> and = for
11:57 < lipatden> is your client Linux? You might want to use an OUTPUT rule there if you're not running IPCop on it
12:01 < ecrist> lipatden: I still stand that your firewall is misconfigured.
12:02 < ecrist> I don't have any problems filtering tun traffic on freebsd with pf
12:07 < lipatden> ecrist: Case in point, if I ping the host itself (on the tunX address), ifconfig bytes counters increase. If I ping a host in another client connection, the counters stay static. The traffic never hits the host interface, so openvpn is now my router for that connection
12:08 < lipatden> So, I have client1, router, client 2. Pinging router's tunX address generates interface traffic counted by the IP stack, pinging client2 (which passes through router's openvpn) never touches the tunX counters, which means it's invisible to the host. since when is openvpn a router?
12:24 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: Dryanta
12:25 -!- Netsplit over, joins: Dryanta
12:53 < krzee> reiffert, whats up
12:53 < krzee> i was asleep
12:56 < reiffert> dinnertime
12:58 < reiffert> savoy cabbage, potatoes, carrots and some veal
12:58 -!- icebrian [n=icebrian@195-23-23-93.static.net.novis.pt] has quit ["Leaving"]
13:09 -!- bartmon [n=bartman@89-212-179-3.dynamic.dsl.t-2.net] has joined ##openvpn
13:22 < bartmon> Hello! In the howtos I've come across OpenVPN is used both as a server and as a client. I want to connect to my router road warrior style through an IPSec tunnel (I have set up a username and password). Can OpenVPN be used as a client for this?
13:24 < reiffert> openvpn can connect to openvpn only.
13:25 < bartmon> I see. Thanks for the reply though!
13:25 -!- bartmon [n=bartman@89-212-179-3.dynamic.dsl.t-2.net] has left ##openvpn []
13:41 -!- l2trace99 [n=jr@static-71-251-65-16.tampfl.fios.verizon.net] has quit [Remote closed the connection]
13:55 < krzee> !mail
13:55 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978
13:55 < cpm> openvpn is openvpn, it is not ipsec.
13:55 < krzee> cpm, hehe ya
13:56 < cpm> hey krzee how U?
13:56 -!- waKKu [n=ugabuga@unaffiliated/wakku] has left ##openvpn []
13:57 < krzee> good man, how bout you?
13:57 < cpm> ready for this day to be over
13:57 < krzee> !learn pushdns as http://sourceforge.net/mailarchive/forum.php?thread_name=494B5FFC.6080502%40nikhef.nl&forum_name=openvpn-users see that mail archive for some info on pushing dns
13:57 < vpnHelper> krzee: Joo got it.
13:57 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn
13:57 < krzee> im getting ready to start my day
13:57 < krzee> gunna get some beers and see whats up with the sexy twin sisters =]
13:58 < ecrist> krzee: you need to share with me
13:58 < krzee> hehe
13:58 < ecrist> I'll bring the beer, if it helps.
13:58 < krzee> you gotta wifey!
13:58 < ecrist> so?
13:58 < ecrist> we swing...
13:58 < krzee> oh thats awesome
13:58 < krzee> ok ill take wifey you take the twins
13:58 * krzee ducks and covers
13:59 < ecrist> sweet, dog pile afterwards?
13:59 < krzee> hahaha alright
13:59 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn
13:59 < mRCUTEO> hiya all
13:59 < krzee> we'll keep her towards the top of the pile so we dont hurt the baby crist
13:59 < mRCUTEO> !menu
13:59 < vpnHelper> mRCUTEO: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
14:00 < ecrist> krzee: works for me!
14:02 < mRCUTEO> hiya ecrist
14:02 < mRCUTEO> hiya krzee
14:09 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has quit [Connection reset by peer]
14:12 < ecrist> howdy
14:14 < krzee> heyhey
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:51 -!- apg88 [n=apg88@wdz.rit.edu] has joined ##openvpn
14:51 -!- mpetersen [n=mpeterse@c-71-194-132-69.hsd1.il.comcast.net] has joined ##openvpn
14:51 < apg88> So I guess I need firewall help, requests from remote machine are received on network, but nothing makes it back
14:52 < krzee> !linfw
14:52 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
14:52 < apg88> I'll try that
14:52 < apg88> thanks
14:52 < krzee> ild help more, but im out the door
14:52 < krzee> np
15:01 -!- mpetersen [n=mpeterse@c-71-194-132-69.hsd1.il.comcast.net] has quit [Nick collision from services.]
15:01 < reiffert> krzee: please replace $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT
15:01 -!- mpetersen [n=mpeterse@c-71-194-132-69.hsd1.il.comcast.net] has joined ##openvpn
15:01 < reiffert> by
15:01 < mpetersen> IRC hates me today.
15:02 < reiffert> for chain in INPUT FORWARD OUTPUT; do iptables -P $chain ACCEPT; iptables -F $chain; done;
15:10 -!- mpetersen [n=mpeterse@c-71-194-132-69.hsd1.il.comcast.net] has quit [Nick collision from services.]
15:10 < apg88> ok, so accepting forwards fixes the problem
15:10 < apg88> iptables -P FORWARD ACCEPT
15:10 < apg88> but that's not safe is it?
15:10 -!- mpetersen [n=mpeterse@c-71-194-132-69.hsd1.il.comcast.net] has joined ##openvpn
15:33 -!- Dougy [n=doug@174.34.138.158] has joined ##openvpn
15:33 < Dougy> heyyyyyyyyyy
15:34 < Dougy> ecrist: poke poke
15:35 < Dougy> sup troy-
15:43 -!- apg88 [n=apg88@wdz.rit.edu] has quit [Remote closed the connection]
16:04 < troy-> Dougy, nm
16:06 < Dougy> fun stuff
16:06 < Dougy> ecrist: wake up daaaaaaaaamnitttttttttttttt
16:08 -!- Dougy [n=doug@174.34.138.158] has quit ["leaving"]
16:08 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Client Quit]
16:09 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
16:16 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:16 < Dougy> ey yooooooo
16:20 < ecrist> what?
16:20 < Dougy> ecrist: forum doesn't work
16:21 < ecrist> oh, my ip address changed.
16:21 < Dougy> i assumed that was the case
16:22 < Dougy> what do i need to change
16:22 < ecrist> make ovpnforum.com and www.ovpnforum.com a CNAME for kenny.secure-computing.net
16:22 < ecrist> or, set it to 173.8.118.210
16:23 < Dougy> changed to cname
16:26 < Dougy> bbl
16:26 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
16:29 -!- lipatden [n=ldennehy@sbpofw1.schubergphilis.com] has quit [Read error: 54 (Connection reset by peer)]
16:30 -!- mRCUTEO [n=info@96.9.131.182] has quit []
17:15 -!- mpetersen [n=mpeterse@c-71-194-132-69.hsd1.il.comcast.net] has left ##openvpn []
17:45 -!- grendal_prime [n=grendal_@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
17:46 < grendal_prime> i got this openvpn setup and it works but my dns gets dropped on the client side and i cant browse the internet anymore. the connection is up and working...but, no dns..im using an ubuntu system for this and the openvpn network manager plugin.
17:59 -!- grendal_prime [n=grendal_@dsl-12-44-166-053.arpa2.caltel.com] has quit [Remote closed the connection]
17:59 -!- grendal_prime [n=grendal_@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
18:07 < ecrist> http://failblog.files.wordpress.com/2008/12/fail-owned-eharmony-online-dating-fail.jpg
18:07 < ecrist> grendal_prime: are you using redirect-gateway?
18:19 -!- grendal_prime [n=grendal_@dsl-12-44-166-053.arpa2.caltel.com] has quit [Read error: 113 (No route to host)]
18:28 < ecrist> http://failblog.files.wordpress.com/2008/11/fail-owned-newspaper-infidelity-911-fail.jpg
19:22 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn
19:24 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has quit [SendQ exceeded]
19:26 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn
19:52 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has left ##openvpn ["Leaving"]
20:29 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"]
20:47 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
22:12 -!- skatista [i=marcus@189.102.240.229] has joined ##openvpn
22:12 < skatista> !route
22:12 < vpnHelper> skatista: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
22:32 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
22:40 < mRCUTEO> !route
22:40 < vpnHelper> mRCUTEO: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
22:42 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit []
22:50 -!- skatista [i=marcus@189.102.240.229] has quit []
--- Day changed Sat Dec 20 2008
00:59 -!- krzee [i=nobody@unaffiliated/krzee] has left ##openvpn ["Leaving"]
00:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:59 < krzee> LOL ecrist
01:00 < krzee> infidelity fail
01:00 < krzee> lolz
01:15 < krzee> !/30
01:15 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
01:16 < krzee> !nat
01:16 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
01:16 < krzee> !factoids search forward
01:16 < vpnHelper> krzee: 'winipforward' and 'linipforward'
01:16 < krzee> !factoids search linipf
01:16 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
01:17 < krzee> !topology
01:17 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
01:21 < krzee> !def1
01:21 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
01:22 < krzee> sorry for the scroll, i use my bot to answer mail list questions occasionally too
01:51 -!- iamamoron [n=iamamoro@210.238.181.187] has joined ##openvpn
01:51 < iamamoron> hi there
01:51 < iamamoron> i am attempting http-proxy on my openvpn
01:51 < iamamoron> problem is i get this error in the log HTTP proxy returned bad status
01:51 < iamamoron> why does it happen?
01:53 < krzee> im guessing your http proxy returned an error ;]
01:53 < krzee> look in the proxy logs
01:54 < iamamoron> in the server?
01:54 < iamamoron> httpd log?
01:54 < krzee> the proxy server
01:54 < krzee> the logs for the proxy app
01:55 < iamamoron> i just pointed it at my server
01:55 < iamamoron> i created a simple .htaccess list
01:56 < krzee> are you running a proxy server?
01:56 < krzee> like quid for example
01:56 < krzee> squid
01:56 < krzee> oh god, you're trying to proxy by connecting to a normal httpd server
01:56 < iamamoron> no i am not
01:56 < krzee> ?
01:57 < iamamoron> i followed this
01:57 < iamamoron> http://blog.foppiano.org/2008/07/24/how-to-openvpn-over-proxy/
01:57 < vpnHelper> Title: How to OpenVPN over Proxy « fucking the white bunny rabbit (at blog.foppiano.org)
01:57 < iamamoron> i want openvpn to run even in those areas where the router blocks all
01:57 < krzee> lol
01:58 < iamamoron> thats my objective
01:58 < krzee> the part it doesnt mention is you need to be running a httpd proxy
01:58 < iamamoron> what should i do
01:58 < iamamoron> please shed light
01:58 < krzee> i told you yesterday
01:58 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has joined ##openvpn
01:58 * tjz swim in
01:58 < krzee> most likely way to connect to openvpn while behind a restrictive firewall is by running openvpn on port 53 udp or 443 tcp
01:58 < iamamoron> i tried running on port ffot
01:59 < iamamoron> i tried running on port 443
01:59 < iamamoron> enable tcp
01:59 < krzee> as those are the most common open in firewalls
01:59 < iamamoron> yes how?
01:59 < iamamoron> server config now runs on tcp
01:59 < iamamoron> port 1194
01:59 < iamamoron> i do DNAT
01:59 < krzee> proto tcp, port 443
01:59 < iamamoron> from 443 to 1194
02:00 < krzee> or proto udp, port 53
02:00 < iamamoron> thats all i will add/
02:00 < iamamoron> ?
02:00 < krzee> what exactly did you expect when you added an .htaccess and tried telling openvpn to connect to the webserver?
02:00 < iamamoron> i misunderstood it sorry
02:00 < iamamoron> what should be done anyway
02:00 < iamamoron> please shed light
02:01 < iamamoron> all that
02:01 < iamamoron> port 443
02:01 < iamamoron> tcp?
02:01 < iamamoron> or udp 53?
02:01 < krzee> ive said it 3 times now
02:01 < krzee> maybe 4
02:01 < krzee> im gunna go watch a movie
02:01 < krzee> bbl
02:14 < reiffert> morning
02:19 < tjz> where are all the openvz users..
02:19 < tjz> :(
03:39 -!- gallatin [n=gallatin@dslb-092-073-113-214.pools.arcor-ip.net] has joined ##OpenVPN
03:48 < iamamoron> hi there
03:48 < iamamoron> can i copy the keys folder to the new server?
03:48 < iamamoron> would it work as in old server
03:48 < iamamoron> i am doing server migration
03:49 < iamamoron> i dont want to recreate the certs again
03:53 -!- iamamoron [n=iamamoro@210.238.181.187] has quit []
04:01 < tjz> d
04:02 -!- prxtien [n=proleone@ppp121-45-91-147.lns10.adl6.internode.on.net] has joined ##openvpn
04:03 < krzee> !learn lintrafaccnt as http://www.catonmat.net/blog/traffic-accounting-with-iptables/ for a walkthrough on using iptables for traffic accounting
04:03 < vpnHelper> krzee: Joo got it.
04:03 < krzee> not openvpn territory but we get asked about it
04:04 < krzee> since people seem to think ovpn should do *
04:04 < krzee> (instead of the many tools they already have but dont know how to use)
04:04 < prxtien> eheh krzee working hard
04:04 < krzee> lol
04:04 < krzee> fending off a hangover by not passing out yet
04:04 < krzee> the page was a good read tho ;]
04:04 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
04:04 < krzee> hows it goin pro?
04:05 < prxtien> alright, just setup freeswitch, working on getting wikipbx working
04:05 < krzee> ahh nice
04:05 < prxtien> hit a snag, so ill come back to it later
04:05 < krzee> FS was surprisingly easy to setup the first time wasnt it?
04:05 < prxtien> well freeswitch itself yeah, wikipbx is a lot more complicated to install
04:06 < krzee> never heard of it
04:06 < prxtien> in fact the install wont finish for me, so ill give it a rest and try hard later
04:06 < prxtien> its a web management interface, for fs
04:06 < krzee> oh, lol
04:06 < krzee> nice
04:06 < krzee> im more the type to shell script stuff like that
04:06 < krzee> ive never been a web UI truster
04:07 < prxtien> i really dont want to learn a whole new pabx system eheh
04:07 < krzee> running a web ui on something without understanding what its doing is asking for problems
04:07 < krzee> i always try to tell that to the ubuntu folks in here
04:07 < krzee> !ubuntu
04:07 < vpnHelper> krzee: "ubuntu" is dont use network manager!
04:07 < prxtien> lol yep
04:08 < tjz> lol
04:08 < tjz> ubuntu is good
04:08 < tjz> windows version of linux
04:08 < tjz> :)
04:08 < krzee> tjz, hows your vpn working?
04:08 < tjz> haven't touched it
04:08 < tjz> dougy MIA
04:08 < krzee> aww i thought youd say it wasnt working
04:08 < tjz> chaos did not get back yet
04:08 < krzee> so i could say "i rest my case:
04:09 < krzee> "
04:09 < tjz> lol
04:09 < krzee> hahahah
04:09 < tjz> well
04:09 < krzee> (even tho its not your fault, it would have been funny to me
04:09 < krzee> ;]
04:09 < tjz> i have to figure it out again
04:09 < tjz> lol
04:09 < prxtien> i like web guis for things like fs, so when i come back 6 months later and want to add an extension, i dont take an hour relearning all the syntax
04:10 < krzee> prxtien, werd
04:10 < krzee> i like learning things and scripting them
04:10 < krzee> that way if i ever forget i checkout my own script
04:10 < prxtien> yeah i follow the same token sometimes
04:10 < krzee> (or use it for the quick job)
04:10 < prxtien> others i cbb
04:11 < krzee> but ya FS is something ild checkout a web UI for too, lan access only of course
04:11 < krzee> (but only after understanding what it is doing behind the scenes)
04:13 < krzee> that actually looks pretty badass
04:13 < krzee> makes me wanna setup a pbx at my house to play with
04:14 < krzee> (i already have one on the net, but dont wanna setup a gui on a colo pbx
04:14 < krzee> )
04:14 < prxtien> lol yeah
04:14 < prxtien> all im setting mine up for is at home pbx
04:14 < prxtien> do a bit of dial plans and such
04:15 < krzee> i cant cause my outbound is skype
04:15 < krzee> ($30/yr unlimited minutes to usa and canada)
04:15 < krzee> of course i must make skype think im in usa... but we are in a channel dedicated to vpns, so that shouldnt be very hard ;]
04:17 < krzee> ecrist, before you ask when you wakeup, no i didnt get to knock the twins last night =[ also, nice hostname!
04:30 -!- tjz [n=tjz@bb121-7-106-87.singnet.com.sg] has quit [Read error: 60 (Operation timed out)]
04:34 -!- tjz [n=tjz@bb116-15-160-155.singnet.com.sg] has joined ##openvpn
04:34 < tjz> which company offers $30/yr?
04:44 < tjz> ..
04:45 < krzee> if you saw that line, how did you not see the line before it?
04:45 < krzee> [06:16] <krzee> i cant cause my outbound is skype
04:45 < krzee> [06:16] <krzee> ($30/yr unlimited minutes to usa and canada)
04:45 < krzee> [06:17] <krzee> of course i must make skype think im in usa... but we are in a channel dedicated to vpns, so that shouldnt be very hard ;]
04:48 < tjz> i got d/c
04:48 < tjz> and all the text got wiped out
04:48 < tjz> :(
04:48 < tjz> krzee never sleeps
04:48 < tjz> NY never sleeps
04:48 < tjz> hehe
05:36 -!- prxtien [n=proleone@ppp121-45-91-147.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
05:58 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
05:59 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [Client Quit]
06:06 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:17 -!- ikevin [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
06:20 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
06:49 -!- J4nus [n=janus@78-22-33-101.access.telenet.be] has quit ["Leaving"]
08:21 -!- drcode [n=chatzill@bzq-84-108-250-27.cablep.bezeqint.net] has joined ##openvpn
08:21 < drcode> hi all
08:21 < drcode> how can I tell openvpn to act like SSL or http ?
08:22 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn
08:45 -!- gallatin [n=gallatin@dslb-092-073-113-214.pools.arcor-ip.net] has quit ["Client exiting"]
09:44 < et> drcode: care to elaborate?
09:44 < drcode> hi et
09:44 < drcode> can I run openvpn in ssl mode?
09:44 < drcode> like https
09:45 < et> your question makes no sense, that's why i asked you to explain what you want to do
09:53 < drcode> ל
09:54 < drcode> k
09:54 < drcode> I am using stunnel
09:54 < drcode> it makes a tunnel like ssl
09:54 < ecrist> krzee: if you like my hostname on this box, you should see the one I use for my WAP at home...
09:54 < drcode> I mean can openvpn use a mask like an ssl tunnel?
09:54 < ecrist> 221.118.8.173.in-addr.arpa domain name pointer ms.choksondik.secure-computing.net.
09:54 < drcode> I have a strong firewall that I need to pass
09:56 < drcode> et?
09:58 < ecrist> drcode: openvpn *is* ssl
09:58 < et> he doesn't mean ssl
09:59 < drcode> I can use port 443 and it will pass in a strong fw?
09:59 < ecrist> sure, if they have port 443 open
09:59 < et> so you want to route your traffic over the vpn? or want to use openvpn over a nonstandard port?
10:00 < drcode> yes
10:00 < ecrist> he wants to know if he can run OpenVPN on port 443 to punch through restrictive firewalls
10:00 < ecrist> the answer is yes
10:01 < drcode> thats right
10:01 < drcode> I know there is also something like proxyssl
10:01 < drcode> proxytunnel
10:01 < drcode> but I had a bad time with apache
10:23 -!- DarkAnt [n=DarkAnt@smi28-129-63-28-126.dhcp.uml.edu] has joined ##openvpn
10:27 < ecrist> ah, video mashups are great
10:27 < ecrist> http://www.youtube.com/watch?v=Vxm6KGEGIeE
10:27 < vpnHelper> Title: YouTube - LazyTown Mashup (at www.youtube.com)
10:27 < ecrist> NSFW
10:31 -!- drcode [n=chatzill@bzq-84-108-250-27.cablep.bezeqint.net] has quit ["ChatZilla 0.9.84 [Firefox 2.0.0.20/2008121709]"]
10:46 < DarkAnt> does anyone here have experience with anonet?
10:46 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
10:46 < plaerzen> hello ovpn
10:54 -!- tjz [n=tjz@bb116-15-160-155.singnet.com.sg] has quit ["GG. X_X"]
11:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)]
11:53 -!- teratoma [n=teratoma@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
11:54 < teratoma> how do i make all of my traffic go through my openvpn client configuration ?
12:17 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has quit []
12:27 -!- wdw [n=williamd@host-84-9-165-110.dslgb.com] has joined ##openvpn
12:33 < wdw> !route
12:33 < vpnHelper> wdw: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:43 < wdw> !menu
12:43 < vpnHelper> wdw: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
13:01 -!- ikevin [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has joined ##openvpn
13:33 < krzee> !factoids search *
13:33 < vpnHelper> krzee: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum', 'secure',
13:33 < vpnHelper> krzee: 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 'irclogs', 'noenc', 'iptables',
13:33 < vpnHelper> krzee: 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', 'bridge-fw', 'linipforward', 'linnat', 'man', 'webgui', 'wintaphide', 'topology', 'configs', 'linfw', 'firewall', 'nocert', 'pushlimit', 'solaris', 'ipp', 'pushdns', and 'lintrafaccnt'
13:33 < krzee> teratoma,
13:33 < krzee> !def1
13:33 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:33 < et> !ubuntu
13:33 < vpnHelper> et: "ubuntu" is dont use network manager!
13:34 < et> !gentoo
13:34 < vpnHelper> et: "gentoo" is http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
13:34 < krzee> teratoma, you will also need !nat
13:34 < teratoma> krzee: works for me on a linux client, doesnt in a windows vista client
13:34 < krzee> teratoma, checked the logfile?
13:34 < et> !insanity
13:34 < vpnHelper> et: "insanity" is doing the same thing over and over expecting different results
13:38 < krzee> teratoma,
13:38 < krzee> !logs
13:38 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
13:59 -!- ikevin_ [n=kevin@ANancy-256-1-61-139.w90-26.abo.wanadoo.fr] has joined ##openvpn
14:14 -!- ikevin [n=kevin@ANancy-256-1-37-26.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
15:05 < plaerzen> so, how is everyone's saturday?
15:05 < wdw> not bad
15:05 * plaerzen is applying 248 patches to a server.
15:05 < wdw> working, but other than that
15:05 < plaerzen> would rather not be at work
15:05 < wdw> ouch
15:06 < wdw> old server? or a regular MS patch tuesday? ;)
15:06 < plaerzen> internal groupware server
15:07 < plaerzen> rhel5, just haven't updated it in a while
15:07 < wdw> ah, gotcha
15:30 < DarkAnt> 248?
15:30 < DarkAnt> did you miss a year or something?
15:32 < plaerzen> or something
15:32 < DarkAnt> heh
15:32 < plaerzen> I'm new to this job. The other sysadmin wasn't a Linux admin. The IT manager just didn't update it for a while, I guess.
15:33 < plaerzen> but now it's taking fu**ing forever, and it's a saturday, and I have things to do.... baah!
15:34 < wdw> leave it overnight?
15:34 < wdw> ssh in from home?
15:34 < plaerzen> I need to make sure it completes. I can check it on my blackberry I guess.
15:35 < wdw> there ya go.. much more weekend-friendly
15:35 < plaerzen> just moved, no internet at home yet =/ although I live 2 blocks from work. Going outside uscks
15:35 < plaerzen> sucks
15:35 < wdw> you live in a city.. no nearby wifi to borrow? :-/
15:36 < plaerzen> surprisingly... no =/
15:36 < plaerzen> it's not such a big deal, or I would be gone
15:37 < plaerzen> I just really don't want to go outside. freaking -30 celsius
15:37 < DarkAnt> gah
15:37 < plaerzen> yeah
15:37 < DarkAnt> why would you move there?!
15:37 < DarkAnt> :P
15:37 < wdw> maybe it keeps the servers cool
15:37 < plaerzen> I didn't move here! I just moved from a condo to an appt
15:37 < plaerzen> wdw, lol
15:37 < DarkAnt> hehe
15:38 < plaerzen> If I had my choice, I'd live in costa rica
15:38 < plaerzen> or something
15:38 < wdw> gah, the connectivity might not be great there
15:38 < DarkAnt> hawaii
15:38 < plaerzen> psh
15:38 < plaerzen> hawaii is too full of itself
15:38 < plaerzen> imo
15:38 < DarkAnt> good connectivity and plenty of goodness
15:38 < DarkAnt> have you been?
15:38 < plaerzen> I have an ex gf that lives there who I talk to almost daily
15:38 < plaerzen> (who is from here)
15:38 < DarkAnt> cause each island is very different
15:39 < plaerzen> yeah?
15:39 < plaerzen> I think she's on oahu .... the island with the medical school anyway.
15:40 < plaerzen> I need laid back people in my tropical paradise. No egos, no deadlines, just laid back. oh, and sexy women.
15:40 < DarkAnt> yeah, hono is the main island that stuff gets done
15:40 < DarkAnt> its the island that is the most like the rest of the US
15:40 < plaerzen> ahh, ok
15:40 < DarkAnt> the big island is...volcanic rock
15:40 < DarkAnt> that's about it
15:41 * plaerzen nods.
15:41 < DarkAnt> maui is really nice if you like the whole relaxation thing
15:41 < DarkAnt> but the best one is kauai
15:41 < DarkAnt> imo
15:41 < plaerzen> why?
15:41 < DarkAnt> lots of jungle, low population 15:41 < DarkAnt> they filmed chunks of jurasic park there 15:41 < plaerzen> ah cool 15:42 < plaerzen> expensive ? 15:43 < DarkAnt> i've only been to that island once i think, but they have this awesome 4-wheeling tour that you can go on through the jungle 15:43 < DarkAnt> the farther you get away from hono and maui the cheaper 15:43 < DarkAnt> but its still expensive as hell 15:43 < DarkAnt> everyone wants to live there and lots of stuff has to be imported 15:43 < plaerzen> yeah... that's another reason I would prefer south america 15:43 < plaerzen> $$ 15:45 < DarkAnt> the national intelligence council said things are going to be looking up for brazil 15:45 < plaerzen> yeah? From what I understand, the people in brazil hate foreigners 15:45 < DarkAnt> i wouldn't know, i've never been 15:45 < plaerzen> but I'm no expert - haven't travelled much at all 15:47 < DarkAnt> it always depends on what kind of population density you're looking at. The french in the cities don't like US citizens so much as far as i can tell, but the people out in the country are really great 15:48 < plaerzen> That reminds me of a conversation I was having with a coworker regarding population density. It seems the more dense a population (in general), the more ornery the people are. 
15:49 < DarkAnt> i suppose it might be a combination of people needing their space and groupthink 15:49 < plaerzen> yeah 16:03 < DarkAnt> hey, could somone tell me what i'm doing wrong here: http://rafb.net/p/dQqdic30.html 16:03 < vpnHelper> Title: Nopaste - openvpn not connecting (at rafb.net) 16:24 -!- DarkAnt [n=DarkAnt@smi28-129-63-28-126.dhcp.uml.edu] has quit ["Trillian (http://www.ceruleanstudios.com"] 16:28 -!- DarkAnt [n=DarkAnt@smi28-129-63-28-126.dhcp.uml.edu] has joined ##openvpn 16:54 < krzie> DarkAnt rebuild your certs 16:54 < krzie> if you use fbsd or linux maybe check out ssl-admin 16:54 < krzie> !ssl-admin 16:54 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn 16:55 < krzie> !learn ssl-admin as if you use freebsd, it is in ports 16:55 < vpnHelper> krzie: Joo got it. 16:56 < DarkAnt> thanks 16:58 < krzie> np 17:01 < krzie> <plaerzen:##openvpn> yeah? From what I understand, the people in brazil hate 17:01 < krzie> foreigners 17:01 < DarkAnt> secure-computing uses an invalid cert....haha 17:01 < krzie> hopefully ill be able to tell you soon 17:01 < krzie> hoping to goto rio for carnival 17:01 < DarkAnt> cool 17:01 < krzie> DarkAnt hes not going to pay for a cert for that 17:01 < krzie> just accept the cert 17:01 < DarkAnt> i know, but i find it amusing 17:01 < krzie> its not invalid, its just signed by him 17:02 < krzie> like your vpn will likely be 17:04 < DarkAnt> i'm trying to get onto anonet, it sure is a hassle 18:35 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:35 < Dougy> Hey guys 18:36 < Dougy> To set a password when you connect to a VPN, where do you need to set it 18:38 < krzie> depends 18:39 < krzie> you want the server to control it? or want it built in to cert? 
18:39 -!- wdw [n=williamd@host-84-9-165-110.dslgb.com] has left ##openvpn [] 18:46 < Dougy> krzie: server 18:46 < Dougy> its a single client vpn 18:51 * Dougy pokes krzie repeatedly 18:58 < krzie> 1sec 18:58 < krzie> !man 18:58 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:59 < krzie> read up on this: 18:59 < krzie> --auth-user-pass-verify script method 19:00 < Dougy> blah 19:00 < Dougy> im so fried 19:00 < Dougy> gonna take forever for me to read that 19:02 < Dougy> krzie: if i want to do it via cert 19:02 < Dougy> do i just set a challenge password> 19:02 < Dougy> ? 19:03 < krzie> you make it when making the cert 19:03 < Dougy> yes 19:03 < Dougy> when it asks if i wanna set a challenge pass 19:03 < krzie> with ssl-admin it asks if you want to set one 19:03 < Dougy> thats it right? 19:04 < krzie> with easy-rsa you use a diff script as the howto says 19:04 < Dougy> ahh 19:28 -!- tjz [n=tjz@121.7.103.41] has joined ##openvpn 19:33 * tjz swim in 19:34 < tjz> dougy!!!
19:34 < tjz> ^_^ 19:36 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] 19:48 < tjz> omg 20:10 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 20:27 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 20:37 < ecrist> lol 20:48 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit [Remote closed the connection] 21:49 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 21:49 < Dougy> krzie: hep 21:49 < Dougy> http://rafb.net/p/Fpd01870.html 21:49 < vpnHelper> Title: Nopaste - No description (at rafb.net) 21:49 < Dougy> CentOS 5 server / Vista client 21:49 < Dougy> its running as administrator, i added route-method exe and the delay to 10 seconds, still getting that 21:49 < Dougy> if i could pinpoint where its erroring i could google it, but i got nothin 21:52 < tjz> dougy~~~~~~~~~~~~~~~~~~~~~~~~~ 21:53 < Dougy> hi 21:54 < krzee> Sat Dec 20 22:45:16 2008 us=80416 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv ) 21:54 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net) 21:54 < Dougy> already looked at that 21:54 < krzee> not only did it give an error, it gave a link 21:54 < Dougy> he said he checked and its running 21:54 < Dougy> yes 21:54 < krzee> haha its not even you 21:54 < krzee> im going out 21:54 < Dougy> what? 21:54 < krzee> bbl 21:54 < Dougy> :( 21:54 < tjz> dougy, did you manage to get openvpn on openvz? 21:54 < Dougy> tjz: of course 21:54 < krzee> its impossible to troubleshoot 3rd person 21:54 < tjz> working 21:55 < Dougy> krzee: i know 21:55 < tjz> hmm 21:55 < Dougy> i dont have access to the client 21:55 < Dougy> only the server 21:55 < krzee> bbl 21:55 < tjz> do you know what did the provider enable on hardware node? 
21:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 21:56 < Dougy> tjz: just openvpn or with masquerading 21:56 < Dougy> and stuff 22:03 < tjz> :( 22:03 < tjz> i have them 22:03 < tjz> :( 22:04 < Dougy> question 22:04 < Dougy> on that link krzee linked 22:04 < Dougy> it says something about ip-win32 22:04 < Dougy> is that a config directive? 22:04 < Dougy> client/server? 22:17 -!- Dougy [n=doug@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] 23:03 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] --- Day changed Sun Dec 21 2008 00:02 -!- tjz [n=tjz@121.7.103.41] has quit ["GG. X_X"] 00:22 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has joined ##openvpn 00:30 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: kreg, vpnHelper, Typone 00:31 -!- Netsplit over, joins: kreg, Typone, vpnHelper 00:55 -!- DarkAnt [n=DarkAnt@smi28-129-63-28-126.dhcp.uml.edu] has quit ["Trillian (http://www.ceruleanstudios.com"] 02:54 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has joined ##openvpn 03:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:31 -!- b52laptop [n=b52lapto@41.249.27.243] has joined ##openvpn 04:31 < b52laptop> hi 04:31 < b52laptop> ppl do yu know a tool for managing the certificate ? 04:34 < reiffert> like as e.g.? 04:36 < b52laptop> e.g. 04:36 < b52laptop> = ? 
04:36 < b52laptop> freysteinn, http://sourceforge.net/project/screenshots.php?group_id=131667 04:36 < reiffert> for example 04:36 < vpnHelper> Title: SourceForge.net: OpenVPN Web GUI: Screenshots (at sourceforge.net) 04:36 < b52laptop> this one seems to do the job 04:36 < b52laptop> but php one :d 04:37 < b52laptop> any alternative :d 05:12 < krzee> !ssl-admin 05:12 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 05:13 < krzee> that is a tool for managing the certs 05:17 < b52laptop> hm ok thks 06:11 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 06:13 -!- znh [n=LordFlap@unaffiliated/znh] has joined ##openvpn 06:13 < znh> Hello. 06:14 < znh> I'm trying to connect to a VPN server, but im some times connecting using real slow connections and it gives up after 60 seconds. The line is just really slow, is there some way to increase that timeout? 06:14 < znh> "TLS key negotiation failed to occur within 60" 06:39 -!- znh [n=LordFlap@unaffiliated/znh] has quit [] 06:48 -!- znh [n=LordFlap@unaffiliated/znh] has joined ##openvpn 06:48 < znh> I tried --tls-timeout, but that didnt have any effect 06:48 < znh> it still gives up after 60 seconds 06:58 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 09:05 -!- DarkAnt [n=DarkAnt@smi28-129-63-28-126.dhcp.uml.edu] has joined ##openvpn 09:06 < DarkAnt> I've a question. Does the guy running the vpn server generate certificates for the clients or do the clients generate their own certificates? 09:06 < ecrist> if it doesn't negotiate within 60 seconds, you have a connectivity problem.
09:06 < ecrist> a little of both, DarkAnt 09:07 < ecrist> technically, with SSL, the client should generate a CSR (certificate signing request) which will produce a csr and a key 09:07 < ecrist> you would send the csr to the CA root, who signs the csr and sends you back the certificate 09:08 < ecrist> in reality, however, the one running the vpn server usually does both steps and sends you the key and certificate. 09:08 < DarkAnt> ok 09:08 < DarkAnt> thanks 09:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 09:29 -!- b33r [n=b33r@unaffiliated/b33r] has joined ##openvpn 09:30 < b33r> Hello 09:36 -!- gregHome [n=gleblanc@75.108.7.23] has joined ##openvpn 09:39 < b33r> !route 09:39 < vpnHelper> b33r: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 09:45 < gregHome> Seems like everybody wants to know about routing 09:46 < b33r> can anyone tell me why am I getting this error 09:46 < b33r> Sun Dec 21 17:45:35 2008 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system 09:48 < gregHome> Maybe you don't have permission to view the current routing table? 
09:48 < gregHome> That or the default gateway is misconfigured 09:50 < b33r> gregHome, if you can help me I'll appreciate it http://pastebin.ubuntu.com/90055/ 10:03 < gregHome> Uh, oh, so there's some routing tables 10:04 < ecrist> !configs 10:04 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:05 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has quit [Read error: 104 (Connection reset by peer)] 10:10 * ecrist goes away 11:00 -!- b52laptop [n=b52lapto@41.249.27.243] has quit [Read error: 104 (Connection reset by peer)] 11:32 -!- b33r [n=b33r@unaffiliated/b33r] has quit [Read error: 104 (Connection reset by peer)] 11:44 -!- ThePeach [n=peach@81-208-83-250.fastres.net] has joined ##openvpn 11:44 < ThePeach> hi all 11:46 < ThePeach> !menu 11:46 < vpnHelper> ThePeach: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 11:47 < ThePeach> !factoids search * 11:47 < vpnHelper> ThePeach: 'howto', 'tcp', 'bridge', 'faq', 'sample', 'insanity', 'mail', 'tls-verify', 'mtu', 'ccd', 'ask', 'winroute', 'winpass', 'pastebin', 'bsdnat', 'logs', 'vpn', 'gentoo', 'privledges', 'ubuntu', 'iroute', 'lans', '1918', 'router', 'netman', 'notopenvpn', 'path', 'keys', 'ssl-admin', 'push', 'tls-cipher', 'multi', 'tls-auth', 'cidr', '/30', 'samba', 'betaman', 'download', '', 'forum', 'secure', 11:47 < vpnHelper> ThePeach: 'ifconfig', 'security', 'custom', 'push-reset', 'def1', 'tap', 'mac', 'menu', 'bridge-dhcp', 'win_noadmin', 'static', 'dynamicfirewall', 'iporder', 'pfsense', 'route', 'freebsd', 'wiki', 'policy', 'win_rollup', 'nat', 'hmac', 'winipforward', 'help', 'fragment', '2.1-winpass-script', 'activedirectory', 'net30', 'someclient2client', 'local', 'dhcp', 'chooseip', 'irclogs', 'noenc', 'iptables', 
11:47 < vpnHelper> ThePeach: 'all', 'mactuntap', 'nobind', 'pwfile', 'servercert', 'mitm', 'fbsdbridge', 'easy-rsa-unix', 'certs', 'bridge-fw', 'linipforward', 'linnat', 'man', 'webgui', 'wintaphide', 'topology', 'configs', 'linfw', 'firewall', 'nocert', 'pushlimit', 'solaris', 'ipp', 'pushdns', and 'lintrafaccnt' 11:48 < ThePeach> !tap 11:48 < vpnHelper> ThePeach: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, 11:48 < vpnHelper> ThePeach: anything where the protocol uses MAC addresses instead of IP addresses. 11:50 < ThePeach> !route 11:50 < vpnHelper> ThePeach: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 12:29 < DarkAnt> for such a small wiki page route does get called up a lot 12:30 -!- A-KO [i=as@unaffiliated/a-ko] has joined ##openvpn 12:33 < A-KO> I have a question about the default gateway....My server's TUN adapter is 10.8.0.1, and my client's tun adapter is 10.8.0.10.....the client gets pushed a default route with gw set to 10.8.0.9.....I can't find anywhere where 10.8.0.9 is configured? It works, the route works....(the server is also acting as a router) Could anyone here point me in the right direction? 12:34 < A-KO> I just would like to know more about what it's doing with that 12:39 < ThePeach> are you pushing the route to *.9 to the client or not? didn't understand 12:40 < A-KO> well in my server config all it has is "push redirect-gateway def1" 12:40 < A-KO> but I don't exaclty know how it's configuring that gateway at all 12:40 < A-KO> what's "def1"? 
12:40 < ThePeach> never heard about it 12:41 < ThePeach> I'm not that ovpn expert 12:41 < ThePeach> I think you can push the route in the config of the client, that's all 12:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:48 < ThePeach> A-KO: sorry, the options should be set in the server conf 12:50 < ThePeach> Instead I need some help for configuring the server for the client being able to explort services to the server lan 12:51 < ThePeach> if anyone can help me, it will be greatly appreciated 13:06 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 13:09 < reiffert> explort services? 13:10 < ThePeach> lol, export 13:11 < reiffert> Well, you want the openvpn server to export services to the client? 13:11 < ThePeach> the opposite 13:12 < reiffert> Well then, for example: the client runs the service ssh and now it connects to the openvpn server, what should then happen to the service? 13:13 < ThePeach> that he needs to know where to route the packets to the ssh client connecting 13:13 < krzee> export services? 13:13 < krzee> someone spent too much time with windows =[ 13:14 < ThePeach> lol how do you call that? 13:14 < reiffert> Not sure if mdns supports such things. 13:14 < krzee> unless that was a typo and you run an escort service! 13:14 < krzee> ThePeach, i dont understand the example 13:15 < krzee> you just want to run some apps listening on openvpn port, right? 13:15 < reiffert> ThePeach: however, in you client connect/disconnect script on the server side, do whatever it takes to have your firewall forward packets to the right place. 13:15 < krzee> err 13:15 < krzee> on vpn i i mean 13:15 < krzee> ip 13:15 < ThePeach> well, right now packets arrives to the client port, but they don't come back 13:16 < reiffert> krzee: he wants to add dynamic port forwarding rules to his firewall. 13:16 < ThePeach> no wait 13:16 < reiffert> but you talk like that, so either improve or ... 
13:16 < ThePeach> sure I will 13:17 < krzee> im a little slow to get the goal here 13:17 < ThePeach> currently I have the following situation: client connecting to ovpn server, client with ssh (just as example) server 13:17 < krzee> ok 13:17 < ThePeach> currently I can reach the ssh server from the lan 13:17 < ThePeach> but since I'm port forwarding the service to the router of the ovpn server... 13:18 < ThePeach> if I try to connect from the outside I can see packets going to the ovpn client, but not coming back 13:18 < krzee> port forwarding the service to the router of the openvpn server... 13:18 < krzee> thats the part you lose me at, what exactly is it you are doing there... 13:18 < reiffert> krzee: you seem to type what I think. 13:18 < krzee> lol reiffert 13:19 < ThePeach> :D 13:19 < ThePeach> I'm just port forwarding the client to the router of the lan of the ovpn server 13:19 < ThePeach> is that comprehensible? 13:19 < krzee> gimme the command you do that with 13:19 < reiffert> no. 13:19 < ThePeach> lol 13:19 < krzee> no, its not 13:19 < reiffert> yeah. how do you do that? 13:19 < reiffert> how _exactly_ 13:20 < ThePeach> the router is the router/modem in the server LAN 13:20 < ThePeach> right? 13:20 < krzee> k 13:20 < krzee> and port 22 on that modem is forwarded to LAN ip 22 13:20 < krzee> thats what you're saying? 13:21 < reiffert> "the router is the router". 13:21 < krzee> that doesnt matter AT ALL because everything going to client over vpn is tunneled 13:21 < ThePeach> well, actually, if I remember correctly, I'm ip aliasing the ovpn client to a public ip of the router 13:21 < ThePeach> that should be more correct 13:21 < krzee> NAT 13:21 < ThePeach> yep 13:21 < reiffert> I'm off at that place. .oO If I remember correctly != how exactly. 13:21 < krzee> you saying your openvpn server is running NAT? 13:21 < reiffert> have fun guessing. 
13:22 < krzee> no kidding reiffert 13:22 < krzee> ThePeach, what is your goal 13:22 < ThePeach> no the router is doing nat 13:22 < reiffert> pointless blah blah blah 13:22 < krzee> the fact your client is behind a NAT does not matter at all 13:23 < ThePeach> currently I can see the ack to the ssh server of the client passing through the ovpn server, but nothing's coming back 13:23 < krzee> not even a tiny bit 13:23 < krzee> ThePeach, you trying to reach the inet ip or the vpn ip for ssh? 13:23 < krzee> or the LAN ip 13:24 < ThePeach> the lan ip, the client ip 13:24 < krzee> umm 13:24 < krzee> those are 2 diff things 13:24 < krzee> the client's lan ip, or the clients vpn ip? 13:24 < ThePeach> the packets are being correctly sent to the client 13:24 < ThePeach> but the client seems to have problems replying 13:24 < krzee> then you broke routing 13:25 < krzee> !configs 13:25 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:25 < ThePeach> ccd? 13:25 < krzee> !ccd 13:25 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name 13:29 < ThePeach> here's server: ovpn 2.0.7 on gentoo kernel 2.6.23 - http://dpaste.com/101321/ 13:30 < ThePeach> whoops sorry forgot to strip the comments off 13:33 < ThePeach> here's client config: http://dpaste.com/101322/ 13:34 < krzee> wheres the server config without comments... 13:34 < ThePeach> I'll repaste 13:34 < krzee> why are you using tap? 
13:34 * krzee points to the topic 13:35 < ThePeach> I've already a tun server, but I thought that routing could be messy 13:35 < ThePeach> to do what I'm doing I mean 13:36 < krzee> what, sharing the lan behind the client/server? 13:36 < ThePeach> that's natting an ip out of the lan on that damn router 13:37 < ThePeach> and more than that I'd like not to modify it 13:37 < krzee> i sill dont get what you are trying to say 13:37 < krzee> lol 13:38 < krzee> you want the client to redirect all traffic through the vpn? 13:38 < reiffert> that conversation reminds me that of a forum.. blah blah blah 13:39 < krzee> or you just saying that the client is behind a nat before connecting to the vpn? 13:39 < reiffert> you still dont know what he's got nor what he wants. 13:39 < krzee> totally 13:39 < krzee> and hes got about 5 min for me to figure that out 13:40 < krzee> cause im showered (showered after asking for configs, still dont have server config) 13:40 < krzee> and im almost dressed 13:40 < krzee> when i finish that, i leave 13:40 < ThePeach> here's server config . http://dpaste.com/101325/ , btw was linked above 13:40 < krzee> was linked above with comments 13:41 < ThePeach> sorry krzee for being unable to express myself correctly 13:41 < ThePeach> oh again 13:41 < ThePeach> sorry 13:41 < krzee> push route to same lan as the ips you're handing out? 13:41 < krzee> im 99% sure you dont even want a bridge 13:41 < krzee> but i still dont fully understand the goal... 
13:42 < ThePeach> http://dpaste.com/101327/ 13:42 -!- teratoma [n=teratoma@i.dont.get.mad.i.get.stabby.net] has quit ["leaving"] 13:42 < ThePeach> here it is 13:42 < krzee> server-bridge 192.168.1.30 255.255.255.0 192.168.1.70 192.168.1.80 13:42 < ThePeach> I'm neither sure about this 13:42 < ThePeach> :P 13:42 < krzee> push "route 192.168.1.0 255.255.255.0" 13:42 < krzee> thats lulz 13:43 < ThePeach> that was my first time on ovpn try to understand 13:43 < ThePeach> you just mean that that push command is futile? 13:44 < krzee> yup, pointless 13:44 < ThePeach> allright 13:44 < ThePeach> wiping that out 13:44 < krzee> when you bridge you arent even routing by IP 13:44 < ThePeach> all right 13:44 < krzee> you are on the same LAN at that point, and use ARP to find people on your subnet 13:44 < krzee> (mac addresses, not IPs) 13:44 < krzee> and... 13:44 * krzee points to the topic again 13:45 < ThePeach> right... 13:45 < ThePeach> got it 13:45 < krzee> why are you bridging? 13:45 < ThePeach> so the client will never be able to find a mac address that's outside the LAN 13:45 < reiffert> I always ask myself how such people successfully manage to set up a bridge correctly for themselfes. 13:45 < ThePeach> I thought it was easy to "export" a ovpn client outside the LAN of the ovpn server 13:45 < krzee> reiffert, google has walkthroughs, which i hate cause most people that use them shouldnt even be bridging 13:46 < krzee> ThePeach, what is your first language? 13:46 < ThePeach> ita 13:46 < ThePeach> italian sry 13:46 < krzee> ahh, i guess we must stick to english 13:46 < krzee> ya 13:46 < krzee> i dont speak enough of that 13:46 < krzee> my grandpa does, but he doesnt know openvpn, lol 13:47 < ThePeach> lol 13:47 < reiffert> krzee: it's very close to spanish. 13:47 < ThePeach> where're ya from? 13:47 < krzee> california orig 13:47 < krzee> family is from napoli 13:47 < ThePeach> wow 13:47 < krzee> reiffert, tru 13:48 < krzee> reiffert, but if he said german for example... 
;] 13:48 < reiffert> than I'd leave immediately :p 13:48 < ThePeach> I speak only a little German, and I'm very sloppy at it ;) 13:48 < krzee> LOL 13:48 < krzee> anyways, im out of here 13:48 < reiffert> have fun 13:48 < krzee> you prolly want to lose the bridge 13:48 < krzee> and prolly want to use routed, and read this 13:49 < krzee> !route 13:49 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:49 < ThePeach> already reading :) 13:49 < krzee> i just guessing here, but thats all i can do 13:49 < krzee> chow 13:49 < ThePeach> thanks a lot, I'll read more and come back... 13:49 < ThePeach> cya ;) 15:02 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 15:02 < diazepam> !menu 15:02 < vpnHelper> diazepam: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 15:03 < diazepam> #1 15:03 < diazepam> !factoids search office to office 15:03 < vpnHelper> diazepam: No keys matched that query. 15:12 -!- thei0s [n=G0D@BSN-61-44-104.dial-up.dsl.siol.net] has joined ##openvpn 15:17 < thei0s> hi, is it possible to use an openvpn server that runs only in user mode and interconnects all clients? in such a way that the server isn't part of the virtual network, it's just a daemon that doesn't use its system's tun/tap devices 15:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:29 < diazepam> theiOs - im no expert but i would say no.
15:32 < thei0s> :( then this is a missing feature and imho it should not be stated everywhere that it is a user mode daemon, because you need kernel support for tun/tap for it to work in server mode (although there is no reason why the server should be inside the virtual network too -- he should just accept connections from clients and route them correctly) 15:42 < krzie> its a shortcoming of SSL, not openvpn (if you need to call it a shortcoming) 15:43 < krzie> oh wait i see what you're saying 15:43 < krzie> no its not possible like that 15:43 < reiffert> ^w/topic 15:44 < krzie> thei0s, ild figure the firewall on the server could make that happen 15:44 < krzie> could forward packets without accepting them to itself 15:45 < thei0s> am, but then there is no vpn... just some complex rules in the firewall for forwarding packets 15:46 < krzie> if there is no vpn, you're in the wrong channel 15:46 < thei0s> I understood your idea like that... 15:47 < thei0s> so, I would like to have multiple clients interconnected in a virtual network that is being hosted on a server (that is not part of this network) 15:47 < krzie> you setup the vpn like normal, then you make firewall rules to not accept the packets but to allow forwarding them to other clients 15:48 < thei0s> so I will still need to use tun/tap devices on the server 15:48 < krzie> of course 15:48 < krzie> you will not get openvpn up without a tun or tap device 15:48 < krzie> ever 15:48 < krzie> but you can still not let clients use anything on the server 15:48 < krzie> if you so choose 15:49 < thei0s> hm, do you know if any other vpn software enables such usage? 15:49 < krzie> no 15:49 < krzie> hamachi allows clients to communicate directly 15:50 < krzie> but EVERY vpn the server is part of the network 15:53 < krzie> ipsec also allows client to client without going through server 15:53 < krzie> but again, the server is always part of the network 15:54 < thei0s> yes... the problem I want to solve with vpn is nat traversal, so direct client-to-client is not possible 15:54 < thei0s> it then seems my openvpn in a jail solution is going to be ugly 15:55 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit [Remote closed the connection] 15:55 < thei0s> (part outside, part inside or sth.. don't know yet) 15:58 < krzie> you cant give the jail a tun device? 15:59 < thei0s> hm, giving a jail an unassigned/unconfigured tun device? 16:05 < krzie> thei0s openvpn --mktun makes it a static device 16:06 < krzie> instead of the normal behavior of making/destroying based on when its used 16:06 < krzie> that may help 16:07 < thei0s> probably, but I figured out some hours ago, that on this damn freebsd you can't use mknod in arbitrary directories, you must mount a devfs there and use devfs utility to set the ruleset you want 16:08 < thei0s> (had problems compiling openvpn in a chroot inside a jail (this is the actual layout I want to achieve :) ), because /dev/random didn't work 16:08 < A-KO> Quick question here with OpenVPN. I am looking for more info on how it handled my default gateway. Most of my configuration is exactly like the howto, and everything works. But it was pushing the default gw of "10.8.0.9" to my client, and I can't find where 10.8.0.9 is configured anywhere. The IP of the TUN interface on the openvpn server was 10.8.0.1, and on my client it's 10.8.0.10. And I haven't configured .9 in any config file.
Does anyone have any insig 16:10 < krzie> !/30 16:10 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 16:11 < krzie> .9 is a virtual ip, as described in the link above 16:11 < krzie> it was made that way as a work-around for windows lameness 16:11 < krzie> they found a new way to do it tho, as described in !topology 16:12 < A-KO> ahh ok krzie 16:12 < A-KO> thanks for that 16:12 < krzie> np =] 16:12 < A-KO> I was wondering about that like wtf? lol 16:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 17:15 < thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhidden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas 17:18 -!- thei0s [n=G0D@BSN-61-44-104.dial-up.dsl.siol.net] has quit ["Leaving."] 17:21 -!- tjz [n=tjz@bb121-7-26-72.singnet.com.sg] has joined ##openvpn 17:32 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 17:39 -!- znh [n=LordFlap@unaffiliated/znh] has quit [] 17:42 -!- A-KO [i=as@unaffiliated/a-ko] has left ##openvpn [] 18:12 -!- tjz [n=tjz@bb121-7-26-72.singnet.com.sg] has quit ["GG. X_X"] 18:16 -!- tjz [n=tjz@bb121-7-26-72.singnet.com.sg] has joined ##openvpn 18:16 < tjz> jefffffffffffffffffff~ 18:16 < tjz> i solve my openvz problem!!!!!!!!!!!!!!! 18:16 * tjz slaps krzee around a bit with a large trout 18:16 * tjz slaps krzie around a bit with a large trout 18:18 * DarkAnt complains to the fish and wildlife services about tjz's trout abuse 18:19 < tjz> lol 18:19 < tjz> the problem had been haunting me for over 1 month! 18:19 < tjz> X_X 18:20 < tjz> i have finally solved it!! 
18:20 < DarkAnt> haha, congrats i suppose 18:20 < tjz> yesssssssssssssssssssssssssss 18:20 < tjz> 1 month!!!!!!!!! 18:20 < tjz> XX_XX 18:20 < tjz> and.... 18:20 < tjz> it is a small change that fixes it... 18:20 < DarkAnt> great, now you can measure your life in terms of bytes 18:20 < tjz> lol 18:21 < DarkAnt> how many bytes is one month worth? 18:21 < DarkAnt> :P 18:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 18:21 < tjz> it is killing me 18:21 < tjz> x_x 18:24 < tjz> it is a christmas GIFT for me!!! 18:24 < tjz> really!! 18:24 < DarkAnt> haha 18:24 < DarkAnt> a well earned one at that 18:26 < tjz> ^^ 18:26 -!- ThePeach [n=peach@81-208-83-250.fastres.net] has quit ["nite"] 18:47 -!- DarkAnt [n=DarkAnt@smi28-129-63-28-126.dhcp.uml.edu] has quit ["Trillian (http://www.ceruleanstudios.com"] 18:54 < krzie> tjz what was it!? 18:55 < krzie> ild like to tell the bot, and answer my own message to the mail list 19:24 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"] 19:38 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 20:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 20:03 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 20:11 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 20:20 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 20:23 < tjz> jeff~~!!!!!!!!!!!!!! 20:24 < tjz> i used the wrong network interface. it should be venet0 20:24 < tjz> but i issue vnet0 for iptable ... 20:24 < tjz> x_x 20:36 < lolipop> lalalala, krzee? 
20:37 < tjz> lol 20:38 < tjz> i wana pop a champagne 20:38 < tjz> :) 20:42 < krzie> lol, i guess thats not something i can put in the bot 20:45 < tjz> lol 20:45 < tjz> :P 20:46 < tjz> human error 20:46 < tjz> :P 20:48 < krzie> hehe 20:48 < krzie> too bad i never asked for an ifconfig 20:52 < tjz> ya 20:52 < tjz> i went to do a ifconfig 20:52 < tjz> and realise something is fishy 20:52 < tjz> :P 20:55 < tjz> i nearly give up openvz for xen 20:55 < ecrist> evening, folks 20:55 < tjz> hey ecrist 20:55 < tjz> :) 20:56 < ecrist> <- Jagermeister + Red Bull FTW 20:56 < ecrist> howdy tjz 20:57 < tjz> lol 21:02 < ecrist> krzie: did you see the hostname for my WAP at home? 21:03 < ecrist> \/exec -o host 173.8.118.221 21:03 < ecrist> hrm 21:03 < ecrist> 221.118.8.173.in-addr.arpa domain name pointer ms.choksondik.secure-computing.net. 21:03 < lolipop> krzie..... 21:04 < ecrist> how goes lolipop? 21:04 < lolipop> excellent ~ 21:05 < ecrist> you looking for help on something? 21:06 < ecrist> maybe I can help 21:06 < lolipop> i just want to let krzie know how i solved my problem 21:07 < lolipop> :P 21:08 < ecrist> FINE!!!1!1 I didn't wanna help you anyway. 21:08 < lolipop> lol 21:08 < lolipop> sorry ecrist 21:08 < lolipop> maybe u can help me on another question 21:09 < lolipop> ecrist: is this the config to join the domain? push "dhcp-option DOMAIN <DNS_name_1>" 21:09 < ecrist> no idea. I try as hard as possible to *not* be a windows admin 21:11 < lolipop> ecrist: another question, let's say from my vpn server side, i can ping hostname like machineA , so is that possible to make my vpn client side be able to ping machineA and resolve to the same ip 21:11 < ecrist> sure 21:11 < ecrist> that's going to involve proper routing and DNS setup 21:12 < lolipop> yeah, the dns setup 21:12 < lolipop> so is there any guide for me to refer? 21:13 < ecrist> not really, specific to your question. we can try to help you a bit, but we try to keep it on topic here as much as possible. 
21:13 < ecrist> first, get a vpn setup and routing, DNS is easy. 21:14 < lolipop> my vpn server and client connected successfully 21:15 < lolipop> and from vpn client, i can access all the lan machine on vpn server side 21:15 < ecrist> ok, what do you need to have access to through the VPN? that would be the next step 21:15 < ecrist> ok 21:15 < ecrist> if you've got pingability through vpn to all the hosts, just setup DNS 21:15 < lolipop> by using IP 21:15 < ecrist> right 21:15 < lolipop> how to setup the dns 21:16 < ecrist> so, using a push statement, push the lan DNS server to your clients. 21:16 < lolipop> example of the push statement? 21:16 < ecrist> http://openvpn.net/howto.html#dhcp 21:16 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 21:17 < ecrist> they give the specific example there. 21:17 < lolipop> thank you so much 21:17 < ecrist> np 21:22 * ropetin hates the Intarweb 21:23 < ropetin> Well actually all things computer, but mostly the internet 21:23 < ropetin> It's been a tough day 21:26 < ecrist> sorry ropetin 21:27 < ropetin> Hehhe, not your fault 21:27 < ropetin> Unless you're the one who hacked one of my servers 21:27 < ropetin> :P 21:28 < ecrist> perhaps... 21:28 < ecrist> muahahaha 21:28 < ecrist> funny story on that, though. 21:28 < ropetin> In which case, it is my sworn duty to take you out, Ninja style 21:28 < ecrist> some dude hacked (read: exploited) an old phpBB site I had about a year ago. 21:28 < ropetin> Prepare to be disemboweled 21:29 < bsdbandit> what happend ropetin 21:29 < bsdbandit> ? 21:29 < ecrist> took me three hours to track the fucker down - I had his boss' phone number and email when I was done with him - he had no job. He was from Sri Lanka. 
21:30 < bsdbandit> wow thats wild 21:30 < krzee> haha sweet 21:30 < ropetin> I haven't quite figured it out bsdbandit, I've found some evidence of exploit, so I'm nervous as to the exact extent 21:30 < ecrist> see, he put a php-based irc bot on my server, which had the connection information to the irc net, and some code so his nick could control it. 21:30 < ropetin> ecrist: :) Well done 21:31 < ecrist> problem was, it was a nick he used all the time, and he had his real name in the /whois info. 21:31 < ecrist> stupid fucker. 21:31 < krzee> bahahah 21:31 < krzee> thats hilarious 21:37 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 21:54 * ecrist is so bored, he just made facebook accounts for his pets. 21:54 < krzee> haha 21:55 < krzee> time for me to go help some dude with his laptop 21:55 < krzee> ill bbiab 21:55 < ecrist> l8r 22:19 < tjz> hmm 22:19 < tjz> i never trust outsource especially from indian 22:19 < tjz> they say he can do it 22:19 < tjz> but it is taking him forever to finish it 22:20 < tjz> * ecrist is so bored, he just made facebook accounts for his pets.<---- LOL 22:21 -!- mathuin [n=chatzill@c-24-6-107-176.hsd1.ca.comcast.net] has joined ##openvpn 22:29 -!- mathuin [n=chatzill@c-24-6-107-176.hsd1.ca.comcast.net] has left ##openvpn [] 22:57 -!- tjz [n=tjz@bb121-7-26-72.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 23:48 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] --- Day changed Mon Dec 22 2008 00:15 -!- tjz [n=tjz@bb116-15-92-104.singnet.com.sg] has joined ##openvpn 00:33 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 00:54 -!- tjz [n=tjz@bb116-15-92-104.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 01:25 < krzee> !seen vagina 01:25 < vpnHelper> krzee: I have not seen vagina. 
01:25 < krzee> aww poor bot =[ 01:31 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 01:46 -!- stickman14 [n=jules@S01060016b620f1d7.vc.shawcable.net] has joined ##openvpn 01:53 -!- stickman14 [n=jules@S01060016b620f1d7.vc.shawcable.net] has quit ["Leaving"] 02:36 -!- gregHome [n=gleblanc@75.108.7.23] has quit [Read error: 113 (No route to host)] 02:40 < lolipop> if 172.16.4.1 is my dns server, then is this the correct push on vpn server? push "dhcp-option DNS 172.16.4.1" 03:07 < krzee> yes 03:07 < krzee> but 03:07 < krzee> !pushdns 03:07 < vpnHelper> krzee: "pushdns" is http://sourceforge.net/mailarchive/forum.php?thread_name=494B5FFC.6080502%40nikhef.nl&forum_name=openvpn-users see that mail archive for some info on pushing dns 03:08 < krzee> aww weak 03:08 < krzee> lemme find the post better for the bot 03:15 < krzee> !forget pushdns 03:15 < vpnHelper> krzee: Joo got it. 03:15 -!- tjz [n=tjz@bb116-15-92-104.singnet.com.sg] has joined ##openvpn 03:15 < krzee> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 03:15 < vpnHelper> krzee: Joo got it. 03:16 < krzee> !learn pushdns as push "dhcp-option DNS a.b.c.d" to push dns to the client 03:16 < vpnHelper> krzee: Joo got it. 03:16 < krzee> !forget pushdns 1 03:16 < vpnHelper> krzee: Joo got it. 03:16 < krzee> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 03:16 < vpnHelper> krzee: Joo got it. 03:16 < krzee> !pushdns 03:16 < vpnHelper> krzee: "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 03:16 < krzee> grr 03:16 < lolipop> lol 03:16 < krzee> !learn pushdns as push \"dhcp-option DNS a.b.c.d\" to push dns to the client 03:16 < vpnHelper> krzee: Joo got it. 
03:16 < krzee> !pushdns 03:16 < vpnHelper> krzee: "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) push \"dhcp-option DNS a.b.c.d\" to push dns to the client 03:17 < krzee> bleh 03:17 < krzee> !forget pushdns 03:17 < vpnHelper> krzee: Error: 3 factoids have that key. Please specify which one to remove, or use * to designate all of them. 03:17 < krzee> !forget pushdns * 03:17 < vpnHelper> krzee: Joo got it. 03:18 < krzee> !learn pushdns as push "dhcp-option DNS a.b.c.d" to push dns to the client 03:18 < vpnHelper> krzee: Joo got it. 03:18 < krzee> !learn pushdns as push \"dhcp-option DNS a.b.c.d\" to push dns to the client 03:18 < vpnHelper> krzee: Joo got it. 03:18 < krzee> !pushdns 03:18 < vpnHelper> krzee: "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) push \"dhcp-option DNS a.b.c.d\" to push dns to the client 03:19 < lolipop> then can i push dns from client to the server? 03:20 < krzee> from client to server? 03:20 < krzee> you cant push ANYTHING from client to server 03:21 < krzee> !forget pushdns * 03:21 < vpnHelper> krzee: Joo got it. 03:21 < lolipop> oh 03:27 < krzee> !random 03:27 < vpnHelper> krzee: "nat": dont forget to turn on ip forwarding; "winpass": openvpnGUI for windows has a change password feature that will change the passphrase on your .key files; "bridge": http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 03:27 < krzee> heh 03:27 < krzee> cool for boredom 03:28 < lolipop> !random 03:28 < vpnHelper> lolipop: "ipp": Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. 
If you want guaranteed assignment, see !static; "iroute": does not bypass or alter the kernel's routing table, it allows openvpn to know it should 03:28 < vpnHelper> lolipop: handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd; "vpn": http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 03:28 < krzee> whaaaat 03:28 < krzee> !ipp 03:28 < vpnHelper> krzee: "ipp" is Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static 03:28 < krzee> weird 03:29 < krzee> it gave you 2 03:29 < lolipop> lol 03:29 < lolipop> yeah 03:29 < krzee> oh it gave me 2 as well 03:29 < lolipop> where ? 03:29 < krzee> !bridge 03:29 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 03:29 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 03:29 < krzee> it gave me #1 from bridge 03:29 < krzee> i guess theres a bug in !random 03:29 < lolipop> !seen lolipop 03:29 < vpnHelper> lolipop: lolipop was last seen in ##openvpn 24 seconds ago: <lolipop> where ? 03:29 < lolipop> lol 03:30 < krzee> !seen vpnHelper 03:30 < vpnHelper> krzee: I have not seen vpnHelper. 
03:30 < krzee> i guess he doesnt have a mirror 03:30 < lolipop> haha 03:30 < krzee> [03:27] <krzee> !seen vagina 03:30 < krzee> [03:27] <vpnHelper> krzee: I have not seen vagina. 03:30 < krzee> [03:27] <krzee> aww poor bot =[ 03:30 < lolipop> !seen britney spears 03:30 < vpnHelper> lolipop: (seen [<channel>] <nick>) -- Returns the last time <nick> was seen and what <nick> was last seen saying. <channel> is only necessary if the message isn't sent on the channel itself. 03:31 < lolipop> !seen britney 03:31 < vpnHelper> lolipop: I have not seen britney. 03:31 < lolipop> aw.. 03:31 < krzee> !learn pushdns as push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client 03:31 < vpnHelper> krzee: Joo got it. 03:31 < krzee> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 03:31 < vpnHelper> krzee: Joo got it. 03:31 < krzee> that will have to do for now 03:31 < krzee> !push 03:31 < lolipop> !pushdns 03:31 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 03:31 < vpnHelper> lolipop: "pushdns" is (#1) push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 03:32 < lolipop> !ping 03:32 < vpnHelper> pong 03:32 < lolipop> hehe 03:32 < krzee> lol 03:32 < krzee> howd you know to try that? 03:33 < lolipop> i guess 03:33 < lolipop> haha 03:34 < krzee> i didnt even know that existed 03:34 < krzee> lol 03:34 < lolipop> haha 03:34 < lolipop> !whois lolipop 03:34 < vpnHelper> lolipop: Error: "whois" is not a valid command. 03:35 < lolipop> :( 03:35 < krzee> !whoami 03:35 < vpnHelper> krzee: krzee 03:35 < lolipop> !find lolipop 03:35 < vpnHelper> lolipop: Error: "find" is not a valid command. 
03:35 < krzee> !whois krzee 03:35 < vpnHelper> krzee: Error: "whois" is not a valid command. 03:35 < krzee> o right 03:36 < lolipop> !exit 03:36 < vpnHelper> lolipop: Error: "exit" is not a valid command. 03:36 < lolipop> haha 03:37 < lolipop> !vpn 03:37 < vpnHelper> lolipop: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 03:37 < lolipop> !dance 03:37 < vpnHelper> lolipop: Error: "dance" is not a valid command. 03:38 < lolipop> o...u should learn dancing 03:38 < krzee> !learn mail as http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive 03:38 < vpnHelper> krzee: Joo got it. 03:39 < lolipop> !learn help as Please ask your question 03:39 < vpnHelper> lolipop: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 03:39 < lolipop> hehe 03:40 < krzee> !learn fbsdjail as [19:17] <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas 03:40 < vpnHelper> krzee: Error: "19:17" is not a valid command. 03:40 < krzee> grr 03:40 < krzee> !learn fbsdjail as <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas 03:40 < vpnHelper> krzee: Joo got it. 
03:40 < krzee> !fbsdjail 03:40 < vpnHelper> krzee: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas 03:40 < krzee> lolipop, 03:40 < krzee> !ask 03:40 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/ 03:42 < krzee> thats basically !help 03:42 < lolipop> oh 03:42 < krzee> hey try menu, see if you get it 03:42 < lolipop> !drink beer 03:42 < vpnHelper> lolipop: Error: "drink" is not a valid command. 03:42 < lolipop> !menu 03:42 < vpnHelper> lolipop: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 03:42 < lolipop> :( 03:42 < krzee> damn, nobody gets it 03:42 < krzee> im trying to tell people to type !factoids search * 03:43 < krzee> people type !menu, but nobody then types !factoids search * 03:43 < lolipop> !factoids search * 03:43 < vpnHelper> lolipop: More than 100 keys matched that query; please narrow your query. 03:43 < krzee> WHAT!? 03:43 < lolipop> lol 03:43 < krzee> 100 keys!? 03:43 < lolipop> !factoids search sex 03:43 < vpnHelper> lolipop: No keys matched that query. 03:44 < lolipop> haha 03:44 < krzee> !factoids search * 03:44 < vpnHelper> krzee: More than 100 keys matched that query; please narrow your query. 03:44 < krzee> wtf 03:44 < lolipop> !give me your money 03:44 < vpnHelper> lolipop: Error: "give" is not a valid command. 03:44 < lolipop> lolz 03:47 < tjz> <lolipop> !factoids search sex <-- 03:47 < tjz> X_X 03:47 < lolipop> haha 03:47 < krzee> he needs help with having sex with his vpn 03:47 < krzee> safe sex for the win! 
03:47 < lolipop> yeah 03:47 < tjz> lol 03:48 < lolipop> vpnHelper has been online since 11/23/2008 03:20:19 AM. 03:48 < vpnHelper> lolipop: Error: "has" is not a valid command. 03:48 < lolipop> almost 1 month 03:49 < lolipop> vpnHelper ping krzie 03:49 < vpnHelper> pong 03:49 < krzee> [root@joogot /home/vpn/vpnhelper]# uptime 03:49 < krzee> 1:51AM up 97 days, 56 mins, 3 users, load averages: 0.00, 0.00, 0.00 03:49 < krzee> i had to take the bot down to take away learn privs for public 03:49 < krzee> cause people were adding stupid stuff, and repeating stuff by accident 03:50 < lolipop> haha 03:50 < lolipop> became stupid bot 03:52 < lolipop> krzee, i din add any routing rules on my m0n0wall, i run this on my openvpn server and it solved my problem, "sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" 03:53 < krzee> ya i told you that was the ugly way 03:53 < krzee> i did mention there was 2 ways 03:53 < krzee> NATing the traffic, and making correct routes 03:53 < lolipop> hehe 03:53 < krzee> correct routes being the more correct way 03:54 < krzee> but hey, you're happy and thats all that matters in your setup 03:54 < lolipop> !time 03:54 < vpnHelper> lolipop: Error: "time" is not a valid command. 03:54 < krzee> !date 03:54 < vpnHelper> krzee: Error: "date" is not a valid command. 03:54 < krzee> *shrug* 03:54 < lolipop> yeah, thanks a lot 03:54 < lolipop> !today 03:55 < vpnHelper> lolipop: Error: "today" is not a valid command. 03:55 < lolipop> !now 03:55 < vpnHelper> lolipop: Error: "now" is not a valid command. 03:55 < lolipop> !valid 03:55 < vpnHelper> lolipop: Error: "valid" is not a valid command. 03:56 < krzee> !krzee 03:56 < vpnHelper> krzee: Error: "krzee" is not a valid command. 03:56 < lolipop> !whisky 03:56 < vpnHelper> lolipop: Error: "whisky" is not a valid command. 03:57 < lolipop> !why_it 03:57 < vpnHelper> lolipop: Error: "why_it" is not a valid command. 
03:57 < lolipop> wow, vpnHelper is asking a question 04:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:09 < tjz> LOL 04:37 < tjz> . 04:38 < tjz> . 04:38 < tjz> . 04:39 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 04:51 < tjz> anyone around 04:56 < tjz> ah 04:56 < tjz> i never enable my ccd directory 04:56 < tjz> solved the problem again 04:56 < tjz> merry xmas!! 05:01 < reiffert> welcome, same for you! 05:05 < tjz> x_x 05:43 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn 05:44 < mRCUTEO> hiya 05:45 < tjz> hey 05:45 < tjz> ^^ 05:45 < mRCUTEO> :) whats up tjz 05:47 < mRCUTEO> openvpn works great in openvz/xen/vbox/vserver :D yipee 05:54 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [] 05:54 < tjz> how are you doing ? 06:04 < tjz> hmmm 06:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 07:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:27 < ecrist> good morning 07:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 07:54 -!- freysteinn [n=freystei@ailab-gw.ru.is] has quit ["Leaving"] 08:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:20 -!- tjz [n=tjz@bb116-15-92-104.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 08:27 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn 08:28 -!- mRCUTEO [n=info@96.9.131.182] has quit [Client Quit] 08:31 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn 08:32 -!- mRCUTEO [n=info@96.9.131.182] has quit [Client Quit] 08:33 -!- tjz [n=tjz@bb116-15-92-104.singnet.com.sg] has joined ##openvpn 08:55 < plaerzen> morning irc 08:55 < ecrist> morning, plaerzen 08:55 < ecrist> it's really friggin cold here. 08:56 < ecrist> -15*F 08:56 < cpm> nice 08:56 < cpm> where's here? 08:56 < ecrist> Minneapolis, MN 08:56 < cpm> Ah, yes. 
But ya'll r supposed to be used to that 08:56 < ecrist> sure, but it's still cold 08:56 < cpm> Coldest I've ever seen was in mpls mn 08:56 < cpm> -28 08:57 < cpm> was out on the back porch, blowing soap bubbles, watching them shatter on the floor 08:57 < ecrist> oh, no, Bemidji, MN a couple years ago, I was up there. -36, with a windchill dropping it to -50 08:57 < cpm> bah, windchill, 09:02 < plaerzen> it's been -30 here for the past 10 days 09:03 < plaerzen> sucks 09:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:11 < tjz> is it possible to limit to 1 connection per openvpn? 10:27 -!- gleblanc [n=chatzill@216.30.212.117] has joined ##openvpn 10:30 < gleblanc> !route 10:30 < vpnHelper> gleblanc: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 10:58 -!- tjz [n=tjz@bb116-15-92-104.singnet.com.sg] has quit ["GG. X_X"] 11:51 -!- mode/##openvpn [+o ecrist] by ChanServ 11:51 -!- mode/##openvpn [-b *!*@unaffiliated/jeev] by ecrist 11:51 -!- mode/##openvpn [-o ecrist] by ecrist 11:58 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 12:05 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 60 (Operation timed out)] 12:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:45 -!- stickman14 [n=jules@mail.layer7tech.com] has joined ##openvpn 13:50 -!- stickman14 [n=jules@mail.layer7tech.com] has left ##openvpn ["Leaving"] 13:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 13:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:46 -!- olarva [n=olarva@189.0.31.236] has joined ##openvpn 14:46 -!- gleblanc [n=chatzill@216.30.212.117] has quit [Read error: 104 (Connection reset by peer)] 14:47 < olarva> !menu 14:47 < vpnHelper> olarva: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, 
or replace it with a word to search for 14:48 < olarva> !route 14:48 < vpnHelper> olarva: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 14:53 < olarva> shaper + redirect-gateway def1 work fine? I have trouble in this conf, if set shaper in both side, the max transfer no more than 2,4kbps... 14:54 < ecrist> I haven't tried that. 15:20 -!- gregHome [n=gleblanc@75.108.7.23] has joined ##openvpn 15:22 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 15:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:28 -!- agampher [n=mail@66.49.105.179.nw.nuvox.net] has joined ##openvpn 15:32 < agampher> Hello. I am trying to make the openvpn-auth-pam script by running the make command in the plugin/auth-pam directory within the source distribution. I am getting many different errors, the start of which is: pamdl.h:2:31: error: security/pam_appl.h: No such file or directory. Any ideas? 15:33 < agampher> This is on a fresh installation of Ubuntu Server 8.10, with make and gcc installed. 15:55 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit [Remote closed the connection] 16:20 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 16:21 < krzie> do you have security/pam_appl.h on your system? for me (freebsd) its in /usr/include/security/pam_appl.h 16:21 < krzie> aka, not part of openvpn... 16:24 < agampher> krzie: i looked around and couldn't find one 16:24 < agampher> *couldn't find that directory 16:24 < krzie> you sure you even have PAM on that box? 16:24 < krzie> what os? 16:24 < agampher> Ubuntu Server 8.10 16:25 < agampher> I'm a noob, so probably not 16:25 < krzie> CAVEATS 16:25 < krzie> This module will only work on *nix systems which support PAM, 16:25 < krzie> not Windows. 16:25 < agampher> clients? 
16:25 < krzie> from README.openvpn-auth-pam 16:26 < krzie> the server would need to support pam 16:26 < krzie> possibly client too, dunno 16:26 < agampher> right, it's Ubuntu Server, so I assume I could install it 16:26 < agampher> checking the packages in Ubuntu 16:26 < krzie> whats the client? 16:27 < agampher> well, for now I'm just playing around, but openVPN GUI for Windows works well 16:27 < agampher> I'm using the auth-pam.so now, and it works great 16:27 < agampher> thought I would move up to the better script 16:28 < krzie> ahh 16:28 < krzie> if it works now why is the other script better? 16:28 < krzie> (it might be and i just dont know, i dont use pam with ovpn) 16:29 < agampher> so I can restrict users, right now any user on the system can connect 16:29 < krzie> use certs 16:29 < krzie> in addition 16:29 < agampher> I do 16:29 < agampher> again, it works fine 16:29 < agampher> Just playing around 16:30 < krzie> ahh gotchya 16:30 < krzie> i take it you built the script yourself right? 16:30 < krzie> err the module 16:30 < krzie> BUILD 16:30 < krzie> To build openvpn-auth-pam, you will need to have the pam-devel 16:30 < krzie> package installed. 16:30 < krzie> Build with the "make" command. The module will be named 16:30 < krzie> openvpn-auth-pam.so 16:30 < agampher> no, that comes in the openvpn source 16:30 < agampher> distribution 16:31 < krzie> did you read the README for it? 16:31 < krzie> While PAM supports 16:31 < krzie> username/password authentication, this can be combined with X509 16:31 < krzie> certificates to provide two indepedent levels of authentication. 16:32 < agampher> The README assumes the make command works :D 16:33 < agampher> when I run the make command, it throws around 30 errors, the first of which references appl.h 16:34 < agampher> It's alright, I'll play around with it until I figure it out. 
I just wanted to rule out an easy answer, like "install X noob" 16:34 < krzie> im assuming you dont have the pam-devel package installed 16:34 < krzie> the README didnt assume anything, it told you you need that 16:34 < krzie> ok 16:34 < krzie> install pam-devel noob 16:34 < krzie> lol ;] 16:35 < agampher> haha 16:35 < krzie> i wouldnt call you a noob tho, you already have a working vpn setup with pam, and ive never seen you here asking before 16:35 < krzie> much less noobish than many 16:36 < agampher> thanks for your help. Ubuntu doesn't seem to have a PAM development package that I can see, so I'll do a bit more hunting 16:36 < krzie> you just missed the README 16:36 < agampher> well thanks for that, it works really well 16:36 < agampher> I especially like that you can push the local network to the client 16:36 < krzie> http://www.google.com.pe/search?hl=en&q=ubuntu+pam-devel&btnG=Google+Search 16:36 < agampher> nice to have access to the home network at work 16:36 < vpnHelper> Title: ubuntu pam-devel - Google Search (at www.google.com.pe) 16:37 < krzie> i agree agampher, see !route if you ever need help with that 16:37 < krzie> the !route command is a writeup i made for sharing networks in lans across vpn 16:39 < agampher> Nice. I have found, though, that I'll need to change my subnet at home. 
The other day I was at a friend's house trying to show him the VPN and it wouldn't work as we were both on 192.168.x.x 16:39 < agampher> whoops 16:39 < agampher> well, pieces of it wouldn't work 16:39 < agampher> the VPN itself was fine 16:42 < agampher> Just in case anyone was curious (vpnHelper, krzie), the package in Ubuntu Server is libpam0g-dev 16:42 < agampher> Thanks for the link earlier, btw 16:43 < agampher> gotta run, have a nice evening 16:44 < krzie> 192.168.x.x 16:44 < krzie> should be fine 16:45 < krzie> 192.168.x.y will not if x is the same on both 16:45 < krzie> nm thats what you said, lol 16:56 -!- Geomancer626 [n=derek@adsl-76-213-115-27.dsl.okcyok.sbcglobal.net] has joined ##openvpn 16:56 < olarva> I need shaper, but, all tests wrong... 16:57 < krzie> "wrong" 16:57 < krzie> ...? 17:03 -!- P4k3 [i=P4k3@c-0c34e255.014-33-6b6c7810.cust.bredbandsbolaget.se] has quit ["I was online for 4days 5hrs 51mins"] 17:04 -!- Geomancer626 [n=derek@adsl-76-213-115-27.dsl.okcyok.sbcglobal.net] has left ##openvpn [] 17:15 -!- olarva [n=olarva@189.0.31.236] has quit [Read error: 113 (No route to host)] 17:19 < krzie> hah, or that 18:27 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn 19:01 * ecrist wonders what shaper is 19:01 < krzie> 2.1 has --shaper 19:02 < ecrist> what is it? 19:02 < krzie> but since he wouldnt define "wrong" who knows what his problem was 19:02 < krzie> packet shaper 19:02 < ecrist> why not use pf or similar? 19:02 < krzie> it works a lil diff, 1sec 19:03 < krzie> but ya ild use pf 19:03 < ecrist> you should write a wiki page on it. 
;) 19:03 < ecrist> I'm going to mess around with freeswitch next week, I think, btw 19:03 < krzie> ive never used it and dont fully understand it 19:03 < krzie> what i should write a wiki page on is --redirect-gateway 19:03 < ecrist> lol, for sure 19:03 < ecrist> and I should write one on subnetting 101 19:04 < krzie> haha ya man 19:04 < ecrist> and one of us should write one on how to disable your firewall 19:05 < krzie> --shaper n 19:05 < krzie> Limit bandwidth of outgoing tunnel data to n bytes per second on the TCP/UDP port. If you want to limit the bandwidth in both directions, use this option on both peers. 19:05 < krzie> OpenVPN uses the following algorithm to implement traffic shaping: Given a shaper rate of n bytes per second, after a datagram write of b bytes is queued on the TCP/UDP port, wait a minimum of (b / n) seconds before queuing the next write. 19:05 < krzie> It should be noted that OpenVPN supports multiple tunnels between the same two peers, allowing you to construct full-speed and reduced bandwidth tunnels at the same time, routing low-priority data such as off-site backups over the reduced bandwidth tunnel, and other data over the full-speed tunnel. 19:05 < krzie> Also note that for low bandwidth tunnels (under 1000 bytes per second), you should probably use lower MTU values as well (see above), otherwise the packet latency will grow so large as to trigger timeouts in the TLS layer and TCP connections running over the tunnel. 19:05 < krzie> OpenVPN allows n to be between 100 bytes/sec and 100 Mbytes/sec. 
19:06 < ecrist> hrm, I think that's a little reaching for openvpn 19:06 < krzie> ya 19:06 < krzie> but this does allow for the client to control it 19:06 < krzie> which would be harder to hack up when not be given a static ip 19:07 < ecrist> not with proper subnetting 19:07 < ecrist> I think they should spend their time on IP address assignment protocols, rather than traffic shaping 19:07 < ecrist> there's a lot to be desired in how openvpn handles static IPs 19:08 < protocols> thanks for waking me up... 19:08 < ecrist> lol 19:11 < krzie> hahahahahah 19:11 < krzie> thats great 19:12 < krzie> <krzie> aq <ecrist> I think they should spend their time on IP address 19:12 < krzie> assignment protocols, rather than traffic shaping <protocols> thanks 19:12 < krzie> for waking me up... 19:12 < krzie> <ubernerd> Inserted quote #97 19:12 < ecrist> lol 19:13 < protocols> hmm maybe I should choose a more unique nick.. 19:14 < ecrist> well, if you were in #barney_and_friends you'd be OK. 19:14 < krzie> lol 19:14 < krzie> prolly be alone too 19:14 < ecrist> aside from some creepy old dude. 19:15 < ecrist> speaking of creepy 19:15 < ecrist> I thought this gal was cute, but she was only ten. found out she's 17. 
so I feel less creepy 19:15 < ecrist> http://www.imdb.com/name/nm1559611/bio 19:15 < vpnHelper> Title: Julianna Rose Mauriello - Biography (at www.imdb.com) 19:15 < ecrist> Height 19:15 < ecrist> 4' 9 1/2 " 19:15 < ecrist> lol 19:17 < krzie> ild hit it 19:18 < krzie> *shrug* 19:18 < krzie> im kinda a dirty man tho 19:18 < ecrist> for sure 19:18 < krzie> whoawhoawhoa 19:18 < krzie> dude hell no 19:18 < krzie> fuck no 19:18 < krzie> Date of Birth 19:18 < krzie> 26 May 1991, Irvington, New York, USA 19:18 < ecrist> 17 19:18 < krzie> thats just WRONG 19:18 < krzie> 91 19:19 < ecrist> 17 19:19 < krzie> oh shit its about 2009 19:19 < krzie> damn wheres the time go 19:19 < ecrist> lol 19:19 < ecrist> she'll be 18 in May 19:19 < ecrist> age of consent in MN is 16 19:19 < krzie> nice 19:19 < ecrist> http://www.youtube.com/watch?v=Vxm6KGEGIeE 19:19 < vpnHelper> Title: YouTube - LazyTown Mashup (at www.youtube.com) 19:19 < krzie> age of consent here might be old enough to say yes 19:19 < ecrist> that video is what did it for me. 19:20 < ecrist> according to that senator in AL, 'Consent is puberty.' 19:21 < ecrist> oh, video is NSFW 19:21 < krzie> i wouldnt work in a place where theres a such thing as NSFW 19:21 < krzie> no fucking way 19:21 < krzie> that video is what did it for you? 
19:21 < ecrist> lol 19:22 < krzie> you are a bad bad man 19:22 < krzie> lol 19:23 < Dryanta> wat 19:23 < krzie> sup dry 19:23 < Dryanta> chillin brah 19:24 < ecrist> at least you weren't so bored last night that you made facebook accounts for your pets 19:25 < krzie> haha this is tru 19:25 < Dryanta> haha 19:25 < Dryanta> that was so lulzy 19:25 < Dryanta> that video 19:25 < krzie> i laid on the beanbag and watched movies while smoking the hookah 19:25 < Dryanta> who made facebook accounts for their pets 19:25 * krzie points at ecrist 19:25 < Dryanta> im interneting and smokin pot nao 19:25 * ecrist did 19:25 < krzie> Dryanta, im jealous 19:26 < krzie> the pot here isnt worth smoking 19:26 < Dryanta> i live in la 19:26 < Dryanta> clubs and all 19:26 < krzie> i used to sell to the la clubs 19:26 < krzie> i used to work in a club up north 19:26 < Dryanta> damn b then you know what im talkin bout 19:26 < krzie> yup 19:27 < krzie> we used to grow with tractors =] 19:27 < ecrist> ahem... lol 19:27 < ecrist> <-- reserve sheriff's deputy in MN... 19:28 < krzie> its public record we had 3454 12 - 15 ft tall plants when the feds shut us down 19:28 < krzie> ecrist, im not saying anything that the feds dont know about 19:28 < Dryanta> ecrist: awesome dude, legal for me over here :D 19:28 < krzie> ya i still have my california medical too 19:28 < ecrist> I'm just trying to participate in the convo 19:28 < krzie> lol 19:29 < Dryanta> do you bust pothead teenagers or let em go is the only real question i have haha 19:29 < ecrist> Dryanta: depends on age, qty, and record 19:29 < Dryanta> makes sense 19:30 < krzie> i thought you only did tech work for the po-pos 19:30 < krzie> you bust people too? 19:30 < ecrist> krzie: I don't do tech work for them. I work in enforcement. 
19:30 < Dryanta> he said reserve deputy 19:31 < Dryanta> thats a fully sworn peace officer broseph 19:31 < krzie> see, this is why i love the inet 19:31 < krzie> 2 people who would never have been friends IRL end up being cool online... cause things here only have to do with what you know and how you think 19:32 < krzie> im a 2x felon 19:32 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn 19:32 < krzie> hes a deputy 19:32 < krzie> yet we get along fine ;] 19:32 < mRCUTEO> hiya 19:32 < ecrist> krzie: I'm cool though, regardless. 19:32 < krzie> tru 19:32 < Dryanta> im just some dude haha 19:32 < krzie> well plus i dont break any laws anymore 19:33 < krzie> i was just a pot salesman, not like i was hurting people 19:33 < Dryanta> about the worst i do is occasional recreational drug use 19:33 < Dryanta> no that is the worst i do haha 19:33 < Dryanta> and get tickets, man they like to give me tickets 19:33 * ecrist thinks pot should be legal, anyways. 19:33 < krzie> ya thats LA 19:33 < krzie> totally 19:33 < Dryanta> krzie: central valley is where i got those mostly 19:34 < Dryanta> and bay area 19:34 < krzie> in fact i hate all victimless crimes 19:34 < Dryanta> and sacto 19:34 < Dryanta> and oregon 19:34 < Dryanta> lol 19:34 < krzie> the drug war leads to violence and organized crime, youd think we woulda learned that from the alcy prohibition 19:34 < krzie> but it sure does make a lot of jobs and very profitable privately owned prisons 19:34 < krzie> *shrug* 19:35 < Dryanta> at the same time you dont want to have heroin freely available at every convenience store 19:35 < Dryanta> it gets to a point where the line is hard to draw 19:35 < krzie> what i really get lulz from, is back when they made alcy prohibition, they amended the constitution for it, cause they knew it didnt give them the right to 19:35 < krzie> then they amended it again to get rid of it 19:36 < krzie> but for all they prohibit now, no amendment 19:36 < krzie> actually dry, ild prefer it was 
there 19:36 < krzie> that way there wouldnt be drug wars over it 19:36 < krzie> i promise you i still wouldnt do heroin if it were there 19:36 < Dryanta> i dont know 19:36 < krzie> amnsterdam is actually a good example of that working well 19:37 < krzie> attacking supply will NEVER work 19:37 < Dryanta> amsterdam is shutting down the red light district 19:37 < krzie> you must educate and attack demand 19:37 < krzie> because supply will ALWAYS meet demand, its only prices that change from that 19:37 < mRCUTEO> :) 19:37 < krzie> and with the change in price comes much violence over who controls the market 19:38 < krzie> just from selling weed i knew where i could buy ANY weapons, and i could afford to 19:38 < krzie> grenades, automatic weapons, etc 19:38 < krzie> i am not that kind of person tho 19:38 < krzie> but that stuff wouldnt be avail if it werent for the drug war 19:38 < krzie> and gangs wouldnt have better weapons than cops 19:38 < Dryanta> i can buy my stuff freely at the store cos im a good kid and never got in trouble 19:39 < krzie> in fact theyd prolly have no weapons 19:39 < Dryanta> not so anymore, most patrolcars around here roll with ar15s 19:39 < krzie> Dryanta you can buy a mack-11 at the store? 19:39 < Dryanta> then again thats la and htat bank heist 19:39 < krzie> DAMN, crazy 19:39 < Dryanta> not in california, but i can other places 19:39 < Dryanta> i could buy one in idaho no problem 19:39 < krzie> right 19:39 < krzie> how bout grenades? 19:40 < Dryanta> yes i can get grenades 19:40 < krzie> legally? 19:40 < Dryanta> classified as AOW (any other weapon) in batfe talk 19:40 < Dryanta> you just have to file the right paperwork 19:40 < krzie> ahh 19:40 < Dryanta> its spendy, but can be done 19:40 < Dryanta> suppressors as well 19:40 < krzie> or you just hafta go to the right guy in cali 19:41 < mRCUTEO> <Dryanta> yes i can get grenades ? what? 19:41 < mRCUTEO> where u from Dryanta? 
19:41 < krzie> my point is this: 19:41 < Dryanta> mRCUTEO: truth 19:41 < Dryanta> america 19:41 < krzie> the drug war causes MUCH more crime than it prevents 19:41 < Dryanta> i live in ca 19:41 < mRCUTEO> ic 19:41 < Dryanta> krzie: i will not dispute that fact, itd be foolish to 19:41 < krzie> mRCUTEO he means california, usa 19:41 < krzie> not canada 19:42 < mRCUTEO> yerp 19:42 < Dryanta> yeah, ca not .ca 19:42 < mRCUTEO> oh 19:42 < mRCUTEO> :) 19:43 < mRCUTEO> you working with the navy or military dept before Dryanta? 19:43 < Dryanta> no 19:43 < mRCUTEO> and who is your supplier? a normal citizen cant be eh.. 19:43 < Dryanta> its known as a level iii ffl holder 19:43 < mRCUTEO> you must have someone who is linked with the army i guess 19:44 < Dryanta> not linked to the army at all 19:44 < mRCUTEO> oh never heard of level iii ffl folder 19:44 < mRCUTEO> what is that? 19:45 < krzie> mRCUTEO in cali the gangs can supply you with damn near anything, as a result of the drug war in my opinion 19:45 < Dryanta> http://en.wikipedia.org/wiki/Federal_Firearms_License#Special_Operations_Tax_Classes 19:45 < vpnHelper> Title: Federal Firearms License - Wikipedia, the free encyclopedia (at en.wikipedia.org) 19:45 < krzie> take away the black market on drugs, you take away their funding 19:45 < krzie> but then you also end up with empty prisons (one of the most profitable industries in america) 19:45 < mRCUTEO> ic 19:45 < krzie> and a surplus of law enforcement 19:46 < mRCUTEO> "the gang" - means the gangster ? 19:46 < mRCUTEO> or the good guy.. 19:46 < krzie> gangs 19:46 < krzie> gangsters 19:46 < krzie> like bloods, crips, nortenos, surenos, latin kings... etc 19:47 < mRCUTEO> but how do they get their supply of arms and weapons? there must be somewhere, a weapon factory? 
19:47 < krzie> mRCUTEO, dunno 19:47 < krzie> but if you cut their supply, someone else will supply 19:47 < krzie> just like with drugs 19:47 < mRCUTEO> i assume they get it from someone who work with the army forces or maybe smuggle from latin 19:47 < krzie> supply will always meet demand when the $ is there 19:48 < mRCUTEO> yep 19:48 * ecrist goes away. 19:49 < mRCUTEO> my uncle lives in ohio and he bought a magnum for only $100 19:49 < mRCUTEO> i wish i can buy a machine gun with $100 :"D 19:50 < mRCUTEO> krzie: do you know how to contact this "the gang" guys? 19:50 < krzie> mRCUTEO, why? 19:50 < mRCUTEO> just curios 19:50 < krzie> if i needed to, sure 19:50 < mRCUTEO> oh :) 19:51 < krzie> a few of them owe me a favor or 2 19:51 < krzie> which i plan on never using 19:51 < mRCUTEO> wow you must be someone 19:51 < krzie> nah im nobody special 19:51 < mRCUTEO> do they sales automatic gun 19:51 < krzie> i just always knew how to get along with people 19:52 < mRCUTEO> :) 19:52 < krzie> most the people high up in gangs are good business men 19:52 < mRCUTEO> yerp maybe its becoz of $ 19:52 < mRCUTEO> the more $ you have the stronger you become 19:52 < mRCUTEO> :) 19:52 < krzie> well, a favor is always better than $ 19:53 < krzie> favors usually have more to do with who and what you know 19:53 < krzie> ive always been strong in both those departments 19:53 < mRCUTEO> ic 19:53 < mRCUTEO> ah good for you :) 19:53 < krzie> *shrug* im glad i left cali tho 19:53 < krzie> all that stuff is behind me 19:53 < mRCUTEO> oh .. 19:54 < mRCUTEO> krzie have u been nevada oh texas? western area? 19:54 < krzie> i been most places in usa 19:54 < krzie> including those 19:54 < krzie> in fact im not allowed in texas ;] 19:54 < mRCUTEO> why? 19:54 < mRCUTEO> you're banned from texas? 
19:54 < mRCUTEO> :D 19:55 < krzie> unpaid fines, i knew a cop from there who said just dont go back and i could forget about it 19:55 < mRCUTEO> ic 19:56 < mRCUTEO> in thailand you can get firearm easily 19:56 < mRCUTEO> some of my friends bought a magnum for only $5 19:57 < mRCUTEO> fully equipped with 40 bullets 19:57 < mRCUTEO> hehe 19:57 < mRCUTEO> but its different situation here in malaysia, you owned a gun without a license you are sentenced to death 19:57 < mRCUTEO> lol 20:00 * mRCUTEO bbl 20:00 -!- mRCUTEO [n=info@96.9.131.182] has quit [] 20:04 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"] 20:38 -!- gregHome [n=gleblanc@75.108.7.23] has quit [Read error: 110 (Connection timed out)] 20:49 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 20:51 -!- stickman14 [n=jules@S01060016b620f1d7.vc.shawcable.net] has joined ##openvpn 21:06 -!- thei0s [n=G0D@BSN-61-47-105.dial-up.dsl.siol.net] has joined ##openvpn 21:12 < thei0s> hi, I am using OpenVPN 2.1_rc15 in --mode server and am wondering if it is somehow possible to use the udp and tcp port for the same network? with other words: is it possible to interconnect the udp server and tcp server? (using same tun device would do the trick?) 21:12 < krzie> not the same subnet, but you can use 2 daemons, 2 subnets, and push the route to each other 21:14 < thei0s> hm, how to push the route to each other? 
21:14 < krzie> !push 21:14 < vpnHelper> krzie: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 21:15 < krzie> so push "route 10.8.0.0 255.255.255.0" for example 21:15 < krzie> on the server that is using server 10.9.0.0 21:15 < krzie> so push "route 10.9.0.0 255.255.255.0" for example 21:16 < krzie> on the server that is using server 10.8.0.0 21:16 < krzie> (for example) 21:16 < thei0s> and this will work -- the servers would just exchange packets? (for clients it doesnt matter to which they connect and can see each other?) 21:22 < krzie> right, but they will see eachother by the vpn ip 21:23 < krzie> and make sure they dont use same tun device 21:24 < thei0s> aha 21:25 < thei0s> what about this solution: using a tcp to udp tunnel daemon locally on the server 21:26 -!- tjz [n=tjz@bb116-15-92-104.singnet.com.sg] has joined ##openvpn 21:27 * tjz rock in 21:27 < thei0s> (that is: listening on tcp port and for each connection redirecting it's output to udp port and back) 22:01 < tjz> , 22:03 < tjz> anyone around? 23:10 -!- thei0s [n=G0D@BSN-61-47-105.dial-up.dsl.siol.net] has quit ["Leaving."] 23:21 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection] 23:22 -!- mRCUTEO [n=info@64.235.47.77] has joined ##openvpn 23:22 -!- mRCUTEO [n=info@64.235.47.77] has quit [Client Quit] 23:54 < tjz> x. --- Day changed Tue Dec 23 2008 00:17 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 00:50 < tjz> welcome 00:51 < lolipop> welcome 00:54 < lolipop> !menu 00:54 < vpnHelper> lolipop: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 00:54 < lolipop> !factoids search lobsters 00:54 < vpnHelper> lolipop: No keys matched that query. 
00:54 < lolipop> lol 01:00 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 01:06 < tjz> ercist search for 'sex' yesterday 01:06 < tjz> no key match that query as well 01:07 < tjz> lol 01:07 < lolipop> i tot i'm the 1 who searched for sex? 01:07 < lolipop> are you sure is ercist or me? 01:09 < tjz> omg 01:09 < tjz> i think it is you 01:09 < tjz> errr 01:09 < tjz> i can't remember 01:10 < lolipop> lol 01:10 < tjz> ercist did make a facebook account for his pet though 01:10 < tjz> hehehehe 01:10 < lolipop> haha 01:10 < lolipop> tjz from singapore? 01:11 < tjz> ya 01:11 < tjz> :P 01:12 < lolipop> hehe 01:12 < lolipop> we are neighbour 01:12 < tjz> X_X 01:12 < tjz> r u fr ommalaysia? 01:13 < lolipop> yes 01:13 < tjz> coool 01:13 < lolipop> haha 01:13 < tjz> do you know mrcuteo? 01:14 < lolipop> the 1 from sarawak? 01:14 < tjz> mRCUTEO <- 01:14 < lolipop> yeah 01:14 < tjz> :) 01:14 < lolipop> !seen mrcuteo 01:14 < vpnHelper> lolipop: mrcuteo was last seen in ##openvpn 5 hours, 14 minutes, and 3 seconds ago: * mRCUTEO bbl 01:14 < tjz> he complain about streamxy 01:14 < tjz> :P 01:14 < tjz> haha 01:14 < lolipop> yeah, submarine cable broken 01:14 < lolipop> streamyx is fixing it 01:14 < tjz> oh 01:15 < tjz> even before the cable broken 01:15 < tjz> he had already complain 01:15 < tjz> hahaha 01:15 < lolipop> lol 01:15 < lolipop> stremayx works fine on my area 01:15 < lolipop> maybe because he is from sarawak 01:15 < lolipop> even tho i'm using 1mb package, but i can get 1.27 - 1.29mbps 01:15 < lolipop> hehe 01:16 < tjz> OMG 01:16 < tjz> WTF 01:16 < lolipop> speed test on speedtest.net 01:16 < tjz> another malaysian getting the same speed like yours 01:16 < tjz> quite good too 01:16 < lolipop> yeah 01:17 < tjz> ^^ 01:17 < lolipop> because of stupid submarine cable broekn, whenever i do sudo apt-get install or upgrade on my kubuntu, it slow like hell, rate around 1- 3kbps 01:19 < tjz> x_x 01:19 < tjz> have you try another mirror? 
01:20 < lolipop> nope 01:20 < tjz> hmm 01:20 < tjz> grab from another mirror lor 01:20 < lolipop> haha 01:20 < lolipop> nvm, its okay 01:20 < tjz> or.. 01:20 < tjz> use openvpn 01:20 < tjz> :) 01:20 < tjz> bypass 01:20 < lolipop> stremayx promised will be fix on 31st 01:21 < lolipop> ok, why not i tunnel to ur place? hahaha 01:21 < tjz> X_X 01:21 < tjz> you can tunnel from your desktop meh 01:21 < tjz> use openvpn 01:21 < tjz> :) 01:21 < tjz> you got any remote server? 01:21 < lolipop> can... 01:22 < lolipop> got, but at US 01:22 < lolipop> hahaha 01:22 < lolipop> so the best is vpn tunnel to ur place 01:22 < lolipop> haha 01:23 < lolipop> then i can surf net from ur connection 01:29 < tjz> ... 01:29 < tjz> surf from US 01:29 < tjz> ^_^ 01:29 < tjz> save my bw 01:29 < lolipop> sienz.... 01:29 < lolipop> what r u doing 01:31 < tjz> chatting 01:31 < tjz> doing server stuffs 01:31 < tjz> :( 01:31 < lolipop> wow 01:31 < lolipop> so nice 01:31 < tjz> x_x 01:31 < lolipop> server stuff ah 01:31 < tjz> r u a student? 01:31 < lolipop> nope 01:31 < lolipop> why? i sound like a student? 01:32 < tjz> no la 01:32 < tjz> sch holiday 01:32 < tjz> many students lurkering around 01:32 < tjz> hehe 01:32 < tjz> :P 01:32 < lolipop> hahaha 01:32 < lolipop> i'm working 01:33 < lolipop> i'm a web developer, but now have to handle sys admin and network admin's job :( 01:34 < tjz> omg 01:34 < tjz> almost the same as me 01:35 < tjz> x_x 01:35 < tjz> are you working for some company? 01:35 < lolipop> working for a company 01:36 < tjz> ok 01:36 < lolipop> sob sob 01:37 < tjz> run your own la 01:37 < lolipop> no $$$$ 01:37 < tjz> lol 01:37 < tjz> you seem to be handle everything in your company 01:37 < tjz> :P 01:37 < tjz> the most important IT guy in the company 01:38 < lolipop> haha 01:38 < lolipop> not really 01:38 < lolipop> my manager and CTO a lot more pro 01:38 < tjz> wa 01:38 < tjz> errr 01:38 < tjz> are you at work now? 
01:38 < lolipop> kakaka 01:39 < lolipop> yeap 01:39 < tjz> hahaha 01:39 < tjz> darn 01:39 < tjz> eating snake! 01:39 < tjz> :P 01:39 < lolipop> hahaha 01:39 < lolipop> no la 01:40 < tjz> hehe 01:40 < tjz> how old r u? 01:40 < lolipop> because i will need to go to setup java and glasswish on a IBM aix server tomolo 01:40 < lolipop> so finished to prepare everything, now nothing to do lo 01:40 < lolipop> 24 01:41 < lolipop> last year december finished my studies 01:41 < lolipop> kakaka 01:41 < lolipop> my fresh grads license just gone 01:41 < lolipop> :( 01:42 < lolipop> u ? 01:42 < lolipop> how old r u ? 01:46 < tjz> 26 01:46 < tjz> :P 01:46 < tjz> haha 01:46 < tjz> hmm 01:46 < tjz> java and glasswish.. 01:47 < lolipop> yeah 01:47 < lolipop> hehe 01:48 < lolipop> my company just bought a prod server for a project 01:48 < lolipop> i need to go and setup everything on that aix machine 01:48 < lolipop> :( 01:48 < tjz> power 01:48 < tjz> IBM aix server 01:49 < tjz> is it necessary to get so powerful? 01:49 < lolipop> yeap 01:49 < lolipop> my company client normally are bank and insurance 01:49 < tjz> you need it for virtualisation? 01:49 < tjz> wa 01:49 < lolipop> nope 01:50 < lolipop> thats why they need power server 01:50 < tjz> your company is quite big 01:50 < lolipop> no la 01:50 < lolipop> very small only 01:51 < lolipop> fortunately i'm not on java team 01:51 < lolipop> hehe 01:51 < lolipop> i'm under php team 01:51 < lolipop> which only do those small project for bank and insurance 01:51 < lolipop> big project will be using java 01:52 < tjz> i don't like java also 01:52 < tjz> quite tough 01:52 < tjz> PHP rocks though :) 01:52 < lolipop> kakaka 01:52 < lolipop> yeah 01:52 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 01:53 < lolipop> which framework do u use? 
01:53 < lolipop> we use symfony 01:53 < lolipop> normally we use symfony + jquery 01:53 < tjz> hmmm 01:54 < tjz> i am just novie php programmer 01:54 < tjz> did not check out those framework yet.. 01:54 < lolipop> oh 01:54 < lolipop> symfony frame is nice 01:54 < lolipop> framework 01:55 < tjz> i must check it out 01:55 < lolipop> yeah 01:55 < tjz> why do we need framework 01:55 < tjz> make life easier? 01:55 < lolipop> yeap 01:55 < lolipop> also better security, sometimes 01:55 < tjz> better security.. 01:55 < tjz> how so? 01:56 < lolipop> like if can use propel db framework with symfony 01:57 < lolipop> it will handle those sql injection like 'OR '1='1' 01:57 < tjz> great 01:57 < tjz> one thing i scare is sql injection & those hacking 01:57 < tjz> because i am not sure if my coding is safe or not 01:57 < tjz> :P 01:57 < lolipop> symfony, u just need to type a command, and a plugin for login can be install easily 01:57 < lolipop> and it is secure 01:58 < lolipop> kakaka 01:58 < tjz> wa 01:58 < tjz> so easy 01:58 < tjz> really better time now 01:58 < lolipop> to secure a page, u just need to modify the yml file, set security is on, then the page will be lock for logged in user only 01:59 < lolipop> also for validation, u just need to edit the configuration file, u dun need to hardcode 01:59 < lolipop> kakak, easy to manage code also, because its on MVC model 01:59 < lolipop> and then u can swtich ur db to oracle or postgresql anytime, without affecting ur code 02:00 < tjz> wa 02:00 < tjz> really make life alot easier 02:00 < lolipop> yeah 02:00 < tjz> what is jquery for? 
02:00 < lolipop> then also try jquery, javascript library 02:00 < lolipop> use it to write ajax 02:01 < lolipop> if javascript need around 10 lines, maybe jquery need 1 line 02:02 < tjz> X_X 02:02 < tjz> so good 02:02 < lolipop> example, $('#reset').toggle('fast'); 02:02 < lolipop> then the id with reset, user can click and it will toggle 02:02 < lolipop> 1 line only 02:04 < tjz> x_x 02:04 < tjz> must really go check them out 02:04 < lolipop> haha 02:04 < lolipop> yeah 02:04 < tjz> this make programming so much easier 02:04 < lolipop> the login plugin for symfony is sfGuard 02:05 < tjz> ok 02:05 < tjz> must have many other plugins to use too 02:05 < lolipop> yeap 02:05 < lolipop> its really easy 02:06 < lolipop> to overriding a method 02:06 < lolipop> overriding a db object, easy to manage 02:06 < lolipop> forgot to u 1 more thing, more easier 02:06 < lolipop> haha 02:07 < lolipop> u just need to edit a schema.yml, and define ur db table name, columns 02:07 < lolipop> example name varchar , age integer 02:08 < lolipop> then just type a command, it will generate all the db model code and create all the table on ur database 02:08 < lolipop> kakaka 02:08 < tjz> X_X 02:08 < tjz> omg 02:08 < lolipop> so u dun need to do create table name { name varcharchar like that 02:09 < tjz> really cut down alot of work 02:09 < lolipop> yeap 02:09 < lolipop> now u know why framework leh 02:09 < tjz> must try them out 02:09 < tjz> ^^ 02:10 < lolipop> u r working now or? 02:11 < tjz> working 02:11 < tjz> & chatting 02:11 < tjz> keke 02:12 < lolipop> haha 02:12 < lolipop> thats mean u also snakes la... 02:14 < tjz> X_X 02:14 < tjz> hahaha 02:14 < tjz> i am a hardworking worker 02:14 < tjz> :P 02:14 < lolipop> i dun believe 02:16 < tjz> lol 02:16 < tjz> actually run my small company 02:17 < tjz> :P 02:17 < tjz> <- boss 02:17 < lolipop> lol 02:17 < tjz> you are fire! 
02:17 < tjz> :P 02:17 < lolipop> haha 02:17 < lolipop> wow 02:17 < lolipop> cool 02:17 < lolipop> haha 02:17 < tjz> haha 02:17 * tjz eat unlimited snakes 02:17 < tjz> lol 02:17 < lolipop> haha 02:17 < lolipop> ur business nature? 02:18 < tjz> deal more with web hosting, dedicated server.. 02:18 < lolipop> oh 02:19 < tjz> :) 02:19 < lolipop> learn symfony and propel, then u will how easy and fast to develop a customized system for ur client, then u can provide software conulting service 02:19 < tjz> ya 02:19 < lolipop> u will know* 02:19 < tjz> but i feel so stressful 02:19 < tjz> :( 02:19 < lolipop> oh 02:19 < tjz> haha 02:19 < lolipop> how come 02:19 < tjz> programming X_X 02:20 < lolipop> aiyo.... hire staff 02:20 < lolipop> force them to learn 02:20 < lolipop> u sit and bli bla bli bla only 02:20 < tjz> I hope i can hire staff soon 02:20 < tjz> X_X 02:21 < lolipop> haha 02:21 < lolipop> why 02:21 < tjz> small company lor 02:21 < lolipop> oh 02:21 < tjz> don't have big project like banks or insurance kind 02:21 < lolipop> small project also can 02:21 < lolipop> also make money wat 02:21 < tjz> ya 02:22 < tjz> i know my weak point 02:22 < tjz> lack of marketing 02:22 < lolipop> recently i'm doing a freelance system for a private magnum boss 02:22 < lolipop> also can get an amount of money 02:22 < lolipop> sg got magnum or not? 02:22 < lolipop> or only toto? 02:22 < tjz> what is magnum? 02:22 < lolipop> magnum4d 02:23 < tjz> is it a company? 02:23 < lolipop> magnum4d is a company 02:23 < lolipop> betting 4 digit number ah 02:23 < lolipop> like singaporepools 02:24 < tjz> wa 02:24 < tjz> ohok 02:24 < lolipop> for those private 1 02:24 < tjz> wa 02:24 < tjz> illegal? 
02:24 < lolipop> yeap 02:24 < tjz> X_X 02:24 < lolipop> i charge them 12k 02:24 < lolipop> since they r so rich 02:24 < tjz> of course la 02:24 < tjz> i will charge alot too 02:24 < tjz> they make alot $$ 02:25 < tjz> 12k maybe is their 2-3 hours income 02:25 < tjz> x_x 02:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:56 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 04:46 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 05:19 -!- prxtien [n=proleone@ppp121-45-252-177.lns11.adl6.internode.on.net] has joined ##openvpn 05:19 < prxtien> hey krzee you around? 05:24 < tjz> hmm 05:24 < tjz> do you have problem with openvpn? 05:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:51 < prxtien> yeah mate 05:52 < prxtien> setting up openvpn in a freebsd jail ,krzee got alot of experience with it 05:52 < prxtien> was going to ask how to setup tun0 06:02 -!- lilalinux is now known as lilalinux_ 06:03 -!- lilalinux_ is now known as lilalinux 06:05 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 06:21 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 06:24 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 06:24 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn [] 06:45 < ecrist> good morning, openvpn 07:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:07 -!- gleblanc [n=chatzill@216.30.212.117] has joined ##openvpn 07:14 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn 07:14 < deever> hi 07:15 < deever> can i somehow use openvpn with tapX devices named vpnX instead? 07:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:20 -!- thefish [n=thefish@unaffiliated/thefish] has joined ##openvpn 07:22 < gleblanc> Why does it matter what they're called? 
07:23 < gleblanc> If I have "route 192.168.1.0 255.255.255.0" in my server config file, should that show up on the kernel routing table when OpenVPN is running? 07:26 < deever> i'm using ifupdown (the debian networking infrastructure) and would like to have a more verbose name than tap0 07:26 -!- gstaniak [n=gstaniak@gwz82.internetdsl.tpnet.pl] has joined ##openvpn 07:26 < gstaniak> hi 07:27 < gstaniak> i have a problem with an ipcop installation - i use zerina to access the internal network through openvpn. i am able to access the firewall through vpn. i have a test machine in the internal network: i can ping the geteway/fwall from it, i can ping it from the gateway/fwall, but i can't ping the test machine from my station (the other end of tunnel). my station has the routes to the tunnel endpoint and internal network. what might be the 07:27 < gstaniak> reasons the internal network is not accessible? 07:30 < deever> gstaniak: seems more ipcop-related than ovpn-related to me...;) 07:30 < gstaniak> deever: well, at the ipcop channel they say it's about openvpn, not ipcop ;) 07:31 < deever> lol..ok 07:31 < deever> do you have access to the server's config file? 07:33 < gleblanc> !menu 07:33 < vpnHelper> gleblanc: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 07:37 < gstaniak> deever: yes, i have access to the shell 07:43 < gstaniak> also, is there a default timeout in openvpn? it seems i get disconnected after a few minutes of inactivity 07:43 < deever> yes 07:45 < gleblanc> ok, so I see this in the server.log file... 
Tue Dec 23 08:30:20 2008 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.54.20.2 07:45 < gleblanc> but there is no route to 192.168.1.0 in the output from netstat -rn 07:51 -!- brutopia [n=user@backport.ri.fi] has left ##openvpn [] 07:53 < gleblanc> You'd think that putting "route 192.168.1.0 255.255.255.0" in the config file, and seeing "Tue Dec 23 08:30:20 2008 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.54.20.2" in the log file would mean that there was a route to 192.168.1.0 08:00 < gleblanc> OK, so maybe the problem is that I need to use --route-method exe instead of adaptive 08:03 < gleblanc> Hey look, routes! 08:11 < reiffert> moin 08:15 -!- stickman14 [n=jules@S01060016b620f1d7.vc.shawcable.net] has quit ["Leaving"] 08:40 < gstaniak> ok, so this will be a more strictly openvpn question: i need a separate subnet for tunnel connections, right? so, when i make a connection to a, say, 192.168.1.0/24 green network, using, say, 10.1.1.0/24 as the vpn subnet, how do the hosts in 192.168.1.0/24 know that they need to send responses to pings from e.g. 10.1.1.100 to their gateway address, e.g. 192.168.1.1? how do i push routes to the green network hosts? 08:42 < gleblanc> gstaniak: Depends on some things 08:42 < gstaniak> gleblanc: what things? is there a way to do it through dhcp? 08:42 < gleblanc> gstaniak: if your OpenVPN boxes are already the default gateways, then things should go without much monkeying around 08:43 < gstaniak> gleblanc: yes, they are default gateways 08:43 < gleblanc> gstaniak: then client machines should just send any packet it doesn't know what to do with to the default gateway 08:43 < gleblanc> and the default gateway should send it where it needs to go 08:44 < gstaniak> gleblanc: you're right 08:44 < gstaniak> gleblanc: and still i see pings going to them, but not returning 08:44 < gleblanc> gstaniak: firewall? 
08:44 < ecrist> morning, kids
08:47 < gstaniak> gleblanc: yes, but icmp not blocked in any way
08:47 < ecrist> try disabling the firewall.
08:47 < gstaniak> ecrist: ok. perhaps there's some iptables magic going on.
08:48 < ecrist> when troubleshooting, it's often easier to just disable the thing, get everything working, and re-enable it.
08:49 < ecrist> gstaniak: take a look here:
08:49 < ecrist> !routing
08:49 < vpnHelper> ecrist: Error: "routing" is not a valid command.
08:49 < ecrist> !route
08:49 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
08:50 < gstaniak> ecrist: thabks
08:50 < gstaniak> thanks
08:58 < ecrist> np
09:04 -!- tjz [n=tjz@bb116-15-92-104.singnet.com.sg] has quit [Read error: 131 (Connection reset by peer)]
09:19 -!- gstaniak [n=gstaniak@gwz82.internetdsl.tpnet.pl] has left ##openvpn ["Leaving"]
09:25 -!- prxtien [n=proleone@ppp121-45-252-177.lns11.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
10:28 < gleblanc> So very very close!
10:45 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
11:19 * plaerzen sighs.
11:20 < plaerzen> half of our POTS phones are down.
11:20 < gleblanc> VoIP to the rescue!
11:20 < plaerzen> 1/2 the company is on voip phones, that still means ~25 people are without phones.
11:21 < gleblanc> Sounds like you need a bridge
11:23 < agampher> our POTS lines are constantly down
11:23 < agampher> well, not constantly
11:23 < agampher> :P
11:23 < gleblanc> Qwest? :-)
11:23 < agampher> Nuvox
11:24 < agampher> yay for going with the cheapest evar
11:30 < ecrist> lol
12:09 -!- gregHome [n=gleblanc@75.108.7.23] has joined ##openvpn
12:10 -!- wubrgamer [n=guptaxpn@unaffiliated/wubrgamer] has joined ##openvpn
12:11 < wubrgamer> hey guys
12:24 < Dryanta> yay cheep
12:29 < wubrgamer> hey guys
12:30 < wubrgamer> can you link me to a guide that will let me setup openvpn
12:30 < wubrgamer> FOR
12:30 < wubrgamer> a use case involving a remote laptop user dialing into a home server with one eth port that is publicly routable?
12:30 < wubrgamer> !route
12:30 < vpnHelper> wubrgamer: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:31 < wubrgamer> !menu
12:31 < vpnHelper> wubrgamer: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
12:32 < wubrgamer> i don't need a bridge do I?
12:33 < wubrgamer> i'm just trying to forward all of my laptop's traffic into my home LAN when i'm at coffee shops and such
12:33 < wubrgamer> "coffee shops"
12:33 < wubrgamer> (coffee shops = other networks)
12:34 < gleblanc> No, you don't need bridging
12:35 < wubrgamer> okay
12:35 < wubrgamer> so which guide should this ubuntu user use?
12:35 < wubrgamer> i'm kind of stupid when it comes to setting things like this up, i've never done it before
12:36 < wubrgamer> anybody?
12:39 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn
12:39 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has left ##openvpn ["Leaving"]
12:55 < gleblanc> wubrgamer: You should start with the howto, like everybody else
12:56 < gleblanc> OK, so I fixed this yesterday, but now it's broken in the opposite direction
12:57 < gleblanc> I can now connect from machines on the OpenVPN server's lan to machines on the OpenVPN client's lan, but not vice-versa
12:58 < gleblanc> If I'm at the OpenVPN client, or a machine on its LAN, I can connect to the OpenVPN server
12:58 < gleblanc> but I can't connect to clients behind it
12:59 < gleblanc> I can't even ping from the openvpn client to a machine on the openvpn server's network
13:45 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:37 < ecrist> afternoon, folks
14:39 < ecrist> wubrgamer: read the howto, that'll get you started. come here for specific questions
14:39 < gleblanc> OK, so it's my firewall again
14:39 -!- mode/##openvpn [+o ecrist] by ChanServ
14:40 -!- ecrist changed the topic of ##openvpn to: Your problem is probably your firewall. Seriously. || HowTo: http://openvpn.net/howto || Bridging is for ethernet, routing is for IP || lans behind openvpn? see !route || !menu
14:40 -!- mode/##openvpn [-o ecrist] by ecrist
14:44 < gleblanc> heh
14:46 < gleblanc> I added a couple of rules that were supposed to let me connect both ways, but they only let me connect one way, somehow
15:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:53 -!- gleblanc [n=chatzill@216.30.212.117] has quit [Read error: 104 (Connection reset by peer)]
15:58 -!- kreg [n=kreg@208-98-188-95.directcom.com] has quit ["Leaving"]
16:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
18:17 < wubrgamer> is the server configuration located at /etc/openvpn/server.conf or /etc/openvpn/openvpn.conf on an ubuntu system?
18:22 < wubrgamer> hello?
18:24 < krzie> it's located wherever you put it
18:28 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
19:23 -!- prxtien [n=proleone@ppp121-45-252-177.lns11.adl6.internode.on.net] has joined ##openvpn
19:23 < prxtien> !fbsdjail
19:23 < vpnHelper> prxtien: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to the host's rc.conf the creation of the tun0 device, create a special devfs ruleset with tun0 unhidden, configure that it is used in the devfs mount point inside the chroot in my jail and specify the openvpn --dev tun0 parameter, and it seems that this is it... so, thank you for assistance and ideas
19:54 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
19:57 < prxtien> Wed Dec 24 10:59:06 2008 /sbin/ifconfig tun0 10.8.1.1 10.8.1.2 mtu 1500 netmask 255.255.255.255 up
19:57 < prxtien> ifconfig: ioctl (set mtu): Operation not permitted
19:57 < prxtien> ifconfig: up: permission denied
19:58 < prxtien> tun0 freebsd jail
19:58 < prxtien> permissioning problem im guessing eh
20:00 -!- dmz [n=dmz@64.203.203.232.dyn-cm-pool-64.hargray.net] has quit ["Leaving"]
20:12 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
20:23 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has joined ##openvpn
20:36 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [Read error: 60 (Operation timed out)]
20:40 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
22:17 -!- prxtien [n=proleone@ppp121-45-252-177.lns11.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
22:38 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [Read error: 148 (No route to host)]
22:55 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
22:58 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has quit [Remote closed the connection]
22:59 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
23:36 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [No route to host]
--- Day changed Wed Dec 24 2008
00:28 < Grandia> question on how openvpn interacts with windows
00:29 < Grandia> if I log on to a home machine through openvpn does the home machine see me as 127.0.0.1 at all?
00:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
02:10 -!- ikevin_ [n=kevin@ANancy-256-1-61-139.w90-26.abo.wanadoo.fr] has quit [Remote closed the connection]
03:31 -!- mne [n=mne@unaffiliated/mne] has joined ##openvpn
03:32 < mne> !route
03:32 < vpnHelper> mne: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:35 < mne> Hi, I have a wireless router which has to run either WEP or no encryption (some wireless devices are not WPA capable). For this reason I would like to place an openvpn tunnel on top of the insecure wireless network connection. I would like to use static keys (i.e. secret secretfile.key). At the same time I would like the server to assign a VPN ip address to every openvpn client. So far I got a little stuck, can you help ?
03:37 < mne> Thus a concrete case could look like this: wireless DHCP client (192.168.0.123) <--> wireless router (192.168.0.1). On top of that should be the openvpn link: openvpn client (10.0.0.123) <--> wireless interface (192.168.0.123) <------wireless link---> wireless router (192.168.0.1) <--> openwrt server (10.0.0.1)
03:49 -!- mne [n=mne@unaffiliated/mne] has quit ["Ex-Chat"]
04:49 < lolipop> !routes
04:49 < vpnHelper> lolipop: Error: "routes" is not a valid command.
04:49 < lolipop> !route
04:49 < vpnHelper> lolipop: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:50 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
05:00 -!- Grandia [i=Error@d207-216-195-187.bchsia.telus.net] has quit []
05:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Client Quit]
05:39 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:40 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
05:48 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
05:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:19 < ecrist> good morning, folks
07:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:58 -!- joelsolanki [i=joelsola@124.125.151.37] has joined ##openvpn
07:58 < joelsolanki> Hi all
07:58 < joelsolanki> need a quick help.
07:58 < ecrist> hi
07:59 < joelsolanki> i have a vpn server working for a long time and clients are already connected.
07:59 < joelsolanki> i was just adding a remote client and getting the error below
07:59 < joelsolanki> Options error: Parameter ca_file can only be specified in TLS-mode
07:59 < joelsolanki> any hints for solution ?
07:59 < ecrist> that's an error you're getting from OpenVPN, or easy-rsa?
08:00 < joelsolanki> Dec 24 07:10:35 khirod ovpn-client[5752]: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
08:00 < joelsolanki> this is the log in syslog
08:00 < joelsolanki> it seems openvpn client
08:00 < ecrist> oh, lemme see your client config
08:00 < joelsolanki> ok 1 sec
08:01 < joelsolanki> http://www.pastebin.ca/1292994
08:02 < ecrist> I can't see pastebin.ca - some firewall issue on their end. I think my class-a was blocked.
08:02 < joelsolanki> oh
08:03 < joelsolanki> tell me any other that works for you then.
08:03 < joelsolanki> ?
08:03 < ecrist> pastebin.com
08:03 < joelsolanki> ok 1 sec
08:03 < ecrist> sorry for the trouble
08:04 < joelsolanki> http://pastebin.com/m6c14686c
08:04 < joelsolanki> ahh no problem :)
08:06 < ecrist> has that config worked on other systems?
08:06 < joelsolanki> yes
08:07 < joelsolanki> do you see anything wrong ?
08:07 < ecrist> no
08:08 < joelsolanki> hmm.
08:09 < ecrist> especially if it's worked elsewhere.
08:10 < joelsolanki> hmm. yesterday it was another error
08:10 < joelsolanki> i am asking the remote guy to check again
08:10 < joelsolanki> 1 sec
08:13 < joelsolanki> give me 20 mins. just in the middle of a conversation.
08:13 < joelsolanki> brb
08:34 < joelsolanki> back
08:34 < joelsolanki> Dec 24 07:42:25 khirod ovpn-client[5881]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
08:34 < joelsolanki> Dec 24 07:42:25 khirod ovpn-client[5881]: Cannot load private key file khirod_patra.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
08:35 < joelsolanki> Dec 24 07:42:25 khirod ovpn-client[5881]: Error: private key password verification failed
08:35 < joelsolanki> ecrist: u there ?
08:35 < ecrist> yep
08:35 < ecrist> sounds like a problem with the private key
08:37 < joelsolanki> hmm
08:37 < joelsolanki> means i have to create the key again
08:37 < joelsolanki> let me check
08:37 < ecrist> joelsolanki: what OS is the VPN server on?
08:38 < joelsolanki> debian
08:38 < ecrist> what do you use for certificate management? (unrelated, just curious)
08:39 < joelsolanki> openssl
08:39 < ecrist> you do everything direct?
08:40 < joelsolanki> means ?
08:40 < joelsolanki> i worked on console mode
08:40 < ecrist> most people use a script of some sort - openssl is a bit obtuse in its command-line arguments.
08:40 < joelsolanki> i use it directly.
08:41 < ecrist> I would guess that most people use easy-rsa
08:41 < ecrist> I hate it, so I wrote a perl script to handle my certificates.
08:41 < joelsolanki> yes, a lot of people use it.
08:41 < joelsolanki> i do use easy-rsa for the windows vpn server.
08:42 < joelsolanki> but i had this debian running for a long time without any problem so didn't do anything on it.
08:42 < joelsolanki> :)
08:42 < joelsolanki> hmm interesting. how do you manage it with a perl script ?
08:42 < ecrist> !ssl-admin
08:42 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
08:43 < ecrist> that script isn't windows-friendly, as you'd need to adjust pathing and such. I've had it ported into the freebsd ports tree and it's going to soon be available as a gentoo package.
08:43 < ecrist> ebuild I think they call it.
08:43 < ecrist> haven't talked to the debian folks, yet.
08:45 < joelsolanki> hmm
08:45 < joelsolanki> where are you from ?
08:46 < ecrist> the script is a bit crude, as it actually calls the openssl command, I've gotta rework it to use the perl library
08:46 < ecrist> Minnesota, why?
08:46 < joelsolanki> just asking. i am from india
08:47 < joelsolanki> i work as systems manager. generally working on linux platform majorly and some windows box :)
08:47 < ecrist> did that SEA-ME-WEI (sp?) cable cut affect you at all this time?
08:47 < joelsolanki> oh yes very badly.
08:47 < joelsolanki> internet is damn slow.
08:48 < ecrist> news reports say one of them may be fixed by the end of the day today.
08:48 < joelsolanki> cool.
09:15 -!- agampher [n=mail@66.49.105.179.nw.nuvox.net] has quit ["wat"]
09:38 -!- gleblanc [n=chatzill@216.30.212.117] has joined ##openvpn
09:40 < ecrist> glad to help, joelsolanki
09:43 -!- joelsolanki [i=joelsola@124.125.151.37] has quit []
10:16 < wubrgamer> gleblanc: I did, I asked a specific question I couldn't find an answer to, it had a yes/no answer, i understand telling people to JFGI, but come on...
10:16 < wubrgamer> nn
10:16 < gleblanc> Uh
10:16 < wubrgamer> 3
10:17 < gleblanc> 28
10:18 < wubrgamer> gleblanc: sorry, I was scrolling with my irc client, learning new key commands and such, weechat
10:19 < gleblanc> heh
10:24 -!- wubrgamer [n=guptaxpn@unaffiliated/wubrgamer] has quit ["WeeChat 0.2.6"]
10:25 -!- unixSnob [n=jj@66-81-69-218.bayarea.dialup.o1.com] has joined ##openvpn
10:28 < unixSnob> it looks like my isp has started blocking tunnels.. either that, or my tunnel provider is down. How would I know the difference?
10:35 < ecrist> hrm
10:36 < ecrist> check the tunnel provider from another source
10:37 < unixSnob> ecrist: i was hoping for a more convenient approach.. something I could do without driving to a friend's house
10:37 < gleblanc> Call a friend on the phone. :-)
10:37 < ecrist> tell me what to check, I'll check it for you
10:37 < unixSnob> The openvpn log shows a successful connection; but all my internet apps time out
10:38 < unixSnob> gleblanc: and give them my keys?
10:38 < ecrist> if you've got an openvpn connection, your ISP isn't blocking traffic
10:38 < gleblanc> unixSnob: uh
10:38 < gleblanc> yeah, what ecrist said
10:39 < unixSnob> yesterday, i connected successfully, and also my internet apps worked. Today I connect successfully, but all the internet apps time out, as if all the packets are being dropped
10:39 < unixSnob> also, i suspect that my ISP does not want tunneling going on.. it's a free dialup provider
10:40 < ecrist> why would they care about tunneling?
10:40 < ecrist> that doesn't make sense
10:41 < ecrist> https is essentially the same thing, only really-short duration tunnels
10:46 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
10:46 < mRCUTEO> merry christmas everyone
10:46 < ecrist> merry christmas eve, mRCUTEO
10:47 < mRCUTEO> it's 25th already here in asia :)
10:47 < mRCUTEO> well merry xmas eve then :)
10:47 < ecrist> really? aren't you behind there?
10:47 < ecrist> I'm -5 GMT
10:48 < mRCUTEO> im +8 GMT
10:48 < ecrist> oh
10:48 < mRCUTEO> Malaysia/Singapore time
10:48 < mRCUTEO> :)
10:48 < mRCUTEO> it's 12:50 AM now
10:48 * ecrist fucktard sometimes
10:48 < mRCUTEO> :)
10:49 < mRCUTEO> what's the time in your place ecrist?
10:49 < ecrist> Wed Dec 24 10:49:17 CST 2008
10:49 < mRCUTEO> 10 AM ?
10:49 < ecrist> yep
10:50 < gleblanc> Isn't that GMT-6?
10:50 < mRCUTEO> i can travel back to your place and celebrate xmas twice then, who says we can't go back to the future :P
10:51 < ecrist> heh
10:52 < mRCUTEO> christmas is very quiet in my place
10:52 < mRCUTEO> it's not the way it used to be..
10:52 < ecrist> why's that?
10:52 < gleblanc> you know anything about iptables firewalls, ecrist?
10:52 < mRCUTEO> maybe because of the current economy situation
10:53 < ecrist> gleblanc: no, linux is for losers.
10:53 < mRCUTEO> most people prefer to stay at home and celebrate with family.
10:53 < ecrist> nothing but windows 98 or ME for me.
10:53 < gleblanc> What about 98SE?
10:54 < ecrist> only for the USB support
10:54 < gleblanc> Heh
10:54 < ecrist> seriously, no, I know nothing about iptables
10:54 < ecrist> ipfw and pf, I can do.
10:54 < gleblanc> I wonder if I need eth0 in addition to br0
10:55 * gleblanc ponders aloud
10:55 < mRCUTEO> gleblanc : br0:2
10:55 < mRCUTEO> :D
10:55 < gleblanc> Nah, I don't have a third bridge configured
10:56 < gleblanc> Nor even a second
10:56 < gleblanc> The first one is configured out of the box
10:57 < gleblanc> I guess I'll reboot, since I can't see how else to restore the iptables rules
10:58 < mRCUTEO> gleblanc what do you mean?
10:58 < mRCUTEO> there is a way to restore iptables
10:58 < gleblanc> mRCUTEO: I can't find the script that gets run on startup on this box
10:58 < mRCUTEO> iptables -t filter -F; iptables -t nat -F; iptables -t mangle -F
10:58 < mRCUTEO> try that
10:58 < mRCUTEO> it will restore your iptables back to default
10:59 < gleblanc> no, that flushes all rules from the tables
10:59 < gleblanc> I need to get back to the ones that get run on bootup
10:59 < mRCUTEO> ic..
11:00 < gleblanc> Normally they're in /etc/rc.d I think
11:00 < mRCUTEO> do you have special configuration on the iptables?
11:00 < mRCUTEO> .../etc/rc.local
11:00 < gleblanc> Just the default from dd-wrt
11:00 < mRCUTEO> oh..
11:00 < mRCUTEO> what's your distro?
11:00 < gleblanc> well, there's no rc.local either. :-(
11:00 < gleblanc> dd-wrt
11:00 < mRCUTEO> oh..
11:00 < gleblanc> It's very lean. :)
11:01 < gleblanc> 5.9M, with everything installed
11:01 < mRCUTEO> wow
11:01 < mRCUTEO> :)
11:01 < gleblanc> (Of course, most of the boxes it runs on have only 4MB of "disk")
11:03 < gleblanc> wow, yeah, so it's one of the scripts in /etc/config
11:03 < gleblanc> I just don't know which one
11:03 < gleblanc> and there's 90 of them
11:06 < mRCUTEO> phew~
11:06 < mRCUTEO> hehe
11:06 -!- unixSnob [n=jj@66-81-69-218.bayarea.dialup.o1.com] has quit [Read error: 113 (No route to host)]
11:07 < gleblanc> at least it takes < 30 seconds to reboot
11:10 < mRCUTEO> aha :)
11:19 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit []
11:31 -!- unixSnob [n=jj@66-81-68-91.bayarea.dialup.o1.com] has joined ##openvpn
11:32 < unixSnob> wow.. what a pain in the ass it is to get in this channel. the registered nick requirement causes a lot of harassment
11:33 < unixSnob> half the time I'm logged in with a secondary nick because of a netsplit type of thing
11:33 < gleblanc> unixSnob: uh, so register your secondary nick, and associate it with your main?
11:33 < unixSnob> gleblanc: i recall starting down that path.. not sure why I had problems with that
11:34 < unixSnob> it's hell to work with nickserv for me. I think there are some bugs in the otr-irssi plugin that interfere
11:34 * gleblanc is too lazy to use plugins
11:35 < unixSnob> gleblanc: plugins are for the lazy, no?
11:35 < gleblanc> Not when they're that hard to get working. :)
11:35 < unixSnob> i couldn't imagine trying to use OTR manually
11:35 < gleblanc> old time radio?
11:36 < unixSnob> off-the-record
11:36 < unixSnob> it generally works in conjunction with another plugin: bitlbee
11:36 < unixSnob> it's all PFM to me
11:37 < unixSnob> (pure fucking magic)
11:37 < gleblanc> Heh
11:37 < gleblanc> being an RF engineer by trade, it's all FM. :)
11:45 < unixSnob> anyway.. what I was saying earlier when i got kicked off my dialup, is that i'm not sure if my vpn provider is broken, or if my isp is blocking the tunnel
11:45 < unixSnob> the isp might not like users with tunnels, because it's a free dialup isp
11:45 < unixSnob> however, openvpn initializes
11:46 < unixSnob> it's just that every internet app times out, as if the packets are getting blackholed
11:47 < unixSnob> if I do a traceroute, i never see anything past my router.. just * * * *
11:47 < unixSnob> but i see several rows of * * * *
11:48 < unixSnob> does that mean the traceroute packets are getting dropped at the ISP?
11:48 < unixSnob> or the vpn server?
11:50 < unixSnob> hmm.. the VPN provider just replied to me. None of their users have complained. So I guess my ISP got smart in the past day, and started blocking the tunnel
11:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
12:02 < ecrist> unixSnob: if the tunnel was blocked, you wouldn't be able to connect at all
12:10 -!- Geomancer626 [n=derek@adsl-76-213-115-27.dsl.okcyok.sbcglobal.net] has joined ##openvpn
12:11 < Geomancer626> Hello everyone
12:12 < ecrist> sup?
12:13 -!- unixSnob [n=jj@66-81-68-91.bayarea.dialup.o1.com] has quit [Read error: 113 (No route to host)]
12:13 < gleblanc> yay for vi segfaults!
12:14 < ecrist> lol
12:14 < ecrist> http://failblog.files.wordpress.com/2008/04/dairy-fail.jpg?w=500&h=635
12:14 < ecrist> taking advantage of a situation...
12:16 < Geomancer626> Not much. I was just wondering if I could get some help with a small problem I'm having.
12:16 < ecrist> sure, we need to know what's wrong, first, though
12:17 < Geomancer626> Well, I have my server up and running with no problems connecting. Afterwards though, I don't have an internet connection.
12:28 < Geomancer626> I've been looking around online for a couple of days, but haven't found anything that's worked.
12:29 -!- unixSnob [n=jj@66-81-69-71.bayarea.dialup.o1.com] has joined ##openvpn
12:33 < Geomancer626> I've got the proper routing configuration on my router.
12:41 -!- gallatin [n=gallatin@dslb-092-072-071-024.pools.arcor-ip.net] has joined ##OpenVPN
12:41 < gallatin> join #grub
12:48 -!- Geomancer626 [n=derek@adsl-76-213-115-27.dsl.okcyok.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
12:49 -!- Geomancer626 [n=derek@adsl-76-213-115-27.dsl.okcyok.sbcglobal.net] has joined ##openvpn
12:51 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
12:53 -!- unixSnob [n=jj@66-81-69-71.bayarea.dialup.o1.com] has quit ["leaving"]
12:54 < ecrist> Geomancer626: are you using redirect-gateway?
12:56 -!- Dryanta is now known as DryXMAS
13:00 < Geomancer626> yeah
13:00 < ecrist> are you using a 1918 address space for your tunnel?
13:01 < Geomancer626> ecrist: 1918?
13:02 < ecrist> !1918
13:02 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
13:03 < Geomancer626> ecrist: the tunnel is configured to use 10.0.0.0
13:03 < ecrist> ok, are you doing NAT on your vpn server for vpn clients?
13:04 < Geomancer626> Yes
13:05 < ecrist> I'm guessing there's a problem with it
13:05 < Geomancer626> Hmm, okay
13:09 -!- DryXMAS [i=dryanta@dev.hockingits.com] has quit ["Changing server"]
13:09 -!- Geomancer626 [n=derek@adsl-76-213-115-27.dsl.okcyok.sbcglobal.net] has left ##openvpn []
13:13 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
13:13 < bigjohnto> SIGINT[hard,] received, process exiting
13:13 < bigjohnto> when i restart openvpn
13:13 < bigjohnto> it doesn't come back up why
13:14 < ecrist> anything in the logs, more than that?
13:14 < bigjohnto> Can't unlink interface: Not owner (errno=1)
13:14 < bigjohnto> when i do
13:14 < bigjohnto> ps -eaf | grep openvpn
13:14 < bigjohnto> no processes
13:14 < ecrist> are you running as root?
13:14 < bigjohnto> yea
13:14 < bigjohnto> bad?
13:14 < ecrist> no, you need to run as root.
13:14 < ecrist> what OS?
13:15 < bigjohnto> solaris
13:15 < bigjohnto> solaris 10
13:15 < ecrist> tun or tap?
13:15 < bigjohnto> tun
13:15 < bigjohnto> tun0
13:15 < bigjohnto> so i just started it
13:15 < bigjohnto> shows initialization sequence complete
13:15 < bigjohnto> after a few minutes
13:15 < ecrist> hrm, I seem to recall there being a problem on Solaris with tun
13:16 < bigjohnto> it's been working for over 2 years now
13:16 < ecrist> as in, it's not supported
13:16 < ecrist> oh
13:16 < ecrist> what version of openvpn
13:16 < bigjohnto> maybe it's tap but i called the connection tun
13:16 < bigjohnto> lol
13:16 < bigjohnto> one sec
13:16 < bigjohnto> so 1 minute later
13:16 < bigjohnto> process dies
13:16 < bigjohnto> if i reboot it solves the problem
13:17 < bigjohnto> but i thought i could just start the processes without a reboot
13:17 < ecrist> pastebin.com your logs and both server and client config
13:17 < ecrist> you should be able to, unless there's some zombie holding the tun0 interface
13:17 < bigjohnto> if openvpn dies
13:17 < ecrist> try specifying just tun, rather than tun0
13:17 < bigjohnto> shouldn't the tun0 interface disappear too?
13:18 < ecrist> see, tun0 is actually created by the kernel, from a request by openvpn
13:18 < ecrist> you could be seeing a bug in a number of things
13:18 < bigjohnto> meh i just rebooted
13:21 < bigjohnto> i'll get back to you with the configs
13:21 < bigjohnto> i just have to run off for a bit
13:21 < bigjohnto> i really appreciated your help
13:22 < ecrist> np
14:50 -!- gallatin [n=gallatin@dslb-092-072-071-024.pools.arcor-ip.net] has quit ["Client exiting"]
15:03 -!- gleblanc [n=chatzill@216.30.212.117] has quit [Read error: 104 (Connection reset by peer)]
16:46 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"]
17:19 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection]
17:33 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
17:57 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [No route to host]
18:09 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
18:28 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [Read error: 113 (No route to host)]
18:29 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
19:56 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
20:12 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [Read error: 145 (Connection timed out)]
20:24 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [No route to host]
21:21 -!- gregHome [n=gleblanc@75.108.7.23] has quit [Read error: 113 (No route to host)]
21:42 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
22:58 -!- Luria [n=trashed@cpe-74-66-17-216.nyc.res.rr.com] has joined ##openvpn
22:58 -!- Luria [n=trashed@cpe-74-66-17-216.nyc.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
23:46 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has joined ##openvpn
--- Day changed Thu Dec 25 2008
00:05 -!- ByronGrobe [n=grobe0ba@server.lethaltechnology.net] has joined ##openvpn
00:05 -!- Pulpie [n=Pulpie@unaffiliated/pulpie] has joined ##openvpn
00:13 < Pulpie> so I have a freebsd 6.4-release-p1 server and im trying to get the server launched after setting up the cacert and cakey. I have tried twice now to make sure that I put in the passwords the same and have remade both the cacert and the cakey with a different password. The cakey is self-signed and the error is: http://pastebin.com/m22604d34 Anyone see why it's rejecting the password that I'm pretty sure is right
00:18 -!- grndslm [n=grndslm@24-116-87-97.cpe.cableone.net] has quit ["Leaving"]
00:18 -!- ByronGrobe [n=grobe0ba@server.lethaltechnology.net] has left ##openvpn []
01:55 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:55 < krzee> merry christmas security lovers!
02:35 -!- tjz [n=tjz@bb116-15-92-175.singnet.com.sg] has joined ##openvpn
02:35 < tjz> merry xmas, guys!
02:35 < tjz> just in time. :)
03:23 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 131 (Connection reset by peer)]
03:24 -!- tjz [n=tjz@bb116-15-92-175.singnet.com.sg] has quit [Read error: 60 (Operation timed out)]
03:35 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
03:41 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection]
03:47 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
03:53 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
04:16 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
04:16 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection]
05:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
05:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:42 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
05:42 < mlaci> hi guys! i get "TLS Error: Unroutable control packet received". my time settings are correct. what could be wrong?
05:47 < mlaci> gosh, i've used the server certificate for the client
05:48 < mlaci> have a merry christmas everyone!
05:48 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has left ##openvpn ["Leaving"]
05:50 -!- tjz [n=tjz@bb116-15-92-175.singnet.com.sg] has joined ##openvpn
06:18 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has joined ##openvpn
07:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
07:39 -!- munga [n=munga@81.194.35.9] has joined ##openvpn
07:40 < munga> !route
07:40 < vpnHelper> munga: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
07:42 < munga> hi all. I'm using a vpn to get unrestricted access to a set of public servers. The problem is that my vpn server is in the same address range as my public servers. For this reason I can't just add a static route on the client ...
07:43 -!- grndslm [n=grndslm@67-60-143-137.cpe.cableone.net] has joined ##openvpn
07:43 < munga> to solve the problem I've added on the client a static route to the vpn server and a more general route command to the subnet ...
07:44 < munga> I'm wondering if there is a better way to do this...
08:23 -!- grndslm [n=grndslm@67-60-143-137.cpe.cableone.net] has quit [Read error: 110 (Connection timed out)]
08:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:49 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
08:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:12 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
09:18 < Tykling> hello gentlemen, I have a small lan with two redundant freebsd pf firewalls using carp and pfsync, I'd like to create an openvpn tunnel from the firewalls to another freebsd machine, how do I go about the openvpn tunnel with the two firewalls ? can I somehow run openvpn on both and get it to understand that it should only make a tunnel from the master firewall ?
09:18 < Tykling> or even better, synchronize the openvpn state to the backup firewall so it can take over without delays
09:31 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
09:36 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"]
10:18 -!- tjz [n=tjz@bb116-15-92-175.singnet.com.sg] has quit ["GG. X_X"]
12:13 -!- joh [i=johannj@caracal.stud.ntnu.no] has joined ##openvpn
12:19 < joh> Hi, I've got openvpn set up with UDP over tun, and it works perfectly on most systems. However when I try to connect to the vpn network behind a linksys wrt54g v7 router, the vpn connection is lost after 5 seconds of inactivity. I suspect the issue is the router, but I can't find any info on how to debug further... Any help?
12:59 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
13:00 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
13:10 < krzee> try adding a keepalive
13:19 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
13:27 -!- Pulpie [n=Pulpie@unaffiliated/pulpie] has left ##openvpn []
14:00 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: justdave, AndyML, disco-, paruchuri, Grapsus, ElCheapo, smk, Solver, thefish, dogmeat, (+9 more, use /NETSPLIT to show all of them)
14:02 -!- Netsplit over, joins: smk, troy-, paruchuri, thefish, ebf0, AndyML, munga, syntaxx, tarbo2, dogmeat (+4 more)
14:06 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: justdave, tarbo2, thefish, paruchuri, ebf0, dogmeat, jabular, syntaxx, jpalmer, munga, (+4 more, use /NETSPLIT to show all of them)
14:07 -!- Solver [n=robert@CPE00a0c96b79ba-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
14:07 -!- imbezol [i=imbezol@igloo.bigfiber.net] has joined ##openvpn
14:07 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has joined ##openvpn
14:07 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
14:07 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has joined ##openvpn
14:07 -!- Netsplit over, joins: smk, troy-, paruchuri, thefish, ebf0, AndyML, munga, syntaxx, tarbo2, dogmeat (+4 more)
14:32 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
14:48 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
17:13 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote closed the connection]
17:34 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn
17:34 < HardDisk_WP> hi
17:34 < HardDisk_WP> how do I specify http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html here that I don't use a tun/tap device?
17:34 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
17:34 < HardDisk_WP> the openvpn host is a vserver w/o the capab of adding net devices
17:35 < HardDisk_WP> I want to be able to reach the Internet from school without being limited to just HTTP
17:36 < HardDisk_WP> how do I configure this, provided I have a Linux vserver at some colo, connected to the internet?
17:36 < HardDisk_WP> communication tunneling over tcp works over a specific port, so this isn't a problem
17:36 < HardDisk_WP> only the vpnd config, is
17:51 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn
18:00 < reiffert> HardDisk_WP: follow the official openvpn howto
18:00 < reiffert> !howto
18:00 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:00 < HardDisk_WP> reiffert, does openvpn need a tun/tap device?
18:00 < reiffert> yes.
18:00 < HardDisk_WP> Crap.
18:00 < reiffert> no admin rights at school?
18:00 < HardDisk_WP> reiffert, does any VPN software exist that does not need a tun/tap device?
18:01 < reiffert> plenty. ipsec, pptp, various others.
18:01 < reiffert> so whats the matter with tun/tap at your place? 18:02 < HardDisk_WP> my vServer hoster doesn't permit adding network devices 18:02 < reiffert> did you ask him to do so, for your case? 18:02 < HardDisk_WP> No, they generally don't do this 18:02 < HardDisk_WP> technically impossible 18:02 < reiffert> ah well, time to get a real root server then. 18:03 < HardDisk_WP> No money left =) 18:03 < reiffert> pptp will use a ppp device. 18:03 < HardDisk_WP> :/ 18:03 < HardDisk_WP> Richte ppp ein (2.4.4rel-8) ... 18:03 < HardDisk_WP> mknod: >>ppp-<<: Die Operation ist nicht erlaubt 18:03 < HardDisk_WP> makedev ppp c 108 0 root dip 0660: failed 18:03 < reiffert> you could use ssh to tunnel ports. 18:04 < HardDisk_WP> hmm... 18:04 < HardDisk_WP> that's pretty annoying^^ I'd have to set proxies everywhere 18:04 < reiffert> but without modifying routing table and other stuff = no real fun. 18:04 < HardDisk_WP> routing table wouldn't be a problem 18:04 < reiffert> english please. 18:05 < reiffert> hetzner root server, ds5000, 59EU/Mon 18:05 < HardDisk_WP> but isn't there any tunnel solution other than ssh which doesn't need any devices at the server? 18:05 < HardDisk_WP> i only got 40EUR / month as pocket money :p 18:05 < reiffert> ds3000 = 49EU/Mon 18:06 < reiffert> well you have to use some sort of adress rewriting. 18:06 < HardDisk_WP> with ssh? 18:07 < reiffert> with any vpn solution where you want to have your packets that pass the tunnel to come back from other hosts. 18:08 < HardDisk_WP> do you have any howtos/links ready? 18:08 < reiffert> no. 18:08 < reiffert> ask on a general purpose linux channel, maybe #debian.de 18:09 < HardDisk_WP> kk 18:09 < HardDisk_WP> hm...response times in debian.de tend to go >6hrs ;) 18:09 < HardDisk_WP> I'l try tomorrow^^ 18:09 < HardDisk_WP> thanks for your help, anyway! 
18:09 < HardDisk_WP> and a happy rest of Christmas^^ 18:09 < reiffert> 5 people awake on ircnet #debian.de 18:10 < reiffert> same to you, welcome 18:11 < reiffert> ircnet, like irc.belwue.de 18:12 < reiffert> what happens when you run: openvpn --mktun 18:13 < HardDisk_WP> I've killed the package already, but the debian question if it shall create the device, failed with permission denied for mknod 18:14 < reiffert> do you have root access to your vserver? 18:15 < HardDisk_WP> yes 18:15 < reiffert> paste: grep /dev /proc/mounts 18:15 < reiffert> ls -ld /dev 18:16 < HardDisk_WP> reiffert, http://pastebin.com/m6a3737b 18:17 < reiffert> try /connect -ircnet ircnet irc.belwue.de and join #debian.de 18:17 < reiffert> or appropriate on xchat. 18:18 < HardDisk_WP> it's /server on it 18:18 < reiffert> well, on irssi /connect allows you to run multiple connections. 18:19 < HardDisk_WP> irssi, urgh. irssi sucks when you have more than 10 channels 18:19 < HardDisk_WP> i'm normally in over 50 channels in total =) 18:19 < reiffert> and/or try to mknod in /tmp 18:20 < HardDisk_WP> reiffert, what's the correct parameters for mknod for tuntap 18:20 < HardDisk_WP> ? 18:21 < reiffert> well ... 18:22 < reiffert> paste what happens when you run: openvpn --mktun 18:22 < reiffert> also note that openvpn doesnt need a special file called /dev/tun 18:22 < reiffert> it's just an option. 
18:22 < HardDisk_WP> vs5606:/tmp# openvpn --mktun 18:22 < HardDisk_WP> Options error: You must define TUN/TAP device (--dev) 18:23 < HardDisk_WP> reiffert, http://pastebin.com/m38fd89ae 18:23 < reiffert> openvpn --mktun --dev tun0 18:23 < HardDisk_WP> Fri Dec 26 01:25:22 2008 Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2) 18:23 < reiffert> ccm:~# ls -al /dev/net/tun 18:23 < reiffert> crw-rw---- 1 root root 10, 200 2007-08-08 17:00 /dev/net/tun 18:23 < reiffert> mkdir /dev/net; mknod c 10 200 /dev/net/tun 18:25 < HardDisk_WP> reiffert, http://pastebin.com/m1bf84a95 18:26 < reiffert> modprobe tun 18:28 < HardDisk_WP> vs5606:/tmp# modprobe tun 18:28 < HardDisk_WP> modprobe: Can't open dependencies file /lib/modules/2.6.22.19/modules.dep (No such file or directory) 18:28 < HardDisk_WP> vs5606:/tmp# lsmod 18:28 < HardDisk_WP> Module Size Used by Not tainted 18:28 < HardDisk_WP> lsmod: QM_MODULES: Function not implemented 18:29 < reiffert> 3doh 18:29 < HardDisk_WP> it's disabled by kernel 18:29 < reiffert> depmod -ae 18:29 < HardDisk_WP> vs5606:/tmp# depmod -ae 18:29 < HardDisk_WP> depmod: QM_MODULES: Function not implemented 18:30 < krzie> http://www.destructoid.com/worst-parents-ever-kid-gets-an-xbox-360-box-filled-with-clothes-for-christmas-73150.phtml 18:30 < vpnHelper> Title: Worst parents ever: Kid gets an Xbox 360 box filled with clothes for Christmas | Destructoid, The hardcore gamer's community (at www.destructoid.com) 18:32 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 18:32 < reiffert> krzie: please do some magic and get HardDisk_WP some solution, any idea? 18:32 < krzie> lemme scroll up 18:33 < krzie> hes root, its debian, its not a VPS? 18:33 < reiffert> it's a virtual server 18:35 < krzie> the real root needs to do stuff for him then 18:35 < reiffert> socks? 18:35 < krzie> oh hes not looking for ovpn setup? 18:35 * krzie checks where he is 18:36 < krzie> whats his goal again? 
18:36 < reiffert> well he would if creating a tun device would work .. 18:36 < reiffert> his goal is to tunnel stuff from a to b 18:36 < krzie> it will if the host enables it 18:36 < krzie> well sure socks or ssh tunnels will do that 18:36 < krzie> but openvpn will work too if his host cooperates 18:37 < reiffert> says the hoster doesnt do that 18:37 < HardDisk_WP> yep 18:37 < krzie> well i know ssh tunnels and socks will work 18:37 < reiffert> and a real root server is 9 bugs / month more... which he doesnt have. 18:37 < HardDisk_WP> technically impossible, their virtualization software dont allow that 18:37 < krzie> dont see why ipsec wouldnt 18:37 < krzie> HardDisk_WP which software? 18:38 < HardDisk_WP> reiffert, 35 bucks per month more, actually. i pay 5EUR/month for the vserver 18:38 < HardDisk_WP> krzie, what way it works I don't really care. problem is that there mustn't be any proxies on the client side which have to be set manually 18:38 < reiffert> wow, that's cheap. strato? 18:38 < HardDisk_WP> MSN, XChat and some other programs regularly fuck up with proxies 18:39 < HardDisk_WP> reiffert, star-hosting.de is my one vserver, and the one i share with a friend is at netfabrik.de 18:39 < HardDisk_WP> both 5EUR / month including one de domain 18:39 < krzie> i socksify my entire internet connection 18:39 < krzie> so your claim is bullshit 18:39 < krzie> i socksify msn, xchat, and everything else i use 18:39 < HardDisk_WP> wow, it works at you. amazing... 18:40 < reiffert> good night guys! 18:40 < krzie> nite tom 18:40 < HardDisk_WP> gn8 reiffert 18:40 < krzie> but i dont enter socks info into each app 18:41 < HardDisk_WP> krzee, wow, cool. how do you do this 18:41 < HardDisk_WP> ?# 18:41 < krzie> theres ways to socksify your entire connection 18:41 < HardDisk_WP> so it's totally transparent for the software? 
18:41 < krzie> i THINK the way in linux is an app called socksify 18:41 < HardDisk_WP> i'm on windows 18:41 < HardDisk_WP> on the client 18:41 < krzie> i use osX with proxifier (also works for windows) 18:41 < HardDisk_WP> on server, I have debian stable 18:41 < HardDisk_WP> ok 18:41 < krzie> yes the software its transparent 18:42 < krzie> also gives me a nice lil list of every connection made 18:42 < HardDisk_WP> wow. cool. 18:42 < HardDisk_WP> what do I need on server side? 18:43 < HardDisk_WP> just a socks server? 18:43 < krzie> a socks server configured correctly 18:43 < krzie> NOT WIDE OPEN 18:43 < krzie> dante is a good app 18:43 < krzie> with built in support for auth against linux 18:44 < krzie> i use it on freebsd, hooked it into the system logins with PAM 18:44 < HardDisk_WP> i'm gonna use freecap 18:45 < HardDisk_WP> argh, it wants that I specify any program i want to use for it 18:45 -!- syntaxx [n=syntaxx@unaffiliated/syntaxx] has quit [Nick collision from services.] 18:45 < krzie> the server? 18:46 < HardDisk_WP> no, on client side 18:46 < HardDisk_WP> apparently, for every program I want to socksify, I have to make an entry 18:47 < krzie> proxifier has an option to choose which to force, or which to not force 18:47 < krzie> i dont use that app you said, so dunno 18:52 < krzie> my socks is listening inside openvpn 18:52 < krzie> i use it like that so i can route through openvpn for most traffic, and let torrents go over my normal connection 18:53 < HardDisk_WP> what torrent program do you use? 18:56 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 19:04 < krzie> i use osX... 19:04 < krzie> on osx i use transmition, on bsd i use rtorrent 19:10 < HardDisk_WP> krzie, do you know how I can debug danted? 
19:11 < krzie> i havnt looked at it in a long time, im really just here to help with openvpn 19:11 < HardDisk_WP> ok^^ 19:50 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn 19:51 < mRCUTEO> hey 19:51 < mRCUTEO> merry christmas everyone 19:51 < krzie> same to you 19:51 < mRCUTEO> merry xmas krzee ! 19:51 < mRCUTEO> :D 19:51 < krzie> =] 19:58 -!- mRCUTEO [n=info@96.9.131.182] has quit [] 19:59 < krzie> heh that was nice, just stopped through to say merry xmas 20:16 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 21:12 < ecrist> Merry Christmas, folks. 23:17 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Ex-Chat"] --- Day changed Fri Dec 26 2008 00:08 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn 00:18 -!- mRCUTEO [n=info@96.9.131.182] has quit [] 01:49 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 01:55 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 03:51 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)] 03:51 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 04:50 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 05:01 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 06:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:38 -!- apo [n=apo@pD9E7BF47.dip.t-dialin.net] has joined ##openvpn 06:43 < apo> Hi, can somebody help me getting my vpn to work properly? I've configured the server and a client so far, but the second client can't get in... 
this is the error log: http://apo2k4.ath.cx/~apo/tmp/pn 06:43 < apo> err 06:43 < apo> http://apo2k4.ath.cx/~apo/tmp/openvpn 06:44 < apo> I'm pretty much using the sample configs 06:58 < ecrist> sure, lemme look 07:00 < ecrist> need to see your server and client configs 07:00 < ecrist> actually, no 07:00 < ecrist> Fri Dec 26 12:42:56 2008 VERIFY ERROR: depth=1, error=certificate is not yet valid: 07:01 < apo> But it works on the other client. :| 07:01 < ecrist> the date on your certificate is in the future, which means it's invalid 07:01 < ecrist> check your time/date on the client that's not working 07:01 < apo> *stares at the date* 07:01 < apo> It's 14:03 >_> 07:01 < apo> hold on... 07:02 < apo> Oh. 07:02 < apo> The client's clock is in the past =P 07:02 < apo> Thanks. 07:02 < ecrist> ok, well, I'm not there, so I can't look at it myself. there is either a date inconsistency on one of the machines, or you built the certificate with the wrong time/date 07:04 < apo> It's working :D Thanks again 07:04 < ecrist> np - next time, try to listen to the advice right away, and not be a smart-ass about it 07:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:53 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 11:07 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has quit [Read error: 110 (Connection timed out)] 12:10 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 13:13 -!- ElCheapo [n=elcheapo@d137-186-181-17.abhsia.telus.net] has quit [Read error: 60 (Operation timed out)] 13:29 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has quit [Remote closed the connection] 14:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:02 -!- apo [n=apo@pD9E7BF47.dip.t-dialin.net] has quit [Read error: 145 (Connection timed out)] 16:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 16:55 -!- bandini 
[n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 16:55 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 18:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 18:12 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 18:43 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 19:16 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 19:16 < onats> morning, merry christmas 19:21 < krzee> evening, merry christmas 19:23 < onats> hehehe 19:51 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 20:21 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 21:01 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit ["Leaving."] 22:01 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 23:59 -!- justdave [n=dave@unaffiliated/justdave] has quit ["reboot for kernel upgrade"] --- Day changed Sat Dec 27 2008 00:43 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"] 00:48 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 113 (No route to host)] 01:56 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 03:17 -!- ikevin [n=kevin@ANancy-256-1-61-139.w90-26.abo.wanadoo.fr] has joined ##openvpn 03:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 03:18 -!- ikevin [n=kevin@ANancy-256-1-61-139.w90-26.abo.wanadoo.fr] has quit [Remote closed the connection] 03:19 -!- ikevin [n=kevin@ANancy-256-1-61-139.w90-26.abo.wanadoo.fr] has joined ##openvpn 03:47 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 04:10 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 145 (Connection timed out)] 04:22 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has 
joined ##openvpn 06:18 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 06:40 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 07:55 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 07:55 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 10:15 -!- eolo999 [n=eolo999@94.37.108.92] has joined ##openvpn 10:15 < eolo999> hi, what's a roadwarrior? 10:42 < ecrist> someone who works remotely from the office 10:44 < eolo999> ecrist: thx 11:13 -!- eolo999 [n=eolo999@94.37.108.92] has quit [Read error: 110 (Connection timed out)] 12:17 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has joined ##openvpn 12:17 < Dougy> hey all 13:37 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has joined ##openvpn 13:37 < Blinkiz> hello 13:40 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 13:40 < Blinkiz> I get "MULTI: bad source address from client" errors in my logfile on the server side. Basically the client is sending packages with the wrong source address that belongs to the clients LAN. I have read I can fix this with "client-config-dir" and a iroute. Problem is that this is not dynamic. If the client (roadwarrior) connects from another LAN, it will start to complain again. So how can I solve this problem in a more.. eeh.. dynamic way? 13:43 < Blinkiz> Oh, btw, everything seems to work. 
I just want to get rid of this error in the logfile 13:51 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has quit [Read error: 60 (Operation timed out)] 13:52 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has joined ##openvpn 14:05 < reiffert> moin 14:10 < Dougy> hi 14:12 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has quit [Read error: 110 (Connection timed out)] 14:15 -!- ikevin [n=kevin@ANancy-256-1-61-139.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 14:16 -!- ikevin [n=kevin@ANancy-256-1-136-9.w90-33.abo.wanadoo.fr] has joined ##openvpn 14:21 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has joined ##openvpn 14:38 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has quit [Read error: 110 (Connection timed out)] 14:39 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has joined ##openvpn 15:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 16:53 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has quit [] 17:34 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 17:38 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has quit [Connection timed out] 17:41 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has joined ##openvpn 19:04 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 19:15 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has quit [Read error: 113 (No route to host)] 20:39 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has joined ##openvpn 20:40 < uncorq> !route 20:40 < vpnHelper> uncorq: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:21 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 21:30 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has quit [Read error: 60 (Operation timed out)] 21:39 -!- unixSnob [n=jj@66-81-68-36.bayarea.dialup.o1.com] has joined ##openvpn 21:41 < unixSnob> i've got an isp that's blocking my tunnel. bastards. how does the isp distinguish SSL encrypted http packets and SSL openvpn packets, both being on port 80? 
21:41 < unixSnob> and how can I circumvent this? will corkscrew work? 21:41 < unixSnob> or is corkscrew exclusively for ssh? 21:44 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has joined ##openvpn 21:49 -!- unixSnob [n=jj@66-81-68-36.bayarea.dialup.o1.com] has quit [Nick collision from services.] 21:52 -!- unixSnob [n=jj@66-81-64-197.bayarea.dialup.o1.com] has joined ##openvpn 21:52 < unixSnob> sorry my connection is lousy... did anyone reply to me? 22:55 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:02 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 23:04 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn [] 23:23 < ropetin> Evenin' all, how's everyone been over the holiday period? 23:50 -!- unixSnob [n=jj@66-81-64-197.bayarea.dialup.o1.com] has quit ["leaving"] --- Day changed Sun Dec 28 2008 00:50 < ropetin> !linux 00:50 < vpnHelper> ropetin: Error: "linux" is not a valid command. 00:50 < ropetin> !lnat 00:50 < vpnHelper> ropetin: Error: "lnat" is not a valid command. 00:50 < ropetin> Meh! 00:50 < ropetin> !menu 00:50 < vpnHelper> ropetin: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 00:51 < ropetin> !factoids search * 00:51 < vpnHelper> ropetin: More than 100 keys matched that query; please narrow your query. 00:51 < ropetin> Hehehhe 00:51 < ropetin> !factoids search iptables 00:51 < vpnHelper> ropetin: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 00:51 < ropetin> !factoids search linux 00:51 < vpnHelper> ropetin: No keys matched that query. 
00:51 < ropetin> !factoids search nat 00:51 < vpnHelper> ropetin: 'bsdnat', 'nat', and 'linnat' 00:51 < ropetin> !linnat 00:51 < vpnHelper> ropetin: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 01:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:01 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 03:15 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn 03:17 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has joined ##openvpn 03:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 04:05 < reiffert> moin 04:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:02 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn 06:05 -!- mRCUTEO [n=info@96.9.131.182] has quit [Client Quit] 06:35 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 07:06 -!- Blinkiz [n=Blinkiz@unaffiliated/blinkiz] has quit ["Leaving"] 09:27 -!- Uncle|Sam [i=iamroot@ist.ein.topkiller.aus.dem.mafiamili.eu] has joined ##openvpn 09:27 < Uncle|Sam> Hi there 09:35 < Uncle|Sam> I want to start a vpn server for me and my friends to let them join and play like we are in one local network. is this possible with openvpn? 10:48 < reiffert> Yes. 10:48 < reiffert> !howto 10:48 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:49 < reiffert> you want to follow the routing setup and then advance to the tap/bridging setup afterwards. 
10:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 11:26 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: Solver, imbezol 11:32 -!- Netsplit over, joins: Solver, imbezol 11:33 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn 11:33 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit [Nick collision from services.] 11:35 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn 11:40 -!- munga [n=munga@81.194.35.9] has quit [Read error: 110 (Connection timed out)] 11:40 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 11:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:44 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)] 14:35 -!- timholum [n=chatzill@64-91-67-5.stat.centurytel.net] has joined ##openvpn 14:37 -!- joh [i=johannj@caracal.stud.ntnu.no] has left ##openvpn [] 14:40 < timholum> I looked at the documentation, and i can't find how to tell openvpn what network is behind the client and route to it? any ideas. I thought i saw something on this a while ago but i cant find it now 14:50 < timholum> I looked at the documentation, and i can't find how to tell openvpn what network is behind the client and route to it? any ideas. I thought i saw something on this a while ago but i cant find it now 14:51 < timholum> Hello is anyone here? 
14:59 -!- tarbo2_ is now known as tarbo2 15:46 -!- timholum [n=chatzill@64-91-67-5.stat.centurytel.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120122]"] 15:46 -!- timholum [n=chatzill@64-91-67-5.stat.centurytel.net] has joined ##openvpn 15:47 < timholum> hello i am wondering how to configure openvpn to route networks behind the client? 15:50 < krzie> timholum 15:50 < krzie> seen the topic? 15:50 < uncorq> !howto 15:50 < vpnHelper> uncorq: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:50 < krzie> namely, lans behind openvpn? see !route 15:51 < timholum> does push "route " work from the client side? 15:51 < krzie> !push 15:51 < vpnHelper> krzie: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 15:53 < krzie> why would you even want to push from client to server? 15:53 < timholum> I need to route from my server to the network behind my clients 15:54 < krzie> see !route 15:54 < krzie> !route 15:54 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 15:54 < krzie> i made that writeup for your situation 15:54 < krzie> it explains everything you need to know about having LANs behind server and or client(s) 15:56 < timholum> I will look at that closer, i have found that already though, and on my client it tells me "Options error: option 'iroute' cannot be used in this context" 15:57 < krzie> then you used it wrong 15:57 < krzie> !configs 15:57 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:59 < timholum> ok, and i think i figured out what i have wrong i dont have client-config-dir on my server.conf yet 15:59 < timholum> one sec 15:59 < krzie> you must not have read my doc good enough 
then, it explains why iroute can ONLY work in a ccd entry 16:01 < timholum> I just looked at the sample configs, :) when i re-read your doc's it showed me that 16:02 < krzie> ya docs only help when you read them 16:02 < krzie> :-p 16:06 < timholum> :) Thank you, It works now, :) 16:07 < krzie> np 16:08 < timholum> I will have to remember to read the entire document before i assume it doesnt work :) 16:14 < krzie> =] 16:40 -!- timholum [n=chatzill@64-91-67-5.stat.centurytel.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120122]"] 17:28 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 18:03 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Remote closed the connection] 18:10 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 18:13 -!- Uncle|Sam is now known as uncle|sam 18:17 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Remote closed the connection] 18:20 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 19:02 < ecrist> evening, folks 20:35 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 20:55 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 21:42 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [] 22:46 < krzee> wassup --- Day changed Mon Dec 29 2008 01:00 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 01:13 -!- tjz [n=tjz@bb116-15-92-175.singnet.com.sg] has joined ##openvpn 01:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 02:29 -!- ikevin [n=kevin@ANancy-256-1-136-9.w90-33.abo.wanadoo.fr] has quit [Remote closed the connection] 02:34 -!- ikevin [n=kevin@ANancy-256-1-136-9.w90-33.abo.wanadoo.fr] has joined ##openvpn 02:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:50 -!- tjz [n=tjz@bb116-15-92-175.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 03:13 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 03:15 -!- 
simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 03:19 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 04:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:04 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 05:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:42 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 06:04 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 06:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:04 -!- itguru [n=itguru__@5ac10611.bb.sky.com] has joined ##openvpn 07:05 < itguru> What can be the reason that my connection keeps resetting every five seconds? 07:18 < ecrist> good morning, folks. 07:18 < ecrist> itguru: does your connection actually go down? 07:25 * cpm resets ecrist 07:27 -!- itguru [n=itguru__@5ac10611.bb.sky.com] has quit ["This computer has gone to sleep"] 07:39 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn 08:57 -!- incorrect [n=fw1@mail.taptu.com] has joined ##openvpn 09:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:58 -!- desrt [i=desrt@ubuntu/member/desrt] has joined ##openvpn 09:59 < desrt> hi. i have a general question about ssl that i was hoping someone here might know about 09:59 < desrt> (i can't find any "ssl" irc channels) 09:59 < desrt> basically: is it safe to use a client certificate with an untrusted server? 10:00 < desrt> or could that server effectively MITM you by connecting to the 'real' server, getting its challenge, sending that challenge to you, waiting for your reply, then using your response to authenticate itself to the real server? 10:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:30 < ecrist> desrt: it's unsafe 10:32 < desrt> that's pretty lame, isn't it? 
10:32 < desrt> because the client performs its CertificateVerify operation before it verifies the server's certificate 10:38 < ecrist> why's it lame - if you've not trusted it, how can you be certain it is who you think it is. 10:41 < desrt> well, the problem with that is that, by reading the TLS spec, the client certificate exchange occurs before the client has had a chance to authenticate the server's certificate 10:42 < desrt> so the client is effectively answering a challenge from an untrusted source over an open channel 10:44 < desrt> i'd have rather the server generated random, encrypted it with the client certificate, then sent it to the client. the client would then say nothing, but use the decrypted random secret as part of the master key hash 10:44 < desrt> seems a lot more secure 10:48 -!- incorrect [n=fw1@mail.taptu.com] has quit ["Leaving"] 10:55 -!- int [n=quassel@wikia/int] has joined ##openvpn 11:39 < ecrist> desrt: I may have misspoke. I didn't fully grok your question. 11:39 < ecrist> without your client certificate key, you cannot be MITM-attacked by an untrusted server. 
11:43 -!- uncle|sam is now known as Uncle|Sam
11:59 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:00 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
12:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:04 < krzee> !mitm
12:04 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
12:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:16 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has quit [Connection timed out]
12:49 -!- Uncle|Sam is now known as uncle|sam
13:42 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
15:20 -!- deadeyes [n=dqslfdj@213.219.137.8.adsl.dyn.edpnet.net] has joined ##openvpn
15:21 < deadeyes> hi all
15:21 < deadeyes> whenever I want to create a certificate for a user, it tells me that it will be certified for 3650 days
15:21 < deadeyes> I want to change this to 365
15:21 < deadeyes> but whatever I try it keeps being the same
15:21 < deadeyes> (I edited the ./vars in easy-rsa)
15:22 < deadeyes> also edited openssl.cnf
15:22 < deadeyes> is this expiry dependent on the CA?
15:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
15:25 -!- xuser_ [n=xuser@unaffiliated/xuser] has joined ##openvpn
15:25 < xuser_> !route
15:25 < vpnHelper> xuser_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:26 < xuser_> !menu
15:26 < vpnHelper> xuser_: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
15:38 < deadeyes> I think I found it :s seems like the 3650 days is hardcoded in the build-key script
15:38 < deadeyes> will try it and let you know
15:38 -!- uncle|sam [i=iamroot@ist.ein.topkiller.aus.dem.mafiamili.eu] has quit [Remote closed the connection]
15:45 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: roentgen, dogmeat, grndslm, HardDisk_WP, justdave, troy-, xuser_, jabular, jpalmer, disco-, (+7 more, use /NETSPLIT to show all of them)
15:45 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: Solver, imbezol
15:47 -!- Netsplit over, joins: xuser_, roentgen, int, paruchuri, jpalmer, krzee, HardDisk_WP, grndslm, troy-, justdave (+7 more)
15:47 -!- Netsplit over, joins: Solver, imbezol
15:49 -!- snejk [n=snejk@c213-89-24-35.bredband.comhem.se] has joined ##openvpn
15:51 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
15:52 < snejk> Hi. I am trying to access my hardware token through PKCS#11, openvpn --show-pkcs11-ids ipkcs11.dll, I get this error: PKCS#11: Cannot add provider 'ipkcs11.dll' 6-'CKR_FUNCTION_FAILED', any ideas?
15:55 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 104 (Connection reset by peer)]
15:55 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has quit ["Leaving"]
16:00 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
16:29 < deadeyes> editing build-key did the trick
16:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:35 -!- deadeyes [n=dqslfdj@213.219.137.8.adsl.dyn.edpnet.net] has quit [Read error: 60 (Operation timed out)]
16:57 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:58 < krzie> snejk, only idea i have is that you need something external to openvpn for your hardware token, which you do not have
16:59 < krzie> the fact that you know the name of the dll you need should give some sort of hint as to what you need
17:04 < krzie> seems to be part of Win32 Cryptoki libraries
17:05 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
17:20 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
17:29 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has joined ##openvpn
17:33 < snejk> krzie, there?
17:34 < snejk> i supplied the wrong path to the dll. ok now, but how do I login to the token?
17:34 < snejk> token needs login before it gets access
17:40 -!- gregHome [n=gleblanc@75.108.7.23] has joined ##openvpn
17:47 < krzie> ive never played with tokens
17:47 < krzie> but i bet its in the manual
17:47 < krzie> !manual
17:47 < vpnHelper> krzie: Error: "manual" is not a valid command.
17:47 < krzie> heh
17:47 < krzie> !man
17:47 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:47 < krzie> there's also an option to make a script validate login/pass
17:48 < snejk> been reading like crazy =)
17:48 < krzie> that might be the way if nothing else looks good
17:48 < krzie> manual > google with openvpn
17:48 < snejk> I tried this management-query-passwords
17:48 < krzie> nah man
17:48 < snejk> now i see : Need password(s) from management interface, waiting...
17:48 < krzie> thats for management interface
17:48 < snejk> ok
17:48 < krzie> as the manual says
17:49 < snejk> yes, i thought maybe it could be used for pw input
17:49 < snejk> but not :)
17:49 < snejk> I did also specify pkcs11-cert-private 1
17:50 < krzie> you know how to auth from the shell?
17:50 < snejk> in windows, hmm
17:50 < snejk> I am using openvpn GUI
17:51 < snejk> " us=359000 Error: private key password verification failed"
17:51 < snejk> shouldn't i get a popup for token pin?
17:52 < krzie> no idea, as ive said ive never played with those toeksn
17:52 < krzie> tokens
17:53 < snejk> ok
17:53 < krzie> http://openvpn.net#pkcs11_about
17:53 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net)
17:53 < snejk> I did find this very helpful http://michele.pupazzo.org/docs/smart-cards-openvpn.html
17:53 < vpnHelper> Title: Michele Baldessari - Homepage (at michele.pupazzo.org)
17:54 < krzie> oops i meant:
17:54 < krzie> http://openvpn.net/howto#pkcs11_about
17:54 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
17:54 < snejk> yep, read that
17:55 < snejk> http://christophe.vandeplas.com/node?page=7 mentions something not at that howto, how to format a serialized ID in config :)
17:55 < vpnHelper> Title: White snow agains the black ice ... | Some thoughts from Christophe Vandeplas (at christophe.vandeplas.com)
17:56 < snejk> but now im stuck , well lets try 10 more times before my token self destructs :)
17:56 < krzie> Each certificate/private key pair have unique "Serialized id" string.
The serialized id string of the requested certificate should be specified to the pkcs11-id option using single quote marks.
17:57 < krzie> you sure you read the whole howto as it pertains to pkcs11...?
17:57 < snejk> yep
17:57 < krzie> cause it sure is in the howto
17:57 < krzie> <snejk> http://christophe.vandeplas.com/node?page=7 mentions something not at
17:57 < krzie> that howto, how to format a serialized ID in config :)
17:57 < vpnHelper> Title: White snow agains the black ice ... | Some thoughts from Christophe Vandeplas (at christophe.vandeplas.com)
17:57 < snejk> I have the correct Serialized ID
17:57 < krzie> it IS in the config
17:57 < krzie> in the howto
17:57 < snejk> oh hmm, must've missed it
17:57 < krzie> leading me to believe you need to read it again
17:58 < snejk> no i see now why it isn't there
17:59 < krzie> it IS there
17:59 < snejk> my ID has a lot of \x20 ascii, need to convert it like \x20 > space
18:01 < snejk> Vendor\x2C\x20Inc\x2E\x20\x20\x20\x20\x20\x20\x20PKCS\x2311/\x20\x20\x20\ etc. but its ok now
18:07 < snejk> hey almost worked, from command line.
18:07 < snejk> "Enter PKCS#11 token Password:"
18:10 < krzie> isn't the token more like a cert than something that uses a PW?
18:12 < krzie> PW protecting the vpn seems separate to me than using a token
18:12 < krzie> a token is something you have, as is a cert... a pw is something you know
18:12 < krzie> so for dual factor auth requiring a token, you can use token as something you have, and PW as something you know
18:13 < snejk> true
18:13 < snejk> but I have this token, and I have a password too :)
18:13 < krzie> openvpn does have a box that pops up for l/p, but i guess its not made for token PWs, im guessing for the reasons i mentioned
18:13 < snejk> I see
18:13 < krzie> you do PWs separately
18:14 < krzie> --auth-user-pass-verify
18:14 < snejk> hmm, maybe thats the one!
18:14 < krzie> Require the client to provide a username/password (possibly in addition to a client certificate) for authentication.
18:14 < krzie> OpenVPN will execute script as a shell command to validate the username/password provided by the client.
18:15 < snejk> need to write my own script then
18:18 < krzie> unless you're authing against something that exists already
18:18 < krzie> like active directory, ldap, pam
18:18 < krzie> in those cases scripts already exist
18:18 < krzie> but yes, you certainly can invent your own system with a custom script
18:19 < snejk> I will look into that, thanks
18:21 < krzie> np
18:22 < snejk> "PW protecting the vpn seems separate to me than using a token", its a pw to login to the token only. in the token is a Cert stored in a crypto chip
18:26 < ecrist> evening, krzie
18:40 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:47 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Read error: 110 (Connection timed out)]
19:02 < krzie> hey wassup ecrist
19:02 < krzie> snejk, that is correct, why does the cert need a pw as opposed to the vpn?
19:15 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: Pagautas
19:16 -!- Netsplit over, joins: Pagautas
19:27 < snejk> I guess I could remove it
19:27 < snejk> I found "askpass", "For the extremely security conscious, it is possible to protect your private key with a password."
19:29 < snejk> now having problems with TLS instead
19:37 -!- legis_ [n=wad@unaffiliated/legis] has joined ##openvpn
19:38 < legis_> Can one use the windows vpn client in openvpn?
19:42 < krzie> no, but one can use the windows openvpn client in openvpn
19:42 < snejk> krzie, thx for help. will test more tomorrow
19:42 < krzie> np snejk
19:43 -!- snejk [n=snejk@c213-89-24-35.bredband.comhem.se] has quit ["zzz"]
19:44 -!- gregHome [n=gleblanc@75.108.7.23] has quit [Read error: 110 (Connection timed out)]
19:45 < ecrist> uggh
19:45 * ecrist is on hold with IRS.
19:45 < ecrist> the *worst* customer service eva!
19:46 < legis_> krzie: I see, does the windows vpn client have to match the server version, server is 2.1-rc11, client 2.1-r15
19:48 < ecrist> legis_: especially with an RC, it's a good idea, but shouldn't be necessary.
19:48 < ecrist> I've got a 2.1-rc9 connecting to a 2.0.9 server all the time
19:49 < legis_> ecrist: thanks, I'll give it a try.
20:14 * ikevin is away: holly dayz
20:15 < krzie> the only way you run into problems is if you try to use something that changed
20:15 < krzie> in ecrist's example, his older version server won't try to do anything that didn't exist in the old version, so no conflicts
20:15 < krzie> but if he switched and had 2.1 server, and tried to use topology subnet (for example) he would have a problem
20:45 -!- xuser_ [n=xuser@unaffiliated/xuser] has left ##openvpn []
20:57 < legis_> What should I omit or select to install only the client side in windows?
20:58 < legis_> I guess 'openvpn service' is the server so I don't need that.
21:27 < krzie> no such difference
21:27 < krzie> server and client are just different configs
21:27 < krzie> service refers to a windows service
21:27 < krzie> versus opening the program
21:28 < legis_> oh, thanks.
22:00 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"]
22:10 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
22:40 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn
22:43 < mRCUTEO> hiya :-)
22:52 -!- mRCUTEO [n=info@96.9.131.182] has left ##openvpn []
22:52 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn
22:58 -!- mRCUTEO [n=info@96.9.131.182] has left ##openvpn []
22:58 -!- mRCUTEO [n=info@96.9.131.182] has joined ##openvpn
23:03 -!- mRCUTEO [n=info@96.9.131.182] has quit []
23:30 < legis_> should I be able to ping from LAN to LAN? openvpn server is running in the firewall, openvpn client is windows machine with a public IP.
23:34 < legis_> nevermind, I should finish reading the howto :)
23:41 < krzee> !route
23:41 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
23:42 < krzee> yes you should also finish reading the howto
23:42 < krzee> but in the topic:
23:42 < krzee> "lans behind openvpn? see !route"
23:47 < legis_> yeah, thanks.
23:47 < legis_> got it working.
23:48 < krzee> nice, that was quick
23:50 < legis_> yes :), spent more time troubleshooting the firewall than setting up openvpn :)
23:50 < krzee> nice
23:50 < krzee> that explains the first part of the topic
23:50 < krzee> hehehe
23:51 < legis_> ;)
--- Day changed Tue Dec 30 2008
00:13 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
00:30 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
00:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
00:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:36 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
02:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:04 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
04:05 < SuperEvilDeath> question is it possible to setup openvpn to function literally like a network cable ( meaning setup 2 pc's to connect 2 networks and forward everything including broadcasts and dhcp requests ) over the tunnel ?
04:06 < krzee> !bridge
04:06 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
04:06 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
04:06 < krzee> you want to use bridging for that
04:07 < krzee> like in the topic
04:07 < krzee> Bridging is for ethernet, routing is for IP
04:08 < SuperEvilDeath> krzee will it include broadcast and dhcp request address ranges ( namely 255.255.255.255 and lower ). ?
04:09 < krzee> correct
04:09 < krzee> broadcast and dhcp both happen over ethernet
04:09 < krzee> so if you are tunneling ethernet, you tunnel those too
04:17 < SuperEvilDeath> ok so in theory, i could save on network wire by getting 2 machines with 3 network cards and compressing it all over 2 tunnels ( different ports ) to the other side and bridging the network back there. ( don't ask me why i jump through these kinda hoops to save on wires, i have to save on wires basically )
04:26 < krzee> lol
04:27 < krzee> just go buy cable
04:27 < krzee> or buy wireless
04:29 < krzee> and you'd need the same amount of cable
04:29 < krzee> took me a second to catch that
04:29 < krzee> how do you expect a vpn to stop you from needing a cable to each machine?
04:38 < SuperEvilDeath> because there are 3 cables there now ( 3 networks ); if i can tunnel 2 of them over the 3rd network i have 2 cables spare, and it's not like buying another cable, the points go through about a meter of solid wall ;)
04:39 < SuperEvilDeath> so i can't add extra there and i need more than i have, like always
04:40 < krzee> i have no clue what you're saying, could you make a drawing of the network on gliffy.com
04:40 < krzee> like the one i made at bottom of this page:
04:40 < krzee> !route
04:40 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:49 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 104 (Connection reset by peer)]
04:53 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
05:02 < reiffert> moin
06:25 < ecrist> krzee: I'll be back on in about 45 mins.
06:25 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Ex-Chat"]
06:46 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:04 < ecrist> ok, I lied
07:04 < ecrist> I'm back
07:22 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
07:25 < Determinist> hey guys. i'm using tunnelblick on OS X leopard to connect to the office using openvpn. once the vpn is connected, i manually change the /etc/hosts file to match the VPN addresses. while at the office the /etc/hosts file contains other entries matching the correct values without the VPN connection.
07:26 < Determinist> my question: is there a way to add/remove domain to IP mappings using the configuration file (similar to the way route commands are used) ?
07:26 < Determinist> i was unable to find any information about this in the manual.
07:27 < Determinist> !menu
07:27 < vpnHelper> Determinist: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
07:31 < ecrist> sure, with a script
07:31 < ecrist> you can create an up and down script to do this for you
07:32 < Determinist> ecrist: and this should change the entries in the /etc/hosts file, right?
07:32 < ecrist> I've got our VPN setup here at my office with proper DNS, so there's no need for such things.
07:32 < Determinist> yeah well, our admin is a lazy ass, so i'm doing this from the client side.
07:33 < ecrist> too funny - DNS is by far the lazier way to do this
07:33 < ecrist> ~up
07:33 < ecrist> !up
07:33 < vpnHelper> ecrist: Error: "up" is not a valid command.
07:33 < ecrist> --up is an option which specifies a script to be run when a tunnel is brought up
07:33 < Determinist> isn't there some programmatic way to add/remove hosts without modifying the /etc/hosts file?
07:33 < ecrist> --down is the inverse
07:34 < ecrist> Determinist: yes, it's called DNS
07:34 < Determinist> ecrist: oh, yes, i am aware of that, only i don't happen to have a dns daemon running on this mac. unless you're going to tell me you can do this with the DNS client?
07:35 < ecrist> no, what I'm saying, is your admin should be running a DNS daemon and pushing that server's address via the VPN config to clients
07:36 < ecrist> that server should have all the address/name matchings
07:36 < Determinist> hm
07:36 < Determinist> ok
07:36 < Determinist> i'll try nagging and see if i can make him do this.
07:38 < Determinist> manners.
thanks :)
07:38 < ecrist> np
07:51 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
08:07 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
08:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:11 -!- ropetin_ is now known as ropetin
09:29 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
09:29 < plaerzen> morning irc
09:29 < ecrist> good morning plaerzen
09:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:21 -!- cyberjames [n=james@unaffiliated/cyberjames] has joined ##openvpn
10:24 < cyberjames> Hi everyone. Have you tried running openvpn on a virtual machine where this vpn is providing a different network ip address segment such as 192.168.240.x?
10:28 -!- SuperEvilDeath [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"]
11:10 < ecrist> no, I have not, but as long as you can modify the network stack, there should be no real reason you can't do so.
11:26 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
11:52 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."]
12:04 < ecrist> http://it.slashdot.org/article.pl?sid=08/12/30/1655234
12:04 < vpnHelper> Title: Slashdot | CCC Create a Rogue CA Certificate (at it.slashdot.org)
12:07 < reiffert> ecrist: want to watch the whole lecture?
12:07 < ecrist> no, that's OK. hrm, unless I'm unable to sleep tonight...
12:07 < ecrist> ;)
12:08 < reiffert> allright, you can get it at ...
12:08 < reiffert> ftp://25c3.sys-panel.de/25c3-mirror/saal1/
12:08 < reiffert> it will be online shortly.
12:09 < reiffert> details here: http://events.ccc.de/congress/2008/Fahrplan/day_2008-12-30.en.html
12:09 < vpnHelper> Title: 25C3: Schedule Day 4 (2008-12-30) (at events.ccc.de)
12:09 < reiffert> MD5 considered harmful today
12:09 < reiffert> Creating a rogue CA Certificate
12:10 < reiffert> you can get it here: http://81.163.130.141/streamdump/saal1/
12:10 < vpnHelper> Title: Index of /streamdump/saal1 (at 81.163.130.141)
12:10 < reiffert> ID3023
12:11 < ecrist> tx
12:31 < reiffert> it's in english btw
12:37 < ecrist> that's even better - 50% downloaded.
12:39 < reiffert> I'd recommend the ogg theora stream
12:39 < reiffert> s,'d,,
12:42 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has joined ##openvpn
13:05 -!- hiptobecubic [n=john@c-68-56-198-177.hsd1.fl.comcast.net] has joined ##openvpn
13:07 -!- Qwonder [n=travis@c-71-203-18-41.hsd1.fl.comcast.net] has joined ##openvpn
13:07 < hiptobecubic> hey guys. I'm having no luck here. Slackware linux. Should i have a tun0 interface or something? this is new to me
13:08 < hiptobecubic> I'm trying to set it up with Qwonder. His side is the 'server' or what have you and i'm the remote client
13:09 < Qwonder> i'm running openvpn on a router with dd-wrt
13:11 < hiptobecubic> looking at this.... http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
13:11 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
13:12 < hiptobecubic> ooo, neat bot
13:12 < Qwonder> this is the config on my router: /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --pro
13:13 < hiptobecubic> Qwonder, why don't we try following this howto. from scratch
13:13 < Qwonder> yeah
13:13 < Qwonder> i'll just remove all this crap from my router
13:13 < Qwonder> and build the config file from scratch
13:13 < hiptobecubic> wait
13:14 < Qwonder> we'll keep the key
13:15 < hiptobecubic> my tun/tap is set up incorrectly or something...
13:15 < Qwonder> i'm not sure if i have my firewall open
13:16 < Qwonder> apparently not
13:16 < Qwonder> wait
13:16 < Qwonder> it says that it connected?
13:17 < hiptobecubic> yea i think so...
13:17 < hiptobecubic> i had to modprobe tun.. apparently it didn't load correctly... or something
13:17 < hiptobecubic> i thought it was supposed to autoload
13:18 < hiptobecubic> but tun0 has no ip
13:18 < hiptobecubic> according to ifconfig
13:19 < hiptobecubic> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
13:19 < hiptobecubic> maybe dhcp...?
13:19 < hiptobecubic> no.. dhcpcd said go to hell
13:19 < hiptobecubic> alright let's just try this howto
13:21 < Qwonder> hold on
13:21 < Qwonder> just manually configure it
13:21 < Qwonder> ip: 192.168.1.245 subnet: 255.255.255.0
13:21 < Qwonder> then see if you can ping 192.168.1.1
13:22 < hiptobecubic> hold....
13:23 < hiptobecubic> nothing yet... perhaps route.....
13:23 < hiptobecubic> route is already set it looks like....
13:24 < hiptobecubic> sh: route -n: command not found
13:25 < hiptobecubic> are pings blocked?
13:26 < hiptobecubic> can you ping me?
13:26 < hiptobecubic> or anything at all? what's going on here lol
13:27 < Qwonder> hold on
13:27 < Qwonder> what's your ip?
13:27 < hiptobecubic> which one? i have three
13:27 < hiptobecubic> the ip bound to tun0 for the vpn?
13:27 < Qwonder> your ip from my network
13:27 < hiptobecubic> 245 i think
13:27 < Qwonder> oh
13:27 < hiptobecubic> 192.168.1.245
13:27 < Qwonder> nothing
13:28 < Qwonder> maybe i should just put these machines in a vpn
13:28 < Qwonder> then run openvpn on one of them
13:28 < Qwonder> instead of screwing with my router
13:28 < hiptobecubic> i still think
13:28 < hiptobecubic> we should try this howto. It has sample configs.
13:29 < Qwonder> alright
13:29 < hiptobecubic> what's your ip there?
13:29 < hiptobecubic> pm it
13:30 < hiptobecubic> oh nevermind i have it in my log
13:30 < hiptobecubic> alright i just used the client config file. straight. No mod at all.
13:31 < Qwonder> the short one at the beginning?
13:32 < hiptobecubic> yes
13:32 < Qwonder> wait
13:32 < Qwonder> how is that going to work
13:32 < Qwonder> without a key
13:32 < hiptobecubic> we already have the keys
13:32 < Qwonder> nevermind
13:32 < Qwonder> i see it
13:32 < hiptobecubic> just point "secret" at the path to your key
13:34 < hiptobecubic> tell me when it's running
13:35 < ecrist> howdy
13:39 < Qwonder> hmm
13:39 < Qwonder> crap
13:40 < hiptobecubic> ?
13:41 < Qwonder> there's something wrong with my configuration
13:42 < hiptobecubic> how? didn't you just use the one in the howto?
13:45 < Qwonder> path to static.key was wrong
13:45 < Qwonder> i guess it's running
13:45 < Qwonder> yeah
13:45 < hiptobecubic> ok
13:45 < Qwonder> but i can't edit files on my router and save them to the nvram
13:45 < Qwonder> at least i don't know how
13:46 < Qwonder> so i save then reboot and they are gone
13:46 < hiptobecubic> oh.. hm
13:46 < Qwonder> so i have to use the scripts section of the dd-wrt web interface to make a startup script to echo the configuration into a file
13:46 < Qwonder> then start it
13:46 < hiptobecubic> yeah i was just about to say that
13:46 < Qwonder> it's running now
13:46 < hiptobecubic> i'm connected i think
13:47 < hiptobecubic> tell your firewall to stop throwing everything out
13:47 < Qwonder> what's your ip?
13:47 < hiptobecubic> should be 10.8.0.2 ...
as the howto is written
13:47 < hiptobecubic> i'm trying to ping .1 now and getting nothing
13:48 < Qwonder> ugh
13:48 < Qwonder> it's iptables
13:48 < hiptobecubic> yeah
13:48 < Qwonder> oh wait
13:49 < Qwonder> all the vpn passthrough stuff in my router config is on
13:50 < Qwonder> the firewall is off
13:50 < Qwonder> i can ping you
13:52 * ecrist thinks people who use static key should just use IPSEC
13:52 < hiptobecubic> got it
13:53 * hiptobecubic thinks ecrist is missing the point.
13:53 < Qwonder> hmm
13:53 < Qwonder> well
13:53 < Qwonder> now you have a vpn into my router
13:53 < hiptobecubic> alright well that's useless
13:53 < Qwonder> and nothing else
13:53 < hiptobecubic> lol
13:53 < hiptobecubic> let's change the ip's and see if i can ping other boxes in your lan
13:53 < hiptobecubic> what did you change in iptables?
13:53 * ecrist wonders what point he's missing
13:53 < Qwonder> nothing
13:53 < Qwonder> i just shut off the firewall
13:54 < hiptobecubic> Qwonder, lol. Not the best approach. but sure.
13:54 < Qwonder> i wonder if i can just have my dhcp server assign you a LAN address
13:54 < Qwonder> hold on
13:54 < Qwonder> let me turn it back on and see if we can get it working with the firewall
13:54 < hiptobecubic> oh good call.
13:55 < hiptobecubic> does it still say i'm connected?
13:55 < hiptobecubic> i'm just going to leave it pinging you and we'll see when it goes through
13:55 < Qwonder> i'm still pinging you
13:55 < Qwonder> it's on
13:56 < Qwonder> are your pings getting through?
13:57 < hiptobecubic> no
13:58 < Qwonder> hiptobecubic: now?
14:00 < hiptobecubic> Qwonder, no
14:02 < Qwonder> hiptobecubic: now?
14:02 < hiptobecubic> no
14:03 < hiptobecubic> Qwonder, turn it off again
14:03 < Qwonder> done
14:03 < hiptobecubic> yeah pings work with it off
14:03 < hiptobecubic> gotta be firewall
14:03 < hiptobecubic> turn it back on
14:04 < hiptobecubic> still pinging...
14:04 < hiptobecubic> still pinging...
14:06 < Qwonder> asl;djghafdgkl;jh
14:06 < Qwonder> damn
14:06 < Qwonder> we need to figure out the difference between tun and tap
14:06 < Qwonder> actually
14:06 < Qwonder> i have to go
14:06 < Qwonder> sorry
14:07 < Qwonder> i'll work on it when i get back
14:07 < Qwonder> bye
14:07 < hiptobecubic> see you
14:07 < Qwonder> you could screw around with it if you want
14:07 < hiptobecubic> naw, we'll try again later
14:08 < hiptobecubic> i'll do some reading or something
14:11 < hiptobecubic> Qwonder, hey
14:11 -!- Qwonder [n=travis@c-71-203-18-41.hsd1.fl.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
14:11 < hiptobecubic> damnit
14:14 -!- Qwonder [n=travis@c-71-203-18-41.hsd1.fl.comcast.net] has joined ##openvpn
14:14 < hiptobecubic> Qwonder, yeah i don't think it's working. not sure what's wrong. we'll try it later
14:17 < hiptobecubic> Qwonder, also your router is denying me ssh entry.
14:21 * ecrist points to first part of channel topic
14:22 < hiptobecubic> ecrist, you're a really helpful guy.
14:23 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has quit [Remote closed the connection]
14:23 -!- phlax [n=phlax@87-194-204-173.bethere.co.uk] has joined ##openvpn
14:24 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has joined ##openvpn
14:25 < phlax> hi - i don't have client-to-client enabled for a particular VPN, but clients can still ssh to each other - is there a way to specifically disable any client-to-client connections?
14:46 -!- jfkw [n=jtk@75-94-104-185.roc.clearwire-dns.net] has quit ["leaving"]
14:55 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
14:56 < bigjohnto> hi, if i want to just add a new vpn client and not recreate certs etc... do i still use openvpn-build-key? or will that command affect other users? or do i just use openvpn-create-package?
15:15 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: legis_, int, troy-, ropetin, hiptobecubic
15:17 -!- legis [n=wad@unaffiliated/legis] has joined ##openvpn
15:19 -!- int [n=quassel@wikia/int] has joined ##openvpn
15:20 -!- hiptobecubic [n=john@c-68-56-198-177.hsd1.fl.comcast.net] has joined ##openvpn
15:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [No route to host]
15:24 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
16:07 -!- justdave_ [n=dave@unaffiliated/justdave] has joined ##openvpn
16:08 -!- Balzac21 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has joined ##openvpn
16:08 -!- justdave [n=dave@unaffiliated/justdave] has quit [Remote closed the connection]
16:08 < Balzac21> !route
16:08 < vpnHelper> Balzac21: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
16:10 < Balzac21> Hi. I have a new openvpn server running and my client on vista is able to connect to it, get assigned an ip yada yada. That client though just won't connect to the internet after that. I tried it on another pc (XP) and it worked just fine.
16:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
16:29 < Balzac21> anyone home?
16:33 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has joined ##openvpn
17:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 60 (Operation timed out)]
17:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
17:31 < bigjohnto> Balzac21, are you sure the routes are being executed properly?
17:31 < bigjohnto> I am having that problem in vista as we speak
17:31 < bigjohnto> check your routes
17:31 < bigjohnto> you will see that they didn't execute due to vista's permission issues
17:32 < bigjohnto> if they are executing properly let me know what you did to allow them to execute
17:32 < bigjohnto> if you find a solution for routes to add properly let me know, if i find one i will let you know.
17:33 < Balzac21> ugh
17:34 -!- legis [n=wad@unaffiliated/legis] has quit ["leaving"]
17:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
18:35 < krzie> !winroute
18:35 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up
18:36 < krzie> also remember in windows you must run openvpn with admin privs
18:36 < krzie> right click, run as, admin
19:25 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
20:18 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has quit [Read error: 110 (Connection timed out)]
20:18 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has joined ##openvpn
20:34 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:51 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
20:51 < mepholic> !route
20:51 < vpnHelper> mepholic: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
20:53 < mepholic> not what i want
20:53 < mepholic> welp
20:53 < mepholic> So i have a tap vpn, it has a few clients
20:53 < mepholic> it is in the 1.0.0.0/8 range
20:54 < mepholic> I have a windows virtuozzo vps node connected to the vpn with the ip 1.3.3.6
20:55 < mepholic> how do I get a vps on the node to be 1.3.3.10
20:55 < mepholic> I've tried both bridging to the openvpn interface and routing
20:55 < mepholic> neither seem to work
20:55 < mepholic> i may be wrong ._.
20:56 < mepholic> sorry i'm stupid ignore me
20:56 < mepholic> routing worked
22:17 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
22:17 < tjz> yo guys!!!
22:24 < tjz> ...
22:25 < Balzac21> Sup
22:28 < mepholic> welp
22:28 < mepholic> it stopped working
22:42 < mepholic> it works
22:42 < mepholic> lul
22:47 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
22:49 < krzee> lol ecrist i had fun reading you helping that guy with dns vs hosts file
22:49 < tjz> welcome jeff!!!
22:49 < tjz> lol
22:49 < krzee> hey man whats up!
22:49 < tjz> new year eve
22:49 < tjz> :P
23:02 < tjz> jeff, do you know how to setup another instance of openvpn using another IP?
23:07 < krzee> where clients connect to another ip, or where traffic NAT'ed to the inet uses another ip?
23:08 < tjz> hmm
23:09 < tjz> Which local IP address should OpenVPN
23:09 < tjz> # listen on? (optional)
23:09 < krzee> that will make openvpn listen on another ip for connections
23:09 < tjz> i never use that option
23:09 < tjz> ah
23:09 < krzee> if you leave that off, it will listen on ALL ips
23:10 < tjz> ok
23:11 < tjz> i have to do some testing
23:11 < tjz> to find out myself
23:11 < tjz> :P
23:11 < krzee> netstat -l will show you listening stuffs
23:11 < krzee> or if you use bsd, sockstat -l4
23:12 < krzee> oh looks like netstat -l shows a ton more tho
23:13 < tjz> lol
23:13 < krzee> even shows active connections on osx
23:13 < krzee> but i dont have a linux box to look
23:16 < tjz> it show like:
23:16 < tjz> tcp 0 0 *:http *:* LISTEN
23:16 < tjz> tcp 0 0 *:ssh *:* LISTEN
23:16 < tjz> udp 0 0 *:openvpn *:*
23:16 < krzee> that means
23:16 < krzee> something is listening on * ips on port 80
23:16 < krzee> and port 22
23:16 < krzee> and the openvpn port
23:16 < krzee> you can see what port by matching that name to /etc/services
23:17 < tjz> hmm
23:17 < krzee> or in osx, /private/etc/services ;]
23:17 < tjz> do you think we can use the same .ca, .crt files when try to connect to the 2nd openvpn instance(configure to use another public ip)
23:18 < krzee> sure
23:18 < krzee> no reason why not if its only same people and stuff
23:19 < tjz> 2nd openvpn instance for another different guy
23:19 < tjz> i plan to do that..
23:19 < krzee> different guy, why use same certs?
23:20 < tjz> ya
23:20 < tjz> i think i should generate another cert
23:20 < tjz> :P
23:20 < tjz> i never try b4
23:20 < krzee> time to learn
23:21 < tjz> lol
23:49 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
23:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Wed Dec 31 2008
00:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Ex-Chat"]
01:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:57 -!- gfather [n=g@79.173.207.35] has joined ##openvpn
01:57 < gfather> hello guys
01:57 < gfather> im getting read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
01:58 < tjz> hi
01:58 < gfather> i turned off the firewall on openvpn server side
01:58 < gfather> but it seems i have something wrong in the server config
01:58 < gfather> hay tjz
01:59 < tjz> Hello
01:59 < tjz> by peer
01:59 < tjz> that error generated from your server?
01:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:59 < gfather> no , on client side
02:00 < gfather> im not sure what it means , so im confused :)
02:04 < tjz> any error on the server side?
02:07 < gfather> mm not sure
02:07 < gfather> let me check , ill try to ssh server side and see if there are any errors
02:07 < tjz> k
02:11 < gfather> <tjz> im not sure if i got any errors , do u want me to post the log , maybe i missed something
02:12 < tjz> hmm
02:12 < gfather> http://pastie.org/349558
02:12 < tjz> you can paste in pastebin.ca
02:12 < tjz> ok
02:12 < tjz> look good
02:12 < gfather> tjz , do u want me to post server and client config ?
02:13 < tjz> no needed
02:13 < gfather> :(
02:13 < gfather> so what could be the problem
02:13 < tjz> could it be your user ISP disconnect him?
02:13 < gfather> maybe i have something wrong with dhcp push
02:14 < gfather> why it would do that ?
02:14 < tjz> connection reset by peer
02:15 < tjz> that is a big clue
02:15 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:15 < gfather> any similar situations ?
02:15 < gfather> it couldn't be something wrong in the configs ?
02:18 < tjz> nothing wrong
02:18 < tjz> how often does that "connection reset by peer" occur?
02:19 < gfather> it keeps going
02:19 < gfather> until it disconnect
02:22 < gfather> iv read some that says he solved it , by changing firewall settings to accept the openvpn port
02:23 < gfather> but i have the firewall turned off
02:26 < tjz> server side firewall is off?
02:28 < krzee> how bout client side firewall?
02:32 < gfather> client side too is off
02:32 < gfather> i just uploaded the certificates to client side , and made sure of the config
02:32 < gfather> now i get this error
02:33 < gfather> http://pastie.org/349563
02:33 < gfather> ;S
02:34 < krzee> either wrong key, wrong location, or messed up during xfer
02:34 < krzee> and btw your first log paste had no errors
02:35 < krzee> !configs
02:35 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:36 < gfather> <krzee do u think i should redo the keys ?
02:36 < gfather> or pastebin every info i have first
02:36 < krzee> i think you should do what vpnHelper just said, and go back to the keys you were using before you just messed it up
02:36 < krzee> it was connecting fine, not sure why you played with the keys after that
02:38 < gfather> im very confused right now :(
02:38 < gfather> ill redo the keys on server and client side
02:38 < gfather> and pastebin all the info i have
02:40 < gfather> krzee is the a small tool that can generate certificate , or i have to do them manually ?
02:40 < gfather> the = there
02:40 < krzee> 2
02:40 < krzee> easy-rsa (ships with openvpn)
02:41 < krzee> and ssl-admin (in freebsd ports, i THINK its in gentoo portage, and available from svn)
02:41 < gfather> ah i see , im on xp now
02:41 < krzee> then 1
02:41 < krzee> easy-rsa
02:41 < gfather> so i have easy-rsa only
02:43 < gfather> krzee there is 1 line in the howto i didnt do
02:43 < gfather> Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
02:43 < krzee> lol
02:44 < gfather> i dont think i have to do that , right
02:44 < krzee> does it say you dont need to?
02:45 < gfather> but in the couple times i did openvpn it didn't require to edit that file when generating certificates
02:45 < krzee> does it say you dont need to?
02:46 < krzee> ill be going back to my movie in a minute
02:46 < krzee> so lets get everything you need to know asked if you wanna
02:46 < gfather> krzee but they are already there ?
02:46 < krzee> if it didnt say you dont need to do that, i dont know why you assume you dont
02:47 < krzee> but i dont use windows so i cant say
02:47 < krzee> but i do know the optional stuff is said to be optional on the howto
02:47 < krzee> so if it says do something, you might want to do it instead of assuming you know better
02:47 < krzee> unless of course you do know better
02:47 < krzee> but then you wouldnt be asking
02:48 < gfather> loool
02:48 < gfather> oks
02:48 < gfather> ill edit them , and do it
02:48 < gfather> and ill post all info and configs soon
02:48 < krzee> but anyways
02:48 < krzee> your keys were fine in the first place
02:48 < krzee> you posted a log of a successful connection
02:48 < krzee> why you kept messing with the keys after that is beyond me
02:49 < gfather> yes , i saved the first ones
02:49 < krzee> but if nothing else at least its a learning experience
02:49 < gfather> but im just making sure its not a key problem , i read someone fixed the problem with the keys , because they were messed up
02:49 < gfather> and as you say , im learning :)
02:50 < krzee> http://pastie.org/349558
02:50 < krzee> what was the error there?
02:50 < krzee> thats a successful connection
02:51 < gfather> yes , no error
02:51 < krzee> aka, nothing to fix from that logfile
02:51 < gfather> yes . so configs are right
02:51 < krzee> not necessarily
02:51 < krzee> a connection, and a working vpn doing what you want are 2 diff things
02:52 < gfather> just making sure client certificate is right , maybe that's why peer got disconnected
02:52 < krzee> but that did prove the certs were right
02:52 < krzee> they were right, or there would have been an error
02:52 < krzee> and there was not one
02:52 < gfather> but it didnt connect from client side
02:52 < krzee> it connected, thats not the real problem
02:53 < krzee> but we cant find that til you fix your new cert problem
02:53 < gfather> yes , just 1 minute , and ill make sure cert problem is solved
02:57 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
02:58 < mRCUTEO> hiya all
02:58 -!- Qwonder [n=travis@c-71-203-18-41.hsd1.fl.comcast.net] has quit [Read error: 54 (Connection reset by peer)]
02:59 < tjz> BUDDY!
02:59 < mRCUTEO> hiya tjz
02:59 < mRCUTEO> merry xmas and happy new ya
02:59 < tjz> you always come and go very fast
02:59 < tjz> lol
02:59 < tjz> happy new year
02:59 < mRCUTEO> :D
03:00 < mRCUTEO> been working hard to fix my adsl speed :)
03:00 < mRCUTEO> finally i got it working
03:01 < tjz> still on 1mbp plan?
03:02 < mRCUTEO> im on 2 Mbps now
03:02 < mRCUTEO> i can dload full speed now 254 KB/s :)
03:02 < tjz> WA
03:02 < tjz> wtf
03:02 < tjz> that is fast for your plan
03:02 < tjz> i get 170-180kb for my 3mbp
03:02 < mRCUTEO> yerp and of course with a good VPN which have good route to my isp
03:02 < mRCUTEO> oh :)
03:02 < tjz> x_x
03:03 < mRCUTEO> i host my VPN at east USA
03:03 < mRCUTEO> so i could get faster connection to the VPN server and download from the VPN server
03:03 < mRCUTEO> i could burst speed up to 200 KB/s easily now :)
03:04 < mRCUTEO> but of course with a help of a download manager
03:04 < mRCUTEO> :)
03:04 < mRCUTEO> have u heard about gigaget?
03:05 < tjz> what is that?
03:05 < tjz> do you mean giganet?
03:06 < mRCUTEO> a download accelerator with latest new technology which functions like p2p
03:06 < tjz> wa
03:06 < mRCUTEO> not giganet
03:06 < mRCUTEO> gigaget
03:06 < mRCUTEO> chinaman use it to download
03:06 < mRCUTEO> it really increased speed
03:06 < tjz> wa
03:06 < tjz> must try
03:06 < mRCUTEO> its just like downloading through p2p
03:06 < mRCUTEO> hold on i give you the site
03:07 < mRCUTEO> this is chinaman technology
03:07 < tjz> i found it on downloadcom
03:07 < tjz> another guy intro me another chinaman sw also
03:07 < tjz> xunlei
03:07 < mRCUTEO> www.gigaget.com
03:07 < tjz> lot of chinaman
03:07 < mRCUTEO> yes xunlei is very good
03:07 < mRCUTEO> but if you prefer to use english version use gigaget
03:08 < mRCUTEO> and another one is www.freedownloadmanager.org
03:08 < mRCUTEO> this is USA version of xunlei
03:08 < mRCUTEO> :)
03:08 < mRCUTEO> with gigaget i could burst up to 200 KB/s
03:08 < mRCUTEO> with xunlei around 180 KB/s
03:08 < tjz> how does it compare to utorrent?
03:09 < mRCUTEO> well torrent find the best closest mirror to download but freedownloadmanager/gigaget is different, it download the file and chop the file into smaller pieces and download again at full speed
03:09 < mRCUTEO> its like you're eating a pizza
03:09 < mRCUTEO> you cant eat the pizza alone if the pizza is extra large
03:09 < tjz> freedownloadmanager/gigaget handle torrent too?
03:09 < mRCUTEO> but you can eat it when it has been chopped to smaller pieces
03:10 < mRCUTEO> freedownloadmanager yes it has torrent
03:10 < mRCUTEO> but not gigaget
03:10 < mRCUTEO> gigaget only for web based and ftp
03:10 < tjz> ok
03:11 < mRCUTEO> you should try freedownloadmanager and of course with a good VPN server if you're downloading from the USA
03:11 < tjz> ya
03:11 < tjz> local ISP can't censor you
03:11 < mRCUTEO> i could get 254 KB/s from Pennsylvania and 310 KB/s from nevada
03:11 < tjz> x_x
03:12 < mRCUTEO> i have 2 servers in different location actually :)
03:12 < mRCUTEO> east and west USA
03:12 < tjz> hmm
03:12 < tjz> both are vps?
03:12 < mRCUTEO> dedicated :)
03:12 < tjz> ohok
03:13 < tjz> you got vbox on both?
03:13 < mRCUTEO> yes
03:13 < mRCUTEO> both
03:13 < mRCUTEO> i use the headless mode
03:13 < tjz> ya lor
03:13 < tjz> quite easy to setup?
03:13 < mRCUTEO> and if i couldnt get it to work i do VNC to the server and use the graphic mode :D
03:13 < mRCUTEO> very easy for NAT networking
03:13 < tjz> vnc..
03:13 < mRCUTEO> but harder for bridged networking
03:14 < tjz> is that a windows dedicated server?
03:14 < mRCUTEO> nope Linux
03:14 < mRCUTEO> i install gnome and x windows
03:14 < mRCUTEO> and vnc to the server
03:14 < tjz> hmm
03:14 < mRCUTEO> i got graphic interface
03:14 < mRCUTEO> i use www.realvnc.com
03:14 < mRCUTEO> :)
03:14 < tjz> install gnome & x windows through ssh?
03:15 < mRCUTEO> not through ssh through realvnc client
03:15 < tjz> hmm
03:15 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
03:15 -!- gfather [n=g@79.173.207.35] has quit []
03:15 < tjz> let's say you got a centos 5 server
03:15 < mRCUTEO> the best part is each user in your shell can have its own private vnc session :) so each shell user can vnc :D
03:15 < tjz> you can vnc into there too?
03:15 < mRCUTEO> yes
03:15 < mRCUTEO> using realvnc you can activate gnome and another GUI like firefox etc..
03:16 < tjz> never try that b4..
03:16 < mRCUTEO> yum groupinstall 'X Window System' 'GNOME Desktop Environment'
03:16 < mRCUTEO> :)
03:16 < tjz> how can that be possible...
03:16 < mRCUTEO> this would help you to install GUI for your server
03:16 < mRCUTEO> then just use the vnc to connect
03:17 < tjz> don't think it will works for vps
03:17 < mRCUTEO> oh vps wont work oh..
03:17 < mRCUTEO> unless you have a VBox or openVZ vps
03:17 < tjz> i have a openvz vps..
03:17 < mRCUTEO> i think it will work if openvz
03:18 < tjz> hmm
03:18 < mRCUTEO> Xen didnt work for me
03:18 < tjz> how come?
03:18 < tjz> i think we need a graphic card on the server?
03:18 < mRCUTEO> maybe sometimes its from the provider too
03:18 < mRCUTEO> my server doesnt have a graphic card..
03:18 < mRCUTEO> just a rack server without any graphic card
03:19 < mRCUTEO> and still i can do vnc
03:19 < mRCUTEO> through X Windows
03:19 < tjz> wa
03:19 < tjz> you got any simple tutorial?
03:19 < tjz> right from yum groupinstall 'X Window System' 'GNOME De
03:19 < mRCUTEO> well its just 3 steps :)
03:20 < tjz> until we can vnc in
03:20 < tjz> wa
03:20 < mRCUTEO> 1) yum groupinstall 'X Window System' 'GNOME Desktop Environment'
03:20 < mRCUTEO> 2) download realvnc server from www.realvnc.com and install the rpm
03:20 < mRCUTEO> 3) download the client and install in your PC
03:20 < mRCUTEO> 4) type vncserver in the server
03:20 < mRCUTEO> 5) Connect from client
03:20 < mRCUTEO> thats it :)
03:20 < mRCUTEO> 5 steps actually
03:20 < mRCUTEO> hehe
03:21 < tjz> ok
03:21 < tjz> i must try
03:21 < tjz> about vbox
03:21 < tjz> you used vbox to create vps like xen?
03:21 < mRCUTEO> sometime you cant download using your server if you're just using lynx or elinks thats why im using vnc so i can browse the website from the server
03:21 < mRCUTEO> yes
03:21 < mRCUTEO> i created openvz and xen in the vbox
03:21 < tjz> through headless mode?
03:21 < mRCUTEO> but xen always got some problem in the networking part
03:22 < mRCUTEO> i prefer openvz for vbox
03:22 < mRCUTEO> yerp
03:22 < tjz> ok
03:22 < mRCUTEO> i use ubuntu and centos both working and in bridge networking mode or HIS
03:22 < tjz> what kind of networking problem for xen?
03:22 < mRCUTEO> sorry HIN
03:22 < mRCUTEO> it cannot forward internet to the xen
03:22 < mRCUTEO> very weird
03:23 < tjz> do you think it is related to iptable?
03:23 < tjz> btw, what is HIN <-- mean?
03:23 < mRCUTEO> nope i've tried different methods
03:23 < mRCUTEO> host interface networking
03:23 < mRCUTEO> its in the vbox networking
03:23 < mRCUTEO> openvz works in vbox and openvz in vbox mode too
03:23 < mRCUTEO> tried them all and its flawless
03:23 < mRCUTEO> :D
03:23 < tjz> wa
03:28 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has left ##openvpn []
03:28 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
03:32 < tjz> must get my hand dirty on vbox
03:32 < tjz> :P
03:32 < tjz> also the realvnc server
03:33 < mRCUTEO> :)
03:33 < mRCUTEO> yerp
03:33 < mRCUTEO> you can do a lot of things in GUI if you configured the VNC correctly
03:34 < tjz> ya.. GUI should get you more stuffs compare to headless mode
03:34 < tjz> i think..
03:34 < mRCUTEO> yerp
03:34 < mRCUTEO> but for quick setup i prefer headless
03:34 < mRCUTEO> :)
03:35 < tjz> ok
03:36 < tjz> any plan later on?
03:37 < mRCUTEO> yerp going to friend party tonite
03:37 -!- onats [n=Juanito@unaffiliated/onats] has joined ##openvpn
03:38 < mRCUTEO> gotta find that liang moi
03:38 < mRCUTEO> hahahah
03:38 < onats> !config
03:38 < vpnHelper> onats: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
03:38 < onats> !samplme
03:38 < vpnHelper> onats: Error: "samplme" is not a valid command.
03:38 < onats> !sample
03:38 < mRCUTEO> must go enjoy enjoy first mah tjz
03:38 < vpnHelper> onats: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
03:38 < mRCUTEO> hehe
03:38 < mRCUTEO> tjz : any plan for the new year
03:39 < onats> dammit.. i forgot i wasn't able to generate keys for this laptop
03:40 < mRCUTEO> ahax
03:40 < mRCUTEO> and why is that onats
03:40 < tjz> probably going to check out celebration in the neighbourhood
03:43 < mRCUTEO> ic :)
03:43 < mRCUTEO> good lah
03:45 < tjz> nothing much ..
03:45 < tjz> x_x
03:48 < mRCUTEO> heheh
03:48 < mRCUTEO> so hows your vbox setup
03:49 -!- onats [n=Juanito@unaffiliated/onats] has left ##openvpn []
03:50 < mRCUTEO> okay already?
03:55 < tjz> haven't start..
03:55 < tjz> i want to relax for today
03:55 < tjz> :P
03:55 < mRCUTEO> :)
03:58 < tjz> give me a break..
03:58 < tjz> x_x
03:58 < tjz> LOL
03:58 < mRCUTEO> hehehe
04:01 < reiffert> morning
04:04 < tjz> morning
04:04 < mRCUTEO> mornin reiffert
04:12 < mRCUTEO> hmm
04:13 < mRCUTEO> going to party now
04:13 < mRCUTEO> see ya later tjz :)
04:13 < tjz> enjoy your day
04:13 < tjz> have fun
04:13 < tjz> party time!
04:13 < tjz> ^_^
04:14 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit []
04:15 < krzee> morning
04:16 < tjz> morning jeff
04:18 < krzee> mornin
04:18 < krzee> i still need to sleep tho
04:18 < krzee> haha
04:18 < krzee> just finished the movie
04:19 -!- gfather [n=g@79.173.207.35] has joined ##openvpn
04:19 < gfather> hello guys :)
04:19 < gfather> krzee u there ?
04:21 < krzee> i am
04:21 < tjz> what movie did you watch?
04:21 < krzee> just finished the movie
04:21 < krzee> shoot on sight
04:21 < tjz> hmm
04:22 < tjz> how was the movie?
04:22 < krzee> wasnt bad
04:23 < gfather> so now everything returned to normal , and peer is disconnecting :)
04:23 < gfather> http://pastebin.com/m20e1aa65
04:23 < gfather> here is the config of server , client , and client log
04:23 < krzee> why dev tap?
04:24 < gfather> what it should be ?
04:24 < tjz> okay
04:24 < krzee> tun
04:24 < gfather> should i remove it ?
04:24 < krzee> dev tun
04:25 < gfather> ok changed it to dev tun
04:25 < krzee> server 192.168.10.0 255.255.255.128
04:25 < krzee> why such a small subnet?
04:25 < krzee> its not being used on the clients side, right?
04:25 < gfather> no
04:25 < krzee> then why not use 255.255.255.0
04:25 < reiffert> omg, I bought so much alcohol, I guess it will last till next year :)
04:25 < gfather> what i mean is right
04:26 < krzee> lol reif
04:26 < gfather> krzee is the dhcp push setting right ?
04:26 < tjz> lol!!
04:26 < krzee> yes but
04:26 < krzee> !pushdns
04:26 < vpnHelper> krzee: "pushdns" is (#1) push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
04:27 < tjz> reiffert, too excited for the new year
04:27 < tjz> :P
04:27 < krzee> see that link
04:27 < krzee> theres problems often with pushing dns
04:27 < krzee> the windows resolver doesnt handle it well enough
04:28 < gfather> ok i stopped the push dns ,
04:28 < gfather> im not concerned about it
04:28 < krzee> if you have max-clients 100 and 255.255.255.128, im confused
04:28 < gfather> i just want to have a successful connection :)
04:28 < krzee> haha
04:28 < gfather> i dont have 100 lool
04:28 < gfather> i only have 1 :)
04:28 < krzee> max-clients 100 # Assign the maximum number of clients here
04:29 < krzee> then make your own configs instead of using a copy/paste from a website :-p
04:29 < krzee> you can just remove that line
04:29 < krzee> and change 255.255.255.128 to 255.255.255.0
04:29 < krzee> !logs
04:29 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
04:30 < krzee> whoa
04:30 < krzee> wait
04:30 < krzee> found it
04:30 < gfather> what
04:30 < krzee> cipher BF-CBC # Blowfish (default) encryption
04:30 < krzee> cipher AES-128-CBC
04:30 < krzee> you have to pick one
04:30 < krzee> and use it on both
04:30 < gfather> ah sorry , i was messing with those , the first time they were the same
04:30 < krzee> btw if you choose BF-CBC you can just remove the line from both configs
04:31 < krzee> cause BF-CBC is default
04:31 < gfather> cool
04:31 < gfather> and better
04:31 < krzee> whats tls-exit
04:32 < gfather> not sure :)
04:32 < krzee> k well i looked it it
04:32 < krzee> !man
04:32 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:32 < krzee> i suggest knowing what you're telling your vpn to do
04:33 < krzee> read through the manual
04:33 < gfather> im trying
04:33 < gfather> i read the howto
04:33 < gfather> and followed examples and tutorials that are recommended
04:33 < krzee> cool
04:33 < krzee> thats good intro
04:33 < krzee> the manual is best source of info
04:34 < gfather> i know that my settings are not perfect , but im really trying to learn , and make it work
04:34 < krzee> anyways
04:34 < krzee> now that ciphers are correct, set verb 6
04:34 < krzee> and restart
04:34 < gfather> on both sides
04:34 < krzee> then
04:34 < krzee> !logs
04:34 < krzee> yes
04:34 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
04:34 < krzee> both sides
04:38 < gfather> something is changed
04:39 < gfather> http://pastebin.com/d23d43087 here is log
04:39 < gfather> i hope u like iT :)
04:40 < krzee> server isnt on verb 6
04:42 < gfather> i changed it to verb 6
04:42 < krzee> Wed Dec 31 12:39:16 2008 us=639768 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
04:42 < krzee> whoa oldness
04:43 < krzee> and the problem is that isnt a logfile
04:43 < krzee> !router
04:43 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
04:44 < krzee> is it one of those?
04:44 < gfather> yes
04:44 < krzee> then observe the note from the bot ;]
04:44 < gfather> but its based on openwrt ( linux) not modified firmware
04:45 < krzee> same deal
04:45 < krzee> turn on logging so you can post it
04:45 < krzee> i dont use those, you'll need to figure that out
04:45 < krzee> you'll want to turn it off during troubleshooting
04:45 < gfather> yes
04:46 < krzee> actually, you could prolly start the vpn in the foreground
04:46 < krzee> without using --daemon
04:46 < krzee> (after giving it verb 6 in the config)
04:46 < gfather> :S
04:52 < gfather> krzee im not sure how to do that
04:53 < krzee> then figure out how to turn on your logging
04:53 < krzee> [06:47] <krzee> turn on logging so you can post it
04:53 < krzee> [06:47] <krzee> i dont use those, you'll need to figure that out
04:53 < krzee> [06:47] <krzee> you'll want to turn it off during troubleshooting
04:53 < krzee> i said during, i meant after
04:54 < krzee> those dont save logs because the filesystem is so small
04:54 < krzee> so when we're done, turn it back off
04:56 < gfather> im not sure how to turn the logging on , ill ask @ openwrt # for logging
04:58 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
05:12 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
05:25 < gfather> krzee they say verb6 only for critical , so its working normally , that's why verb6 didnt show on server side
05:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:48 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
06:02 -!- protocols [n=protocol@ip-88-152-40-90.unitymediagroup.de] has quit ["Leaving"]
06:14 -!- gfather [n=g@79.173.207.35] has quit [Read error: 145 (Connection timed out)]
06:36 -!- gfather [n=g@94.249.97.71] has joined ##openvpn
06:36 < gfather> im still trying :(
06:53 -!- gfather [n=g@94.249.97.71] has quit []
06:56 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
07:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
07:18 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
07:31 -!- gfather [n=g@77.241.65.48] has joined ##openvpn
07:32 < gfather> im trying to use tcp now , but its the same , TCP: connect to 92.241.56.x:1194 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)
07:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:51 -!- gfather [n=g@77.241.65.48] has quit []
07:57 -!- gfather [n=g@77.241.65.48] has joined ##openvpn
07:57 < gfather> guys , finally :D , i have a successful connection
07:57 < gfather> but i cant ping the pc's behind the vpn server
07:58 < gfather> how can i fix that ?
08:00 < krzee> [07:27] <gfather> krzee they say verb6 only for critical , so its working normally , that's why verb6 didnt show on server side
08:00 < krzee> what is that even supposed to mean?
08:01 < gfather> forget about it :) , i have a connection now :D
08:01 < krzee> and for your last ?...
08:01 < krzee> !route
08:01 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
08:01 < krzee> topic: "lans behind openvpn? see !route"
08:01 < gfather> krzee the problem was , i changed the 192.168.1.1 to the dyndns domain
08:01 < gfather> and worked
08:02 < krzee> gave the local command your dyndns hostname?
08:02 < krzee> local 192.168.1.1 # This is the IP address of the real network interface on the server connected to the router
08:02 < krzee> that line?
08:02 < gfather> yes
08:02 < krzee> lol
08:02 < krzee> that shouldnt even work
08:03 < krzee> all local is for is choosing which ip to bind to
08:03 < krzee> you can remove it to bind to all ips
08:03 < gfather> well its the only way it worked for me :D
08:03 < krzee> ohhhhh wait
08:03 < gfather> its confusing :D yes
08:03 < krzee> your server has external interface
08:03 < krzee> its the router
08:03 < krzee> LOL
08:04 < krzee> thats funny, im so used to just assuming its behind a NAT when i see a 1918 ip in local
08:05 < gfather> well its working now :D
08:05 < gfather> i dont care if i was wrong , i dont care if anything was wrong , :D
08:05 < gfather> testing route , brb
08:06 < krzee> im not laughing at you
08:06 < krzee> more at me for not catching that
08:06 < gfather> its okay :D
08:07 < gfather> just help me with the route , and ill be very pleased , so i can go and get ready to newyears evening
08:07 < krzee> i did help you
08:07 < krzee> i wrote that writeup
08:07 < krzee> !route
08:07 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
08:07 < krzee> trust me, that thing didnt write itself
08:07 < krzee> took some effort
08:07 < krzee> i even made a drawing for you
08:07 < gfather> yes , i followed it , but still cant ping the pc
08:07 < krzee> lan is behind server, right?
08:08 < gfather> thanks a lot for the drawing , and you could've added a bunny to it :D
08:08 < krzee> and client lan is NOT on same netblock as server lan, right?
08:09 < gfather> i didnt understand that
08:09 < krzee> ok
08:09 < krzee> server lan is 192.168.1.X
08:09 < gfather> yes
08:09 < krzee> is client lan also 192.168.1.X?
08:10 < gfather> yes
08:10 < krzee> that wont work
08:10 < krzee> change serer lan to something abnormal
08:10 < krzee> server lan
08:10 < gfather> it should be 192.168.2.x
08:10 < krzee> like 192.168.69.X
08:10 < krzee> hehe
08:10 < gfather> can i change the client lan to that
08:10 < krzee> well
08:11 < krzee> do you ever want to login remotely?
08:11 < gfather> if i change server side , ill lose it
08:11 < krzee> like from laptop
08:11 < gfather> yes
08:11 < krzee> cause 192.168.1.X is common, if you plan on logging in from your laptop while roaming around, you'll have this problem often
08:12 < gfather> nah
08:12 < gfather> not from a laptop
08:12 < gfather> only from client side
08:12 < krzee> ok, then you can change client side
08:12 < gfather> cools :)
08:12 < krzee> then all you hafta do is
08:12 < krzee> push "route 192.168.1.0 255.255.255.0"
08:12 < krzee> in server config
08:13 < gfather> i did that
08:13 < gfather> and push "route 192.168.1.15 255.255.255.0"
08:13 < gfather> the pc behind it , or i dont need that ?
08:14 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
08:14 < SgtPepperKSU> !route
08:14 < vpnHelper> SgtPepperKSU: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
08:15 < krzee> gfather, only what i said
08:15 < krzee> gfather, if there was more, i would not have said it like i did
08:15 < krzee> [10:14] <krzee> then all you hafta do is
08:15 < krzee> [10:15] <krzee> push "route 192.168.1.0 255.255.255.0"
08:15 < krzee> [10:15] <krzee> in server config
08:16 < gfather> oks , im sorry
08:16 < krzee> also, you mentioned you tried tcp
08:16 < krzee> change it back to udp
08:16 < krzee> !tcp
08:16 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
08:16 < gfather> yes i changed it back
08:16 < gfather> udp is reported to work better
08:17 < krzee> right, for the reason in that link
08:17 < krzee> (which i stole from the manual)
08:18 < krzee> btw
08:18 < krzee> [10:15] <gfather> and push "route 192.168.1.15 255.255.255.0"
08:19 < krzee> that is the exact same thing as push "route 192.168.1.0 255.255.255.0"
08:19 < krzee> read up on netmask (general networking) to know why
08:20 < krzee> http://en.wikipedia.org/wiki/Subnetwork
08:20 < vpnHelper> Title: Subnetwork - Wikipedia, the free encyclopedia (at en.wikipedia.org)
08:27 -!- gfather [n=g@77.241.65.48] has quit [Read error: 145 (Connection timed out)]
08:38 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."]
08:45 < reiffert> let's see if the beer is already cold enough...
08:58 -!- gfather [n=g@77.241.65.48] has joined ##openvpn
08:58 < gfather> krzee u said btw , and i lost connection
08:58 < gfather> and btw when i enable the push u told me about , i get the same old annoying msg
08:59 < gfather> peer somethin .....
09:04 < gfather> krzee u here ?
09:05 < gfather> krzie ?
09:18 < gfather> krzee when i ping 192.168.1.15 i get
09:18 < gfather> Reply from 172.16.10.1: Destination host unreachable.
09:23 -!- gfather [n=g@77.241.65.48] has quit [Read error: 54 (Connection reset by peer)]
09:33 -!- gfather [n=g@77.241.65.48] has joined ##openvpn
09:37 < gfather> krzee ?
09:50 < ecrist> morning, folks
09:50 < ecrist> krzee: I think it's funny people try to automate updates to the hosts file, when they can more easily setup DNS
09:51 < ecrist> 08:18 < krzee> [10:15] <gfather> and push "route 192.168.1.15 255.255.255.0"
09:52 < ecrist> 08:19 < krzee> that is the exact same thing as push "route 192.168.1.0 255.255.255.0"
09:52 < ecrist> 08:19 < krzee> read up on netmask (general networking) to know why
09:52 < ecrist> 08:20 < krzee> http://en.wikipedia.org/wiki/Subnetwork
09:52 < vpnHelper> Title: Subnetwork - Wikipedia, the free encyclopedia (at en.wikipedia.org)
09:52 < ecrist> that's everything after btw
09:59 -!- gfather [n=g@77.241.65.48] has quit [Read error: 54 (Connection reset by peer)]
10:09 -!- gfather [n=g@77.241.65.48] has joined ##openvpn
10:18 -!- gfather [n=g@77.241.65.48] has quit [Read error: 145 (Connection timed out)]
10:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:07 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:32 < cyberjames> Hi everyone. Anyone had tried running openvpn under virtual machine guest (xen,vmware,virtualbox) and its providing other network ip address segment such as 192.168.9.0/24?
12:39 < ecrist> sure
12:39 < ecrist> I answered that question yesterday, I think, for you.
12:43 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
12:56 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)]
13:02 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has joined ##openvpn
13:08 < cyberjames> ecrist: sorry, I was away immediately yesterday. Can you repeat it again as what you said yesterday? :)
13:09 * cyberjames wish to get logs for yesterday on this channel
13:10 < krzee> !irclogs
13:10 < vpnHelper> krzee: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
13:10 < cyberjames> great, thanks krzee
13:11 < krzee> np
13:11 < krzee> he likely said "yes"
13:13 < cyberjames> ok, so it's not possible
13:13 < krzee> thats what he said yesterday?
13:14 < krzee> i KNOW people have done it in virtualbox, virtuozzo
13:14 < cyberjames> I see
13:14 < krzee> not sure on xen or vmware, but ecrist might be
13:15 < cyberjames> he said: "< ecrist> no, I have not, but as long as you can modify the network stack, there should be no real reason you can't do so."
13:15 < krzee> well that and make a tun/tap device
13:16 < krzee> well
13:16 < cyberjames> yeah, but I really need to get a good example from internet which I can follow to.
13:16 < krzee> thats both of us saying you prolly can
13:16 < krzee> haha
13:16 < cyberjames> lol
13:16 < krzee> you cant learn it on your own?
13:17 < cyberjames> I can but I need to read and it takes me a lot of time
13:17 < krzee> vpns are advanced networking
13:17 < krzee> doing advanced networking from within a virtual machine SHOULD require some reading
13:17 < krzee> lol
13:17 < cyberjames> meaning, need to get a good summery howto/tutorial and later I will later read the whole process
13:17 < cyberjames> summary*
13:17 < krzee> well, good luck
13:18 < cyberjames> ah
13:18 < cyberjames> krzee: if you happen to catch any example from internet, don't hesitate to PM me :D
13:21 < cyberjames> krzee: what are some alternatives for openvpn?
13:22 < cyberjames> oh pptp
13:24 < krzee> ipsec would be another
13:24 < krzee> and hamachi
13:25 < cyberjames> i see
13:25 < krzee> im unlikely to catch an example walkthrough, especially because i hate them
13:25 < cyberjames> lol
13:25 < krzee> cause people who have no clue what they're doing use them, then come here with problems that stem from them not reading anything they should have
13:26 < krzee> that was not aimed at you
13:26 < krzee> (yet...?)
13:26 < krzee> lol
13:26 < cyberjames> what can you suggest for me how to start?
13:26 < krzee> !howto
13:26 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:27 < cyberjames> there is no example howto there that could be the same as my situation.
13:27 < krzee> lol
13:27 < krzee> again, i dont know
13:28 < cyberjames> np :)
13:28 < krzee> so you're going to use xen, vmware, and virtualbox?
13:30 < cyberjames> xen
13:30 < cyberjames> this is just a test only
13:31 < krzee> why even do a test if not willing to read the docs?
13:32 < krzee> !/30
13:32 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
13:32 < krzee> (thats for an answer for the mailing list, not you)
13:32 < krzee> !topology
13:32 < vpnHelper> krzee: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:46 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
13:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
14:20 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)]
14:23 -!- xattack [i=xattack@132.248.108.239] has quit []
14:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:44 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn
15:11 -!- Balzac21 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has quit [Operation timed out]
15:20 < ecrist> :wq
15:21 < ecrist> bet you can't tell who uses vim around here...
15:21 < ecrist> doh
15:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:24 < ecrist> !irclogs
15:24 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
15:26 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
15:26 < mRCUTEO> happy new year everyone
15:27 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has joined ##openvpn
15:27 < krzie> happy new yrs
15:27 < mRCUTEO> :)
15:30 < ecrist> happy new year, mRCUTEO
15:31 < mRCUTEO> :)
15:36 < ecrist> I'm done with work - don't go back until monday.
15:36 < ecrist> huzzah!
15:43 < krzie> nice, taking the rest of the yr off!
15:43 < ecrist> yep!
15:43 < ecrist> all 7 hours of it
15:43 < mRCUTEO> =)
15:44 < krzie> my #1 girl gets back to town on monday
15:44 < krzie> she called me last night and was telling me about the dream i was in
15:44 < ecrist> nice
15:45 < krzie> apparently i was only the co-star, her female friend was the main star
15:45 < krzie> shich is WAY cooler
15:45 < krzie> s/shich/which
15:45 < mRCUTEO> #1 girl eh wow
15:45 < krzie> ya, shes a good one
15:45 < mRCUTEO> :D
15:50 < krzie> i only really have 2 right now tho
15:51 < krzie> unless we count that my #2 brings friends, but i dont cross the line by getting their numbers or anything, they're only mine when they're with me and her
15:51 < mRCUTEO> :)
15:52 < mRCUTEO> so whats the time in your place now?
15:52 < mRCUTEO> is it new year already
15:52 < mRCUTEO> are you planning a party?
15:59 < krzie> its 6
15:59 < krzie> im gunna hang out til around 12, then hit up a bar where its gunna be crazy partying
15:59 < krzie> with the #2
15:59 < mRCUTEO> so 6 hours to new year
16:00 < mRCUTEO> its 6 AM here :) , 6 hours past new year
16:01 < mRCUTEO> i ruined my new year celebration, fell asleep after drinkin 7 bottles of carlton
16:01 < mRCUTEO> so dont get drunk too much :)
16:01 * mRCUTEO wish i could go back to the future 6 hours :D
16:05 < mRCUTEO> krzie the #1 and #2 which one you love most :D
16:12 -!- justdave_ is now known as justdave
16:14 < krzie> the fact that they are #1 and #2 should say it
16:16 < mRCUTEO> ic :-)
16:16 < krzie> ild make #1 my girl but i dont wanna give up variety =/
16:17 < mRCUTEO> :-)
16:22 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection]
16:24 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
16:41 * mRCUTEO bfast time
16:41 * mRCUTEO bubye
16:41 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit []
17:34 < mepholic> how do you generate a csr in windows?
17:41 < krzie> with easy-rsa
17:44 < mepholic> welp
17:44 < mepholic> nothing in the windows easy-rsa
17:44 < mepholic> for csr
17:44 < mepholic> last i looked
17:47 < krzie> you generate a cert
17:48 < krzie> thats a csr, til you sign it
17:48 < krzie> just follow the howto
17:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:02 -!- uncorq [n=corq@183.194.8.67.cfl.res.rr.com] has quit [Remote closed the connection]
18:08 -!- et [n=et@feynman.fachschaft.physik.tu-darmstadt.de] has quit [Read error: 104 (Connection reset by peer)]
18:21 < deever> hmm...how exactly can i make openvpn set the client's default route to the tunnel?
18:21 < deever> "redirect-gateway def1" alone doesn't work
18:24 < krzie> !configs
18:24 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:24 < krzie> !logs
18:24 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6
18:24 < krzie> OHHH
18:24 < krzie> you putting that in the server config
18:24 < krzie> ?
18:25 < krzie> it should be push "redirect-gateway def1"
19:59 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has joined ##openvpn
20:05 -!- tomh [i=565ed8e8@gateway/web/ajax/mibbit.com/x-e47c48da46ae5365] has joined ##openvpn
20:05 < tomh> hey, anyone know how i can use the openvpn connection in windows for internet?
20:08 < krzie> i dont understand the question
20:09 < dvl> Gidday
20:09 < krzie> wassup
20:09 < dvl> tomh: what is it you wish to use OpenVPN for?
20:09 < dvl> krzie: just converted my Bacula jobs to backup over the VPN rather than public Internet.
20:10 < dvl> Had to create new certs, and then it just worked.
20:10 < krzie> nice, good idea
20:10 < tomh> dvl: for internet browsing
20:10 < dvl> It was encrypted TLS..
20:10 < krzie> tomh:
20:10 < dvl> tomh: Hmm, what is your goal?
20:10 < krzie> you need to use redirect-gateway and have NAT on the server
20:10 < krzie> !nat
20:10 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
20:10 < krzie> !def1
20:10 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:11 < tomh> well to browse the internet with another IP :)
20:11 < tomh> redirect gateway hmm
20:11 < krzie> right, see the info my bot just gave you
20:11 < tomh> yup thanks
20:11 < krzie> np
20:11 < tomh> my client already connects successfully to my server
20:12 < krzie> you will need NAT on the server, for the exact same reason your home router (which i prefer to call NAT boxes in most cases) needs to
20:12 < krzie> and you will need --redirect-gateway
20:13 < tomh> i see, im trying to do the link you gave me now
20:15 < krzie> http://www.engadget.com/2008/12/30/hackers-playstation-3-make-ssl-much-less-secure/
20:15 < vpnHelper> Title: PlayStation 3 used to hack SSL, Xbox used to play Boogie Bunnies - Engadget (at www.engadget.com)
20:17 < tomh> krzie: do i need to restart my browser after or?
20:17 < krzie> no
20:17 < krzie> your browser has no control over the routes
20:19 < krzie> it just sends packets out, the OS checks the routing table to find where to send them
20:19 < tomh> i think something is wrong with my client settings then
20:19 < tomh> server is configured like mentioned on that link
20:20 < krzie> if you have push "redirect-gateway def1" in your server config
20:20 < krzie> and it still doesnt work
20:20 < krzie> and you can ping the vpn ip of the server from client
20:20 < krzie> then your problem is your firewall (aka your NAT rules)
20:21 < tomh> my pc firewall or my wireless home router?
20:30 < dvl> 01-Jan 02:31 bacula-sd JobId 24396: Job write elapsed time = 00:08:13, Transfer rate = 846.9 K bytes/second
20:30 < dvl> Hmm, that's not a bad download rate.
20:30 < reiffert> and a happy new year!
20:34 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
20:41 < krzie> tom, see my link?
20:45 < reiffert> no
20:45 < reiffert> should I?
20:45 < reiffert> All the girls n boys return tomorrow, finishing it off ... so much food and alc .. enjoying it
20:46 < reiffert> Small chances are it ends off with two couples in my bed :)
20:46 < krzie> GL
20:47 < reiffert> Talked to my friend, he likes my girl and I'll enjoy his .. well. sigh.
20:48 < tomh> krzie: i did everything on the link, i think the problem is that windows still uses my wireless NIC instead of the new openvpn NIC
20:48 < reiffert> Oh, that tom ...
20:48 < krzie> no no
20:48 < tomh> reiffert: know a solution?
20:48 < krzie> i meant you reiffert
20:49 < krzie> SSL hacked
20:49 < reiffert> tomh: probably yes, talk to me the other day ... not before the day after tomorrow
20:49 < tomh> oh
20:49 < krzie> tomh your logs should tell you if thats true, redirect-gateway should be changing that for you
20:49 < reiffert> krzie: want to have the original lesson/lecture about ssl hacking?
20:49 < krzie> but if you see an error in the logs, theres 2 common problems in windows
20:51 < reiffert> ftp://25c3videos.lug-in.de/saal1/
20:51 < reiffert> ID3023
20:51 < krzie> reiffert they were able to use a bug in MD5 to make a fake CA
20:51 < reiffert> I recommend ogg
20:51 < krzie> and hell yes i do
20:51 < krzie> lemme grab
20:51 < krzie> thx
20:51 < krzie> i remember when the MD5 collisions were found to be possible
20:52 < krzie> but seeing it implemented to own ssl, cool
20:52 < reiffert> the obvious md5 flaw ... together with a ca signing with predictable serial numbers
20:52 < krzie> especially with a large ass ps3 cluster
20:52 < tomh> krzie: well i still see my own home ip on sites like whatsmyip
20:53 < tomh> i probably need a specialized route in windows to use the nic from openvpn
20:53 < reiffert> krzie: you like german language, dont you
20:54 < reiffert> krzie: http://www.heise.de/newsticker/25C3-Erfolgreicher-Angriff-auf-das-SSL-Zertifikatsystem--/meldung/121005
20:54 < vpnHelper> Title: heise online - 30.12.08 - 25C3: Successful attack on the SSL certificate system (at www.heise.de)
20:56 < krzie> haha
20:56 < krzie> i dont spekenzie any german
20:56 < krzie> except "moin"
20:57 < krzie> which i learned from googling after seeing kraut
20:57 < krzie> haha
20:57 < reiffert> Ah well, lets have some Babelfish then
20:57 < krzie> tomh
20:57 < krzie> !logs
20:57 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6
20:59 < reiffert> well, maybe tomorrow might be a better day to start off ... wish you a happy nightmare^w^w^w^w^w^w^w^w wish you a happy new year!
20:59 < krzie> hahah
21:00 < reiffert> english version: http://www.heise-online.co.uk/news/25C3-MD5-collisions-crack-CA-certificate--/112327
21:00 < vpnHelper> Title: 25C3: MD5 collisions crack CA certificate - heise online UK (at www.heise-online.co.uk)
21:04 < krzie> 0% [ ] 4,513,416 404K/s eta 19m 54s
21:04 < krzie> not bad for across the world
21:05 < reiffert> 2009-01-01 04:08:14 (159 KB/s) - `112327' saved [37044]
21:06 < reiffert> damn, it's 2009
21:06 < reiffert> have to sleep about that
21:06 < krzie> im getting that .ogm
21:06 < krzie> ya dude, didnt it just turn 2000?
21:06 < tomh> ok gonna try
21:07 < krzie> tomh, try what?
21:07 < krzie> i cant help you til you do what my bot said to do
21:07 < krzie> and using pastebin to post logs requires no trying, you just do it
21:08 < tomh> try getting the log files
21:08 < tomh> that was what i was trying :)
21:10 < krzie> cool
21:11 < tomh> http://mibbit.com/pb/M6k49z
21:11 < vpnHelper> Title: Mibbit: PasteBin (at mibbit.com)
21:12 < tomh> the client log
21:15 < krzie> hrm looks like its not even connecting
21:15 < krzie> server log...?
21:16 < tomh> mm it is connected
21:16 < krzie> ok
21:17 < krzie> i dont even see it trying to add routes
21:17 < krzie> server log...
21:17 < tomh> whats the default location?
21:18 < krzie> default location...?
21:19 < tomh> oh nvm found it
21:20 < tomh> http://mibbit.com/pb/d0pmCp server
21:20 < vpnHelper> Title: Mibbit: PasteBin (at mibbit.com)
21:22 < krzie> !configs
21:22 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
21:25 < tomh> http://mibbit.com/pb/0ZNxHr
21:25 < vpnHelper> Title: Mibbit: PasteBin (at mibbit.com)
21:28 < tomh> oh server os: ubuntu 8.10 and client os: windows xp sp2
21:35 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
21:36 < krzie> OHH
21:36 * tomh thinks he did something stupid :(
21:36 < krzie> i dont know if you can redirect-gateway on a p2p connection
21:36 < krzie> try something like this:
21:36 < krzie> !sample
21:36 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:36 < krzie> and for pushing DNS...
21:37 < krzie> !pushdns
21:37 < vpnHelper> krzie: "pushdns" is (#1) push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
21:37 < krzie> see #2
21:37 < tomh> hmm problem with the certs is that my windows libs couldn't handle them
21:37 < tomh> but i'm gonna try that tomorrow
21:37 < krzie> huh??
21:37 < krzie> windows libs?
21:37 < krzie> openvpn handles all that
21:38 < tomh> hmm..
21:38 < krzie> no external requirements
21:38 < krzie> also, when using user/group to drop privileges
21:39 < krzie> you want to persist stuff like in my samples
21:39 < tomh> ok
21:39 < tomh> well thanks a lot for all your help
21:40 < tomh> first thing i'm gonna do tomorrow is try out that sample file
21:41 < tomh> bye
21:41 -!- tomh [i=565ed8e8@gateway/web/ajax/mibbit.com/x-e47c48da46ae5365] has quit ["http://www.mibbit.com ajax IRC Client"]
22:12 < tjz> http://www.youtube.com/watch?v=Rogd9spApbc
22:12 < vpnHelper> Title: YouTube - COMING WORLD WAR 3 PROPHECY PREDICT FOOD SHORTAGE AND STARVATION IN AMERICA 2009-2010 (at www.youtube.com)
22:12 < tjz> thx vpnhelper
22:12 < tjz> hehehe
22:12 < tjz> http://www.youtube.com/watch?v=hzDrpKnbgiI&feature=related
22:12 < vpnHelper> Title: YouTube - WORLD WAR 3 ISRAEL MIGHT ATTACK IRAN BEFORE OBAMA INAUGURATION 2009 (at www.youtube.com)
22:14 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
23:00 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
23:22 < ropetin> !linnat
23:22 < vpnHelper> ropetin: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
23:26 < ropetin> !nat
23:26 < vpnHelper> ropetin: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
23:26 < ropetin> !firewall
23:26 < vpnHelper> ropetin: "firewall" is please see http://openvpn.net/man#lbBD for more info
23:26 < ropetin> !iptables
23:26 < vpnHelper> ropetin: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
23:39 < cyberjames> !xen
23:39 < vpnHelper> cyberjames: Error: "xen" is not a valid command.
--- Day changed Thu Jan 01 2009